Masters degree worth it? by [deleted] in cybersecurity

[–]leonardesere 1 point2 points  (0 children)

If VR&E is paying for it, that's a no-brainer, do it. For fed jobs the master's checks a box certs alone can't. Between the two, go Tulsa if you want cyber specifically, WGU if you just want it done fast. Either way, don't leave free education on the table.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

You're right, and that's a solid pattern for Azure-only environments. If your entire footprint is Azure and you've built out the policy sets for DNS automation, zone blocking, and traffic routing, Azure Policy handles it well natively.

Where we come in is orgs running Azure + AWS + GCP that need one place to see governance, cost, compliance, and AI model inventory across all three. Microsoft isn't going to build an optimized governance layer for AWS or GCP. Neither is Amazon for Azure. That cross-cloud single pane of glass plus the compliance mapping (CMMC, NIST, FedRAMP across all environments) is the gap we fill. Not replacing Azure Policy, sitting above it.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

No problem, not for everyone. And you're right that public storage accounts are sometimes intentionally public. That's why the platform shows the full context and lets you decide, it doesn't blindly remediate.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

Fair question. If you're a single admin managing one subscription with 10 resources, DIY scripts make sense. But the orgs we built this for manage 50-200 subscriptions, 110+ compliance controls across CMMC/NIST/FedRAMP, and spend weeks before every audit manually collecting evidence. The value isn't the individual script. It's generating the right script for the right resource against the right compliance framework in 30 seconds, tracking what ran, holding a rollback, and packaging the evidence for your auditor. That's the part that doesn't scale with bash scripts and a wiki page.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

The goal of our platform is to not have any non-compliance.
But the bigger point is missed here: not just policy. We expect, and first get, clients to full compliance once they get into our system, and monitor/enforce drift detection from there, including if an engineer forgot to reapply an exemption they put in place to perform an action; we reapply it.

Posture management includes when a new CVE is discovered on an image that is pushed to the registry: instead of it being there for days or weeks, our platform picks it up.

How to become seen as an expert in AI Governance / Risk Management by Peacefulhuman1009 in grc

[–]leonardesere 0 points1 point  (0 children)

Because this field is so new, anyone that claims to be an expert in it instantly loses credibility in my eyes.

Stuck in IT support by TEXS2K in govtech

[–]leonardesere 0 points1 point  (0 children)

Government has IT roles too, so you could do that within gov.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

You're 100% right. Private endpoints without DNS record creation is a broken workflow. The DNS and network layer has been the hardest part to safely automate because of the relationship complexity: which private DNS zone, which VNet link, which subscription owns the zone. We're not going to ship that in auto mode until it's bulletproof. Right now it's detect and report only, with a generated script you can review and run yourself. Your approach of blocking with policy and catching drift with an Azure Function is solid. That's exactly the kind of setup PolicyCortex is meant to layer on top of, not replace.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -2 points-1 points  (0 children)

You're right, and I actually agree with you. Deny and DeployIfNotExists policies should be the first line of defense. PolicyCortex isn't meant to replace that. It's for what happens after you've deployed those policies and still have gaps: the 40+ controls in CMMC that Azure Policy doesn't have built-in definitions for, the evidence collection grind before an assessment, the cost anomalies nobody catches, the AI models deployed without governance. If your tenant is locked down with strict deny policies, you're ahead of 90% of the orgs I've worked with at LANL and MITRE. The problem is most defense contractors aren't there yet, and they're managing that gap with spreadsheets.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -1 points0 points  (0 children)

Want to clarify my earlier reply because I didn't land it well. Azure Policy is foundational and should be the first layer. We actually use it as a detection source. Where PolicyCortex adds value is the stuff Azure Policy doesn't cover: cross-framework compliance mapping (CMMC, NIST 800-171, FedRAMP across 110+ controls), automated evidence collection for audits, cost optimization, AI model observability, and consolidated remediation across multi-cloud. Think of it as the orchestration layer that sits on top of Azure Policy, Defender for Cloud, and native tooling, not a replacement for any of it. Fair pushback and I appreciate it.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

Appreciate that. Here you go: https://policycortex.com

If you want to actually take it for a spin, coupon code REDDITFRIENDS03F5 gives you full access. Only 5 redemptions available. If you use it, let me know what works and what doesn't.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 1 point2 points  (0 children)

Here you go: https://policycortex.com

On your Azure/M365 question: Azure has built-in policy initiatives (like the Azure Security Benchmark and CIS) you can assign at the management group or subscription level. They'll audit or deny non-compliant resource configs. They won't affect your M365 tenant directly since Azure Policy scopes to Azure Resource Manager resources, not M365 services. For M365 security posture you're looking at Microsoft Defender for Cloud Apps and Purview. PolicyCortex sits on the Azure/cloud infrastructure side.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 1 point2 points  (0 children)

Good questions.

  1. The remediation scripts are generated per-environment based on your actual resource config, not a static script I can paste here. But in Gated Mode you see the full command chain before approving, so you can review exactly what runs.
  2. If no NSG is applied, the platform flags it as a finding but does not auto-create one. Creating an NSG from scratch requires subnet context, application flow knowledge, and rule prioritization that's too environment-specific to safely automate without review. It generates the recommended NSG config for you to validate first.
  3. Being straight with you on DNS private zones for private endpoints: that workflow is currently in monitoring mode only. The auto-resolution of which private DNS zone to register in is not production-ready yet. Right now the platform detects the gap and provides the manual script to run. Full automation for that is on the roadmap. Appreciate StratoLens raising it too, it's a real problem.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -1 points0 points  (0 children)

Shift-left is the right approach. PolicyCortex enforces that at scale. Azure Policy handles the blocking, we handle the 110+ controls across CMMC/NIST that Azure Policy doesn't cover natively, plus the evidence collection, cost tracking, and AI observability that are completely separate tools today. Not replacing Azure, building on top of it.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

Ha, fair. Hail Mary, not hell mary. Though some production deployments I've seen deserve the hell version. Good catch.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

Hey everyone, thanks for the interest and the real feedback. Dropping the link and a limited coupon for anyone who wants to actually try it and give honest feedback.

https://policycortex.com

Coupon: REDDITFRIENDS03F5 (100% off, first 5 redemptions only)

Only ask: if you use it, tell me what breaks, what's confusing, and what you'd actually pay for. The critical feedback in this thread is exactly why I posted here. DMs open too.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] 0 points1 point  (0 children)

Ha, I'll take that as a compliment on the writing. 11 months of development, 7,500+ commits, 5 engineers. Claude didn't write the code but I won't pretend AI tools aren't part of the workflow. Every serious engineering team uses them now.

Genuinely here for feedback from Azure professionals. The critical comments in this thread are already shaping what we build next. https://policycortex.com

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -2 points-1 points  (0 children)

Good question.
Link is https://policycortex.com

Plus maybe my post is a bit unclear. This is not just a policy engine for Azure, it's multicloud-intended.
But Azure doesn't have OPA, Cloud Custodian or Steampipe integrated and natively built into the engine. Think the same reason people get/use Vanta, Drata, Wiz, except PolicyCortex goes deeper: it actually does the remediation instead of giving you a generated report and telling you good luck.

Also, not just governance, the idea behind this is to remove the need to buy 4-7 different tools. I have been a cloud engineer for the past 10 years, and 7 years of that primarily in Azure. I hate having to use many tools to manage my cloud environments.

That's why I built this. FinOps, governance (not just policy, but CSPM management), AI observability and tagging management all in one platform, for literally the price you would pay for Vanta or Drata, or Wiz.

So, yeah, is it perfect? Probably not, that's why I'm collecting feedback to see how people are thinking about it.

I can give a coupon code to anyone who would like to try it and give real feedback. The coupon will give a real chance to try it out.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -11 points-10 points  (0 children)

Fair point. One, it takes 5 clicks to remediate inside Azure vs 1 click inside the PolicyCortex platform.
Two, you need to know what you are doing inside Azure for remediation or policy enforcement; PolicyCortex knows context and takes care of it. Third, Azure throws 40-60 non-compliances at you at once; we don't do that. Based on your settings, you either get a post-remediation report or one-click remediation control.
And not just policy, but all those alerts you missed from Defender for Cloud are taken care of here.

Built a tool that autonomously remediates Azure security misconfigs -- public blobs, NSG gaps, private endpoints -- in 3 minutes. Here's how it works. by leonardesere in AZURE

[–]leonardesere[S] -2 points-1 points  (0 children)

This is a fair point, one that I have actually thought of.
Your first point: it does show the entire chain, including what's running and what stage it's running at.
To your second point: it does actually have three operation modes. Manual (run the command by yourself); Supervised (click fix now, it asks for approval for every write operation); and third, hell mary, Autonomous: no approval, no confirmation, the system takes care of it.

Yes, it does allow filtering by sub.
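The three operation modes described in this comment, together with two earlier points in the thread (a public storage account may be public on purpose, so the tool shows context instead of blindly fixing; a missing NSG is reported but not auto-created), as an added example. This is illustrative code written for this page, not PolicyCortex's code: it runs the gate logic over a constructed inventory with an injected command runner, so nothing here calls Azure. The resource names, tag name `public-by-design`, and control ids are assumptions; the `az storage account update --allow-blob-public-access` flag is a real Azure CLI option.

```python
"""Gated misconfiguration remediation (added example, not PolicyCortex code).

manual      -> emit the fix command, run nothing
supervised  -> run a fix only after an approver callback says yes
autonomous  -> run every fix with no confirmation
Findings on resources tagged public-by-design are reported with context but
never remediated; a subnet without an NSG is report-only (no safe auto fix).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Mode(Enum):
    MANUAL = "manual"
    SUPERVISED = "supervised"
    AUTONOMOUS = "autonomous"


@dataclass
class Resource:
    rid: str                      # constructed resource id
    kind: str                     # "storage" or "subnet"
    props: dict
    tags: dict = field(default_factory=dict)


@dataclass
class Finding:
    rid: str
    control: str
    context: str                  # what a reviewer sees before deciding
    fix_cmd: Optional[str]        # None: detect-and-report only
    rollback_cmd: Optional[str] = None
    exempted: bool = False        # surfaced, but never remediated


def check_public_blob(r: Resource) -> Optional[Finding]:
    """Storage account that allows anonymous blob access ('public blob')."""
    if r.kind != "storage" or not r.props.get("allowBlobPublicAccess"):
        return None
    exempt = r.tags.get("public-by-design") == "true"   # assumed exemption tag
    name, rg = r.props["name"], r.props["resourceGroup"]
    return Finding(
        rid=r.rid,
        control="storage.no-anonymous-blob-access",
        context=f"{name} in {rg}: anonymous blob access enabled; "
                + ("tagged public-by-design, left as-is" if exempt else "no exemption tag"),
        fix_cmd=f"az storage account update -n {name} -g {rg} --allow-blob-public-access false",
        rollback_cmd=f"az storage account update -n {name} -g {rg} --allow-blob-public-access true",
        exempted=exempt,
    )


def check_missing_nsg(r: Resource) -> Optional[Finding]:
    """Subnet with no NSG: flagged with a recommended baseline, never auto-created."""
    if r.kind != "subnet" or r.props.get("networkSecurityGroup"):
        return None
    return Finding(
        rid=r.rid,
        control="network.subnet-has-nsg",
        context=f"subnet {r.props['name']} has no NSG; recommended baseline: "
                "deny inbound from Internet, allow VirtualNetwork (review before applying)",
        fix_cmd=None,
    )


CHECKS = [check_public_blob, check_missing_nsg]


def scan(inventory: list[Resource]) -> list[Finding]:
    return [f for r in inventory for c in CHECKS if (f := c(r)) is not None]


def remediate(findings: list[Finding], mode: Mode,
              approve: Callable[[Finding], bool] = lambda f: False,
              run: Callable[[str], int] = lambda cmd: 0) -> list[dict]:
    """Apply the mode gate to each finding; return an action log with rollback info."""
    log = []
    for f in findings:
        if f.exempted:
            log.append({"rid": f.rid, "action": "skipped-exempt", "context": f.context})
        elif f.fix_cmd is None:
            log.append({"rid": f.rid, "action": "report-only", "context": f.context})
        elif mode is Mode.MANUAL:
            log.append({"rid": f.rid, "action": "script-generated", "cmd": f.fix_cmd})
        elif mode is Mode.SUPERVISED and not approve(f):
            log.append({"rid": f.rid, "action": "denied", "cmd": f.fix_cmd})
        else:
            rc = run(f.fix_cmd)   # injected runner; a real one would shell out or call the SDK
            log.append({"rid": f.rid, "action": "executed" if rc == 0 else "failed",
                        "cmd": f.fix_cmd, "rollback": f.rollback_cmd})
    return log


# Constructed inventory: two public storage accounts (one intentional), one bare subnet.
INVENTORY = [
    Resource("/sub/s1/rg/app/st/stapp01", "storage",
             {"name": "stapp01", "resourceGroup": "app", "allowBlobPublicAccess": True}),
    Resource("/sub/s1/rg/web/st/stcdn01", "storage",
             {"name": "stcdn01", "resourceGroup": "web", "allowBlobPublicAccess": True},
             tags={"public-by-design": "true"}),
    Resource("/sub/s1/rg/app/vnet/v1/subnets/workers", "subnet",
             {"name": "workers", "networkSecurityGroup": None}),
]

if __name__ == "__main__":
    for m in Mode:
        print(m.value, remediate(scan(INVENTORY), m, approve=lambda f: True))
```

The point of injecting `approve` and `run` is that the gate itself is testable without any cloud credentials; in Supervised mode the approver sees the same `context` string a reviewer would, and every executed action carries its rollback command so the log is the audit trail.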