Same rigor, bigger canvas.
AlphaVerify evolved from a focused CMMC compliance practice (still available for defense contractors) into a CTO and systems consultancy. The through-line: hard problems, honest answers, and technical work that survives inspection-whether the inspector is an auditor or a traffic spike at 2 a.m.
Principles
Resilience over hope. We design for the failure you have not met yet, then measure with SLOs so “hope” is not a strategy.
Standards as clarity. Regimes like NIST, ISO, and SOC2, when used well, reduce thrash. We avoid compliance theater: controls that are not in the system are not real.
Scale is holistic. It is traffic, data, people, and dollars. A platform that scales technically but not financially is not scaled.
Direct work. You engage with senior people who have implemented before-not an endless chain of “strategy consultants” who have never paged a service.
John Koontz
I’m a builder and a bridge between technical and executive context. I’ve led government-facing partnerships (FBI, CIA, DoD), delivered and governed infrastructure in regulated and commercial environments, and earned the certifications (SOC2 Type II, ISO 27001, FDA) that only stick when your systems, not your slide deck, pass scrutiny.
20+ years of depth in identity, directory, network security, and high-scale infrastructure-and a preference for the kind of documented, transferable work that makes your next CTO or platform lead more effective on day one.
Base
Champaign, IL · nationwide and remote by design
What changed in the pivot
| Dimension | CMMC / legacy focus | CTO consultancy (this site) |
|---|---|---|
| Primary buyer | DoD supply chain, primes & subs, certification timelines | Product companies, software leadership, and hybrid regulated SaaS |
| North star | Attestation, SPRS, C3PAO readiness, control implementation | Revenue, reliability, and sustainable velocity in complex systems |
| Artifacts | SSPs, control narratives, policy packs, implementation guidance | ADRs, SRE programs, roadmaps, diligence packs, and board-ready risk framing |
| What stayed | NIST/ISO discipline, honest technical depth, and zero tolerance for compliance theater that does not touch production reality. | |
Still on path for CMMC Level 1/2/3 as your primary need? The original program remains available.