Blueprints: Example Vulnerability Management Tooling Architecture From Reactive to Optimised
The technology stack at each of the four VM maturity levels: what to deploy, what it integrates with, and what compliance evidence it produces as a natural consequence of the tooling decisions, not as a selection criterion.
Christopher Clarkson
May 12 · 11 min read
The CI/CD Pipeline Is the Attack Surface
Adding a SAST scanner to your CI/CD pipeline is not the same as securing it. Three documented incidents from the past 13 months — tj-actions, Trivy, and Axios — show how the pipeline execution layer, dependency installation, and runner credentials are all being targeted at scale. Episode 9 builds the threat model your shift-left programme is missing.
Christopher Clarkson
Apr 7 · 12 min read
