NIS2 Technical Readiness Checklist

Scope: A technical self-assessment for entities in scope of the NIS2 Directive (Directive (EU) 2022/2555). Each item is a thing a sysadmin can verify on a host now — a command output, a config flag, a file’s contents, an external scan result — not a policy approval or a named role. This is the box-level companion to nis2-infrastructure. That guide explains why each Article 21(2) measure matters and how to implement it; this checklist is the “is it actually configured?” layer. ...

8 min

Agentic AI Deployment Readiness Checklist

Scope: Applies to any agentic AI system being deployed in a security operations context — vulnerability triage, log analysis, alert enrichment, ticket routing, control monitoring — where the system can take or recommend actions that have real consequences. This is a design-review checklist, not a hardening checklist. The items below ask “have you decided?”, “is it documented?”, “does it pass the test?” — not “what is the output of this command?”. Work top-to-bottom. Items reference the two long-form pieces in the ai-security series for the reasoning behind each control; this checklist is the “have I done it” layer. ...

6 min

Building Agentic AI for Security: Architecture, Threat Modelling, and the Audit Trail You Will Actually Need

The first article in this series covered the strategic and governance considerations for deploying agentic AI in a security context — control postures, the human-in-loop vs on-loop distinction, and the compliance position. If you have not read it, I would suggest starting there. This article is for the architects and engineers who now need to build the system. I will cover reference architecture, how to threat model an agentic pipeline, practical prompt-injection defences, and what your audit trail needs to look like if it is going to hold up under scrutiny. ...

12 min

tls-audit

What this script does: tls-audit runs a read-only audit against a deployed HTTPS endpoint and reports on each item from the Nginx TLS 2026 guide and the nginx-tls config generator:

- Protocol support — TLS 1.0 and 1.1 should be rejected; TLS 1.2 and 1.3 should be accepted.
- Certificate — covers the hostname, not expired (and not expiring in the next 21 days), modern key algorithm, complete chain with at least one intermediate, not self-signed.
- OCSP stapling — the server should be stapling an OCSP response.
- HSTS — Strict-Transport-Security header present, max-age of at least one year, includeSubDomains directive set, preload flagged if present (informational, not a recommendation).
- Security headers — X-Content-Type-Options: nosniff and Referrer-Policy present; a Server header that leaks a version number is flagged.

It uses only openssl s_client, curl, and standard text tools — no external scanner like testssl.sh required. Designed to run from a machine other than the host being audited, with no privilege. ...

9 min

redis-check

What this script does: redis-check is a read-only Bash + redis-cli script that reports on each recommendation from the Redis hardening guide:

- Network exposure (bind, protected-mode)
- Authentication (default user state, any ACL user with nopass)
- Dangerous-command accessibility (FLUSHALL, FLUSHDB, DEBUG, CONFIG, SHUTDOWN)
- TLS (tls-port vs cleartext port)
- Resource limits (maxmemory, maxmemory-policy, timeout)
- Persistence (appendonly)

It uses only PING, INFO, CONFIG GET, ACL LIST, and COMMAND DOCS — no writes. If CONFIG has been renamed or disabled (recommended in the guide), the affected checks are skipped with a WARN rather than failing the whole run. ...

7 min

postgres-audit

What this script does: postgres-audit is a read-only Bash + psql script that reports on each recommendation from the PostgreSQL hardening guide:

- Network exposure (listen_addresses)
- Authentication: password_encryption, pg_hba.conf entries (no trust, no md5, remote rules using hostssl)
- TLS (ssl, minimum protocol version)
- Logging defaults (log_connections, log_disconnections, log_hostname, log_statement)
- Roles and privileges (non-default SUPERUSER, PUBLIC schema CREATE)

It issues only SELECT and SHOW queries. Output is colourised in a terminal and plain text in a pipe, so it works cleanly under cron. ...

6 min