Senior InfoSec Analyst · GRC Engineer

Turning compliance into a system that actually works.

I bridge the gap between federal security frameworks and modern software delivery, turning RMF, cATO, and Policy-as-Code from paperwork into pipeline-native automation. Then I build the tools and curriculum to help others do the same.

Ashley Pearce
Senior Information Security Analyst · Rise8
Top Secret
10+ Years
Wesley Chapel, FL
ashpearce
cATO · RMF · Policy-as-Code · CI/CD · GRC Engineering · USAF Veteran
10+ Years in Federal & Enterprise Security
100+ Systems Authorized Across Programs
20+ Organizations Supported
30+ Programs Spanning Federal & Enterprise
1000s of Controls Mapped & Automated
20+ Analysts Mentored & Developed

Security isn't the add-on. It's the foundation.

I'm a Senior Information Security Analyst embedded in an engineering team at Rise8, a defense software company built around continuous Authorization to Operate. My work lives inside the CI/CD pipeline, where compliance has to be automated, auditable, and fast, not a checklist someone prints before an audit.

My background spans GRC, Risk Management Framework, and federal compliance at Amazon, PepsiCo, and Sev1Tech, grounded by years of service as a Cyber Services Technician in the United States Air Force. That combination of military precision, enterprise scale, and modern software delivery is what shaped how I think about security programs today.

I'm also building the GRC Playground, a lab-based learning platform designed to turn compliance analysts into GRC engineers, because the skill gap in this field is real, and I've spent long enough watching it slow down good teams.


Continuous Authorization to Operate

Architecting cATO programs inside real software delivery pipelines, not theoretical frameworks. RMF that moves at the speed of deployment.

Policy-as-Code

Translating security controls into machine-readable, pipeline-native checks. If a human has to manually validate it every time, it's not a compliance program, it's a liability.

GRC Engineering

Building compliance infrastructure the same way engineering teams build software: versioned, testable, repeatable, and connected to the things that actually get deployed.

Educator & Builder

Creating curriculum, platforms, and content that closes the gap between traditional GRC analysts and the automation-first skills federal security programs actually need.

Inside the GRC Playground

Most compliance training teaches you what a control is. The GRC Playground teaches you what to do with it. Here's what the platform looks like and how a user actually moves through it.

Screenshots of the GRC Playground: landing page, skill paths, active lab, how it works, progress tracking.

Two paths. Real labs. Actual skills.

Users choose between two skill paths depending on where they are in their career. Path 1 covers RMF from the ground up for analysts who need a solid foundation. Path 2 moves into GRC engineering territory, where compliance stops being a document and starts being code.

Each path contains multiple labs that build on each other. Progress is tracked individually per user, so the platform meets you where you are rather than forcing a linear sequence that doesn't match your background.

Labs are built around real-world scenarios, not textbook examples. The platform is built on Vercel with Supabase handling authentication, user data, and progress state.

Vercel + Supabase
Hands-On Learning
Dual Skill Paths
Progress Tracking
Policy-as-Code

What a lab experience actually looks like

A walkthrough of the user journey inside a GRC Playground lab
1. Choose your skill path
After creating an account, users select a skill path based on where they are today. RMF Fundamentals is built for analysts who understand compliance conceptually but need structured, hands-on reinforcement. Entry Level GRC Engineering is for practitioners ready to move from documentation into automation. The platform surfaces relevant labs based on that choice, not a one-size-fits-all curriculum.

2. Enter the lab with real context
Each lab opens with a scenario grounded in something that actually happens in federal or enterprise security work. Not a fictional company with a fictional problem, but the kind of situation a GRC analyst or engineer actually faces: a misconfigured system, a control that needs to be implemented as code, an authorization package that needs to be built from scratch. The context matters because the skills only transfer if the problem feels real.

3. Work through guided exercises
Labs are structured as guided exercises with expanded explanations at every step. Nothing is left as an assumption. Each line of logic, each control decision, each automation choice is explained in plain language so the practitioner understands not just what to do but why it works that way inside a real program. This is where the mature ELI5 approach makes the difference between training that sticks and training that gets forgotten.

