DATAROSS · MANAGED INFRASTRUCTURE & COMPLIANCE ENGINEERING · FREDERICK, MD · EST. 2023

Infrastructure
that proves itself.

Proving every change.Auditing every command.Gating every privilege.Rehearsing every failure.Securing every layer.

CMMC Level 2 systems, governed automation, and a ledger entry for every single command. If we can’t prove it, we don’t claim it.

30-MINUTE CALL · PLAIN ANSWERS · NO OBLIGATION

0NIST 800-171 controls mapped & deployed3.1.1 → 3.14.7 · SSP + POA&M maintained
T1–T4Human-held authorization tiers on automationTOTP-resolved · 30-second codes · single-use
0%of commands audited — session, tier, timestampJSONL relay audit · fcntl-locked · session-tagged
0anonymous changes. Ever.every command carries a name · credentials vault-held
What we run

Six disciplines. One accountable operator.

Six disciplines. One accountable operator. Hover any tile for the specifics.

Managed Virtualization & Hybrid Cloud

Proxmox clusters on owned hardware, extended with cloud where it earns its keep.

  • Cluster design, live migration, HA & capacity planning
  • Snapshot & backup regimes with tested restores
  • DigitalOcean / Linode hybrid integration

Secure Networking

Encrypted overlays and least-privilege segmentation across mixed hardware generations.

  • WireGuard mesh & VPN architecture
  • Dell switch estates (OS6 / OS9 / OS10) & VLAN policy
  • RADIUS / SSO with per-tier privilege mapping

CMMC Level 2 / NIST 800-171

Compliance engineered into the systems — not stapled on as paperwork.

  • Gap assessment across all 110 controls
  • SSP & POA&M authorship, SPRS scoring support
  • GCC High migration & CUI enclave design

Out-of-Band & Fleet Management

The lights-out path, brought under managed control before the bad day.

  • iDRAC estate inventory, baselines & credential rotation
  • Firmware lifecycle across mixed generations
  • Console rescue paths & recovery runbooks

Automation & AI-Assisted Operations

Automation that answers to a human — nothing executes anonymously, ever.

  • TOTP-gated authorization tiers (read-only → architect)
  • Immutable session & command audit logs
  • Self-hosted models where data can't leave

Hosting, Monitoring & Continuity

The boring parts done relentlessly: certs renew, backups restore, alerts reach a human.

  • Hardened Nginx edge & certificate automation
  • PostgreSQL operations, Node / Python runtimes
  • Uptime monitoring with multi-channel alerting
Cause → effect

Same hardware. Different truth.

One switch. Watch what governance actually changes.

app-01no backups · config driftbackups verified nightly
db-01shared credentialstiered access · rotated
edge-01silent changesevery change announced
sw-core“who touched this?”named session, always
AUDIT TRAIL: ?reconstruction by memory · hours to answer “what changed?” AUDIT TRAIL: every command, timestamped, attributed“what changed?” answered in seconds — from the log, not from memory2026-07-02T16:33:26Z DR-2026-0702-003 T4 vm179 cp index.html index.html.bak-pre-v8-20260702123326 rc=02026-07-02T16:34:07Z DR-2026-0702-003 T4 vm179 md5sum index.html → 14d8d8346e6a800b47078ab12810597a rc=02026-07-02T16:34:19Z DR-2026-0702-003 T4 vm179 chown www-data:www-data index.html v8.html rc=0
“What changed last Tuesday?”Nobody knows. Somebody guesses.
“A bad change just shipped.”Rebuild it from scratch — and hope.
The platform

One path in.
One ledger out.

The reference architecture we run and deploy — five stops, no side doors.

EdgeCLOUDFLARE · TLS 1.3
ProxyONE INGRESS · API-ONLY
ClusterPROXMOX + CLOUD
ServicesDNS · MONITORING · DATA
LedgerEVERY COMMAND · IMMUTABLE
T1 · OBSERVERread-only diagnostics
T2 · OPERATORstandard changes, deployments
T3 · ENGINEERrestarts, fleet commands
T4 · ARCHITECTdestructive ops, credentials

Every command enters through a registered session, carries a human-held tier, and lands in the ledger — flip the switch above to see the difference it makes.

