Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

How to Meet EU Cyber Resilience Act (CRA) Requirements

In March 2026, attackers from the TeamPCP group compromised Trivy (CVE-2026-33634) — a widely-deployed open-source vulnerability scanner running in thousands of CI/CD pipelines — and turned it into a credential harvester. SSH keys, Kubernetes secrets, cloud tokens — secrets accessible to any pipeline that ran a compromised version — were exposed. The attacker retained access long enough to exfiltrate newly rotated secrets before the window closed.

PostgreSQL: How to Control and Audit Agent Access with Identity

AI agents querying databases pose well-documented risks. What gets less attention is the fact that PostgreSQL has no native concept of an agent as a distinct actor. This means DBAs are managing access for something that appears in pg_stat_activity like any other role created with CREATE ROLE, with no distinguishing attributes and no indication of who or what initiated the connection. AI agents have no distinct identity when interacting with PostgreSQL.

Automating Identity and Access for FedRAMP 20x KSIs with Teleport

Cloud service providers preparing for FedRAMP 20x are encountering a fundamentally different authorization model than the one their compliance programs were built around. The traditional FedRAMP path produced lengthy System Security Plans, point-in-time assessments, and human-readable narrative evidence.

Your AI Agent Needs to Know Who You Are

When your AI agent calls an MCP tool, that tool has no idea who actually triggered the request. It sees the agent, not you. This post explains why that matters and how to fix it with Teleport JWTs. In part two of this post, we will explain how to extend this to AWS to carry your identity through Amazon Bedrock AgentCore all the way into CloudTrail.

Teleport Debuts Delegated Agentic Identity and LLM Proxy in Beams Public Beta, for Containing Agents in Production Infrastructure

Two foundational identity concepts - controlling the scope of agent roles and constraining what they can access - now have a production implementation in Beams, Teleport's trusted, ephemeral agent runtime.

How to Eliminate Shared Database Passwords: MySQL, PostgreSQL, and More

Traditionally, engineers have relied on shared database passwords. When someone needs to run a query, they either already have standing access granted via a static credential everyone on the team knows, or someone has to scramble to create a quick workaround. Every new user, exception rule, or port forward through a bastion host becomes a “just this once” fix.

What SPIFFE Answers for Workload Identity and What It Doesn't

On workload identity, a spec the industry has already started building around, and what the next layer looks like. I don't have a better answer than SPIFFE (Secure Production Identity Framework for Everyone) for workload identity, and that's where I want to start, because what follows is going to sound like I do.

Remote Access That Works Behind NAT, CGNAT, and Uncontrolled Firewalls

A device in your fleet encounters an issue. You try to SSH in only to discover that the IP changed overnight, the customer's firewall blocks inbound connections, and the VPN they set up six months ago stopped working when the device switched from Wi-Fi to cellular. The next several hours disappear into a Slack thread with the customer's IT team trying to get a port opened. Every engineer who has shipped hardware into a customer's environment has a version of this story.