NIS2 entered force on 17 October 2024. Six months later, companies are in the trenches. I cover what has actually changed in operational security, what was paper theater, and where the directive still bites.
Cuando un LLM pasa de contestar texto a ejecutar herramientas, la superficie de ataque cambia de categoría. La inyección de prompts, la contaminación de memoria y el abuso de protocolos entre agentes son el nuevo OWASP Top 10.
Valkey 8.1 salió el 31 de marzo y marca el momento en que la alternativa comunitaria de Redis deja de ser experimento. Cuenta una migración real: qué cambió, qué se mantuvo igual, y dónde hubo sobresaltos.
Kubernetes 1.33 (Octarine) lands April 23. In-place pod resize moves to beta and ships on by default, sidecar containers finally reach GA, and several endpoint and security deprecations arrive that operators should review before upgrading from 1.32.
Después de años acumulando SBOMs, el cuello de botella es filtrar qué CVEs afectan de verdad. VEX aparece como la pieza que convierte el ruido en señal, y en 2025 empieza a tener adopción real en pipelines de supply chain.
Semgrep has grown into one of the most pragmatic static analyzers in the ecosystem. A look at why it works where other SAST tools fail, and how to fit it into a pipeline without turning it into noise.
Two years after Zero Trust stopped being a marketing word, it is worth looking at how it connects with the SIEM teams run day to day. A look at useful signals, avoidable noise, and the decisions that actually change security posture.
CodeQL lleva años siendo el motor de análisis estático de GitHub, pero su alcance real no siempre está claro. Balance de qué detecta bien, qué se le escapa y cómo conviene integrarlo en el flujo de revisión.
Nebula es una VPN peer-to-peer liberada por Slack en 2019 que ha ido madurando sin mucho ruido. Explico cómo funciona, cuándo tiene sentido frente a WireGuard o Tailscale, y qué aprendí desplegándola entre varios nodos.
Deno 2.0 salió en octubre de 2024 con una apuesta clara: compatibilidad seria con npm, pnpm, package.json y node_modules, manteniendo la identidad del runtime. Medio año después, miramos qué ha supuesto para proyectos reales y dónde sigue cojeando.
NIST published the final post-quantum cryptography standards in August 2024. Six months on, it is time to move from headline to plan: crypto inventory, crypto-agility, a realistic timeline, and the typical mistakes of teams jumping in now.
WASI 0.3, also known as preview 3, was ratified on June 11, 2026, adding native asynchronous concurrency to the WebAssembly component model through streams, futures, and async functions. It fixes old fragmentation across languages and runtimes, enables real composition between Wasm services, and paves the way for cooperative threads planned in upcoming 0.3.x releases.
Meta publicó Llama 3.2 con modelos tan pequeños como 1B y 3B, pensados específicamente para ejecutarse en dispositivos. Análisis de qué pueden hacer realmente y cómo se comparan con las alternativas.
Cloudflare Workers turned eight in 2025 without slowing down: it now ships D1 for databases, R2 for egress-free storage, Durable Objects for distributed state, and Workers AI for running models without managing GPUs. It remains the fastest option for edge logic; for large in-memory processes or strict global consistency, other platforms fit better.
Qualcomm, Intel and AMD Copilot+ processors have normalised the presence of an NPU in everyday PCs. A 40 TOPS NPU can run quantised Phi-3 Mini drawing just 5-10 W, versus 40-50 W for a laptop GPU doing the same task. What actually changes for running AI models locally, and when it is worth it.
M3 and M4 solidified the Apple Silicon advantage: unified memory up to 128 GB shared across CPU, GPU, and Neural Engine; 12 to 16 hours of real battery life; and a 38-TOPS Neural Engine that runs large language models directly on the laptop. The practical difference for developers is measurable.
Vector is the Datadog observability agent, written in Rust with its own transformation language VRL. Typically 30-100 MB memory, handling logs, metrics, and traces from dozens of sources. The right choice when pipelines are too complex for Fluent Bit and a modern alternative to Logstash.
Terraform 1.6, 1.7, 1.8 y 1.9 han traído import blocks, removed, ephemeral values, un framework de tests nativo y el preview de stacks. Mientras tanto, OpenTofu consolida su fork tras el cambio a BSL.
