Consulting Resume · TRB-CONSULT-NETBOX-001
KJ × NETBOX LABS
Vice President, Engineering · $270K–$290K · US Remote
FULL-TIME · DOMAIN MATCH · AI-NATIVE INFRASTRUCTURE · 20 YRS ENTERPRISE
JD REQUIREMENT
Scaled Engineering Leadership (40–100 Engineers)
"You have built and run an engineering organization at this size. You know what a team at scale looks like."
KAY'S PROOF
TD Banking Group — grew AKS/Container DevOps team to serve 500+ Lines of Business, Big Data Platform (500+ LOBs), 5+ HPC clusters, 75+ custom applications. Created agile team structure and service design processes across core infrastructure teams and shared services. Public Cloud Roadmap ownership and vendor relationship management. "Identify team strengths and weaknesses and increase team size to meet demand" — this is the exact problem.
JD REQUIREMENT
Scrappy Pragmatic Operator — Bias Toward Progress
"Move work forward with incomplete information, limited resources, evolving structure. Comfortable with ambiguity."
KAY'S PROOF
EOSE Labs (Aug 2023–present) — 7-silo sovereign fleet, 3 incorporated companies, AKS cloud, 41K+ file codebase — zero external team, built from Week 1. Westpac (2016) — greenfield Cloud Control Plane from POC to production. Every engagement: mid-flight on arrival, always shipping. Toyota, Cabcharge, QSuper, TD, CTC — different stacks, same pattern. This is not a disposition — it's the documented work history.
JD REQUIREMENT
Execution Track Record — Shipped Products, Fixed Delivery Failures
"Clear ownership, shipped outcomes, measurable improvement to delivery systems."
KAY'S PROOF
AKS Container-as-a-Service (Istio/Argo) across 2 regions, PCI + Restricted Data — shipped to production at TD. HPAAS (Hybrid PaaS) end-to-end design through run at Westpac. LBaaS, SFSaaS, Site-as-a-Service — all shipped at enterprise scale (Bitbucket→Jenkins→VRO→CCP→F5→THALES fully automated). CTC: IAM Factory, federated identity pipeline (dynamic SPN → userAssigned), SOAR playbooks — formal Service Design deliverables, not proof-of-concepts.
JD REQUIREMENT
Infrastructure / Platform Fluency
"Engage credibly with engineers building infrastructure and developer tooling. Not just managing — understanding."
KAY'S PROOF
Ran Infoblox DNS/IPAM at both TD and Westpac — direct NetBox IPAM domain overlap. Not adjacent — this is the exact problem space. Kubernetes/AKS/Helm/Istio/Flux/cert-manager — expert or solid. Terraform Enterprise 60+ months. This is not learned context — this is the career. Not a manager who learned infra. An infra engineer who learned to lead.
JD REQUIREMENT
AI-Native Conviction, Grounded in Practice
"Hands-on exposure to AI-assisted development. Point of view on how it changes engineering."
KAY'S PROOF
EOSE Labs — sovereign fleet AI, PEMCLAU GraphRAG (9,022-entry knowledge graph, 17K nodes, 81K edges), ARC-AGI 64% benchmark, 7-silo local + cloud inference fleet. CTC: AgenticRAG (LangGraph, MongoDB Atlas, hybrid search). Not a consumer of AI tooling — an architect. Point of view: operationalized AI-native at silo scale. The constraint for NetBox's on-prem customers — AI must work offline with customer-controlled models — is already solved in this fleet.
AUG 2023 – PRESENT
SRE + Cloud Architect
EOSE Labs Inc. / Canadian Tire Corp.
  • Built sovereign fleet: 7 local silos (RTX 5090/4090/5080/3090), AKS cloud Canada East, 3 companies incorporated (EOSE Labs + DESEOF + PEMOS, 2026-03-29)
  • EOSE: PEMCLAU GraphRAG 9,022-entry knowledge graph, ARC-AGI 64% benchmark, 18-wave analysis engine, Zitadel SSO fleet auth
  • CTC: IAM Factory (App Reg automation), federated identity migration (dynamic SPN → userAssigned), AKS Kubernetes CI/CD, Venafi cert-manager chain, SOAR playbooks with APIM integration
  • Cloud Architecture Framework aligned to CAF well-architected; cost governance via automated policies; PIM integration with Durable Timers
JAN 2020 – AUG 2023
Snr Managing Engineer, Containerization
TD Banking Group — Cloud DevOps Engineering
  • AKS Container-as-a-Service (Istio/Argo) across 2 regions, PCI + Restricted Data — shipped to production; API v3 framework (300+ APIs), Custom Apps (50+)
  • AKS Dedicated Cluster Pattern: Big Data Platform (500+ LOBs), HPC clusters (5+), Custom Apps (75+); Docker-in-Docker build for real-time trading plant → FPGA promotion
  • Grew and trained team; created agile structure across core infra teams and shared services; Public Cloud Roadmap ownership; vendor relationship management
  • AWS Control Tower + Landing Zones; Image Curation Pipeline; runtime/assurance/K8s policy automation; Certificate Manager issuer for all landing zones
JUN 2019 – JAN 2020
Snr Cloud Architect & Engineer
TD Banking Group — Core Infra Tools Strategy
  • ServiceNow to Network Tools API — abstraction layer for all network tools; QIP → Infoblox migration; Netbrain, Tufin, HPNA, Aruba, BIG-IQ for CMDB uplift
  • LBaaS: F5 automation via BIG-IQ/ServiceNow/Bitbucket/Jenkins/Venafi/CyberArk/Terraform Enterprise; iRule → NGINX migration strategy
  • Python framework for data-driven development → Tableau dashboards; network segmentation modelling for Federal Reserve Board regulatory reporting (500K+ devices)
  • AWS Control Tower; Landing Zones; Federation IAM; AMI Pipeline — instance repersonalization
SEP 2016 – JUN 2019
Principal Cloud Architect
Westpac Banking Corporation — Cloud Engineering
  • Cloud Control Plane: greenfield design through production — IAM, Secrets, Event, Encryption, Certificate, Key, Backup Mgmt; Java microservices on serverless via Swagger + API Gateway
  • HPAAS: Hybrid PaaS — on-prem IBM + AWS + Azure simultaneously; NSX Mgr, vSphere 6, VSAN automation; CHEF cookbooks for CI/CD of all patterns
  • LBaaS + SFSaaS fully automated catalogue (Bitbucket→Jenkins→VRO→CCP→F5→THALES/Gemalto); GSLB Active/Active + Active/Passive
  • TOGAF architecture; API roadmap governance for all cloud APIs at WBC; APRA compliance (Secure By Design); HSM-as-a-Service with native + volume encryption
JUN 2016 – SEP 2016
Senior Solution Architect
Toyota Finance Australia
  • Financial Data Warehouse — 6 environments, 13 feeder systems, cube modelling, 2-week Agile sprints
  • Customer Retention Project — Tibco data transformation, SQL BI stack, SSIS packages, AWS transfer
2014 – 2016
Cloud Architect / Systems Specialist
Cabcharge · QSuper
Payment Switch, Virtual Migration, vCloud Director, AWS, DCP cloud migration, vCloud Air.
2010 – 2014
Solutions Architect / Solutions Designer
Gallagher Bassett · QLD Health
vSphere, SRM, HDS HUSVM/HNAS, SQL Cluster, Citrix, SCCM, architecture private cloud + AWS. QLD Health: PHICSS, CRISSP, ICU-CIS, CIMHA.
2005 – 2010
Systems Engineer / Technical Lead
WebCentral/MelbourneIT · Data#3 · Public Safety Network
Level 2 HelpDesk through Technical Implementation Manager. First enterprise infrastructure exposure — where the 20 years began.
EDUCATION
Degrees & Certifications
Griffith University + QUT
  • BSc Biomedical Science — Griffith University Nathan (1996–2000)
  • BIT Data Systems & Software Development — QUT Gardens Point (2001–2005)
  • CISSP 2016 · AWS Certified SA + SysOps 2014/2015 · VMware VCP vSphere 5.5 2010 · ITIL Practitioner 2009 · MCSE 2003
Kubernetes / AKS · EXPERT
Terraform Enterprise · EXPERT
Azure / AAD / Entra · EXPERT
Infoblox DNS/IPAM · EXPERT
Helm · EXPERT
Istio / Service Mesh · SOLID
CyberArk / Secrets · EXPERT
Python + SDKs · EXPERT
Flux / GitOps · SOLID
cert-manager · SOLID
GraphRAG / LangGraph · EXPERT
SOAR / Playbooks · SOLID

I assessed NetBox before this conversation.

Running EOSE Labs' sovereign fleet deployment — I evaluated NetBox as the structural layer of Galaxy-4 INFRA. The assessment took a week. Here's what I found.

✓ WHAT'S GOOD
REST + GraphQL API: best-in-class for this category. Auto-generated OpenAPI 3 schema. Clean, versioned, predictable.
ObjectChange audit log: every create/update/delete logged with user, timestamp, pre/post JSON diff. Immutable. This is enterprise-grade.
Plugin system: netbox-operator (K8s CRDs), netbox-topology-views, netbox-dns — all mature. The ecosystem is real.
Prometheus metrics: django-prometheus wired. Grafana dashboard in under an hour.
OIDC ready: REMOTE_AUTH + social-auth-core = Zitadel/Keycloak integration native. Fleet SSO works out of the box.
⚠ WHAT NEEDS FIXING
ALLOWED_HOSTS = [] default. Accepts any host header. Every production deployment needs this set explicitly.
v1 tokens are stored in plaintext in PostgreSQL; v2 uses HMAC. v1 should not be provisioned in any production environment.
No rate limiting on auth endpoints. Brute-force possible on local accounts. Needs upstream layer (Istio/nginx/oauth2-proxy).
Script execution = RCE. Anyone with "run script" permission executes Python on the server. Must be restricted to ops-only.
REMOTE_AUTH_AUTO_CREATE_USER = True by default. Every OIDC user auto-provisions. Flip to False, explicit provisioning only.
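The two items in the list above that are plain configuration.py settings can be audited before deployment without importing the module. This is an added example, not NetBox Labs code and not part of the original assessment; the two sample files, the hostname and the backend path are constructed, and the '*' wildcard check goes one step beyond the list above.

```python
"""Audit a NetBox configuration.py for the weak settings flagged above.
Parsed with ast rather than imported, so auditing never executes the file."""
import ast

# Constructed sample: a configuration.py carrying both weak settings.
WEAK_CONFIG = """
ALLOWED_HOSTS = []
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
REMOTE_AUTH_AUTO_CREATE_USER = True
"""

# Constructed sample: the same file with both fixes applied (hostname is a placeholder).
HARDENED_CONFIG = """
ALLOWED_HOSTS = ['netbox.fleet.example']
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
REMOTE_AUTH_AUTO_CREATE_USER = False
"""

def load_settings(source: str) -> dict:
    """Collect top-level NAME = <literal> assignments; non-literal values are skipped."""
    settings = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        try:
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            pass  # e.g. an os.environ lookup: not a literal, so not judged here
    return settings

def audit(settings: dict) -> list:
    """Return one finding per weak setting; empty means both are explicit and safe."""
    findings = []
    hosts = settings.get('ALLOWED_HOSTS')
    if not hosts:
        findings.append("ALLOWED_HOSTS unset or empty: list the exact hostnames NetBox serves")
    elif '*' in hosts:
        findings.append("ALLOWED_HOSTS contains '*': the host check matches every Host header")
    if settings.get('REMOTE_AUTH_ENABLED') and settings.get('REMOTE_AUTH_AUTO_CREATE_USER') is not False:
        findings.append("REMOTE_AUTH_AUTO_CREATE_USER not explicitly False: IdP users self-provision")
    return findings

if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name, audit(load_settings(text)) or ['no findings'])
```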
→ THE INTEGRATION OPPORTUNITY
NetBox → PEMCLAU GraphRAG: device graph via GraphQL → 2-hop semantic traversal. Topology-aware search across the fleet.
Galaxy-4 INFRA: extend fleet pipeline GIT→BUILD→PORT→DNS→INFRA→SOVEREIGN. NetBox = live device star map for every sovereign deployment.
netbox-dns: live IPAM data drives DNS automation for 44-domain portfolio. No more manual zone management.
netbox-operator: K8s CRDs → GitOps for network state. Exact same pattern as MECRDS fleet CRDs. Convergent architecture.
1 · EMBED — Read Before You Write · MONTH 1
No structural changes. Map what's working (reinforce), fragile (add structure), wrong (fix fast).
Ship one small execution improvement. Prove I read the system before I change it.
Meet every director 1:1. Not to evaluate — to understand their constraints and what's blocking them.
Identify the cross-team coordination blocker. There's always one. Name it. That's the Month 2 target.
2 · EXECUTION SYSTEM — Load-Bearing Structure · MONTHS 2–3
Cycle cadence locked. 2-week cycles, Monday planning (1hr max), Friday demo (working software only — no status theater).
Ownership matrix published. Every component has exactly one owner (team, not person). No shared mutable responsibility.
Escalation ladder defined: L1 team → L2 director → L3 VP (me, 48h unblock) → L4 CTO (strategy only).
Cross-team contracts: clean interfaces between products and platform. Teams move independently once contracts are defined.
3 · AI-NATIVE PILOT — Prove It With Data · MONTHS 4–6
One team, one product, spec-driven development from day 1. AI writes first draft. Human reviews before code is written.
AI accountability model: P0=human only · P1=AI+human review · P2=AI+automated tests · P3=AI autonomous with lint gate.
Measure throughput delta. Publish it. Let the data recruit the other teams. Mandate fails; evidence persuades.
On-prem constraint: AI tooling must work with customer-controlled models. Not SaaS-only. NetBox customers can't take that dependency.
4 · SYSTEM SCALES — The System Outlasts Any Individual · MONTHS 7–12
Directors independently run their teams. Escalation to VP rare — target: once per week max by Month 9.
Foundations (platform) team materially reducing delivery friction across product teams. Measure it — cycle time, integration incidents, shared service uptime.
CTO fully out of day-to-day execution management. Freed up for strategy, not unblocking engineers.
AI-native across all teams. Not a mandate — earned by Month 6 pilot results. The system outlasts any individual contributor.

DIRECT

Location: Grimsby, Ontario, Canada
Available: Immediate
Authorization: Open to US Remote (work permit discussion on request)

ENTITIES

EOSE Labs Inc. — Order #CN80670 · Incorporated 2026-03-29
DESEOF Sovereign Technologies Inc. — Incorporated 2026-03-29
PEMOS Sovereign Personal Technologies Inc. — Incorporated 2026-03-29
GitHub: kewinjoffe

WHAT THIS IS

This document was built before the first conversation with NetBox Labs. The assessment was done independently while evaluating NetBox as the structural layer of a sovereign fleet deployment.
That's the difference. Not a prepared applicant. A domain expert who did the work.