Software Engineer · DevSecOps · ATO Lead

Work

Fifteen years of writing software, wrangling cloud infrastructure, and trying to make security compliance something teams actually do instead of something they dread. Most of that time has been in Ann Arbor, on DoD research and healthcare products.

These days I split time between backend architecture (Java/Spring, service meshes, PostgreSQL tuning), DevSecOps and compliance (NIST 800-53, RMF/ATO, STIGs, post-quantum crypto readiness), and cloud and IaC (Azure GovCloud, Oracle OCI, Terraform, and the hybrid layouts you end up with when the cloud cannot source the GPUs you need). I lead teams of 5-8 engineers, write the documentation people actually read, and care a lot about the gap between "we have a security policy" and "the security policy is real."

Have a look at the projects page or some of the writing. The blog posts run from work-relevant case studies (PostgreSQL tuning, SBOM scanning, STIG automation) to off-clock self-hosting and woodworking. The work-relevant ones are what they sound like. The off-clock ones say more about how I actually think about software.

Currently

  • Software Engineer IV / Tech Lead at SoarTech (an Accelint company)
  • Driving the STATS ATO through NIST 800-53 Rev 5 moderate baseline
  • Active SECRET clearance - open to roles that need it
  • Studying for CompTIA CySA+ (sitting June or July 2026)

What I Focus On

Backend & Architecture

Java/Spring Boot services with REST APIs, Spring Cloud Gateway at the edge, Spring Security with OIDC. PostgreSQL query and schema work. C++ and Qt on the simulator-plugin side, plus enough TypeScript to keep up on the cloud frontends. Cut Spring Boot cold-start time by ~70% on a real STATS workload with GraalVM native image, which made scale-to-zero practical.

DevSecOps

Established the company-wide GitLab CI standards: SonarQube, Fortify SAST, SBOM generation, Trivy and CoSign for container scanning and signing, automated DISA STIG checklist generation. Adoption now spans 4 of 6 active programs. The hard part was getting developers to use it before the ATO review, not after.

Cloud & IaC

Azure GovCloud, Oracle OCI, and AWS GovCloud, with hybrid layouts where the GPUs live in our CoLo because the cloud could not source H200s on the timeline we needed. OpenTofu and Terraform across the board, plus a couple of custom Go-based Terraform providers for internal services. Architected and maintain an internal RKE2 cluster on three Lambda Scale H200 servers with NVIDIA MIG partitioning and Istio for the service mesh; CUI-ready pending CMMC.

Security Compliance

NIST 800-53 Rev 5, RMF, ATO packages, eMASS, DISA STIGs, CCI mappings. Led the STATS ATO through the Rev 5 moderate baseline across a Navy/Army system boundary and pushed it through eMASS. Built browser-based NIST 800-53 / STIG / CCI correlation tooling now used by other programs. Conducted post-quantum crypto readiness assessments mapped to NIST PQC standards (FIPS 203/204/205).

Tools & Tech

  • Languages: Java, Python, C++, C#, TypeScript, Bash, PowerShell, Go (custom Terraform providers), Rust (learning)
  • Frameworks: Spring Boot, Spring Cloud Gateway, Spring Security, Flask, ASP.NET, Qt 5, JavaFX, Android
  • Cloud: Azure, Azure GovCloud, Oracle OCI, AWS GovCloud, Terraform, OpenTofu, Ansible
  • Containers: Docker, Podman, Kubernetes, RKE2, Istio, OPA, Keycloak, Trivy, CoSign
  • CI/CD: GitLab CI, GitOps (Flux), SonarQube, Fortify SAST, JMeter, Robot Framework, OpenSCAP
  • Compliance: NIST 800-53 r5, RMF, eMASS, DISA STIGs, CCI, FIPS 140-3
  • Data: PostgreSQL, MySQL, MariaDB, SQLite, MongoDB
  • AI/ML adjacent: GPU-accelerated inference on Kubernetes, whisper.cpp, Apache Jena ontology, SpaCy NLP

Work History

2018 - Present

Software Engineer IV / Tech Lead

SoarTech (an Accelint company) - Ann Arbor, MI

Lead teams of 5-8 engineers across multiple concurrent DoD-funded research programs. Established the company-wide DevSecOps standards and GitLab CI templates (SonarQube, Fortify, Trivy, CoSign, automated STIG checklist generation). Led the STATS ATO through the NIST 800-53 Rev 5 moderate baseline across a Navy/Army system boundary. Cut Spring Boot cold-start time by ~70% with GraalVM native image, which made scale-to-zero practical and reduced Azure cloud spend by ~30%. Maintain the internal shared infrastructure (GitLab, Sonatype Nexus, SonarQube) used across engineering teams.

2013 - 2018

Lead Developer / Project Manager

Eloquence Communications - Ann Arbor, MI

Primary engineer at an early-stage healthcare-IT startup (NIH Award R42MD006149). Built Java backend services, Android tablet and phone apps, and the bedside-hardware integration for the Eloquence ACS nurse-call platform. Designed the UDP call-routing protocol that FDA and UL validated as sufficient for a Class 2 medical device. Resolved a severe N+1 nested-subquery pattern in MySQL - query latency dropped ~90% after refactor. Led the AWS migration while maintaining on-prem deployments for hospital customers with regulatory constraints. Worked with the FDA on Class 2 medical-device design controls and with UL on bedside-tablet certification (fall, fluid spill, EMI, plus the standard 5-pound steel ball from 8 feet). Promoted to PM in 2016; led the team that shipped VidaTalk, recently spotted on The Pitt S2E8.

2012 - 2013

.NET Developer

Tele-Optics, Inc. - Kingsport, TN

Built a plasticizers sales-analytics tool used directly by sales and engineering when researching new product/market fit. Modernized legacy VB Classic and ASP Classic pages to ASP.NET, keeping browser compatibility for the shop-floor environments still in use. Maintained custom SharePoint plugins built in ASP.NET.

2010 - 2012

Graduate Assistant

East Tennessee State University - Johnson City, TN

Taught computer science and computer-literacy courses to incoming students. Three classes per semester, twenty students each. A lot of practice making technical material land for a non-technical audience - a skill that carried straight into ATO writing later.

2009 - 2010

Consultant

CGI Federal - Lebanon, VA

Maintained a Medicare Part D web application (JSP, Spring, IBM WebSphere) in a regulated federal environment with strict change-control and audit requirements. Migrated the platform from WebSphere 5 to WebSphere 6 and managed Subversion plus the deployment pipeline for a six-person team. First federal-space role, and the start of the path that eventually led back to DoD ATO work.

Education

B.S. Computer Science - Tennessee Technological University, 2008
Professional Scrum Master I (PSM I) · CompTIA CySA+ in progress (2026)