Security Architecture 101

How the kernel mediates files, processes, sockets, memory, and privilege.

Virtual memory, address spaces, isolation, and why memory bugs become control bugs.

Process identity, lifecycle, isolation, and privilege inheritance.

The contract between user programs and the kernel.

Packets, sockets, routing, NAT, firewalls, and service exposure.

Authentication, encryption, key agreement, and transport integrity.

The naming layer that silently controls where traffic goes.

Methods, headers, caching, proxies, cookies, and request interpretation.

A UDP-based encrypted transport with built-in TLS and stream multiplexing.

Packaging plus kernel isolation, not a lightweight virtual machine.

Cluster identity, scheduling, admission, network policy, and workload containment.

Compact public-key cryptography based on hard group problems.

Proof that a key approved a specific message.

Multiple parties compute together without revealing their private inputs.

Cryptographic operations that require k of n participants.

Proving a statement without revealing the underlying witness.

Hardware-backed enclaves for code and data isolation.

Security properties rooted in chips, firmware, buses, and physical access.

Dedicated systems for generating, storing, and using high-value keys.

Turning secrets into purpose-specific keys safely.

Unpredictability as a security dependency.

Encrypting data while also proving it was not modified.

A structured way to decide what can go wrong and what to do about it.

Places where data, identity, or authority changes trust level.

Breaking attacker goals into concrete paths and prerequisites.

How secrets are created, stored, used, rotated, revoked, and audited.

Compromise through dependencies, build systems, vendors, or update channels.

Reducing what compromised code can see or do.

Building security into design, coding, review, release, and operations.

Authentication, authorization, sessions, tokens, and identity lifecycle.

Centralizing authorization decisions without centralizing all context.

Making vulnerabilities harder to weaponize reliably.

AWS authorization as a graph of principals, policies, conditions, and resources.

Envelope encryption, key policy, grants, and cryptographic access control.

AWS isolated compute environments with attestation and no direct networking.

Network segmentation, routing, and controlled exposure in cloud environments.

Giving services short-lived identity instead of static credentials.

Identity, mTLS, and policy for service-to-service traffic.

Authorization for Kubernetes API verbs over resources.

Standard workload identities and automated attestation.

Protecting data in use with hardware-backed isolation and attestation.

When unsafe memory behavior becomes attacker-controlled behavior.

Remote code execution and why it is rarely the end of the story.

Making a server send attacker-chosen requests.

Turning untrusted bytes into objects, and sometimes behavior.

Misusing delegation flows, redirects, scopes, and tokens.

Reaching protected behavior without satisfying the intended check.

Turning limited access into more powerful authority.

Attacks against key custody, signing UX, and transaction intent.

Exploiting immutable on-chain logic, economics, and integrations.

Giving AI agents scoped authority instead of ambient power.

Untrusted content steering model behavior across instruction boundaries.

Extracting model behavior, training data, system prompts, or proprietary outputs.

Misusing the external capabilities connected to an AI system.

Letting agents act for users or services without losing accountability.

Keeping AI-accessible credentials brokered, scoped, and recoverable.

Containing model-generated code, browsing, files, and tool execution.

Making agent-initiated payments, trades, or state changes safe.

Designing agent memory so recall does not become leakage or manipulation.