IEC 62443 is the international cybersecurity standard for industrial control systems (ICS) and OT networks. Its four series blocks define security zones and conduits, four protection levels (SL 1-4) and seven foundational requirements. NIS2 pressure is accelerating adoption across Europe. IT teams need to master it to coordinate network segmentation, monitoring and incident response with OT environments.
eBPF-based continuous profiling captures CPU flame graphs for every process on a Linux node around the clock, without instrumenting code or restarting services, at under 1% overhead. Parca covers the whole cluster, Beyla adds automatic HTTP/gRPC metrics and traces, and Pyroscope brings native per-language detail to the most critical services.
In August 2024, NIST published its first finalized post-quantum cryptography standards: FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a hash-based alternative. They replace RSA and ECDSA before a quantum computer can break them, and hybrid implementations are already live in Chrome and Cloudflare.
Industrial edge computing moves processing capacity from the centralised cloud to the plant floor, the machine, or the robotic cell. Local latency (10-50 ms) is critical for process control, machine vision, and safety systems: it is a physical limit that bandwidth alone cannot solve. OPC UA, K3s, and private 5G now form a proven production-ready stack.
Trivy and Grype have spent years competing to be the default container scanner. Trivy broadened its scope to IaC, Kubernetes, and Git repos in one binary; Grype specialised in SBOM precision and lower false-positive rates. After a year of intensive CI use with real images, here is a side-by-side breakdown of where each one wins.
Kubernetes 1.30, released in April 2024, brings ValidatingAdmissionPolicy to general availability, eliminating the need for external webhooks for CEL-based admission policies. It adds pod scheduling readiness to control when a pod enters the scheduling cycle, and job success policy to define which index combination counts as success in distributed indexed Jobs.
A badly configured Alertmanager turns every incident into noise: a single unrouted receiver ends with an ignored Slack channel within a week. This article covers, on Alertmanager 0.27 and Prometheus 2.54, how to design the routing tree, inhibition rules, silences and on-call rotations to curb alert fatigue without losing real incidents.
Docker Scout continuously scans container images against CVE databases including NVD and ecosystem-specific advisories, and recommends base-image changes to remove vulnerabilities. Built into Docker Desktop and Hub, it competes with Trivy, Grype and Snyk. Best fit for teams already running end-to-end on the Docker ecosystem.
Grafana Beyla is an eBPF agent that automatically instruments existing applications without touching their code: it observes kernel syscalls and generates OpenTelemetry traces and RED metrics for services written in Go, Java, Python, Node, and Rust. It gives broad, immediate coverage, but it does not replace the manual SDK for business metrics and internal logic.
Qualcomm Snapdragon X Elite is the first ARM chip to match Apple M3 performance in Windows laptops, with 22+ hours of battery life and a 45 TOPS NPU for on-device AI. Most software runs well via the Prism emulator, though it is not yet ready for anti-cheat gaming or specialized x86 workloads.
Cloudflare Workers is no longer an isolated edge function. In 2024, together with KV, D1, R2, and Durable Objects, it forms a complete platform that matches AWS on latency and drops egress fees, though it still falls short on long-running compute and the mature managed databases AWS offers.
Kubernetes 1.31 brings no fireworks, but it closes old debts: AppArmor reaches GA, native sidecars now run enabled by default on their way to stable in 1.33, and DRA moves through alpha toward beta. A practical review from the perspective of someone operating clusters in production.
OpenTelemetry declared logs signals stable in July 2024. The third pillar of modern observability finally joins metrics and traces under a single protocol and a shared data model.
CrowdSec installs on Debian or Ubuntu with an official script and the crowdsec package; you then enable the Traefik, WordPress and Gitea collections, configure acquisition to read the right logs, and add the Traefik bouncer as a middleware to block or captcha-challenge IPs flagged by the LAPI in real time.
OpenTofu reached GA in January 2024 as an open-source Terraform fork under MPL 2.0, with Linux Foundation governance. Six months later, it is a stable drop-in replacement: same configs, same state format, same CLI. Version 1.7 adds native state encryption, the first real technical edge over Terraform.
Rust joined Linux mainline in version 6.1 (2022), and by 6.9 (2024) it already ships experimental drivers, including Asahi's GPU driver for Apple Silicon. In C/C++ projects like Chromium, around 70 percent of serious security bugs are memory-safety bugs, the real reason kernel maintainers are debating whether to adopt it.
