Articles
Technical and strategic articles about sovereign AI in legal, public procurement, and document workflows. Each article passes through an editorial gate before publication.
Most recent
-
Network Intrusion Detection Without Deep Packet Inspection
Roughly 95% of HTTPS connections rode TLS 1.3 or QUIC by late 2025 (Cloudflare Radar Year in Review 2024), which means the signature-based IDS still pattern-matching payloads on your perimeter is scanning ciphertext i…
-
JANUS: because "we saw it happen" doesn't fix anything
A control layer between your team and any AI on the internet — it anonymizes or blocks sensitive data before it leaves the organization. Sits at the threshold, decides in real time, runs on the client's infrastructure.
-
Prompt Injection in SOC Copilots: Treat Logs as Adversarial Input
Your SIEM ingests 40 million events a day. An attacker controls a non-trivial slice of them — user agents, URL paths, DNS query labels, HTTP bodies. Now your LLM-based triage assistant reads those fields.
-
What's actually happening when an Agentic AI system does things for you?
The plain-English guide to AI agentic systems — no jargon, with a hotel analogy. Agents, orchestrators, containers and webhooks explained through concierges, housekeepers and doorbells.
-
BIMI: Verified Logo in Gmail/Yahoo Inbox — Brand Anti-Phishing
BIMI displays your official logo directly in Gmail, Yahoo, and Apple Mail inboxes. Requires DMARC enforcement and a VMC certificate, delivering significant anti-phishing UX.
-
Bug Bounty in Romania: When It Makes Sense and When It Doesn't
Bug bounty programs attract ethical hackers to find vulnerabilities for rewards. We analyze when it suits Romanian firms, compare it to traditional pentesting, and reveal real costs.
All articles by category
Compliance & Regulation (9)
AI Act · NIS2 · CRA · DORA · ISO 27001 · GDPR — articles for compliance officers and legal teams building audit-ready programmes.
-
EU Delays AI Act to 2027: What Compliance Teams Do Now
On 6 May 2026, EU institutions agreed the "Digital Omnibus on AI", a package that pushes the AI Act's high-risk obligations from August 2026 to December 2027 and product-related rules to August 2028 (European Comm…
-
EU AI Act — how to correctly classify your AI system: minimal, limited, high or unacceptable risk (practical decision tree)
Regulation (EU) 2024/1689: the four risk categories, classification decision tree, obligations per category, and 2025-2027 deadlines for providers and deployers.
-
Cyber Resilience Act (Regulation 2024/2847) — obligations for products with digital elements, vulnerability disclosure, SBOM and security updates
CRA for manufacturers, importers and distributors: the three product classes, substantive obligations, active vulnerability reporting, and the 11 Dec 2027 application deadline.
-
DORA Regulation 2022/2554 — the five pillars for banking, fintech and insurance (with implementation timeline)
Digital Operational Resilience Act: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. Checklist and 2025-2027 deadlines.
-
EU AI Act: obligations for companies fine-tuning LLMs
What the EU AI Act requires from companies fine-tuning LLMs on their own data: documentation, risk classification, obligations for high-risk systems.
-
ISO/IEC 27001:2022 — migrating from the 2013 edition with the 93 controls reorganised into 4 themes
ISO 27001:2013 → 2022 changes: from 114 to 93 controls, the 11 new controls, reorganisation into 4 themes, and a concrete migration path for already certified organisations.
-
Lexnomia vs OneTrust, TrustArc and Drata — why a US SaaS lock-in is not the answer for a 50-200 person EU company
Direct comparison between Lexnomia and US compliance platforms: real cost, sovereignty, evidence vs PDF, and why European SMBs pay twice for the same controls.
-
NIS2 implementation — operational checklist for essential and important entities (Directive 2022/2555)
Who falls under NIS2, the mandatory Articles 20-23, fines up to 10 million EUR or 2% of turnover, and what you must prove to the competent authority.
-
7 anti-patterns of self-serve compliance SaaS — and how we avoid them in Lexnomia
Free tier abuse, scope creep, PDF without evidence, dashboard theatre, AI hallucination — the classic anti-patterns of self-serve compliance platforms and the concrete fixes.
AI & RAG (12)
RAG · LLM routing · fine-tuning · citation grounding · anti-hallucination — for teams shipping reliable AI products on their own corpora.
-
When RAG Hurts: Malware Explanation as Signal Extraction
Three in four malware reports a junior analyst opens are noisier after retrieval than before. That is the awkward finding behind a recent empirical study on Retrieval-Augmented Generation for malware explanation, whic…
-
How we use A2A in practice at CAI Technology (and why MCP isn't enough)
MCP standardises tools, A2A standardises cooperation between agents. At CAI we run 12 Demeter agents coordinated through Iris over an MCP layer with 15 tools. Here's how and why, with concrete production examples.
