ISO 27001, SOC 2, GDPR compliance, penetration test reports — none of it answers the question that matters. Every CISO who signed a US cloud contract after June 2013 made a conscious choice. This is the record of what they were told.
OpenShift promises enterprise Kubernetes. What it delivers is a Ferrari with a mandatory chauffeur — IBM controls the keys, the route, and the bill. What CTOs need to know before they sign.
A data centre physically located in Sydney doesn’t guarantee data sovereignty. Under the US CLOUD Act, American authorities can compel AWS to produce data held anywhere in the world — including AWS Sydney.
A company spending $30,000+ a month on AWS paid off their bare-metal hardware in eight months. Five architectural consequences of owning the stack — and why no hyperscaler can match them.
$30,000 a month on AWS became $6,000 a month in a Tier 5 colocation facility — with ten times the capacity headroom. The three hidden costs of cloud, and the real numbers from a gaming company that left.
Microsoft embedded Claude into its Security Development Lifecycle instead of its own Copilot. That is not a partnership announcement. It is a verdict — and it tells you which AI to trust for security-critical deployments.
SolarWinds inserted 3,500 lines of inspectable code. A compromised AI model hides in a trillion parameters. We have no equivalent of a diff, no SBOM, and no pipeline integrity monitor — and the capability trap makes it more dangerous, not less.
Running Kimi K2.6 on sovereign infrastructure is not air-gapped security. The air-gap protects you from network exfiltration. It does not protect you from computation that manipulates outputs from inside the perimeter. Model provenance is the question nobody is asking.
80% of breaches in 2025 came from known risks. The definition of “known risks” just quietly expanded — AI coding assistants, MCP servers, agentic frameworks, and Terraform state files storing API keys in plain text.
Cohere committed $20 billion to European sovereign AI infrastructure the same week France announced 2.5 million government workstations moving to Linux. Two stories nobody connected — and what they reveal about where the next decade of AI infrastructure is actually being decided.
For classified, regulated, and sovereign environments, public AI APIs are architecturally disqualified — not just risky. The full stack that replaces them: vLLM, open-weight models, pgvector, Go agentic layer, and a RAG pipeline that never leaves your boundary.
The most common objection to bare-metal is what happens when you need to scale faster than you can buy hardware. The answer is Cluster API, Karpenter, and a burst node pool that provisions in minutes and scales to zero when the pressure passes.
Two anonymised case studies: a defence systems integrator whose air-gapped cluster is now also its sovereign AI platform, and a gaming company that cut its AWS bill by 81% and recovered hardware costs in eight months.
Vanilla Kubernetes on cloud VMs is not a radical move. It removes the managed services toll booth between you and the Linux infrastructure the cloud already is — and makes self-hosting PostgreSQL, Redis, and Kafka straightforward and reversible.
RDS runs PostgreSQL on a VM very similar to yours and charges three to five times the underlying compute. The tax is not small — and it was designed that way. Managed services are the highest-margin products in the cloud portfolio.
Written for the person who looks at the cloud bill every month, asks a question, receives an answer full of technical language, and walks away less certain. The managed services premium does not appear as a line item. Here is how to find it.
PostgreSQL 17 with CloudNativePG replaces your document store, work queue, full-text search engine, and vector database. A benchmark-backed case for consolidation — and an honest list of the workloads where Postgres loses and you should keep Redis, ClickHouse, or a graph database.
The redundant capacity every production bare-metal cluster carries for HA is not waste — it is optionality. Run sandboxes, internal tools, experiments, and free tiers at near-zero marginal cost.
Traditional air-gapped systems are absolute: no network in, no network out. The egress air gap model is a practical middle ground that is defensible and operational.
EBS is a network block device. Every IO your application makes travels across a network and comes back. That round trip is the spinner your users are watching.
Every LLM is a mathematical distillation of data. Every interaction your company sends to a third-party AI is a potential training signal — gifted, often for free.
The breach is rarely the intrusion. The breach is the exfiltration. And exfiltration requires egress. Most organisations are running without enforced egress controls.
Open source runs the world. You inherited it from strangers on the internet, and you ship it to production every day. The mitigation is ownership, not paranoia.