Zero Trust Networks, 2nd Edition
The definitive guide to Zero Trust network architecture. Principles, design patterns, and implementation across modern infrastructure.
View on Amazon
Two decades building and shipping security products. Writing about what actually works in cloud, Zero Trust, and AI from someone who does the work.
Hands-on courses on Microsoft Foundry agents, Zero Trust for AI systems, attack anatomy, and identity. Recorded sessions and full archive on the speaking & training page.
Lessons from building real systems, written down.
Confidential computing on Azure applied through a Zero Trust lens. For architects and engineers building on Azure.
View on Amazon
Building applications across Windows Azure and Office 365. Cloud development patterns for the Microsoft ecosystem.
View on Amazon
The official Microsoft Press exam reference for SC-300. Identity and access management across Azure AD, hybrid environments, and Microsoft 365.
View on Amazon
Posts from practice, not theory.
Final article in the five-part series on running Microsoft Entra Agent ID against third-party clouds. Closes the loop with the variants and failure modes that consume the same operational budget as the federated pattern without delivering its security properties, and ends with the takeaways worth pinning to the team wiki.
Fourth article in the five-part series on running Microsoft Entra Agent ID against third-party clouds. Opens up the Federated Identity Credential as a first-class object: single-tenant, cross-tenant SaaS shape, and the orthogonal world of on-behalf-of (OBO) where the agent acts for a signed-in user.
Third article in the five-part series on running Microsoft Entra Agent ID against third-party clouds. Pins down what the UAMI actually is in this architecture, why SAMI breaks federation, the three distinct Entra objects (UAMI, Blueprint, Agent Identity) and the three claims (sub, azp, oid) they each populate, and the production trade-off between federating the UAMI or the Agent Identity to the cloud.
New writing, when it lands.