SecureLink
Day 2 of 30
Yesterday SecureStackScan went live as Day 1 — the assessment platform that finds the gaps in an SMB’s stack and produces a report the MSP can hand the client. Today’s launch is the network-layer companion: SecureLink — a publicly routable, FIPS 140-validated static IP for Starlink, Starshield, and other CGNAT-locked SATCOM links.
Same channel. Same buyer. One layer deeper into the compliance stack.
What it does
Starlink and Starshield put every customer terminal behind Carrier-Grade NAT. From the public internet, you cannot reach a device on a Starlink link directly — there is no inbound IP to hit. For a field-deployed federal contractor (surveillance crews, drone ground stations, mobile command posts, range telemetry, deployable CUI workstations), that is the connectivity gap that kills the contract.
The market is asking for one thing: a publicly routable IPv4 address that travels with the device. HQ allowlists it. The contracting agency allowlists it. The SOC sees it in the audit log. It does not change when the bird hands off or the dish reboots.
SecureLink delivers that, in two SKUs:
- Software SKU — a Windows install (.NET 6) that opens a FIPS-mode IKEv2/IPsec tunnel from the workstation to the SecureLink edge in AWS GovCloud. Zero hardware to ship. The MSP pushes it through their existing RMM. The static IP belongs to that device.
- Router SKU — a managed CPE for sites that need an always-on tunnel for everything behind it: cameras, sensors, IoT, non-Windows workstations, the whole rack. Pre-provisioned with the customer’s device certificate and Elastic IP. Plug in, the tunnel comes up, every device on the LAN egresses through the static IP.
Same edge. Same crypto. Same audit log. The MSP picks the SKU per site.
Why this is a federal product, not a commercial one
The crypto is FIPS 140-validated end to end — AWS-LC FIPS Module on the edge, Windows CNG in FIPS mode on the client — and the infrastructure runs in AWS GovCloud (us-gov-west-1 / us-gov-east-1). Consumer and business VPNs (NordLayer, Tailscale, Twingate) cannot match that without re-architecting around a different cloud and a different cryptographic stack.
That matters because the same contractor who needs the routable IP also has to satisfy CMMC Level 2 — roughly 110 NIST 800-171 controls, with enforcement ramping through 2026–2027. A handful of those controls hit network egress directly:
- Deterministic, auditable egress IP (so the agency can allowlist)
- Access logs in CMMC-acceptable format with the required retention
- Certificate-based authentication (no usernames or passwords on the wire)
- Encrypted tunnels with FIPS 140-validated cryptography (IKEv2/IPsec, AES-256-GCM, SHA-384, ECP-384)
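A tunnel only stays on that suite if nothing weaker creeps into the proposal lists. The check below is an added example, not SecureLink's own code: it audits strongSwan swanctl-style `proposals` / `esp_proposals` lines against the algorithms named above. The sample excerpt, the requirement that child SAs carry a DH group, and the simplified keyword classifier are assumptions.

```python
import re

# Page's suite (AES-256-GCM, SHA-384, ECP-384) as strongSwan proposal keywords.
# AES-GCM is an AEAD, so no integrity keyword is listed; in IKE, SHA-384 is the PRF.
ALLOWED = {"encryption": {"aes256gcm16"}, "prf": {"prfsha384"}, "dh": {"ecp384"}}
# Assumption: child SAs must also name a DH group (PFS on rekey).
REQUIRED = {"proposals": {"encryption", "prf", "dh"},
            "esp_proposals": {"encryption", "dh"}}
NEUTRAL = {"esn", "noesn"}  # sequence-number options, not algorithms

def classify(token):
    # Rough classifier; a simplification of strongSwan's keyword table.
    if token.startswith("prf"):
        return "prf"
    if re.fullmatch(r"(modp|ecp)\d+\w*|curve\d+|x\d+", token):
        return "dh"
    if re.match(r"aes|3des|chacha|camellia|null", token):
        return "encryption"
    return "integrity" if re.match(r"sha|md5", token) else "unknown"

def audit(conf_text):
    """Return (line_no, key, proposal, reason) for every proposal off the suite."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(proposals|esp_proposals)\s*=\s*(.+?)\s*(#.*)?$", line)
        if not m:
            continue
        key = m.group(1)
        for prop in (p.strip() for p in m.group(2).split(",")):
            tokens = [t for t in prop.split("-") if t not in NEUTRAL]
            kinds = {classify(t) for t in tokens}
            bad = [t for t in tokens if t not in ALLOWED.get(classify(t), set())]
            if bad:  # any weaker or unrecognised keyword, including "default"
                findings.append((no, key, prop, "not in suite: " + ",".join(bad)))
            elif not REQUIRED[key] <= kinds:
                gap = ",".join(sorted(REQUIRED[key] - kinds))
                findings.append((no, key, prop, "missing: " + gap))
    return findings

# Constructed excerpt (proposal lines only), not taken from any real deployment.
SAMPLE = """\
    proposals = aes256gcm16-prfsha384-ecp384
    esp_proposals = aes256gcm16-ecp384
    proposals = aes256gcm16-prfsha384-ecp384, aes128-sha1-modp1024
    esp_proposals = aes256gcm16   # no PFS group
    esp_proposals = default
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A fallback proposal after the strong one is the case worth catching: the peer may select it, so every comma-separated entry is checked, not just the first.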
SecureLink ships all of that out of the box. One product solves the Starlink/Starshield CGNAT problem and the CMMC L2 audit story at the same time. The MSP sells one thing. The contractor installs one thing. The auditor sees one thing.
Why Day 2
This week is the Cyber MSP cluster — six ventures across days 1–8 that all share the same channel-motion thesis: the buyer of SMB cybersecurity isn’t the SMB. It’s the MSP that serves the SMB.
SecureLink is the cleanest expression of that thesis. The federal contractor is the SMB-tier of the defense industrial base. The MSP that serves them is the channel. CMMC enforcement is the forcing function — every contractor with DoD-adjacent business needs L2 inside the next 18 months, and almost none of them have the in-house expertise to build it themselves.
Six of the seven Cyber MSP cluster ventures are from the CyberSavi family (Kirby Winters’ team — SecureStackScan, CompliancePulse, CyberSavi Academy, CyberSavIQ, GovernAI). SecureLink sits alongside them as the same thesis applied to a different vertical.
The Velocity Process notes
What Claude Code handled: the strongSwan IKEv2/IPsec configuration generator (FIPS mode, AES-256-GCM, ECP-384), the Elastic IP allocation logic, the ACM Private CA device-certificate flow, the access-log formatter (NIST 800-171 audit-record requirements are precise about field order and retention semantics), the Windows .NET 6 install client and PowerShell VPN profile creation, the router-SKU image pre-provisioning pipeline, and the AWS GovCloud infrastructure via VelocityStack.
What required human judgement: the call to anchor the product on the Starlink/Starshield CGNAT pain rather than lead with CMMC (the audit story is the moat, but the routable IP is what makes the phone ring); the choice to ship two SKUs — software for the per-workstation case, managed router for the site-wide case — instead of forcing one model on every deployment; and the decision to publish the FIPS validation evidence publicly (most competitors bury it).
What broke: the first version of the access-log formatter joined identifier fields in the wrong order — NIST 800-171 says timestamp first, then event type, then actor identity. The auditor toolchain expects exactly that order. It took two hours to find and ten minutes for Claude Code to fix, versioned across the Windows client and the router image.
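A field-order bug like this one is cheap to pin down with a serializer that emits from a fixed tuple and a checker that validates each position by type. The sketch below is an added example, not the SecureLink formatter: only the order of the first three fields comes from this post, while the pipe delimiter, the trailing fields, the event names and the `CN=` actor form are assumptions.

```python
import re
from datetime import datetime

# First three positions follow the order given in the post; the rest is hypothetical.
FIELD_ORDER = ("timestamp", "event_type", "actor", "source_ip", "outcome")
EVENT_TYPES = {"TUNNEL_UP", "TUNNEL_DOWN", "AUTH_FAIL"}  # hypothetical event names
ACTOR_RE = re.compile(r"CN=[\w.-]+")                     # assumed cert-subject form

def format_record(event):
    """Serialize by FIELD_ORDER, never by the caller's dict order."""
    missing = [f for f in FIELD_ORDER if f not in event]
    if missing:
        raise ValueError("missing fields: " + ",".join(missing))
    values = [str(event[f]) for f in FIELD_ORDER]
    # A delimiter or newline inside a value would shift or forge fields.
    if any("|" in v or "\n" in v or "\r" in v for v in values):
        raise ValueError("delimiter or newline inside a field value")
    return "|".join(values)

def check_line(line):
    """Return None when the leading fields are in order, else the first problem."""
    parts = line.split("|")
    if len(parts) != len(FIELD_ORDER):
        return "wrong field count"
    ts, event_type, actor = parts[:3]
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return "field 1 is not a UTC timestamp"
    if event_type not in EVENT_TYPES:
        return "field 2 is not an event type"
    if not ACTOR_RE.fullmatch(actor):
        return "field 3 is not an actor identity"
    return None

# Constructed sample event, deliberately supplied in scrambled key order.
SAMPLE_EVENT = {"outcome": "success", "actor": "CN=ws-014.example",
                "event_type": "TUNNEL_UP", "source_ip": "203.0.113.10",
                "timestamp": "2026-05-02T14:03:11Z"}

if __name__ == "__main__":
    line = format_record(SAMPLE_EVENT)
    print(line, check_line(line))
```

Running `check_line` over emitted records in CI for both the client and the router image turns a reordering into a failed build rather than an audit finding.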
What’s next this week
- Day 3 (Sun May 3): PartFoundry — on-demand replacement-parts manufacturing. First fully public build of the run: repo open, business plan published, build-session screenshots embedded.
- Day 4 (Mon May 4): CompliancePulse — the CyberSavi family continuous-compliance engine. Already in revenue.
- Day 5 (Tue May 5): CyberSavi Academy — training layer.
- Day 6 (Wed May 6): CyberSavIQ — personal/reputation layer.
- Day 7 (Thu May 7): Theme essay — EU AI Act 2026.
- Day 8 (Fri May 8): GovernAI — closes the cluster.
Want to talk?
If you run an MSP, vCISO, or fractional CISO desk serving federal contractors or DIB-adjacent SMBs — book 30 minutes. SecureLink pricing is per-end-client, designed for your margin.
Email signup on the home page is wired to GHL — no noise, just the build, the stack, and what actually happened.