This is the show by and for DevSecOps practitioners who are trying to survive information overload, get through marketing nonsense, do right technology bets, help their organizations to deliver value and last but not the least to have some fun. Tune in for talks about technology, ways of working and news from DevSecOps.
We created this podcast because we realized that we were not the only ones to struggle with security on a daily basis. It is also difficult to find information without marketing content or a product pitch. We don’t intend to sell anything, now or later.
This show is not sponsored by any technology vendor and we are trying to be as unbiased as possible. We talk like no one is listening. For good or bad 😉.
As DevOps improved the collaboration between developers (dev) and operations (ops), DevSecOps includes security aspects into the development and operation of applications. It adds the dimension of security to a DevOps culture.
Enjoy the talks and feel free to participate.
Mark Shine, Pawel Piwosz, and Filipe Berti discuss why the default choice of AWS, Azure, or GCP is no longer automatic for every team. The conversation covers cost, managed services, open source, AI workloads, and what European cloud providers can offer instead.
What happens when AI can turn patches into exploits in hours? The hosts discuss with Ian Amit and Matias Madou why the 90-day disclosure window is breaking, what Mythos Preview changes, and why shipping vulnerable code is becoming more expensive.
Six years after the podcast first covered infrastructure as code, what still holds up and what does not? The hosts revisit IaC through a 2026 lens: platform teams shipping secure-by-default modules, stacks becoming standard, GitOps making more sense for Kubernetes, and AI raising new questions instead of removing old ones. It is a practical look at where infra tooling is heading and what teams should stop assuming.
What changed between episode 1 and episode 100, and what stayed surprisingly constant? The hosts revisit infrastructure as code, observability, incident response, secrets, compliance, and supply chain security through the lens of six years of conversations. It is part retrospective, part editorial reset for what the next 100 episodes should focus on.
Could AI handle the worst parts of incident response before you even join the call? Mattias and Paulina talk with Birol Yildiz about AI-written status updates, fast root cause analysis, and the path from read-only help to autonomous fixes. They also explore why post-mortems and documentation may be some of the best places to start.
Andrey shares the thinking behind Boris and the idea of going beyond AI SRE. The conversation covers the DevOps talent shortage, the coming squeeze on AI costs, why repeatable operational tasks are a strong fit for agents, and why customer data should stay in the customer’s own AWS account.
March 2026 made supply chain attacks feel a lot less theoretical, but what made these incidents different? The hosts discuss compromised publishing credentials, automatic execution hooks like post-install scripts and Python .pth files, and how both humans and security tools caught the malicious releases. They also talk through concrete ways to make developer environments harder to abuse.
This episode with Joachim Hill-Grannec asks: How do platforms bloat, and how do you keep them simple and fast with trunk-based dev and small batches? Which metrics prove it works—cycle time, uptime, or developer experience? Can security act as a partner that speeds delivery instead of a gate?
Is your Kubernetes stack bloated, slow, and hard to explain? Steve Wade shares simple checks—the hiring treadmill, onboarding time, and the acronym test—to spot platform theater fast. What would a 30-day deletion sprint cut, save, and secure?
We bring Paul Stack back to cover the parts we skipped last time. What changed when the models got better and we moved from one-shot Gen AI to agentic, human-in-the-loop work? How do plan mode and tight prompts stop AI from going rogue? Want to hear how six branches, git worktrees, and a TypeScript CLI came together?