The NIS2 directive entered into force on October 17, 2024, but by mid-2026 only part of the member states have fully transposed it: Germany and the Netherlands closed their law, Spain and France remain in process under pressure from Brussels. Here is what already applies and how to prepare without panic.
WASI 0.2 reached GA in January 2024, bringing WebAssembly's Component Model into production: typed WIT interfaces that let Rust, Go, and JavaScript code compose without manual glue code. That shift makes edge functions with sub-1 ms cold start, secure plugins, and untrusted-code sandboxing viable today, though it does not replace containers for traditional apps.
Parca is a continuous profiling tool based on eBPF that samples CPU usage across an entire Kubernetes cluster around the clock, without instrumenting application code and with under 1% overhead. It catches performance regressions before production and makes flame graphs practical for everyday debugging.
Carbon-aware computing runs flexible workloads when grid electricity emits less CO2, cutting emissions 10-30% without changing infrastructure. Grid carbon intensity varies up to 16x by hour and region; tools like Electricity Maps, WattTime and the Carbon Aware SDK make that scheduling possible with real grid data.
Redis moved to dual SSPL/RSAL licensing in March 2024, no longer meeting the OSI open-source definition. Valkey emerged as a BSD 3-Clause fork backed by AWS, Google Cloud, Oracle, and the Linux Foundation, fully protocol-compatible with Redis 7.2. Migrating is almost always trivial: swap the binary or the Docker image.
cAdvisor is still embedded in kubelet and covers surface metrics, but falls short for production Kubernetes. The modern minimum stack pairs it with kube-state-metrics, node-exporter, Prometheus, and Grafana as a base, eBPF for deep network and syscall visibility, and OpenTelemetry for application context.
Llama 3 is the open-model family Meta released on April 18, 2024, in 8-billion and 70-billion-parameter sizes, trained on 15 trillion tokens. The 70B beat Claude Sonnet, Mistral Medium, and GPT-3.5 in Meta's own human evaluation, and its licence allows free commercial use up to 700 million monthly active users.
Chainguard Images are minimal Docker containers from the company behind Sigstore, with zero known CVEs, Cosign-signed SBOMs and daily rebuilds on top of Wolfi, its own glibc-based distribution. They pay off over official images when strict compliance, supply chain audits or sensitive production workloads are at stake.
In 2024 sustainable data centers move beyond PUE: liquid cooling becomes standard in AI GPU racks, carbon-aware workload scheduling is already practical with tools like the Carbon Aware SDK, and waste-heat reuse has real cases in Stockholm and Helsinki. The EU-wide energy efficiency directive already requires honest metrics instead of greenwashing.
Sigstore has become the standard signing layer for OCI artefacts. GHCR is the best-integrated registry; Harbor 2.5+ and Quay offer native support; AWS ECR pushes its own KMS scheme. Verification earns its keep at three points: the cluster admission controller, the GitOps layer, and the CI/CD pipeline. The public Rekor has rate limits that force self-hosting past a certain build volume.
A model trained in PyTorch or TensorFlow, running the same way on a server, a phone, a browser tab, or an ARM gateway on the factory floor: that is what ONNX Runtime solves. It turns the ONNX format into a genuinely portable artifact, exported once, at the cost of some peak performance versus a platform-native runtime.
Deno Deploy is the serverless-edge platform from the team that built Deno: native TypeScript without a transpile step, standard Web APIs, and global deployment to ~35 regions. Cold start runs ~50ms vs Cloudflare Workers (~5ms). Best for lightweight APIs and Fresh/Astro SSR; less ideal when your project needs the full Cloudflare infrastructure stack.
Loki indexes only labels, not log content, which cuts storage costs dramatically compared to Elasticsearch. The main production risk is cardinality explosion each unique label-value combination generates a stream that inflates the index and slows queries. Separating read and write paths ensures a heavy query cannot saturate ingestion.
Fastly Compute runs WebAssembly code on its ~70 global PoPs with a 35-microsecond cold start. Supports Rust, Go, and JavaScript compiled via Javy. Competes directly with Cloudflare Workers, with advantages for compute-intensive workloads and teams already on Fastly CDN, but at a higher entry cost.
5 min420
We use first- and third-party cookies to analyze site traffic. You can accept them, reject them, or configure your choice.
Learn more about cookies
Cookie preferences
NecessaryEssential for the site to work. Always on.
AnalyticsHelp us understand how the site is used (Google Analytics).