The standard

Ten words we’re prepared to prove.

Ten words, ten mechanisms. Flip any card.

01 / 10TRUTHhover / tap → the mechanism
THE MECHANISM

If we didn’t see the output, it didn’t happen. Every claim traces to a captured result.

02 / 10EVIDENCEhover / tap → the mechanism
THE MECHANISM

Session logs, checksums, timestamps — exportable on request, not anecdotal.

03 / 10PROOFhover / tap → the mechanism
THE MECHANISM

Deployments are verified byte-for-byte before they’re called done.

04 / 10HONESTYhover / tap → the mechanism
THE MECHANISM

We name our limits: no certifications we can’t issue, no uptime we can’t defend.

05 / 10RELIABILITYhover / tap → the mechanism
THE MECHANISM

Backup-before-modify is a standing rule, not a habit. Alerts page a human.

06 / 10CAPABILITYhover / tap → the mechanism
THE MECHANISM

Mixed-generation fleets, hybrid clouds, CUI enclaves — engineered, not improvised.

07 / 10CONSISTENCYhover / tap → the mechanism
THE MECHANISM

One process for every change. A DNS record and a firewall get the same rigor.

08 / 10ADAPTABILITYhover / tap → the mechanism
THE MECHANISM

OS6 → OS10, iDRAC7 → 9, on-prem → GCC High. We meet the estate where it is.

09 / 10SCALABILITYhover / tap → the mechanism
THE MECHANISM

Hosts multiply; the process doesn’t. One rail governs five nodes or five hundred.

10 / 10CONTINUITYhover / tap → the mechanism
THE MECHANISM

Every task records were / are / going. Nothing lives in one person’s head.

Scale without ceremony

Hosts under management: 12 — drag it.

Twelve hosts. One way to change them.

CONSTANT 1 process · 1 audit trail · 1 authorization gate
— regardless of fleet size —
Selected work

Recent engineering, anonymized where it should be.

Fleet operations · defense sector

Out-of-band rescue of a mixed-generation server estate

Dozens of iDRAC controllers across three hardware generations brought under inventory, managed credentials, and firmware baselines — including recovery paths for units whose management firmware predated modern tooling.

Network identity

RADIUS SSO across a mixed Dell switch estate

One identity source across OS6, OS9, and OS10 switch generations — with per-tier privilege mapping engineered around each platform's quirks, verified live on distribution and lab fabric.

Product · security engineering

Zero-knowledge file transfer

A public transfer tool where the relay mathematically cannot read the payload: ECDH key exchange between devices, AES-256-GCM end-to-end, and a human-verifiable image check that catches interception.

timedbox.app
Compliance · CUI workflows

GCC High collaboration migration

Planning and execution moving CUI-bearing email and file workflows into Microsoft GCC High — tenant architecture, cutover sequencing, and the NIST 800-171 mapping that makes the move defensible.

Compliance practice → guardnix.com
In production

The stack we operate — chosen for longevity, not fashion.

Every logo below runs in our production today.

Proxmox VEProxmox VEvirtualization
WireGuardWireGuardencrypted mesh
DebianDebianbase OS
CloudflareCloudflareedge & DNS
NginxNginxreverse proxy
iptablesiptableshost firewall
Dell EMCDell EMCswitching & OOB
DigitalOceanDigitalOceancloud nodes
LinodeLinodecloud nodes
DockerDockercontainers
Pi-holePi-holeDNS filtering
Uptime KumaUptime Kumamonitoring
OpenSSLOpenSSLcrypto tooling
Let's EncryptLet's Encryptcertificates
CMMC Level 2

Contracts touching CUI?

We treat CMMC Level 2 as an infrastructure project — because that’s what it is. A defensible self-assessment, an SPRS score you can stand behind, and systems where the controls actually live.

Start the gap assessment ↗
NIST SP 800-171SELF-ASSESSMENT · DEFENSIBLESPRSM365 GCC HIGH
No pitch deck. An operator.

Ready when
you are.

One call. Straight answers about your environment — sometimes the right answer is “change nothing.”

Book an assessment ↗ [email protected]
Book an assessment ↗
v9 · Jul 2026