Cloud Native Security: One Dev’s Journey Across 6 Countries

Most engineers treat cloud native security as a checklist — scan the image, sign the artifact, move on. Mohammad-Ali A’rabi, a Senior Backend Engineer at JobRad GmbH, has spent the last year arguing — loudly, across multiple continents — that there’s a much better way. Between May 2025 and May 2026, he published a book, co-founded a CNCF chapter, delivered 15 talks and workshops across 6 countries, and somehow found time to mentor the next generation of open source contributors through LFX and Google Summer of Code.

  • Cloud native security expert Mohammad-Ali A’rabi published a book, launched a CNCF chapter, and spoke across 6 countries in a single year.
  • His cloud native security book was nominated as a finalist for Best DevOps Book of the Year at the DevOps Dozen 2025 awards.
  • A’rabi created narrative-driven technical fiction — using 1865 folklore and fantasy monsters to make DevSecOps principles accessible to junior engineers.
  • The Docker Commandos workshop series has since traveled from Berlin to Utrecht, Zurich, and Cologne, with more dates confirmed for 2026.

From Docker Captain to Cloud Native Security Advocate

A’rabi’s infrastructure story started back in 2015, when he was a casual Docker user. By 2022, he’d been recognised as a Docker Captain and held a Snyk Ambassador role alongside his day job. But what’s changed recently isn’t his credentials — it’s the scope of his ambition. He’s now applying for the CNCF Ambassador program, which would make him one of a relatively small group of community leaders officially recognised by the Cloud Native Computing Foundation.

That evolution mirrors what’s happening across the industry. Containers don’t exist in isolation anymore. The conversation has shifted from “how do I run a container” to “how do I secure an entire supply chain of containers, images, attestations, and dependencies.” A’rabi has been riding that wave — and to his credit, helping to shape it.

Building a Cloud Native Security Community in Germany

In 2022, A’rabi founded the Docker Black Forest meetup in Freiburg, Germany, because he couldn’t find a local community worth joining. Three years later, that scrappy local group has grown into something considerably more substantial. He merged it with DevOps Meetup Freiburg to create Cloud Native Freiburg, now an official CNCF chapter, with DockBurg.com serving as the combined community hub.

The numbers tell a decent story. Docker Freiburg and Black Forest sits at around 400 members with 19 events and a 4.7/5 rating across roughly 50 reviews on Meetup.com. DevOps Meetup Freiburg has around 600 members, 25 events, and the same 4.7/5 rating. Since the CNCF chapter launched in April 2025, they’ve already run 10 in-person events with an average attendance of 20 people per session — not huge numbers, but consistent and high-quality.

Speaker lineups have included Docker Captains Lize Raes (Developer Advocate at Oracle), Timo Stark (Head of IT), and Jonas Scholz (Co-founder of Sliplane). These aren’t names pulled in for vanity — they’re practitioners with real war stories. That’s exactly the kind of programme that builds a community rather than just filling a calendar.

The Cloud Native Security Book That Almost Made DevOps Dozen

After nearly two years of writing and 170 git commits — yes, he tracked a book in git — A’rabi published Docker and Kubernetes Security in October 2025. It was nominated as a finalist for Best DevOps Book of the Year at the DevOps Dozen 2025 awards. He also launched DockerSecurity.io as a companion platform, publishing ongoing updates and making the first two chapters freely available.

The book itself is a direct response to a real problem: cloud native security documentation is often technically accurate but brutally dull. Policy frameworks, CVE advisories, and compliance checklists are written for auditors, not engineers. A’rabi clearly decided that wasn’t good enough.

He also served as a technical reviewer for Operational AI with Docker by Ajeet Singh Raina and Harsh Manvar, published in May 2026 — a book that sits squarely at the intersection of AI workloads and container infrastructure, which is arguably one of the most contested technical battlegrounds of 2025 and 2026.

