Software built for MacDill, CENTCOM, SOCOM, and the Tampa Bay enterprise.
Veteran-owned and SDVOSB-certified. We build, modernize, and integrate AI into systems that have to hold up under audit, scrutiny, and real operational load.
Tampa programs lose months to vendors who do not understand the mission or the data.
The pattern is familiar around MacDill and the Westshore corridor. A program office or a hospital system buys a platform that demos well, then discovers the integration with their existing Salesforce, Epic, ServiceNow, or legacy Oracle stack was hand-waved in the proposal. AI pilots get stuck because nobody mapped data classification before sending prompts to a public endpoint. Modernization efforts stall because the contractor brought junior engineers to a problem that needed someone who has actually shipped to GovCloud. Meanwhile the operators, analysts, and clinicians keep doing the work in spreadsheets.
- AI pilots that send CUI or PHI to public LLM endpoints with no data-loss controls
- Legacy .NET Framework, ColdFusion, or Oracle Forms apps that nobody will touch and nobody will replace
- Salesforce, ServiceNow, and Epic integrations promised in slideware but never engineered for failure modes
- GovCloud or IL4/IL5 deployments quoted by vendors who have never actually filed an ATO package
How we engage with Tampa Bay teams — from MacDill to Westshore
- STEP-01
Mission and constraints intake
Two-week scoping with operators and engineers. We document the actual workflow, data classifications (CUI, PHI, PCI), interfacing systems, and timelines. Output is a written architecture decision record and a fixed-scope statement of work.
- STEP-02
Reference architecture and threat model
We pick the stack — typically AWS GovCloud, Azure Government, or commercial AWS with FedRAMP-aligned controls. STRIDE threat model, data-flow diagrams, and an IL2/IL4/IL5 mapping where applicable before anyone writes production code.
- STEP-03
Build in two-week increments
Senior engineers ship working software every sprint. CI/CD through GitHub Actions or GitLab, infrastructure as code with Terraform, and demos to actual end users — not just program managers — so course corrections happen in days, not quarters.
- STEP-04
ATO-ready handoff or sustainment
We deliver SSP-ready documentation, SBOMs, and runbooks. For DoD work, artifacts align with eMASS and RMF expectations. For commercial work, we hand off to your team or stay on as the sustainment crew under a retainer.
# Terraform: GovCloud baseline for a SOF-adjacent workload
# Region pinned, logging enforced, no public S3 by default
terraform {
required_version = ">= 1.6"
backend "s3" {
bucket = "voostack-tfstate-govcloud"
key = "tampa/centcom-portal/prod.tfstate"
region = "us-gov-west-1"
dynamodb_table = "tf-locks"
encrypt = true
}
}
provider "aws" {
region = "us-gov-west-1"
default_tags {
tags = {
Owner = "VooStack"
Environment = "prod"
DataClass = "CUI"
Program = "tampa-centcom-portal"
}
}
}
module "baseline" {
source = "./modules/govcloud-baseline"
enable_cloudtrail = true
enable_guardduty = true
enable_config = true
kms_key_rotation = true
s3_block_public_acl = true
vpc_flow_logs = true
}Opinionated GovCloud baseline we drop into week-one of a Tampa engagement. Logging on, public access off, state encrypted.
Field FAQ.
→ Are you actually able to support classified or CUI work out of Tampa?
We are an SDVOSB-certified, veteran-owned firm and we structure engagements for CUI handling from day one — AWS GovCloud or Azure Government, FIPS 140-2 validated crypto, and least-privilege IAM. For classified environments we work through cleared subcontracting arrangements and prime relationships. If your program requires specific clearances or facility access, tell us during scoping and we will be direct about what we can and cannot staff.
→ Why Tampa specifically? Do you have people on the ground?
Tampa is a serious software market because of MacDill, CENTCOM, SOCOM, the SOF industry that surrounds them, and the financial-services and healthcare concentration in Westshore, downtown, and the I-4 corridor. We staff engagements with senior engineers who travel to Tampa for working sessions, and we run remote-first delivery the rest of the sprint. Sustained on-site presence is available for programs that require it.
→ What does SDVOSB certification actually get my program office?
Service-Disabled Veteran-Owned Small Business status makes us eligible for SDVOSB set-asides and sole-source awards up to the FAR thresholds, and it helps primes hit their small-business subcontracting goals. For a contracting officer at MacDill or a prime working a SOCOM task order, that translates to a faster acquisition path and a cleaner small-business compliance story without sacrificing engineering depth.
→ How do you handle AI integration for sensitive workloads?
We default to deployment patterns that keep your data inside your boundary. That means Bedrock or Azure OpenAI inside GovCloud, self-hosted open-weight models on GPU instances when policy requires it, and retrieval-augmented generation against your own document stores rather than fine-tuning on sensitive corpora. We write the guardrails, prompt-injection defenses, and audit logging as part of the build, not as an afterthought.
→ Can you modernize a legacy system without a full rewrite?
Usually, yes — and we push back hard on rewrites that are not justified. The common path is strangler-fig: stand up a new API layer in front of the legacy system, peel off bounded contexts one at a time, and migrate data with dual-writes until the old system is read-only. We have done this with ColdFusion, classic ASP, Oracle Forms, and aging .NET Framework apps for both federal and commercial clients.
→ Do you do staff augmentation or only fixed-scope projects?
Both. Staff augmentation is straightforward: senior engineers, embedded in your team, billed monthly, with a 30-day off-ramp. Fixed-scope is for programs with a defined deliverable and a hard date. Most Tampa engagements start as a small fixed-scope discovery — usually four to six weeks — and then convert into either a build phase or an augmentation contract once the architecture is settled.
→ What does a typical engagement cost and how long does it run?
Discovery and architecture engagements typically run four to six weeks in the low five figures. Build phases usually run three to nine months depending on scope, with team sizes between two and six senior engineers. Sustainment retainers start around a single senior engineer's monthly rate. We give written, fixed pricing after scoping — no time-and-materials surprises buried in a change order.
→ How do you work with primes already holding a contract vehicle?
We subcontract under primes regularly, especially on SOCOM and CENTCOM-adjacent work where the prime holds the vehicle and needs a small-business teaming partner with real engineering capacity. We can flow down DFARS 252.204-7012, NIST 800-171 controls, and CMMC requirements through our own environment. Send us the teaming agreement and the technical scope and we will turn it around quickly.
Continue recon.
Services
Custom build, AI integration, modernization, and staff augmentation scoped to your stack.
REL-02Case studies
Representative engagements across federal, defense-adjacent, healthcare, and financial-services workloads.
REL-03Engagement packages
Fixed-scope discovery, build sprints, and sustainment retainers with written pricing up front.
REL-04Start a conversation
Tell us the mission, the constraints, and the deadline. We respond within one business day.
Building software in Tampa? Let's talk before you write the SOW.
Talk to a VooStack operator. We respond within one business day.