4. Connect it back to continuous authorization
Every lab closes with a wrap-up that ties the specific skill back to continuous authorization and what it means in a real cATO context. The goal is not just to complete the exercise but to understand where that skill sits in a modern, pipeline-native compliance program. Progress is saved automatically so users can return exactly where they left off across sessions.

Building the conversation around GRC engineering.

Compliance has a perception problem. It gets treated as a tax on engineering, a thing that slows teams down, a checklist that someone else manages. I've spent years working to change that narrative, both inside the organizations I've worked with and publicly through my LinkedIn content.

My content strategy focuses on making RMF, cATO, and Policy-as-Code accessible to the practitioners who need it most, not just the executives who sign off on it. The goal is a field where GRC engineers are as well understood and well respected as software engineers.

I post twice a week, mixing technical explainers, framework breakdowns, and practitioner-focused perspective on where federal and enterprise compliance is actually heading.

cATO & Continuous Authorization
Demystifying what continuous authorization actually means in practice, separating the real implementation from the buzzword version that shows up in vendor decks.
Policy-as-Code & RMF Modernization
Translating NIST controls into automation concepts that engineers can actually build, and GRC practitioners can actually own without becoming software developers.
GRC Engineering as a Career Path
Making the case for a new kind of security professional — one who sits at the intersection of compliance, engineering, and automation rather than being siloed in any one of them.
Practitioner Education & the GRC Playground
Using content to teach the skills the GRC Playground was built to develop, creating a pipeline from awareness to practice for analysts who want to level up.

A career built at the intersection of security and systems.

Dec 2023 — Present
Senior Information Security Analyst
Rise8 · Defense Software
Embedded in an engineering team delivering cATO, Policy-as-Code, and Compliance-as-Code within live CI/CD pipelines. Translating NIST 800-53 Rev.5 and NIST SSDF requirements into automated security controls using GitLab, ArgoCD, Trivy, SonarQube, Vault, OWASP ZAP, Cosign, and SD Elements. Advising Authorizing Officials on continuous authorization strategies. Active Top Secret clearance.
Aug 2022 — Dec 2023
Third-Party Security Specialist
Amazon · Enterprise
Performed large-scale security risk assessments for third-party vendors integrating with Amazon systems. Evaluated vendor security posture against internal standards and ISO 27001, produced risk analysis reports identifying vulnerabilities and compliance gaps, and partnered with vendors on remediation strategies.
Oct 2021 — Aug 2022
Security Exceptions Specialist
PepsiCo · Enterprise
Managed the enterprise security exception program supporting risk-based decision making across the organization. Assessed operational risk, designed compensating controls and mitigation strategies, and developed governance standards improving consistency in risk decisions.
Aug 2019 — Oct 2021
Cyber Security Analyst / GRC Subject Matter Expert
Sev1Tech · Federal Contracting
Led RMF compliance and risk management for classified and unclassified government systems. Managed full ATO lifecycle activities including eMASS tracking, security control assessments, and remediation planning. Built custom audit automation tooling and delivered training to 20+ technical and non-technical stakeholders.
Jan 2014 — Nov 2017
Cyber Services Technician
United States Air Force
Delivered systems administration and Tier 1–2 support for mission-critical communications systems. The discipline, precision, and mission-first mindset of this foundation informs everything that came after.

The technical depth behind the frameworks.

Frameworks & Compliance

NIST RMF / SP 800-53 Rev.5
cATO Programs
NIST SSDF (800-218)
FedRAMP / FISMA / CMMC
Continuous Monitoring

Engineering & Tooling

Policy-as-Code
GitLab / ArgoCD / CI/CD
Trivy / SonarQube / OWASP ZAP
Vault / Cosign / SD Elements
Python / Security Automation

Strategy & Leadership

GRC Program Design
Stakeholder & AO Advisory
Curriculum Development
Product Management
eMASS / ATO Documentation

Certifications & Education

CompTIA Security+
Active Top Secret Clearance
Product Management — Product School
Google UX Design — Coursera
Google IT Automation with Python — In Progress
B.S. Visual Arts, Graphic Design — Full Sail University
USAF Veteran

Ready to bring engineering-grade compliance to your organization?

I'm actively building toward a GRC Engineering Director role in federal and enterprise markets. If you're working on security programs that need to move at the speed of modern software delivery, let's talk.