This environment is for
Kearney employees only.
Sign in with your Kearney credentials to continue.
Access issues? Contact sandbox-support@kearneyco.com
Kearney Federal Cyber Platform

Architecture Reference

UNCLASSIFIED // FOUO  |  Pulumi project: kearney-soar-paas  |  AWS us-east-1  |  No CDK, no containers

One codebase deploys the internal AI sandbox and four product demos: SOAR log analytics, Navy Readiness, TECOM Budget, and AD/CD Command Center. A single mode config value in Pulumi decides which platforms get created. Stack names stay generic (dev, staging, prod, sandbox).

4
Product demos
4
Pulumi stacks
18+
AWS services
3
Deployment modes

Looking for the platform plan and decision brief? See Moving Forward for the platform plan, decisions needed, and anticipated questions. Revenue breakdown is the CGO/CFO line-by-line services menu (13 core + 4 companion lines).

System topology

index.ts is the entry point. It reads Pulumi config and instantiates one or more ComponentResource modules. Everything lands in AWS us-east-1 under the sandbox or agency stack you select.

flowchart TB
    subgraph Entry["Pulumi entry: index.ts"]
        MODE[mode config]
    end
    subgraph Demos["Product demos"]
        SOAR[FinancialSystemLogPlatform]
        NAVY[NavyDemoPlatform]
        TECOM[TecomDemoPlatform]
        ADCD[AdcdDemoPlatform]
    end
    subgraph Development["Development"]
        SANDBOX[AISandboxPlatform]
        MON[SandboxSecurityMonitoring]
    end
    subgraph AWS["AWS us-east-1"]
        SVC[Managed services]
    end
    MODE -->|sandbox or full| SANDBOX
    SANDBOX --> MON
    SANDBOX --> SOAR
    SANDBOX --> NAVY
    SANDBOX --> TECOM
    SANDBOX --> ADCD
    SANDBOX --> SVC
        
Four product demos attach to the sandbox stack. SOAR is on when mode includes soar; Navy, TECOM, and AD/CD use their enable*Demo config flags.

Repo modules

github.com/clthomps/Kearney-Pulumi (branch main). Click a file to open it on GitHub.

FileRole
index.tsEntry point. Reads config, dispatches by mode.
financial-system-log-platform.tsSOAR product demo for federal financial systems.
ai-sandbox-platform.tsAI/ML sandbox. This website lives here.
sandbox-security-monitoring.tsOptional audit trail and policy alarms for the sandbox.
navy-demo-platform.tsNavy Readiness product demo.
tecom-demo-platform.tsTECOM Budget product demo.
adcd-demo-platform.tsAD/CD Command Center product demo.

Deployment modes

ModeWhat deploysTypical use
soar FinancialSystemLogPlatform only (product demo stack) SOAR demo per agency scenario. Requires systemId and agencyId.
sandbox AISandboxPlatform only Internal AI/ML work on synthetic data. Demos and monitoring are config flags.
full SOAR demo and sandbox together Integrated dev or staging with the SOAR demo stack and AI sandbox in one Pulumi stack.

Sandbox components

AI Sandbox Platform Development

Config: mode: sandbox | full

AI/ML workbench on synthetic data only. SageMaker Studio, Bedrock, inference harness, and this site when enableDemo is true. All product demos attach here.

AWS: KMS, S3, Lambda, SageMaker, Bedrock, Step Functions, Cognito, CloudFront, API Gateway, Route53, CloudWatch, Secrets Manager, SSM

Sandbox Security Monitoring Optional module

Config: enableSecurityMonitoring

CloudTrail, GuardDuty, Athena queries, CloudWatch alarms, and the read-only portal at /monitoring/.

AWS: S3, CloudTrail, GuardDuty, EventBridge, Glue, Athena, CloudWatch, SNS

Product demos

Four demos on the same footing. Each is synthetic or fixture data only, not a production client deployment.

Financial System Log Platform Product demo

Config: mode: soar | full

Federal financial system SOAR showcase: log ingestion, ML anomaly scoring, MSSP alerts, honeybucket tripwires, ServiceNow ticketing. FedRAMP/FISCAM design targets on demo data.