-
Anti-hallucination for legal chatbots: 2.8M Romanian documents
How we removed hallucinations from a Romanian legal chatbot using a citation-grounding pipeline indexed over 2.8 million legislative documents.
-
BYO-LLM adapter pattern: how to avoid lock-in on a single model
Bring-Your-Own-LLM with minimal ~150-line adapters per provider. Why mono-LLM frameworks are rigid, how to drop to a uniform signature.
-
Citation grounding: implementing a 4-gate pipeline
A practical citation-grounding pipeline for legal and procurement RAG: retrieve, answer with citations, validate, return. Full pseudocode included.
-
Cost-aware LLM routing: how to cut 70% of the bill while keeping quality
Smart routing between a premium model for design, a mid model for work, and local models for polling. Pseudocode, decision tree and measured numbers.
-
Hybrid search: RRF vs Cohere Rerank vs cross-encoder
Practical comparison of Reciprocal Rank Fusion, Cohere Rerank, and BGE cross-encoder for hybrid search. Latency, quality, cost — when each one wins.
-
Multilingual RAG RO + EN: implementation pattern with BGE-M3
How to build a RAG that answers in Romanian over a mixed RO+EN corpus: cross-lingual retrieval, adaptive prompts, citation language match.
-
Observability of AI agents: what to monitor in production
AI agent dashboard: tokens consumed, latency p50/p95/p99, hallucination rate, tool-use success, audit-log completeness. A practical template.
-
RAG vs BM25 keyword search: when each is the right call
A CTO decision matrix: when fast, cheap BM25 keyword search beats hybrid RAG, and when investing in semantic RAG is justified.
-
RAG vs fine-tuning in 2026: a decision matrix with real costs
When RAG (large changing corpus, citation needed) and when fine-tuning (style consistency, low latency, narrow specific task). Real 2026 numbers.
-
Fine-tuning LLMs on Romanian corpora: real challenges
Why under 0.3% of frontier models contain Romanian, and how to do continued pretraining + SFT correctly on a legal and procurement corpus.
Cybersecurity & IT Audit (21)
SIEM · post-quantum · OIDC · hardening · incident analysis — operational cybersecurity, not just conceptual.
-
CAA Records: Prevent TLS Certificate Mis-issuance for Your Domain
Learn what CAA is, how attackers can obtain a valid TLS certificate for your domain in 30 seconds without it, and how to defend your infrastructure with a single DNS record.
-
CSP Configuration Guide 2026: Why 'unsafe-inline' Nullifies Security
CSP is the second XSS defense after input sanitization. Learn modern CSP setup (nonce + strict-dynamic) and why 'unsafe-inline' reduces protection to security theater.
-
DKIM: Proper Email Signing and Key Rotation Every 6-12 Months
DKIM cryptographically authenticates your emails. Use 2048-bit RSA or Ed25519, multiple selectors, and periodic rotation to limit damage in case of compromise.
-
DMARC: Ultimate Anti-Phishing & BEC Protection for Your Domain
DMARC stops BEC and phishing attacks impersonating your domain. Ramp correctly from p=none → quarantine → reject in 3-6 months, with continuous monitoring via RUA reports.
-
DNSSEC: Why It Matters in 2026 and How to Secure Your Domain
DNSSEC is a defense layer ignored by 70% of .ro domains. Learn what it is, how it works, the risks it mitigates, and concrete steps for registrar implementation.
-
HSTS: Enforced HTTPS & Preload List — Anti SSL Stripping in 2026
HSTS forces browsers to reject HTTP connections on your domain. With the HSTS Preload List, SSL Stripping attacks on public networks become impossible.
-
MTA-STS: Secure Email Channels Against Downgrade Attacks
MTA-STS enforces strict TLS on your SMTP and blocks downgrade attacks that expose email content to attackers. Configuration in 1 day, continuous monitoring.
-
NIS2 in Romania 2026: Deadlines, Obligations, Fines (Law 244/2024)
The NIS2 Directive is transposed in Romania via Law 244/2024. Discover applicable entities, compliance requirements, and actual fines (up to €10 million).
-
OWASP API Top 10:2025 — Complete Checklist for RESTful APIs
APIs differ from traditional web apps. The OWASP API Top 10:2025 lists the most critical risk categories and how to validate them.
-
PCI-DSS 4.0 for E-commerce: Key Changes and 2026 Readiness
PCI-DSS 4.0 is mandatory for all card processors. The 2025 full enforcement introduces 64 new requirements. Discover concrete steps for compliance.
