The 10th edition of the Platform Engineering Amsterdam meetup — themed “This is FIN(e)TECH” — took place on a boat at Hannekes Boot, docked on the Amstel. A fitting theme for the venue: how does platform engineering hold up against the specific pressures FinTech puts on infrastructure — Kubernetes security, software supply-chain risk, resilience, compliance, and now AI moving into all of it at once?

Thanks to organizers Michaela, Darko Klincharski, and Rajesh Gunasekaran for pulling the community together again, and to Chainguard and Tarmac.io for hosting and sponsoring the evening.
Lars Lefebvre (ING): What I’ll Tell My Kids About K8s Security
Lars Lefebvre from ING opened with a genuinely different angle on a well-worn topic. Rather than another slide deck of CIS Benchmark checkboxes, he framed Kubernetes security as the story he’d want to pass on — what actually matters once you strip away the compliance theater.
The technical payload: an open-source tool built internally at ING to surface real-world cluster vulnerabilities, not theoretical misconfigurations. The distinction matters. A lot of Kubernetes security tooling flags everything that could theoretically be exploited; what a bank actually needs is a signal for what is exploitable in this cluster, with these workloads, today. Tooling built inside an institution that has to answer to regulators tends to be shaped by that constraint in useful ways.
Cassie Crossley (VulNow): Dark Matter Vulnerabilities
Cassie Crossley, CEO and Co-Founder of VulNow, presented “Dark Matter Vulnerabilities™: The Next Infrastructure Frontier” — a term for the class of software supply-chain risk that sits outside what a standard CVE feed will ever show you.
Three threads stood out:
- PreCVEs — vulnerabilities that exist and are exploitable before they are ever assigned a CVE identifier, meaning any program that gates remediation on CVE publication is working with a structural blind spot.
- Codebase integrity — the difference between “this dependency has no known CVEs” and “this dependency has not been tampered with,” which are not the same claim and get conflated constantly.
- The EU Cyber Resilience Act — upcoming requirements that will force vendors and integrators to demonstrate supply-chain due diligence in a way most current SBOM practices do not yet satisfy.
For platform teams, the practical implication is that supply-chain security programs built purely around CVE scanning are already behind where regulation is heading.
Django Beek (Chainguard): A Secure Platform for, and Against, AI

Django Beek from Chainguard closed the talks with “Towards a Secure Platform for, and against AI” — deliberately framed both ways, because platform teams are now solving two problems at once: how to support AI-powered development without slowing it down, and how to protect the platform from the new failure modes AI introduces.
The traditional open-source maintainer model — a small number of trusted humans reviewing every change — was never designed for a world where a meaningful share of contributions are AI-generated, at AI speed. Django’s argument was that platforms need to become the enforcement point: verified base images, provenance that survives an AI-assisted commit, and policy that does not depend on a human catching a subtle issue in a code review. This is the same direction Chainguard’s supply-chain security work has been pushing for a while, but the AI framing sharpens why it is urgent now rather than later.
Networking on the Amstel


The rest of the evening was BBQ, drinks on the dock, and the kind of hallway-track conversation that makes this community worth showing up to every time — comparing notes on Kubernetes security tooling, supply-chain compliance timelines, and how everyone’s platform team is actually handling AI-assisted development in practice, not just in theory.
Why FinTech Is the Right Lens for This
FinTech makes a good stress test for platform engineering precisely because it cannot cut corners on any of the topics covered: Kubernetes security has to hold up under audit, supply-chain provenance has to survive a regulator’s questions, and AI adoption has to happen without expanding the attack surface the compliance team already has to defend. What a bank’s platform team gets right under that pressure is usually worth stealing for any other industry.
About the Author
I am Luca Berton, AI and Cloud Advisor. I work at the intersection of platform engineering, cloud security, and enterprise AI deployments.