AWS: KMS, VPC, EC2 (VAULT), S3, Lambda, Glue, Athena, SNS, EventBridge, CloudTrail, CloudWatch, API Gateway, Secrets Manager, SSM

Navy Readiness Demo Product demo

Config: enableNavyDemo   URL: navy.kearneysandbox.com

Navy maintenance readiness scenarios. Grounded vs naive AskSage comparison for client meetings.

TECOM Budget Demo Product demo

Config: enableTecomDemo

TECOM budget justification scenarios. Same grounded/naive pattern as Navy, plus Google Drive admin uploads.

AD/CD Command Center Product demo

Config: enableAdcdDemo   URL: cyber.kearneysandbox.com/adcd

Six modules from the AD/CD white paper: SOAR triage, honeypot, canary tokens, OT mirage, hunt lab, and related tooling.

flowchart TB
    USER[User] --> CF[CloudFront]
    CF --> S3[S3 static site]
    CF --> APIGW[API Gateway HTTP]
    APIGW --> JWT[Cognito JWT]
    JWT --> LAMBDA[Demo runner Lambda]
    LAMBDA --> TR[S3 traces / fixtures]
        
Shared pattern for Navy, TECOM, and AD/CD. SOAR uses the same sandbox stack but adds VAULT EC2, Glue, and Athena instead of a public demo site.

SOAR demo data flow

flowchart LR
    SRC[Source systems] --> S3[S3 raw/]
    S3 --> LP[Lambda parser]
    LP --> PQ[Parquet + Athena]
    LP --> SNS[SNS MSSP]
    SNS --> SNOW[ServiceNow]
    DECOY[Honeybucket decoy] --> P1[P1 SNS alert]
        
SOAR demo log path. Honeybucket access triggers a P1 alert. Decoy bucket name is never exported in stack outputs.

SOAR also provisions VAULT EC2 hosts (SSM-only), EventBridge scheduled scans, Glue crawler, CloudTrail, VPC flow logs, and a ServiceNow webhook via API Gateway HTTP.

DemoConfigURLNotes
SOAR Log Analytics mode: soar | full Sandbox stack or agency scenario stack VAULT EC2, Glue, Athena, honeybucket
Navy Readiness enableNavyDemo navy.kearneysandbox.com navy-demo/ + external navy-readiness-tool checkout
TECOM Budget enableTecomDemo tecom.kearneysandbox.com tecom-budget-tool
AD/CD Command Center enableAdcdDemo cyber.kearneysandbox.com/adcd adcd-demo/lambda/

Navy and TECOM need their application repos checked out locally before pulumi up.

AI sandbox

Synthetic data only until post-ATO. Approved sources include USASpending.gov public records, GPT-generated PBIS/STARS-FL fixtures, and public policy documents.

flowchart LR
    S3S[S3 synthetic data] --> HAR[Inference harness]
    HAR --> S3A[S3 model artifacts]
    SM[SageMaker Studio] --> NB[Notebooks]
    BR[Bedrock IAM] --> HAR
    SITE[kearneysandbox.com] --> CF[CloudFront + Cognito]
    CF --> PP[Prompt proxy API]
        
Sandbox boundary. No live client data.

Auth on this site uses Cognito Hosted UI (implicit grant). The ID token sits in sessionStorage and gates pages including this one. The prompt proxy validates the same JWT on POST /refine.

AskSage (IL5) is required for DoD-scoped work. Bedrock covers Nova, Titan, Llama, Mistral, and Cohere for internal use. Anthropic/Claude ARNs were removed from Bedrock IAM per FASCSA guidance.

Security monitoring

flowchart LR
    ACT[API + S3 activity] --> CT[CloudTrail]
    ACT --> GD[GuardDuty]
    CT --> S3T[Trail bucket]
    S3T --> GLUE[Glue catalog]
    GLUE --> ATH[Athena]
    GD --> EB[EventBridge]
    EB --> SNS[SNS alerts]
    CT --> MF[Metric filters]
    MF --> CW[CloudWatch alarms]
    CW --> SNS
        
Sandbox security monitoring. Portal at /monitoring/ embeds CloudWatch dashboards.