-
Referrer-Policy: Prevent Data Leaks via the Referer Header
URLs containing tokens or PII automatically leak to external domains through the Referer header. A single header configuration resolves this vulnerability.
-
SPF Record: Strict Configuration (-all) for Email Anti-Spoofing
SPF is the foundation of email authentication. Learn how to configure a strict SPF (-all), manage the 10-lookup limit, and avoid errors that invalidate your policy.
-
WAF/CDN: First Line of Defense at $0 — Cloudflare Free vs. On-Prem ModSecurity
A WAF blocks 80% of automated attacks before reaching your server. Cloudflare Free offers basic coverage at no cost; ModSecurity + OWASP CRS for those requiring full control.
-
X-Content-Type-Options nosniff: Prevent MIME Sniffing in Web Apps
MIME sniffing allows browsers to misinterpret files, enabling XSS via uploads. A single HTTP header eliminates this attack vector.
-
X-Frame-Options & CSP frame-ancestors: 2026 Anti-Clickjacking
Clickjacking lets attackers turn user clicks into unauthorized actions. Two HTTP headers secure your application.
-
AI incident analysis with a local LLM: triage from 30 minutes to 30 seconds
SOC pipeline: alert → context from a similar-incidents DB → AI narrative → next-action proposed. How an open-source 30B-class LLM delivers quality triage without sending logs to the cloud.
-
Why a Romanian law firm cannot use Auth0 — and what we built instead
Schrems II plus the CLOUD Act make Auth0 and Okta a compliance problem for law firms handling attorney-client data. Here is the legal analysis and our sovereign alternative.
-
Graylog vs Splunk for 50-500 server SMBs: 3-year TCO and scaling pain points
Open-source vs commercial for a mid-sized estate. Concrete 3-year TCO numbers, scaling pain points, and vendor risk. The decision is not technical — it is about control.
-
From 10 vulnerabilities to 0 in 5 days: pre-production hardening of a legal platform
How we identified and fixed 10 vulnerabilities on Leta between v2.32 and v2.33: header forging, OAuth CSRF, CAPTCHA bypass, brute-force via XFF spoof, plus reusable patterns.
-
On-premise SIEM with a local LLM: AI incident analysis without breaking confidentiality
Datadog and Splunk are cloud SIEMs — your logs leave. For regulated entities, that is impossible. An open-source stack plus a local LLM delivers enterprise SIEM at a fraction of the cost.
-
SaaS SIEM vs on-premise TCO: 200 servers and 10k events/sec, 3-year numbers
Datadog, Splunk Cloud, Sentinel — or an open-source on-prem stack. For a 200-server estate producing 10k events/sec, the financial comparison over 3 years with hidden costs included.
Automation & Agents (9)
AI agents · MCP · approval-driven · multi-agent — patterns to take agentic automation into production.
-
Agentic AI Safety Lives in Topology, Not Model Weights
A frontier model passes every red-team eval, then fails in production the moment you wire three of its instances into a deliberation loop. That gap is not a training bug. It is a topology bug.
-
State-Constrained Dispatch Beats Zero-Shot Multi-Agent Routing
Multi-agent systems advertise emergent intelligence, then leak 30+ points of routing accuracy the moment a user types something the prompt never anticipated.
-
Demeter — Buy an AI agent that does your work, hosted in Romania
Demeter is the SaaS platform where you pick AI agents (email, contracts, invoices) from a catalog, and they work for you 24/7. Data on encrypted S3 in Romania.
-
Approval-driven automation: why yolo automation breaks production ops
The propose-then-act pattern with Telegram inline approval is the safest UX for ops automation. Three real case studies: backups, restart, DNS.
-
Claude Code CLI as agent runtime: a pattern instead of a custom framework
Use the claude CLI as a subprocess for an agent runtime — subscription pricing, native tools, prompt caching, model swap without re-engineering.
-
HG907 quotation engine without LLM: deterministic-legal precision
Why our HG907 quotation engine uses no LLM at all — Decimal precision, ROUND_HALF_UP, and 14 validation rules to guarantee an audit-pass result.
-
MCP server design patterns: how to design a robust Model Context Protocol
Tool naming, response format, error handling, idempotency and rate limiting — concrete patterns for an MCP server used in production by AI agents.
-
158 AI agents on a single SEAP bid: anatomy of a procurement pipeline
A SEAP bid is not solved with one big GPT prompt. Bid365 runs 158+ specialised agents across 6 systems with dual-pass QA and 11 HITL gates. Here is the architecture and why it matters.
-
Propose-then-act: the architecture of an AI agent for production ops
Why an AI agent that acts without asking is unacceptable in production, and how propose-then-act cuts costs by ~70% while preserving the audit trail.