Before I ever touched a compliance framework, I was running patrols in Afghanistan.

I served in the U.S. Air Force Security Forces - deployed to Afghanistan, Iraq, Oman, Saudi Arabia, Kuwait, and other locations throughout the Middle East. I worked police transition teams, ran area support operations, and later served at U.S. Central Command leading foreign military sales programs that put critical capabilities into the hands of our partners across the region.

I’ve seen what defense technology looks like when it actually matters - when it’s keeping people alive or failing them in real time. When the drone feed cuts out. When the comms go down. When the equipment a contractor promised would work in 130-degree heat doesn’t.

That experience shaped everything I’ve done since.

When I transitioned out of the military, I went deep into cybersecurity and compliance — building expertise in FedRAMP, CMMC, NIST 800-53, and the Risk Management Framework. Today I serve as a Cloud Security Advisor at Motorola Solutions, hold active 3PAO assessor contracts supporting programs including the Defense Health Agency, and I’m building an AI-powered application security platform.

I’ve sat across the table from DHA program managers explaining why their authorization boundary needs to change. I’ve written expert commentary on FedRAMP RFCs while most of the industry was still figuring out what the changes meant. I’ve watched billion-dollar cybersecurity companies panic when an AI coding tool threatened to automate what they sell.

And through all of it, I kept noticing the same thing: the publications covering this space are written by people who don’t do the work.

They cover defense tech like it’s a venture capital beat. They write about compliance like it’s a policy abstraction. They report on AI security like it’s a future problem instead of a current crisis. Most of them have never been downrange, never sat in a SCIF, never written a finding in an assessment report.

Iron Echelon exists to fix that.

What this briefing covers

This is an intelligence briefing - not a news aggregator. Every issue delivers analysis across five pillars:

Defense Tech & AI - Drone warfare, autonomous systems, AI in defense acquisition, and the companies building the next generation of national security infrastructure. I don’t cover this from a Sand Hill Road perspective. I cover it from the perspective of someone who’s used this equipment in theater and now assesses the systems that support it.

Cybersecurity & Compliance - FedRAMP, CMMC, NIST 800-53, and the regulatory decisions that reshape how the defense industrial base operates. Written from inside the assessment process — not from the outside looking in.

Market Intelligence - Who’s winning contracts, who’s losing ground, and what the money is telling us about where defense and cyber are headed. When a cybersecurity stock drops 15% because an AI tool threatens their business model, I’ll tell you what it actually means.

AI Security - Supply chain risks, model vulnerabilities, agentic AI implications, and the collision between AI capability and security requirements. This is the frontier, and most people covering it don’t understand the compliance implications.

Practitioner Intel - The frameworks, tools, and hard lessons from someone who actually writes the findings, builds the architectures, and sits in the assessment rooms. If you’ve ever needed to explain a POA&M to a program manager or defend an authorization boundary to an AO, this section is for you.

Who this is for

If you’re a CISO, a program manager, a GRC professional, a defense tech founder, a compliance officer, an assessor, or anyone who needs to understand the intersection of cybersecurity, defense, and AI at a practitioner level — this briefing is built for you.

If you’re a veteran working in defense tech or cybersecurity and you’re tired of reading analysis from people who’ve never served - this is your publication.

If you want surface-level takes recycled from press releases, there are plenty of other newsletters for that.

What’s coming

Iron Echelon publishes every few days. Free subscribers get full access to analysis and market intel. I’ll introduce paid tiers down the road for deeper research, practitioner frameworks, and exclusive content - but for now, everything is free.

Here’s a preview of what’s in the pipeline:

• How Claude Code Security is quietly reshaping the cybersecurity vendor landscape

• The real state of CMMC implementation - what assessors are actually seeing

• FedRAMP modernization: what the latest RFCs mean for 3PAOs and CSPs

• Why the defense industrial base’s AI adoption is a security crisis hiding in plain sight

• Drone warfare lessons from Ukraine and what they mean for U.S. force structure

Subscribe, share it with your team, and reply to any email if you want to talk. I read everything.

The first real briefing drops this week.

- Ryan Gutwein

Air Force combat veteran. Building the future of AppSec.

ironechelon.com