Selected work

Anonymized case studies from active engagements.

Client names are withheld and identifying details are generalized. Industries, stacks, scale, and outcomes are real. Longer-running relationships are marked as such — a few of these span years.

Case 01
Industrial IoT · SCADA on AWS

Multi-year engagement, sole AWS / infrastructure provider, non-technical CEO.

EC2 · RDS MySQL · ALB · ACM · Ignition · MQTT Sparkplug B

Cloud SCADA for an industrial waste-equipment manufacturer with cruise-ship telemetry

Initial AWS and Ignition Cloud Edition stand-up. Firewall split between 80/443 via ALB and engineering ports direct to the EC2 security group. Same-day recovery on a Cloudflare SSL incident and an ACM renewal failure — both on production telemetry from shipboard edge PLCs. In-place Ignition upgrade with gateway backup and tested rollback. Parallel next-major-version dev environment architected on a second EC2 sharing the existing RDS so production telemetry is never disturbed.

Scope: Build, operate, upgrade
Cadence: Hourly retainer, multi-year
Platform: Ignition Cloud Edition, Cirrus Link MQTT, Sparkplug B
Compliance: SOC 2 readiness in flight

Case 02
Logistics ISV · ISO-certified

Canadian region, 12 EC2 instances across two unpeered VPCs, recurring working sessions with a senior engineer and leadership presence.

Aurora MySQL · RDS Postgres · Lambda · GuardDuty · Security Hub · ClickUp

Cost discipline and compliance lift for an ISO-certified logistics platform

Realized roughly $2K/mo in recurring savings on a $9K/mo AWS budget through right-sizing, cross-region backup tuning, and retention window adjustments. Presented a 2026 infrastructure roadmap to management covering CI/CD, disaster recovery, staging, autoscaling, vulnerability remediation, SFTP IP whitelisting, monitoring, and a public status page. Rewrote the Security Hub → ticketing Lambda with SSM Parameter Store checkpointing, S3 finding cache, and a time-remaining guard. Supported an internal ISO audit to completion and stayed on for the external audit.

Scope: Cost, compliance, reliability
Cadence: Twice-weekly working sessions
Highlight: $2K/mo savings retained, not one-shot
Audit: ISO internal complete; external in flight

Case 03
Construction tech · Windows / .NET

Federated SSO via Google; Windows Server 2019 fleet; SQL Server; IIS with 22 sites.

CloudWatch · AWS Managed Grafana · CWAgent · log4net

Windows / .NET observability buildout with AWS Managed Grafana

Seven AWS Managed Grafana dashboards authored end-to-end covering Overview, Server Metrics, SQL Server, IIS, Web Traffic, App Logs, and a hub. Diagnosed and documented a Grafana 12.2.1 quirk where schemaVersion 39 silently breaks CloudWatch panels — rebuilt all dashboards in a minimal format. Brought the CloudWatch Agent from 100% CPU to 7.4% by scoping the IIS log glob from 9,300+ files down to specific sites, and configured Windows service auto-recovery for durability. Tuned twelve alarms with multi-datapoint thresholds.

Scope: Observability & remediation
CPU outcome: 100% → 7.4%
Dashboards: 7 end-to-end
Alarms: 12 tuned with multi-datapoint

Case 04
Legacy ERP · Windows EC2

Windows Server 2019 EC2 hosting Active Directory, Apache, MySQL, and a legacy ERP stack; AWS Backup for nightly snapshots.

SSM · AWS Backup · IAM audit · GuardDuty

SSM-driven modernization for a legacy Windows ERP environment

Attached the SSM role and instance profile to enable remote PowerShell via aws ssm send-command, replacing ad-hoc RDP for routine administration. Verified and documented the nightly AWS Backup chain. Delivered a written security audit identifying stale IAM users with 2017 and 2019 keys, absent GuardDuty, no VPC Flow Logs, missing MFA, and a globally open high port — with a prioritized remediation plan.

Scope: Modernization & audit
Access: RDP → SSM-based PowerShell
Findings: Prioritized security remediation list

Case 05
Professional services · Azure Linux

Azure Bpsv2 ARM64 VMs, Ubuntu 24.04, Node.js 24, Nginx with self-signed TLS, GitHub Actions runner, NSG IP whitelisting.

