Case study · CTO

GovCon Enclave

A turnkey enclave platform that gave small defense contractors a CMMC-ready environment for protecting CUI, without enterprise budgets or an in-house security org.

CTO and first technical leader: product, architecture, compliance, and the teams that ran it
2021 - 2026
Acquired by BOOST LLC in 2026; continues as the Secure Enclave Platform

Concept to acquisition

5 yrs

CTO from the first commit in 2021 through the 2026 acquisition

Enclave deployment

2 wks → 2 hrs

Automation framework replaced a two-week manual rollout

Production enclaves

50+

Supporting hundreds of users, operated by a deliberately small team

CMMC Level 2

110 / 110

Perfect C3PAO assessment scores with zero POA&Ms, for the platform (Dec 2025) and its first customer (May 2026)

Infrastructure as code · Kubernetes · Cloud-agnostic (Azure) · Fleet-wide SIEM · Hardened Linux

The problem

Small defense contractors handle Controlled Unclassified Information, and CMMC was turning that responsibility into an audited requirement. The companies that most needed a compliant environment were exactly the ones that could not afford the enterprise answer: a security team, a compliance staff, and a six-figure infrastructure project before the first contract deliverable.

GovCon Enclave was Rimstorm's answer: a turnkey enclave where the security architecture, monitoring, and compliance posture come with the platform, so a small contractor gets an environment for protecting CUI without building a security org first.

My role

I joined Rimstorm as Chief Technology Officer and first technical leader, and I owned GovCon Enclave from concept through acquisition. That meant the product and the architecture, but also everything a founding technical executive owns: hiring, training, compliance strategy, and the operating model that let a small company run a growing fleet of production environments. Where the Mistborn case study is about what I build alone, this one is about what I build through teams.

Product strategy · Platform architecture · Compliance strategy · Hiring & training · Team leadership · Automation engineering · Operations · Assessment readiness

What I built

A security platform for protecting CUI: infrastructure as code end to end, Kubernetes, a fleet-wide SIEM, and hardened Linux. The defining property is not any single component, and it is not the cloud it runs on: it is that every enclave is deployed, configured, and kept healthy by code. The automation framework I built took enclave deployment from a two-week manual project to a two-hour operation, which changed what the company could promise and what a small team could operate.

That framework is cloud-agnostic by design. The infrastructure layer is kept separate from the platform above it, and we built and ran early enclaves on AWS and Oracle Cloud before standardizing on Azure as the most straightforward path for our first customers. Settling on one provider to start was a practical choice rather than lock-in: because the cloud layer is isolated, the platform could extend to another FedRAMP High cloud without reworking everything above it.

The platform carried Rimstorm through its first independent C3PAO assessment for CMMC Level 2 in December 2025 with a perfect 110 score and zero POA&Ms, scaled to more than fifty production enclaves supporting hundreds of users, and became the core IP behind the company's 2026 acquisition by BOOST LLC, where it continues as the Secure Enclave Platform.

The physical segment

GovCon Enclave started as a cloud environment with virtual desktops. But a compliant platform is only as good as its weakest entry point, and some users need a real, physical machine on a desk rather than a virtual one. The question was whether physical hardware would be an exception to the security model or a part of it.

The answer was an appliance I designed and built that brings a physical workspace inside the enclave's boundary. A physical desktop reaches enclave resources under the same enforced access rules and the same security monitoring as a virtual one, with each client's identity preserved end to end so none of the policy model has to change. A separate management plane, independent of the data path, keeps the appliance reachable and recoverable on its own. The result is that the compliance posture the platform proves in assessment is the same whether the desktop is in the cloud or on a desk: the boundary follows the user, not the hosting model.

Building the teams

The platform was half the job. The other half was building the organization around it: I built up Rimstorm's engineering, development, and maintenance teams, and I kept them deliberately small. The bet was that a few people with deep context and serious automation beat a large roster doing manual work, and the numbers bore it out: deployment effort fell by two orders of magnitude while the enclave count grew past fifty.

Leading them, I worked the way I have led teams since 2015: an open door, candor about what is going well and what is not, credit shared and failures owned by me, and no tolerance for internal competition. Knowledge and judgment carried more authority than titles. People were trained into ownership, not just assigned tasks, so the day-to-day did not route through the CTO. The full philosophy, and where it comes from, is in the leadership essay.

Hard decisions

Five calls that defined the platform and the company's trajectory. Each one was a leadership decision before it was a technical one.

