# Derek Fontaine, Staff DevSecOps Engineer at Meridian Payments — read of ConfigGuard, June 10 2026

> 11 years in platform and security engineering, currently the only person at a 280-person fintech who reads every Terraform PR before it merges.

## How I got here

Our incident response last month turned up a shell config in a repo that had been quietly doing something it had no business doing. Nobody wrote it maliciously -- a contractor copy-pasted from StackOverflow years ago. I've been half-assedly Googling "yaml code execution detection" and "config injection scanning" for three weeks. A Substack I follow for tool recs mentioned Wishdeal Factory in passing. I found this page from there.

## What I clicked first

The hero pulled me in: "Find the hidden code in your config files." That's exactly the problem I just had. Not generic. Not "secure your DevOps pipeline" -- it named the specific weird thing that bit me. Then I saw the specs table. GitHub Actions, GitLab CI, Jenkins, ArgoCD. YAML, JSON, HCL, shell. That's my stack. I scrolled down expecting a demo or a signup form.

## Where I paused

The specs table reads like real product documentation. I was genuinely reading it as if I were evaluating a live tool. Field/Value/Notes format, specific integration names. Then I hit: "Honest disclosure: we don't have live customers on this idea yet." I reread the whole top of the page. I had to piece together that this is not ConfigGuard the product. This is ConfigGuard the idea, being sold as a kit for someone else to go build. That realization took me about 45 seconds, and I've been on the internet for 30 years.

## What I distrusted

The spec table is the problem. It reads like you're describing a product that works right now. "Scans YAML, JSON, HCL, and shell configs for dangerous code execution patterns that break out at runtime" -- that's present tense, feature-complete language. But nothing on this page actually does any of that. When I got to "-$21,617 Year-1 take-home (Fermi)" I thought I misread it. That number is for the person who BUILDS this, not me, the person who has a config security problem and typed a search query. These audiences are completely different and the page is trying to serve both at once, and it serves neither cleanly.

The "1 in 11 meaningful-success odds" is kind of gutsy to publish. I respect that it's there. But it also made me think: if you're selling me a strategy kit for $5-$99 to build something with an 8% success rate and negative year-one income, that's a very specific kind of bet you're asking someone to take.

## What would convince me

If I'm the buyer of the TOOL: a working demo. A repo I can point it at. Even a CLI command that I can run against a public repo. "Scan Your Configs Free" appears twice but clicking it does... nothing useful that I can tell.

If I'm the buyer of the IDEA (the operator who would build this): a single real quote from a security engineer describing the exact incident that would have been prevented. Not a testimonial, not a stat, a story. "Our contractor pushed a Makefile with an eval loop in the CI stage and it silently exfiltrated ENV vars for 6 days before we caught it." That would tell me the problem is real and specific, and that someone with domain knowledge thought through the use case.

## What I'd ask in an email reply

1. The spec table describes exact behavior -- is any of this actually running, or is it a design spec? If it's running, can I run it against a private repo right now?

2. "Executable pattern detection" -- what's the underlying approach? Regex against AST? Semgrep rules? Static analysis? That answer will tell me if this is serious or pattern-matching theater.

3. Who wrote the detection logic? I want to know if a security researcher thought through edge cases or if this was generated from a list of known-bad patterns.

## Verdict: on-the-fence

The problem is real and the page names it correctly, which is more than most tools do. But I spent 90 seconds not knowing what I was actually looking at, and most people in my position would have bounced. If there is a working scanner behind this, the page is burying it.

---
*Memo by skeptic persona, generated 2026-06-10. Studio breaks own self-grading loop.*
