Practical security insights and product updates from the team building safer, simpler key management for modern APIs.
Encrypting Terraform state doesn't solve the problem. It delays it. Every IAM key and database password in your tfstate is a long-lived credential waiting to be found. Here's what to do instead.
Real AI agent incidents share one root cause teams keep missing: credential architecture. Here's what those post-mortems get wrong every time.
Terminating an employee triggers an SSO deactivation and a laptop wipe. It rarely triggers a credential audit. Here's the gap that lets ex-employee API keys persist for months.
When AI agents go wrong, everyone blames the model. They're wrong. A forensic look at real incidents shows the same credential architecture failure, every time.
The Trivy action attack exfiltrated AWS keys, GitHub tokens, and SSH credentials from pinned pipelines. Pinning fixes one vector. Scoped, ephemeral secrets fix the problem.
Attackers hijacked 75 Trivy GitHub Action tags without finding a single vulnerability in your code. They targeted the secrets you left in CI env vars, and thousands of pipelines handed them over.
CNCERT flagged prompt injection in AI agents as a national security risk. The Telegram link preview exfiltration technique is real. Here's how a credential proxy makes it structurally impossible.
Run API Stronghold as a credential proxy for OpenClaw so agents never hold real API keys. Fake keys in, real credentials injected at the proxy, nothing reaches the LLM context window.
PII breaches get the headlines and the regulatory fines. Credential leaks get the access. Here's why an exposed API key is often more dangerous than leaked personal data, and what you can do about it.
Stop hardcoding API keys into MCP servers. Here's the register→scope→issue→validate→expire pattern with real endpoints platform engineers can deploy today.