Decision 01

Automation over headcount

Context: Every new enclave began as a two-week manual rollout. The obvious fix was to hire more delivery engineers and keep rolling.
Decision: Spend the engineering budget on an automation framework instead. Treat every enclave as code, and keep investing until deployment was a repeatable two-hour operation.
Trade-off: Months of platform investment with little customer-visible progress, while a deliberately small team absorbed the rollout load by hand.
Outcome: Deployment fell from 2 weeks to 2 hours, and the same small team scaled the platform to 50+ production enclaves supporting hundreds of users. Headcount did not grow in lockstep with customers, and that leverage became the operating model.

Decision 02

Compliance as architecture, not paperwork

Context: CMMC was still taking shape while we built. The path of least resistance was to ship features first and bolt compliance documentation on afterward.
Decision: Translate the evolving requirements into the platform itself: every control we could enforce became an auditable platform behavior (security monitoring, OS-level enforcement, configuration management) rather than a paragraph in a policy binder.
Trade-off: Slower early feature velocity, and a recurring argument with the roadmap every time a control was cheaper to document than to enforce.
Outcome: GovCon Enclave passed its first independent C3PAO assessment for CMMC Level 2 in December 2025 with a perfect 110 score and zero POA&Ms. In May 2026 the first customer enclave repeated the result, also 110 with zero POA&Ms: the compliance model is a product, not a one-off.

Decision 03

Build maintainers, not just developers

Context: A platform run by a small company fails on operations before it fails on features. The classic answer is to hire senior specialists for every function.
Decision: Build three small teams (engineering, development, and maintenance), hire for trainability, and invest my own time in runbooks, mentoring, and teaching people to operate the product day to day.
Trade-off: Training time came directly out of the CTO calendar, and the early teams moved slower than a senior-heavy roster would have.
Outcome: Teams that owned their lanes and kept 50+ production environments healthy without me in the critical path of every incident. The pattern came from training junior engineers on my first product team in 2015, and it held at company scale.

Decision 04

One product, not a consultancy

Context: Every customer environment invited bespoke work, and custom engagements are the easy yes for a small company trying to grow.
Decision: Hold the line on one product and one codebase. Customer needs became platform features that every enclave inherited, not forks that someone would have to maintain forever.
Trade-off: Saying no to paying customization requests, and harder sales conversations in the short term.
Outcome: An internal platform grew into the core IP behind Rimstorm's 2026 acquisition by BOOST LLC. A consultancy with fifty bespoke deployments would not have been acquirable.

Decision 05

Extend the boundary to physical hardware

Context: The platform secured a cloud environment with virtual desktops, but some users genuinely need a physical machine on a real desk. The easy answer is to declare physical endpoints out of scope, or let them reach the enclave over a side channel that escapes the controls.
Decision: Build a dedicated appliance that pulls the physical segment inside the compliance boundary: the same enforced access rules, the same security monitoring, and the same compliance posture that govern a virtual desktop, with each client's identity preserved end to end and an out-of-band management plane so the appliance is always recoverable.
Trade-off: Designing and maintaining a hardware-backed path, with its own provisioning and lifecycle, instead of writing physical desktops out of the threat model.
Outcome: The enclave's security model holds whether a desktop is virtual or physical. The boundary follows the user rather than the hosting model, so the compliance posture proven in assessment extends to physical workspaces without a separate exception.

Outcomes

  • Acquisition: GovCon Enclave became the core IP behind Rimstorm's 2026 acquisition by BOOST LLC, and I was named Chief Architect for the Secure Enclave Platform after the close.
  • Compliance proven independently: the platform's own C3PAO assessment for CMMC Level 2 (December 2025) and its first customer's (May 2026) both passed with perfect 110 scores and zero POA&Ms.
  • Scale without lockstep headcount: 50+ production enclaves supporting hundreds of users, operated by deliberately small teams.
  • Operational leverage: enclave deployment reduced from 2 weeks to 2 hours through the automation framework.

Lessons I carry forward

  • Automation is a leadership decision before it is a technical one: the hard part was holding the line on the investment while the team did rollouts by hand.
  • Compliance and architecture have to be one conversation. The moment they split into two meetings, the platform starts accruing paperwork debt.
  • Small teams scale on context, not process. People who understand why a control exists make the right call when the runbook runs out.
  • Train people into ownership early. The day-to-day only stopped routing through me because the teams were taught to run it, not just build it.

Thinking through a founding-engineer hire?

GovCon Enclave is what that role looks like when it works: design the product, build the platform, hire and train the teams, and hold the line on the decisions that make the whole thing acquirable. If you are working out a hire like that, I am glad to compare notes: what the role actually owns, what separates a founding engineer from a senior engineer with a new title, and how to tell the difference before the offer. I have been that hire, and I have made those hires.