Azure VM (ARM64) · NSG · Nginx · GitHub Actions

Cost-efficient Azure Linux build for a professional-services MVP

Chose Standard_B2ps_v2 ARM64 in East US at roughly $33/mo versus ~$61 for the x86 B2ms equivalent — a ~45% monthly reduction — and navigated Azure quota and feature-flag blockers to land the build. Configured Nginx with HTTPS and path-level IP restriction layered on top of NSG-level whitelisting. Cleaned up an earlier eastus2 D-series build by deleting NIC, NSG, public IP, disk, and vnet. Installed a system-assigned managed identity and distributed SSH keys across multiple developers.

Scope: Greenfield Azure VM
Cost reduction: ~45% versus x86 equivalent
Access controls: NSG + Nginx path-level IP restriction

Case 06
Bitcoin Lightning fintech · POS

AWS us-east-2, IAM Identity Center, private encrypted RDS PostgreSQL, bastion EC2, Secrets Manager.

PostgreSQL 17 · IAM Identity Center · Secrets Manager · Bastion EC2

PostgreSQL schema design and AWS bastion build for a Bitcoin Lightning retail platform

Designed and shipped a production-ready PostgreSQL schema — 29 tables, 32 check constraints, 23 foreign keys, 90 indexes, 15 triggers — through ten review rounds with four LLMs cross-reviewing each other. Eradicated a NULL bypass anti-pattern across eight columns. Set up multi-user SSO via IAM Identity Center with custom permission sets (Admin, Developer, ReadOnly), group mapping, and MFA gating. Hardened the bastion with three-key SSH access and SSH tunneling on an alternate local port to avoid conflicts.

Scope: Schema design + AWS access plane
Review rigor: 4 LLMs, 10 rounds, production-ready
Access: SSO, custom permission sets, MFA

Case 07
Nonprofit publisher · full-stack web

React + Express + Sequelize + PostgreSQL; Node 16 locked; Mailgun email; DigitalOcean droplets; PM2; Nginx; Let's Encrypt.

React · Express · PostgreSQL · Nginx · Let's Encrypt

Long-running full-stack operations for a religious nonprofit publisher

Multi-year engagement across four droplets (production, wills site, dev, donations/merch). Replaced an expired GoDaddy certificate with Let's Encrypt plus certbot auto-renew. Built a category-search sidebar with Redux integration, then a keyword-matching sidebar with Hebrew and English regex across 17 topic categories. Diagnosed silent Travis CI PM2 deploy failures and established a manual restart workflow. Specced a staging-droplet plan for a Node LTS upgrade migration off the locked Node 16.

Scope: Operations + feature work
Cadence: Multi-year retainer
Highlights: TLS migration, search sidebars, deploy hardening

Case 08
Owned product

Real-time fact-checking Chrome extension for YouTube, including live broadcasts. Self-funded, currently operating on live political and civic coverage.

Chrome MV3 · Node.js · DynamoDB · OpenAI · spaCy · EC2 + PM2

Real-time fact-checking Chrome extension (self-built product)

Full-stack: manifest V3 Chrome extension, Node.js API on EC2 + PM2, DynamoDB caching with a seven-day TTL, a waterfall search across Google Fact Check, BLS, FRED, NewsAPI, NewsData.io, and DuckDuckGo, and OpenAI-generated verdicts. Retired a $355/mo OpenSearch line item by rebuilding the caching and search layers. Shipped a nine-check autonomous QA framework covering claim provenance, source-metric matching, temporal validation, and a contrarian pass. Tuned FALSE-rate accuracy from ~16% to 7.4% under target. Operated live during presidential pressers, congressional hearings, and Sunday political shows.

Role: Founder, sole engineer
Cost discipline: $355/mo OpenSearch retired
Accuracy: FALSE-rate 16% → 7.4%

If any of these sound like your situation, send a note.

No sales funnel, no discovery-call gauntlet — one email, one reply, one scoped conversation.
