Matthew Mackes
SHEET 00COVER · PORTFOLIO & RÉSUMÉ · REV. A · 2026
Open to senior security & AI-governance roles

Secure systems · AI governance · 25+ years hands-on

Matthew Mackes.

// AI RISK & GOVERNANCE ARCHITECT — ZERO TRUST · DEVSECOPS ·
NETWORK ENGINEERING · FULL-STACK LINUX — BUFFALO, NY

Cybersecurity leader with 25+ years of hands-on-keyboard experience — AI risk and governance architecture, strategic program management, and deep technical architecture across highly regulated, enterprise-scale environments. I also build the platforms I secure.

FIG. 0 · WIREFRAME

BUILDER-OPERATOR · SECURES & SHIPS THE STACK

Current role: AI Risk & Governance Architect, Best Western Hotels & Resorts
Experience: 25+ years, hands-on-keyboard, enterprise-scale
Based: Buffalo, NY, USA · on-site / hybrid / remote
Core domains: Zero Trust · AI Governance · DevSecOps · Cloud · Full-stack Linux
A-04

Experience & Education

// 25+ YEARS · SECURITY ARCHITECTURE & ENGINEERING
– Present · 10 months · United States

CyberSecurity Architect — Enterprise Architect, Global Data & AI Risk

Best Western Hotels & Resorts
  • AI risk architecture & governance for Microsoft Copilot (M365) — DLP, ethical-use guardrails, and integration across the M365 suite while managing generative-AI risk, hallucination, bias and sensitive-data exposure for a global workforce.
  • AI governance for GitHub Copilot & IDEs — secure deployment from IDE to repository with code security, IP protection and compliance scanning.
  • Global enterprise Data & AI risk governance; regulatory compliance (GDPR, CCPA, EU AI Act); resilient, secure-by-design AI frameworks. Microsoft Solutions Architect (AI focus).
9 months · Buffalo, NY

Cyber Security Architect, Senior Manager

Kforce Inc · contract — Marriott Hotels (GIS Security Architect)
  • Cyber security architecture reviews for full-stack services and workloads, ensuring compliance with organizational standards.
  • Governance for secure cloud, on-premises workloads and IoT security — identity controls, network design, automation, SaaS/IaaS deployment reviews with evidence-based testing.
4 months · Buffalo, NY

Senior Technical Engineer, Privileged Access Management

Lighthouse Technology Services · contract — M&T Bank
  • Led discovery and RFP for a new enterprise Privileged Access Management solution (CyberArk, Delinea) — environment analysis, stakeholder & auditor interviews, vendor/proposal evaluation, findings and recommendations.
1 yr 7 mos · Buffalo, NY

Principal Cloud & Solutions Security Engineer · Team Manager

World Kinect Energy Services
  • Audited the org's on-prem → AWS transition; CISO/stakeholder reviews across the full CIO IT services portfolio.
  • CI/CD pipeline reviews, automated external-perimeter scanning, production patch & OS vulnerability lifecycle; Prisma Cloud + Microsoft Defender for observation and configuration review.
  • Identity configuration reviews — least privilege, multifactor, privilege-elevation controls.
1 yr 8 mos · Buffalo, NY

CyberSecurity Enterprise Architect

American Family Insurance
  • Senior architect for DevSecOps pipelines — security baked in via automation, GitLab.
  • SAST (Veracode, SonarQube), Terraform release automation, container scanning via Twistlock (Palo Alto) pre-publication and zero-day post, continuous perimeter and open-port detection.
2 yrs 5 mos · Buffalo, NY

CyberSecurity Enterprise Architect, Cyber Lead

HealthNow New York Inc.
  • Security architect for all systems in a regulated healthcare environment with a strong data-controls focus.
  • DevSecOps threat models; firewall & pen-test config; API secure gateways (IBM, AWS); SAST (SonarQube, Checkmarx) + DAST (Rapid7, OWASP ZAP); secure package/repository vulnerability management.
  • Cloud automation — Terraform IaC, Ansible, Microsoft Defender, Prisma Cloud; led CyberArk Vault + jump-server deployment and Azure AD / IAM least-privilege.
3 yrs 5 mos · Buffalo / Niagara, NY

Enterprise Architect, Infrastructure Domain | Assistant Vice President

M&T Bank
  • Enterprise Architecture & Data Technology Group — long-term technology road-map and thought leadership to senior management.
  • Modeled bank consumption of SaaS/PaaS; onboarded AWS + Microsoft Azure (Azure AD, Intune, O365, SSO, MFA, privileged access, CASB); integrated fully-managed on-prem data centers (Red Hat Linux / OpenStack, Azure on-prem) to meet the bank's risk profile.
  • Led the shift to software-defined networking — OpenDaylight open standards integrating VMware NSX, Cisco ACI, Arista and SD-WAN; bare-metal-to-on-demand data-center automation.
12 yrs 1 mo · Buffalo, NY

Senior Lead: Data, Voice, Security & Virtualization Network Engineer

Delta Sonic Car Wash Systems
  • Dark-fiber / long-haul WAN across 24 sites — 3 rings at 20 Gbps bidirectional with fail-over; switching, firewalls, WiFi and VPN (Linux, Cisco, Alcatel, Adtran, Force10, Vyatta); OpenVPN, IPSec, Juniper SSL, PCI-DSS.
  • Open-source GlusterFS SAN/NAS at scale — 20 TB across 10 nodes; Citrix XenServer (50+ hosts, 10+ pools, iSCSI/NFS, DR fail-over & HA across geographies).
  • VoIP design/implementation (Digium Asterisk; WiFi/WAN VoIP on Red Hat/CentOS/Ubuntu/Debian); full-stack Linux admin (Postfix, Apache, MySQL, IPTABLES, SSH); IP video CCTV — 100+ Geovision systems, 1200+ cameras, 50+ TB/day.

Earlier

2001 – 2004
President & Chief Consultant — Mackes Consulting Corporation · information-systems consulting (network design, telecom strategy, business systems).
2000 – 2002
WAN Site Technician — Decision One (Verizon subcontractor) · T1/DSL/PRI WAN circuit installation; contract hardware repair for Sun, DEC, IBM, Dell.

Education

State University of New York (SUNY)

Computing Systems · Political Science

1995 – 2006

Certifications & Affiliations

  • Member of ISACA
  • DevOps Foundations
  • Collaboration Principles & Process
A-03

Profile & Skills Matrix

// BUFFALO, NY

I'm a Buffalo, NY–based cybersecurity leader with over 25 years hands-on. I direct enterprise-wide security programs, have managed portfolios of up to 45 concurrent projects, and embed security across the entire development lifecycle — deep DevSecOps, Zero-Trust network architecture, and AI risk & governance.

I'm comfortable advising everyone from C-level executives to developers — I've chaired a Security Center of Excellence, governed architecture for AWS and Azure adoption, and led on-prem-to-cloud integration under stringent risk profiles. And I build the platforms I secure.

// COMMON THREAD —
The same hands on the threat model, the network, the daemon and the UI.
Two open-source platforms — MAP2 (audio) and MDE (mesh desktop) — are
where 25 years of security & systems engineering ships as working code.

AI Risk & Governance

AI Risk Architecture · AI Governance · Responsible AI · Microsoft Copilot · GitHub Copilot · DLP & Guardrails · GDPR · CCPA · EU AI Act

Security Architecture & Governance

Zero Trust Architecture · Enterprise Security Architecture · Threat Modeling · Security Center of Excellence · Risk & Compliance · PCI-DSS · Program Management

Cloud & DevSecOps

AWS · Microsoft Azure · DevSecOps · CI/CD Security · Terraform · CloudFormation · Ansible · Python · BASH · SAST · DAST · SonarQube · Checkmarx · Prisma Cloud · MS Defender · CASB

Identity & Access

Privileged Access Mgmt · CyberArk · Delinea · IAM · Azure AD · SSO · MFA · Least Privilege

Network, Infrastructure & Platforms

Network Engineering · SDN · Cisco ACI · NSX · SD-WAN · OpenVPN · IPSec · Full-Stack Linux · RHEL · Debian · GlusterFS · Virtualization · XenServer · VoIP · Asterisk · Rust · C++ · Python
A-01

MAP2 — Mackes Audio Platform

// OPEN INSTRUMENT PROCESSOR FOR LINUX

MAP2 turns a standard x86_64 computer into a professional audio appliance — an open, transparent alternative to closed-box modelers. It runs hard real-time signal processing for guitarists, keyboardists, producers and live engineers, with deterministic routing and snapshot-portable chains.

<3 ms latency* · 100+ capabilities · NAM amp models · IR cabinets · Dual parallel chains · JSON recipes · Multi-surface control

Architecture — four-layer separation

L1 · RT · Engine: JUCE / C++ DSP · hard real-time callbacks · latency instrumentation
L2 · ORC · Control plane: Python · FastAPI · WebSocket · JSON chain recipes & snapshots
L3 · UX · Operator surfaces: Web · TUI · hardware LCD · MIDI controllers & pedals
L4 · NET · Cluster fabric: AVB streams · gPTP time sync · single-box → multi-node topology

Where my background shows up

TOP SKILLS: DIGITAL AUDIO · CLUSTER
Domain depth, not a hobby

"Digital Audio" and "Cluster" are listed career skills — MAP2 is the hands-on expression of both, from DSP to an AVB cluster fabric.

12 YRS VoIP · DIGIUM ASTERISK
Real-time audio over Linux

A decade designing Asterisk VoIP on Red Hat/CentOS is the direct lineage to a low-latency Linux audio engine.

CARRIER WAN · gPTP / AVB
Deterministic, time-sensitive networking

Dark-fiber rings and fail-over WAN translate into sub-millisecond clock sync across an audio cluster.

API DEVELOPMENT (top skill)
Clean control-plane architecture

The FastAPI/WebSocket orchestration layer is the same secure-by-design API discipline I bring to the enterprise.

* TARGET ON TUNED HARDWARE

A-02

MDE — Mackes Desktop Environment

// SECURE · SIMPLE · CENTERLESS WORKGROUP

MDE replaces Fedora's normal desktop with one built around a single idea: your computers should work together as a team. Up to eight peers join an encrypted mesh and behave like one machine — live file sharing, shared clipboard, cross-peer notifications, media streaming, and ssh peer-name with no keys or IPs to manage. No central server: the workgroup is centerless by design.

≤8 peers · Rust · Wayland · sway · Nebula overlay · Gluster mesh-home · Bus IPC · SELinux posture

Topology — centerless peer mesh

[Figure: seven equal PEER nodes in a flat mesh, no hub]

NO HUB · EVERY PEER IS EQUAL · ENCRYPTED OVERLAY (UDP/4242)
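The page says peers are reachable as `ssh peer-name` with no keys or IPs for the user to manage, over an encrypted overlay. The block below is an added example, not MDE's own code and not a description of how MDE does it: it shows one plain way to get that property with stock OpenSSH, a generated ssh_config stanza per peer, plus the checks a reviewer would want before trusting such a generator. Everything specific is assumed: the peer names, the overlay subnet 10.42.0.0/24, the key path ~/.ssh/mesh_ed25519, and the cap of 8 peers (taken from the "≤8 peers" figure above).

```python
"""Added example (not MDE's code): render an ssh_config fragment for a small
centerless mesh so that `ssh <peer-name>` needs no IP in the user's hands.

Assumptions, constructed for this example and not taken from the page:
peers carry fixed addresses on an encrypted overlay subnet (10.42.0.0/24 here),
one local ssh_config stanza per peer supplies the name-to-address mapping, and
the cap of 8 peers mirrors the page's "<=8 peers" figure.
"""
import ipaddress
import re
from typing import Dict, Optional

MAX_PEERS = 8
OVERLAY = ipaddress.ip_network("10.42.0.0/24")  # assumed overlay range

# ssh_config is line-oriented: a peer name carrying whitespace or a newline could
# smuggle a directive (e.g. ProxyCommand) into the generated file, and '*' / '?'
# would turn a Host line into a pattern. Restrict names to a safe alphabet.
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,31}")


def validate_roster(roster: Dict[str, str]) -> Dict[str, ipaddress.IPv4Address]:
    """Check a {peer-name: overlay-address} roster; raise ValueError on any
    condition that would weaken the mesh's posture or corrupt the config."""
    if len(roster) > MAX_PEERS:
        raise ValueError(f"mesh supports at most {MAX_PEERS} peers, got {len(roster)}")
    used = set()
    peers = {}
    for name, addr in roster.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid peer name {name!r}")
        ip = ipaddress.ip_address(addr)       # raises ValueError on garbage
        if ip not in OVERLAY:                 # off-overlay peers bypass the encrypted path
            raise ValueError(f"{name}: {ip} is outside the overlay {OVERLAY}")
        if ip in used:                        # two names for one address is a spoofing foothold
            raise ValueError(f"{name}: {ip} already assigned to another peer")
        used.add(ip)
        peers[name] = ip
    return peers


def roster_error(roster: Dict[str, str]) -> Optional[str]:
    """The validation error message, or None if the roster is clean."""
    try:
        validate_roster(roster)
    except ValueError as exc:
        return str(exc)
    return None


def render_ssh_config(roster: Dict[str, str], identity: str = "~/.ssh/mesh_ed25519") -> str:
    """Emit one Host stanza per peer, sorted by name for stable diffs.

    IdentitiesOnly pins the mesh key so ssh never offers unrelated keys to a
    peer. Host-key checking stays strict: the overlay encrypts transport, but
    it does not by itself prove which peer answers a name, so known_hosts still
    matters.
    """
    peers = validate_roster(roster)
    lines = ["# generated: one stanza per mesh peer; traffic only traverses the overlay"]
    for name, ip in sorted(peers.items()):
        lines += [
            f"Host {name}",
            f"    HostName {ip}",
            f"    IdentityFile {identity}",
            "    IdentitiesOnly yes",
            "    StrictHostKeyChecking yes",
            "",
        ]
    return "\n".join(lines)


# Constructed sample roster; these are not real hosts.
SAMPLE_ROSTER = {"studio": "10.42.0.11", "laptop": "10.42.0.12", "nas": "10.42.0.13"}

if __name__ == "__main__":
    print(render_ssh_config(SAMPLE_ROSTER))
```

The generated fragment is meant to be written to a file included from ~/.ssh/config (OpenSSH's `Include` directive), so the user never touches addresses. The name regex is the part worth copying: any generator that writes user-supplied strings into a line-oriented config needs it, or a crafted peer name becomes a config-injection vector.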

Where my background shows up

25 YRS ZERO-TRUST ARCHITECTURE
Security designed in, not bolted on

MDE's flat-trust, no-central-server model and documented posture (SELinux, user-UID isolation, scoped capabilities) are Zero-Trust thinking applied to a desktop.

GLUSTERFS — 20 TB / 10 NODES
Distributed storage at scale

I ran open-source GlusterFS in production years ago; MDE's Gluster mesh-home is that experience, re-aimed at a personal workgroup.

OPENVPN · IPSEC · PAM · LEAST-PRIV
Encrypted overlays & access control

A career of VPNs, privileged-access management and least-privilege maps straight onto a Nebula mesh with one non-rotating credential.

FULL-STACK LINUX (RHEL/DEBIAN)
Systems engineering, end to end

Decades of Linux admin, virtualization and network automation underpin a Rust desktop that ships as one Fedora RPM via systemd.