Software Architect, Engineer & Leader
The first SaaS application in history to receive an Authority to Operate from the Department of Homeland Security — a cloud-native cyber range platform that cut provisioning time from hours to seconds and operational costs by over 75%.
The Cybersecurity and Infrastructure Security Agency is the national authority for protecting America’s critical infrastructure. Its people need to be trained on real threats — actual malware, real network attack patterns, industrial control system intrusions — in environments that are isolated, controlled, and reproducible. The existing solution made that task expensive, slow, and inflexible.
Before CVLE, CISA paid a third-party vendor approximately $50,000 per month to maintain a fixed pool of virtual machine environments. Every course shared the same rigid network topology — including Active Directory domain controllers and shared file servers that many courses had no use for. Spinning up a single student’s lab environment took two to four hours. Instructors had no self-service capability. CISA had no visibility into usage, cost, or performance. And the proprietary nature of the solution made extension or migration impossible.
The vendor was not solving the mission. They were holding it hostage.
The automated provisioning system eliminated approximately 90% of manual administrative tasks, allowing instructors to launch, modify, and terminate lab environments without DevOps involvement. The warm standby pool reduced effective wait time to zero for the most common case: when a course started and students arrived, their machines were already running.
The technical success translated directly into business impact. The platform became the primary differentiator that contributed to the firm being awarded a subsequent federal contract valued at over $100 million.
An Authority to Operate is the federal government’s rigorous certification that a software system meets the security, compliance, and operational standards required to run within a government agency’s environment. Without it, CVLE could not legally operate within DHS or deliver CISA courses to government personnel.
Authority to Operate — Department of Homeland Security / CISA
CVLE became the first Software-as-a-Service application to receive an ATO from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. This milestone was not incidental. It was the product of an exhaustive compliance and documentation process that Fred personally led, authoring all security documentation, system architecture diagrams, and compliance evidence required to satisfy DHS and CISA auditors.
The ATO set a precedent for how cloud-based SaaS platforms could be certified and operated within DHS and adjacent agencies — establishing a template that did not previously exist and cementing CVLE’s status as a trusted, mission-critical system for federal cybersecurity education.
The central design decision that made the entire platform possible: each student is a UUID. A single 32-character globally unique identifier drives the creation, naming, routing, and teardown of every infrastructure resource allocated to that student. The design is simple in principle and comprehensive in practice.
Each EC2 instance, security group, and Guacamole connection carries the student’s GUID in its name. NGINX configurations are dynamically updated to route requests to the correct backend instance. URLs are ephemeral and unbookmarkable — they cannot be spoofed, shared, or reused.
1. Browser access, no client software. A student opens a URL in any modern browser. No VPN, no remote desktop client, no pre-installed software required.
2. Authentication. The student authenticates through the Auth API. Their identity is resolved to a GUID that will track all resources for their session.
3. Resource check. The Management API checks whether pre-provisioned standby machines are available for the student’s GUID. If so, they are assigned immediately — the student is in their lab in seconds.
4. Dynamic provisioning (if needed). If no standby is available, the Range Processor — a custom Node.js CLI — polls the provisioning queue, assembles Terraform configuration files for the student’s GUID, and executes them. EC2 instances, security groups, and Guacamole connections are created in under 30 seconds.
5. Credential injection. Randomized login credentials are generated at provisioning time and injected directly into Apache Guacamole. They are never displayed to the student, never stored in the Student Dashboard, and never transmitted in plaintext.
6. Browser-based lab session. Apache Guacamole presents a full remote desktop in the student’s browser — RDP for Windows machines, SSH for Linux. Multiple instances per student appear as separate connections in the same browser tab. The student works in a completely isolated environment with no awareness of the infrastructure beneath it.
7. Teardown and cost recovery. After inactivity or course end, the system releases or terminates the student’s resources. Machines can be returned to the standby pool for immediate reuse by the next student. Running costs are tracked per allocation, to the minute.
The entire CVLE infrastructure is managed as code across 19 Terraform repositories and 2 Node.js application repositories. The platform is organized into four distinct infrastructure layers, each of which must be deployed before the layers below it can function.
