Enough With the Silence: A Return Post | Davy Hua | Cloud Security & Infrastructure Operations

I’ve been quiet online.

Not because I ran out of opinions.

Mostly because I’ve been doing the work: building infrastructure, hardening systems, and cleaning up the kind of problems that only show up at 3am.

What I’ve Been Doing

The past few years have been spent in the trenches. Running platform teams, navigating SOC 2 audits, and figuring out how to make cloud infrastructure actually work at scale. The unglamorous stuff that doesn’t make for good conference slides but keeps businesses running.

A few things I’ve learned:

Platform Engineering isn’t a rebranding exercise. Done right, it’s the difference between developers shipping daily and waiting weeks for infrastructure. Done wrong, it’s another layer of bureaucracy.
Compliance is evidence, not theater. Auditors don’t care about your documentation site if you can’t produce logs. Build systems that generate evidence as a side effect of normal operations.
Guardrails beat gates. Every approval process is a bottleneck. Every automated check is a force multiplier. The best security teams enable speed while reducing risk.
Your homelab teaches you things production can’t. Breaking your own stuff at 2 AM on a Saturday is still the fastest way to learn. Production failures are expensive; homelab failures are tuition.

What I’m Writing About

Going forward, I’m going to write more about:

Security operations and practical DevSecOps: guardrails > gates. Shifting security left isn’t about adding checkpoints; it’s about making the secure path the easy path. I’ll share what works and what doesn’t. I know a thing or two about this since I was the founding platform engineer for the company that bears the name of this movement! :)
Cloud infrastructure & operations: the unglamorous parts. The monitoring that actually catches issues. The runbooks that work when the primary is down. The cost optimization that doesn’t sacrifice reliability.
Compliance and audit readiness: evidence > theater. SOC 2, ISO 27001, HIPAA. The frameworks are boring; the implementation is where craft matters. How to pass audits without slowing down engineering.
Homelab tinkering: because breaking your own stuff is still the fastest way to learn. Kubernetes clusters on surplus hardware, network segmentation experiments, storage that shouldn’t work but does.
Local LLM experiments for operators: what’s useful vs what’s just hype. Running inference on-premise, cost math for GPU workloads, when local beats API. The AIops landscape is changing fast; not all of it is progress.

My Filter

I don’t have time for fluff, and neither do you. My filter is simple:

If it doesn’t reduce risk, reduce toil, or reduce time-to-recover… I’m probably not interested.

No tool recommendations without context. No best practices without caveats. No hype without skepticism.

The Format

Expect practical posts: specific problems, specific solutions, lessons from actual incidents. Some will be technical deep dives. Others will be frameworks for thinking about infrastructure problems. All will be grounded in experience, not theory.

If you’re into practical engineering, then follow along.