Articles

Practical guides for modern security

Honest writing on SOC 2 readiness, continuous compliance, vulnerability management, incident response, and the messy realities of keeping a regulated business secure.

30 articles
Security Posture10 min read

Passkeys and Passwordless Authentication: Killing the Password Without Betting the Company on One

Passwords are the root cause behind most breaches a small business will ever suffer, and passkeys are the first replacement that is both more secure and easier to use. But swapping the front door of every account is the kind of change that either quietly hardens your whole company or locks half of it out on a Monday morning. A plain-language walk through what a passkey actually is, why it cannot be phished, the synced-versus-hardware choice that shapes your rollout, the recovery problem that is harder than the login problem, and how to move a lean team off passwords without stranding anyone.

Paul HittJul 12, 2026
Security Posture11 min read

Quantum-Safe Cryptography: Why a Lean Team Should Start Planning the Migration Now, Not Later

A cryptographically relevant quantum computer does not exist yet — but "harvest now, decrypt later" means the clock on your long-lived secrets is already running, and the standards to fix it landed in 2024. This is a plain-English planning guide to the post-quantum transition: what actually breaks, what NIST finalized, why crypto-agility matters more than any single algorithm, and how a small team turns a decade-long migration into tracked work it can start this quarter.

Paul HittJul 11, 2026
Security Posture8 min read

The Access Point in the Ceiling: Securing the Office Wi-Fi You Actually Own

Most advice about Wi-Fi assumes you are the guest on someone else's hostile network. But a lean team usually owns at least one network — the office access point in the ceiling, the router in the closet — and that one you can actually harden. A practical baseline for the wireless you administer: one password nobody should know, a guest network that reaches nothing, and the smart TV that should never share a segment with payroll.

Paul HittJul 8, 2026
Security Posture8 min read

MTA-STS and TLS Reporting: Making Sure Mail to You Arrives Encrypted

SPF, DKIM, and DMARC prove who sent a message — but none of them guarantee the message travelled encrypted. Mail servers fall back to plaintext silently, and a network attacker can strip the encryption without anyone noticing. How a lean team publishes MTA-STS to require TLS on inbound mail, turns on TLS-RPT to watch for failures, and treats a downgrade report as a finding.

Paul HittJul 2, 2026
Security Posture8 min read

Securing the Networks You Do Not Own: Remote Work, Home Wi-Fi, and the Coffee-Shop Problem

Your team works on networks you will never administer — home routers, hotel Wi-Fi, the cafe down the street. You cannot harden those networks, so the strategy shifts: make the device safe to use on a hostile network, and prove every machine meets that bar. A practical baseline for a distributed lean team, and how to keep it honest.

Paul HittJun 30, 2026
Security Posture7 min read

The Certificate That Expires on a Saturday: Watching TLS Before It Watches You

An expired TLS certificate is a self-inflicted outage that scares away every visitor with a full-page browser warning — and it almost always lands at the worst possible time. As certificate lifetimes shrink toward weeks, manual renewal stops scaling. How a lean team inventories every certificate, watches expiry as a tracked risk, and proves the whole estate is healthy.

Paul HittJun 30, 2026
Articles — Hosting Security