Looking for the platform plan and decision brief? See Moving Forward for the platform plan, decisions needed, and anticipated questions. Revenue breakdown is the CGO/CFO line-by-line services menu (13 core + 4 companion lines).
System topology
index.ts is the entry point. It reads Pulumi config and instantiates one or more ComponentResource modules. Everything lands in AWS us-east-1 under the sandbox or agency stack you select.
flowchart TB
subgraph Entry["Pulumi entry: index.ts"]
MODE[mode config]
end
subgraph Demos["Product demos"]
SOAR[FinancialSystemLogPlatform]
NAVY[NavyDemoPlatform]
TECOM[TecomDemoPlatform]
ADCD[AdcdDemoPlatform]
end
subgraph Development["Development"]
SANDBOX[AISandboxPlatform]
MON[SandboxSecurityMonitoring]
end
subgraph AWS["AWS us-east-1"]
SVC[Managed services]
end
MODE -->|sandbox or full| SANDBOX
SANDBOX --> MON
SANDBOX --> SOAR
SANDBOX --> NAVY
SANDBOX --> TECOM
SANDBOX --> ADCD
SANDBOX --> SVC
Repo modules
github.com/clthomps/Kearney-Pulumi (branch main). Click a file to open it on GitHub.
| File | Role |
|---|---|
| index.ts | Entry point. Reads config, dispatches by mode. |
| financial-system-log-platform.ts | SOAR product demo for federal financial systems. |
| ai-sandbox-platform.ts | AI/ML sandbox. This website lives here. |
| sandbox-security-monitoring.ts | Optional audit trail and policy alarms for the sandbox. |
| navy-demo-platform.ts | Navy Readiness product demo. |
| tecom-demo-platform.ts | TECOM Budget product demo. |
| adcd-demo-platform.ts | AD/CD Command Center product demo. |
Deployment modes
| Mode | What deploys | Typical use |
|---|---|---|
| soar | FinancialSystemLogPlatform only (product demo stack) | SOAR demo per agency scenario. Requires systemId and agencyId. |
| sandbox | AISandboxPlatform only | Internal AI/ML work on synthetic data. Demos and monitoring are config flags. |
| full | SOAR demo and sandbox together | Integrated dev or staging with the SOAR demo stack and AI sandbox in one Pulumi stack. |
Sandbox components
AI Sandbox Platform Development
AI/ML workbench on synthetic data only. SageMaker Studio, Bedrock, inference harness, and this site when enableDemo is true. All product demos attach here.
AWS: KMS, S3, Lambda, SageMaker, Bedrock, Step Functions, Cognito, CloudFront, API Gateway, Route53, CloudWatch, Secrets Manager, SSM
Sandbox Security Monitoring Optional module
CloudTrail, GuardDuty, Athena queries, CloudWatch alarms, and the read-only portal at /monitoring/.
AWS: S3, CloudTrail, GuardDuty, EventBridge, Glue, Athena, CloudWatch, SNS
Product demos
Four demos on the same footing. Each is synthetic or fixture data only, not a production client deployment.
Financial System Log Platform Product demo
Federal financial system SOAR showcase: log ingestion, ML anomaly scoring, MSSP alerts, honeybucket tripwires, ServiceNow ticketing. FedRAMP/FISCAM design targets on demo data.
AWS: KMS, VPC, EC2 (VAULT), S3, Lambda, Glue, Athena, SNS, EventBridge, CloudTrail, CloudWatch, API Gateway, Secrets Manager, SSM
Navy Readiness Demo Product demo
Navy maintenance readiness scenarios. Grounded vs naive AskSage comparison for client meetings.
TECOM Budget Demo Product demo
TECOM budget justification scenarios. Same grounded/naive pattern as Navy, plus Google Drive admin uploads.
AD/CD Command Center Product demo
Six modules from the AD/CD white paper: SOAR triage, honeypot, canary tokens, OT mirage, hunt lab, and related tooling.
flowchart TB
USER[User] --> CF[CloudFront]
CF --> S3[S3 static site]
CF --> APIGW[API Gateway HTTP]
APIGW --> JWT[Cognito JWT]
JWT --> LAMBDA[Demo runner Lambda]
LAMBDA --> TR[S3 traces / fixtures]
SOAR demo data flow
flowchart LR
SRC[Source systems] --> S3[S3 raw/]
S3 --> LP[Lambda parser]
LP --> PQ[Parquet + Athena]
LP --> SNS[SNS MSSP]
SNS --> SNOW[ServiceNow]
DECOY[Honeybucket decoy] --> P1[P1 SNS alert]
SOAR also provisions VAULT EC2 hosts (SSM-only), EventBridge scheduled scans, Glue crawler, CloudTrail, VPC flow logs, and a ServiceNow webhook via API Gateway HTTP.
| Demo | Config | URL | Notes |
|---|---|---|---|
| SOAR Log Analytics | mode: soar | full | Sandbox stack or agency scenario stack | VAULT EC2, Glue, Athena, honeybucket |
| Navy Readiness | enableNavyDemo | navy.kearneysandbox.com | navy-demo/ + external navy-readiness-tool checkout |
| TECOM Budget | enableTecomDemo | tecom.kearneysandbox.com | tecom-budget-tool |
| AD/CD Command Center | enableAdcdDemo | cyber.kearneysandbox.com/adcd | adcd-demo/lambda/ |
Navy and TECOM need their application repos checked out locally before pulumi up.
