← Home
CURRICULUM VITAE

Malik Warren

Software engineer with roughly six years building the “who are you, and what are you allowed to touch” layer for systems where getting it wrong is catastrophic. My work sits at a rare intersection: production federal identity-proofing at scale (login.gov, a NIST 800-63 IAL2 platform serving 100M+ user accounts), the modern credential frontier (mDL / ISO mdoc, OpenID4VP over the W3C Digital Credentials API), and cleared AI delivery for defense. Core stack: Ruby on Rails, Python, React / TypeScript, and Go, on AWS.

malik@bluemetatech.comGitHub ↗LinkedIn ↗X ↗

Active Public Trust · delivery experience in cleared defense environments

EXPERIENCE

Software Engineer II, Fearless Solutions

2022 – present

login.gov (GSA / TTS) and U.S. Air Force programs · Jul 2022 – present

  • Core contributor to the identity-verification (IDV) pipeline on login.gov, the federal NIST 800-63 IAL2 identity-proofing platform serving 100M+ user accounts across 50+ agencies. 46 merged pull requests over roughly 13 months in the proofing and access-control layer.
  • Trusted peer reviewer on an access-critical federal codebase: reviewed 64 colleagues' pull requests and formally approved 53 over the same period.
  • Built AAMVA (DMV) identity-verification gating that blocks applicants from advancing until their state-ID data passes an authoritative-source check. Led the AAMVA reimplementation, a 1,438-line change re-architecting the flow with pending-session state and async DMV polling.
  • Designed a feature-flag-gated Proofing Agent API with mandatory request-header authentication, returning 404 when the capability is disabled and 400 on missing identifiers. Grants and scopes access to a sensitive capability based on approved use.
  • Hardened passport MRZ validation, adding Department of State verification, expiration enforcement, and US-issuer restriction as gates controlling whether a proofing session may proceed.
  • Identified and patched a file-upload exploit in the Acuant document-capture SDK across all deployed versions. Built the LexisNexis TrueID (DDP) document-authentication client and a manual-capture fallback, improving completion rates.
  • Enforced safeguards across the flow: gated downstream vendor calls on a passing source check, closed a fraud-check bypass for hybrid-flow users missing ThreatMetrix sessions, and added anti-bypass flow-policy enforcement.
  • On U.S. Air Force programs: core contributor to 5 production Go microservices on AWS GovCloud. Built the JWT authentication infrastructure (HMAC signing, token encrypt/decrypt, Secrets Manager), SAML 2.0 SSO, custom CSRF middleware, and reusable session/permission middleware extracted into a shared module.

Tech Lead & Product Owner, Saber Technology Solutions

2026 – present

Cleared federal AI delivery · Jan 2026 – present

  • Led design, development, and deployment of a cleared AI system for a federal agency, managing a 6-person team across 5 sprints.
  • Designed the full LLM architecture: an XML-structured prompt system (~6K tokens), full-context injection, forced tool use for structured JSON via Bedrock's toolChoice API, and chain-of-thought reasoning. Iterated accuracy from a 67% baseline to 98%, with 0% underclassification.
  • Built a provider abstraction layer (circuit breaker, exponential backoff, fallback chains) supporting Anthropic direct, AWS Bedrock, and Ollama behind a single factory interface, plus a benchmarking framework (14 metrics, A/B prompt testing, severity-weighted safety scoring).

Founder & Lead Software Developer, BlueMeta Technologies

2022 – 2025

Government technology consultancy · Jan 2022 – 2025

  • Selected for Hutch, the two-year government-contracting incubator, as one of eight companies in the Class of 2024.
  • Delivered $750K+ in lifetime contracts as a Google Cloud Partner, with clients including the U.S. Census Bureau, Harvard Business School, Morgan State University, and Texas Southern University.
  • Built the ByBlack Spend Tracker (React, Python, MongoDB, GCP) with Plaid integration, and MyBlockCounts with the University of Maryland, a React Native geospatial civic-reporting tool routing resident feedback to government agencies.
  • Developed federal environmental-justice spending visualizations (React, Node.js, PostgreSQL, GCP) with multiple HBCUs and the Bezos Earth Fund.

Tech Lead, Belay Technologies

2021 – 2022

Dec 2021 – Jul 2022

  • Led SummitRTS, a cloud-automation framework with GCP integration for provisioning, testing, and security. Built the WorkerManager provisioning system (Node.js, Express, PostgreSQL) and its React / GraphQL frontend.

Software Engineer, Northrop Grumman

2020 – 2021

Jul 2020 – Dec 2021

  • Worked on the Defense Travel System, a mission-critical app serving 100K+ military and DoD personnel daily (Java, Spring Boot, SQL). Built internal hiring/clearance-tracking and resource-allocation tools.

Software Engineer, Baltimore Healthy Start

2020 – 2022

Jan 2020 – Jan 2022

  • Built a client onboarding and tracking app (Django, PostgreSQL, JavaScript) replacing a manual intake process, with reporting that supported grant proposals.
SELECTED WORK, IN PUBLIC

login.gov is open source. A sample of my merged pull requests, on github.com/Mawar2, that you can read end to end:

#12960Proofing Agent API controller (search_user / proof_user): grants and scopes access to a sensitive capability#12977Mandatory request-header authentication on the Proofing Agent API#13222Only call downstream proofing vendors after an ID-validation check passes#12812AAMVA (DMV) in-person proofing reimplementation: pending-session state and async polling#12652AAMVA verification gate before the SSN step#12851Verify the hybrid flow before skipping the ThreatMetrix fraud check#12201Upload exploit fix in the Acuant document-capture SDK#12338Strengthen passport MRZ validation#12781LexisNexis TrueID (DDP) document-authentication API client#13191Hosted wallet logos and request spec (mobile driver's license)
STANDARDS & CREDENTIALS FRONTIER
TECHNICAL SKILLS
Identity & AuthNIST 800-63 identity proofing · mDL (ISO 18013-5/-7, mdoc) · OpenID4VP · W3C Digital Credentials API · KYC / in-person proofing · JWT · SAML 2.0 SSO · CSRF · session & permission middleware
LanguagesGo · Ruby · Python · JavaScript / TypeScript · SQL · Java
FrameworksRuby on Rails · Gin (Go) · React · Next.js · FastAPI · Node.js · GraphQL · Django · Flask
Cloud & InfraAWS (Bedrock, EC2, S3, Lambda, GovCloud, Secrets Manager, CloudWatch) · GCP · Docker · Terraform · CI/CD · DISA STIG
Data & AIPostgreSQL · Redis · MongoDB · Claude API / Bedrock Converse · LLM prompt engineering · provider abstraction
EDUCATION & CERTIFICATIONS
Morgan StateB.S. Computer Science, 2020
NVIDIAAgentic AI Certification, September 2025