When CVEs Become Monsters: Storytelling as a Security Tool

Here’s where A’rabi’s approach gets genuinely interesting. Recognising that security content causes what he describes as cognitive fatigue, he ran an experiment in December 2025: a 24-part advent series called Black Forest Shadows: Container Security Advent Series, published across DEV.to and Medium.

The conceit was bold. Set in 1865 Black Forest folklore, the series turned CVEs — Common Vulnerabilities and Exposures, the dry catalogued flaws that security teams track daily — into literal monsters threatening the realm. DevSecOps principles became plot mechanics. Junior engineers who might glaze over at a CVSS score found themselves actually reading.

That experiment evolved into a full publication: Black Forest Shadow: A Dark Fantasy Guide to Docker and Kubernetes Security, released on Friday the 13th of March 2026. The release date choice was obviously deliberate. It’s the kind of detail that signals someone who understands how to market technical content, not just write it.

15 Global Engagements and the Docker Commandos

The storytelling didn’t stay on the page. A’rabi built a cast of 10 fictional characters — the Black Forest Commandos — each representing a different cloud native security tool or Docker command. Think of them as a security-themed superhero team, where each character embodies a specific technical concept:

  • Gord — Docker Init
  • Rothütle — Docker SBOM
  • Jack — Docker Scout
  • The Valkyrie — SBOM Attestations
  • Artemisia — Docker Hardened Images
  • Mina — VEX Exemptions
  • RuinTan — VEX Attestations
  • Captain Ahab — Docker Bake
  • Evie — Cosign
  • Agent Null — Zero-Day Defense

These characters have now appeared at conferences across Europe. At PlatformCon 2025, A’rabi delivered a talk on Docker Scout, Trivy, Cosign, SBOM attestations, and Docker Bake. At the WeAreDevelopers World Congress in Berlin in October 2025, the workshop version attracted 40 attendees — with another 100 reportedly waiting outside the room to get in. That kind of overflow is a real signal in the conference world. It means the session was well-promoted, the topic was timely, and the format worked.

At Jfokus 2026 in Stockholm — a Viking-themed Java conference — he adapted the Commandos narrative to fit the setting, placing them in Asgard defending against CVE monsters. It’s a smart move: the core technical content stays consistent, but the framing shifts to match the audience’s cultural context. The same week, he published a companion piece in JAVAPRO magazine introducing each Commando persona in detail.

Rabobank and Docker, Inc. then jointly invited him to run a workshop at an internal conference in Utrecht, Netherlands, where 50 attendees worked through the Commandos material. The workshop has since appeared at JCON Europe 2026 in Cologne and DevOpsDays Zurich in May 2026. EnterJS in Mannheim is next, where A’rabi will pivot to NPM supply chain attacks — billed as “Defense Against the Dark Arts: NPM Attack.”

Why This Approach to Cloud Native Security Matters

The broader industry problem A’rabi is tackling is real and under-discussed. Cloud native security tooling has matured rapidly — Cosign, Sigstore, SBOM generation, VEX attestations, and image hardening are all increasingly accessible. But adoption lags badly, particularly in teams without a dedicated security function. The bottleneck isn’t tooling; it’s comprehension and culture.

Traditional security training bores people. Compliance documentation alienates developers. A’rabi’s bet — that narrative, character, and folklore can close that gap — is unorthodox, but the workshop attendance figures suggest it’s working. When 140 people fight to get into a Docker security workshop at a developer conference, something is landing correctly.

His CNCF Ambassador application, if successful, would give him a wider platform to scale that approach. The CNCF’s ambassador network operates in communities where cloud native security adoption decisions get made. Whether it’s persuading a mid-size engineering team to start signing their container images or convincing a conference programme committee that security talks don’t have to be dry — the ambassador role amplifies exactly the kind of work A’rabi has already been doing. The question now is whether the rest of the industry is ready to learn security through a story about a forest full of CVE monsters. Based on the crowds at his workshops, a lot of developers clearly are.

Source: https://dev.to/aerabi/my-cloud-native-journey-docker-kubernetes-security-and-open-source-5588

Wasiq Tariq