AI sandbox
Synthetic data only until post-ATO. Approved sources include USASpending.gov public records, GPT-generated PBIS/STARS-FL fixtures, and public policy documents.
flowchart LR
S3S[S3 synthetic data] --> HAR[Inference harness]
HAR --> S3A[S3 model artifacts]
SM[SageMaker Studio] --> NB[Notebooks]
BR[Bedrock IAM] --> HAR
SITE[kearneysandbox.com] --> CF[CloudFront + Cognito]
CF --> PP[Prompt proxy API]
Auth on this site uses Cognito Hosted UI (implicit grant). The ID token sits in sessionStorage and gates pages including this one. The prompt proxy validates the same JWT on POST /refine.
AskSage (IL5) is required for DoD-scoped work. Bedrock covers Nova, Titan, Llama, Mistral, and Cohere for internal use. Anthropic/Claude ARNs were removed from Bedrock IAM per FASCSA guidance.
Security monitoring
flowchart LR
ACT[API + S3 activity] --> CT[CloudTrail]
ACT --> GD[GuardDuty]
CT --> S3T[Trail bucket]
S3T --> GLUE[Glue catalog]
GLUE --> ATH[Athena]
GD --> EB[EventBridge]
EB --> SNS[SNS alerts]
CT --> MF[Metric filters]
MF --> CW[CloudWatch alarms]
CW --> SNS
Viewers need the Cognito group sandbox-monitoring-viewers on pool kearney-ai-sandbox-users. That portal uses authorization-code + PKCE, separate from the implicit flow on the main site, same user pool.
Pulumi stacks
Stack names stay generic. Never put client or agency names in the stack ID.
| Stack | Environment | Mode | Demos | Domain |
|---|---|---|---|---|
| sandbox | sandbox | sandbox | full | SOAR, Navy, TECOM, AD/CD | kearneysandbox.com |
| dev | dev | soar | full | SOAR (+ sandbox if full) | Per agency scenario |
| staging | staging | soar | full | SOAR (+ sandbox if full) | Per agency scenario |
| prod | prod | soar | full | SOAR (+ sandbox if full) | Per agency scenario |
Deploy steps
npm install, npm run build, pulumi stack select <name>, pulumi preview --diff, pulumi up. Package the SOAR Lambda layer before the first SOAR deploy (see repo README).
AWS service matrix
Not used in this codebase: DynamoDB, ECS/Fargate, RDS, ElastiCache, CDK.
| Service | SOAR | Sandbox | Demos | Role |
|---|---|---|---|---|
| S3 | Yes | Yes | Yes | Logs, synthetic data, static sites, traces, CloudTrail |
| Lambda | Yes | Yes | Yes | Parser, harness, prompt proxy, demo runners |
| KMS | Yes | Yes | Yes | Encryption at rest |
| CloudFront | No | Yes | Yes | CDN for demo static sites + OAC |
| Cognito | No | Yes | Yes | User auth for demo portals |
| API Gateway (HTTP) | Yes | Yes | Yes | ServiceNow webhook, prompt proxy, demo APIs |
| VPC / EC2 | Yes | No | No | VAULT tier (SSM-only, no SSH) |
| Glue + Athena | Yes | Yes | No | Log analytics and incident queries |
| SageMaker | No | Yes | No | Jupyter notebooks for ML experiments |
| Bedrock | No | Yes | No | Foundation model access (non-Anthropic) |
| CloudTrail | Yes | Yes | No | API and S3 audit log |
| GuardDuty | No | Yes | No | Anomaly and threat findings |
| SNS | Yes | Yes | No | MSSP alerts, experiment notifications, security alarms |
| CloudWatch | Yes | Yes | No | Logs, dashboards, metric filters, alarms |
| EventBridge | Yes | Yes | No | Scheduled scans, GuardDuty routing |
| Secrets Manager | Yes | Yes | Yes | ServiceNow, AskSage, Gemini, GDrive SA |
| Route53 | No | Yes | Yes | Custom domains |
| SSM Parameter Store | Yes | Yes | No | Operational reference parameters |
| Step Functions | No | Optional | No | ML experiment pipeline |
Compliance and data
Frameworks
FedRAMP High (target), FISCAM, CMMC Level 2, NIST SP 800-53 Rev 5, DoD Zero Trust.
Data boundaries
All demos, including the SOAR log analytics stack, use synthetic or fixture data only. The AI sandbox is the same: no PII, no real client records, nothing classified or CUI until we have an ATO for a given workload.
OPSEC
- Never export or log the honeybucket/decoy bucket name.
- Store ServiceNow URLs with pulumi config set --secret.
- Keep stack and CI output free of client identifiers where possible.
- Do not commit notebooks with real system IDs or client names.
Software bill of materials
CycloneDX 1.5 SBOM for this codebase, Lambda layers, and Pulumi dependencies: SBOM inventory and downloads.
External dependencies
Navy packages code from navy-readiness-tool at deploy time (sibling checkout; see navy-demo-platform.ts). TECOM packages code from tecom-budget-tool. AD/CD is self-contained under adcd-demo/lambda/.
Source files
github.com/clthomps/Kearney-Pulumi
| Component | Pulumi module | Class |
|---|---|---|
| Orchestrator | index.ts | Entry point |
| SOAR | financial-system-log-platform.ts | FinancialSystemLogPlatform |
| AI Sandbox | ai-sandbox-platform.ts | AISandboxPlatform |
| Security Monitoring | sandbox-security-monitoring.ts | SandboxSecurityMonitoring |
| Navy Demo | navy-demo-platform.ts | NavyDemoPlatform |
| TECOM Demo | tecom-demo-platform.ts | TecomDemoPlatform |
| AD/CD Demo | adcd-demo-platform.ts | AdcdDemoPlatform |