Viewers need the Cognito group sandbox-monitoring-viewers on pool kearney-ai-sandbox-users. That portal uses authorization-code + PKCE, separate from the implicit flow on the main site, same user pool.

Pulumi stacks

Stack names stay generic. Never put client or agency names in the stack ID.

StackEnvironmentModeDemosDomain
sandboxsandboxsandbox | fullSOAR, Navy, TECOM, AD/CDkearneysandbox.com
devdevsoar | fullSOAR (+ sandbox if full)Per agency scenario
stagingstagingsoar | fullSOAR (+ sandbox if full)Per agency scenario
prodprodsoar | fullSOAR (+ sandbox if full)Per agency scenario

Deploy steps

npm install, npm run build, pulumi stack select <name>, pulumi preview --diff, pulumi up. Package the SOAR Lambda layer before the first SOAR deploy (see repo README).

AWS service matrix

Not used in this codebase: DynamoDB, ECS/Fargate, RDS, ElastiCache, CDK.

ServiceSOARSandboxDemosRole
S3YesYesYesLogs, synthetic data, static sites, traces, CloudTrail
LambdaYesYesYesParser, harness, prompt proxy, demo runners
KMSYesYesYesEncryption at rest
CloudFrontNoYesYesCDN for demo static sites + OAC
CognitoNoYesYesUser auth for demo portals
API Gateway (HTTP)YesYesYesServiceNow webhook, prompt proxy, demo APIs
VPC / EC2YesNoNoVAULT tier (SSM-only, no SSH)
Glue + AthenaYesYesNoLog analytics and incident queries
SageMakerNoYesNoJupyter notebooks for ML experiments
BedrockNoYesNoFoundation model access (non-Anthropic)
CloudTrailYesYesNoAPI and S3 audit log
GuardDutyNoYesNoAnomaly and threat findings
SNSYesYesNoMSSP alerts, experiment notifications, security alarms
CloudWatchYesYesNoLogs, dashboards, metric filters, alarms
EventBridgeYesYesNoScheduled scans, GuardDuty routing
Secrets ManagerYesYesYesServiceNow, AskSage, Gemini, GDrive SA
Route53NoYesYesCustom domains
SSM Parameter StoreYesYesNoOperational reference parameters
Step FunctionsNoOptionalNoML experiment pipeline

Compliance and data

Frameworks

FedRAMP High (target), FISCAM, CMMC Level 2, NIST SP 800-53 Rev 5, DoD Zero Trust.

Data boundaries

All demos, including the SOAR log analytics stack, use synthetic or fixture data only. The AI sandbox is the same: no PII, no real client records, nothing classified or CUI until we have an ATO for a given workload.

OPSEC

  • Never export or log the honeybucket/decoy bucket name.
  • Store ServiceNow URLs with pulumi config set --secret.
  • Keep stack and CI output free of client identifiers where possible.
  • Do not commit notebooks with real system IDs or client names.

Software bill of materials

CycloneDX 1.5 SBOM for this codebase, Lambda layers, and Pulumi dependencies: SBOM inventory and downloads.

External dependencies

Navy packages code from navy-readiness-tool at deploy time (sibling checkout; see navy-demo-platform.ts). TECOM packages code from tecom-budget-tool. AD/CD is self-contained under adcd-demo/lambda/.

Source files

github.com/clthomps/Kearney-Pulumi

ComponentPulumi moduleClass
Orchestratorindex.tsEntry point
SOARfinancial-system-log-platform.tsFinancialSystemLogPlatform
AI Sandboxai-sandbox-platform.tsAISandboxPlatform
Security Monitoringsandbox-security-monitoring.tsSandboxSecurityMonitoring
Navy Demonavy-demo-platform.tsNavyDemoPlatform
TECOM Demotecom-demo-platform.tsTecomDemoPlatform
AD/CD Demoadcd-demo-platform.tsAdcdDemoPlatform