The foundation layer establishes two parallel AWS Organizations — one Commercial, one GovCloud — along with IAM Identity Center (SSO), Service Control Policies (restricting all API calls to US regions), and per-developer sandbox account pairs. It is the foundation everything else stands on.
The central hub manages shared resources that all child environments depend on: ECR container registries, Route 53 DNS records (hosted in Commercial AWS because GovCloud cannot hold public zones), Bitbucket repository management, SSM Parameter Store configuration, and Terraform remote state. Every other layer reads configuration from here.
The Cyber Range Management System itself: 10 Node.js microservices running on ECS Fargate behind a three-tier Application Load Balancer structure. A Gateway ALB handles internet-facing traffic for student and admin dashboards. Private and Secure ALBs route between service tiers with no public exposure of sensitive services.
Nine independent course environments. Each is a completely self-contained infrastructure deployment: its own VPC with five subnet tiers (Gateway, Public, Private, Secure, Data), its own EC2 instance sets per student, its own Apache Guacamole remote-access gateway, and its own ALB. No VPC peering exists between ranges — each course is fully isolated from all others.
The legacy vendor system forced every course into the same rigid network topology regardless of whether it was appropriate. CVLE replaced that with nine independently deployed training ranges, each purpose-built for its course objectives. A Windows enterprise security course gets domain controllers and Exchange servers. A network defense course gets pfSense firewalls with dual NICs. An ICS security course gets Marketplace-sourced firewall appliances. The infrastructure matches the curriculum.
| Course | Subject | Key Technologies |
|---|---|---|
| SS205 | Windows Enterprise Security | Active Directory, Exchange Server, Windows workstations, PowerShell |
| SS209 | Range Analyst Network | pfSense dual-NIC firewalls (AWS Marketplace), Active Directory, Windows workstations |
| SS204 | ICS / Industrial Security | pfSense firewalls (Marketplace appliances), Linux/Windows workstations — industrial network perimeter simulation |
| SS213 | SOC Operations | Wazuh SIEM, WordPress, Microsoft 365 audit logs (AzureAD, DLP, General) — live M365 integration |
| SS210 | Remote Linux Ops with SIEM | Linux instances, Wazuh SIEM — log analysis and security monitoring |
| SS206 | DNS Security | Linux DNS servers, Windows DNS servers, PowerShell |
| SS208 | Information Operations | Linux instances |
| SS230 | Linux Operations | Linux instances (streamlined, without SIEM) |
| CDM | Continuous Diagnostics & Mitigation | Elasticsearch, Kibana — browser-based dashboard (unique: Nginx gateway, not Guacamole; 500GB EBS) |
Additionally, a static sites range hosts phishing awareness training: a “good” example site, a phishing example, and a DNS sinkhole page with a fixed static IP for live sinkhole demonstrations. All student machines are network-isolated at the security group level — including containment of actual malicious software when required for hands-on threat training.
CVLE was not incidentally secure. It was designed from the ground up for a federal agency whose mission is national cyber defense. Every architectural decision was made with the security requirements of DHS and CISA in mind.
CVLE was built for AWS GovCloud as the primary deployment target but was explicitly architected to run on Microsoft Azure Government and Google Cloud Platform as well. This was not a nice-to-have — it was a design constraint that shaped every technology decision.
Several AWS-native services — Step Functions, EventBridge, Config, Budgets — were used internally during development but deliberately excluded from the deployable product. The reason: many AWS services have no functional equivalent on Azure or GCP. Additionally, some agencies restrict advanced managed service usage due to compliance boundaries or procurement policies. The system was designed to be handed off to non-developers and operated by instructional staff with minimal cloud specialization.
Amazon S3 usage was abstracted behind an API layer so the storage backend could be swapped for Azure Blob Storage or Google Cloud Storage without changes to the application code. This level of portability requires real discipline — it means deliberately choosing the harder path at every decision point where a cloud-native shortcut exists.
Twenty-one repositories. A custom Range Processor CLI. A custom Moodle CI/CD pipeline. A multi-database backend spanning PostgreSQL, DocumentDB, DynamoDB, Redis, MySQL, and MongoDB Atlas. Ten microservices on ECS Fargate. Nine independent Terraform-managed course environments. All authored by a single principal engineer.