Available for Contract & Consulting

When your backend can't afford to fail.

I've built and hardened production infrastructure for House.gov, NOAA, DISA, and DoD contractors — and recovered a state-sponsored attack with zero data loss in 48 hours. 25 years of mission-critical delivery. Fixed-price contracts. US & Europe.

Fixed-price contracts  ·  Remote  ·  US & EU clients  ·  Solo delivery — subcontractors available for scaled builds

25+ Years Delivering · 10+ Federal Clients · 99.5% Uptime Delivered
Las Palmas, Spain — Remote
Eric Maag
Senior Backend Engineer
What I won't do
Accept a brief without questioning it
Propose a rewrite to justify hours
Hand off a system that requires me to maintain it
Proof of Work

When the Attack Landed at 3am

2005 · International Trade Association · Incident Response
OIDA: State-Sponsored Attack Recovery
48-hour full recovery · $100K+ in fees protected · Zero data loss
The Situation

The Optoelectronics Industry Development Association ran their annual membership conference on a custom PHP platform. Three weeks before their flagship conference, a state-sponsored threat actor compromised the system — corrupting membership data, locking admin access, and exposing payment records. The board was 48 hours from canceling the event and refunding $100K+ in fees.

The Constraint

No offsite backups. No source control history past 6 months. Registrations were still processing from international attendees. Any extended downtime meant refunds, reputational damage, and potential PCI liability. I had one weekend.

What I Built

Forensic analysis identified the vector: an unpatched file upload handler that had been backdoored. I isolated the instance, recovered the database from transaction logs (there was no snapshot), and rebuilt with a hardened multi-tier architecture — separating the public form, payment processor, and admin panel into isolated access contexts, with audit logging on every state change.

Why It Was Hard

Recovering from no backup, under active conference load, while ensuring no persistent attacker access, while keeping live registrations processing. The normal answer is "restore from backup." There was no backup. There was no acceptable data loss.

Outcome
48h full recovery · Zero data lost · $100K+ fees protected · 25 hrs/mo overhead eliminated

Conference ran on schedule. The rebuilt architecture ran three subsequent conference cycles without incident and eliminated 25 hours/month of manual reconciliation between the payment processor and registration database.

PHP · Incident Response · Forensic Recovery · PCI-scoped Architecture · Custom RBAC · MySQL
How to Engage

Three Ways I Work With Clients

For: Companies handling sensitive data
Security Audit

You've never had a real security review — or you've been burned and need a post-mortem. I audit authentication flows, certificate infrastructure, and data exposure surface, then give you a written remediation roadmap ranked by severity.

  • Full auth & cert infrastructure audit
  • Written findings ranked by severity
  • Remediation roadmap with time estimates
  • Optional: I implement the top 3 fixes
Timeline: 2 weeks · Fixed price · €4–8K
Start with a scoping call →
For: Teams with legacy PHP they're afraid to touch
Backend Rescue

Your Drupal, Laravel, or custom PHP backend works — but it's fragile, slow, and nobody wants to touch it. I don't rewrite everything. I audit what exists, identify what's actually dangerous, and fix the things that matter.

  • Code & infrastructure audit
  • Prioritized technical debt map
  • 1–3 high-impact fixes implemented
  • Documentation of every change and why
Timeline: 4–8 weeks · From €8K
Tell me what's breaking →
For: Funded teams building production backends
Infrastructure Build

You need a production-ready backend architected to survive growth, compliance audits, and the next engineer who inherits it. I design it, build it, document it, and hand it off with runbooks your on-call can use at 2am.

  • Architecture design doc with trade-offs
  • Full implementation: API, DB, CI/CD, monitoring
  • Runbooks and handoff documentation
  • Optional 30-day post-launch support window
Timeline: 6–10 weeks · From €15K · Fixed-price or T&M
Scope my project →
Testimonials

What Clients Say

VH
Viktoria Hotvianska
NOAA — Federal Infrastructure
"Eric's deep expertise in Drupal and server infrastructure was critical to keeping our systems running at 99.5% uptime. His proactive approach to security saved us from potential disasters multiple times. I'd bring Eric back without hesitation for anything involving federal-scale infrastructure."

FF
Frank Feulner
Signa Sports United — Enterprise
"Eric led our microservices migration with precision. The AI-driven translation pipeline he built reduced our localization effort by 40% and the team trusted his technical leadership completely. Eric's the kind of technical lead you want when the project has no margin for error."

AA
Arvic Arevalo
Philippine Embassy — Multi-Tenant CMS
"When we needed someone to architect a multi-tenant CMS spanning 18 consulate sites, Eric delivered a solution that drastically cut our content management overhead while maintaining a unified brand. He delivered under a scope no other vendor was willing to take on."

Featured Work

Federal Agencies, Global Enterprises, Complex Systems

GitHub ↗
US Federal · DevOps
Zero-error launches · Constituent email at congressional scale

US House of Representatives

Contracted to House.gov to build and deploy official websites for incoming congressional members via a standardized DevOps pipeline. Automated provisioning of Drupal-based member sites across multiple offices, and architected bulk constituent email broadcast systems managing large-scale district mailing lists.

Drupal · CI/CD · Bash · Email Infrastructure · Linux
DoD · Security
Zero non-compliance findings · PKI across DoD infrastructure

DISA & NAVSUP Security Hardening

Security contractor for the Defense Information Systems Agency (DISA.gov) and Naval Supply Systems Command (NAVSUP.mil). Implemented X.509 certificate infrastructure and PKI-based authentication hardening across DoD web properties to meet federal security standards.

x509 / PKI · TLS Hardening · Cert Management · DoD Compliance
Enterprise
40% less translation effort · 30% faster loads · 50% faster processing

Signa Sports United

Led team building scalable microservices architecture for a multi-brand sports retail conglomerate. Implemented AI-driven translation services and CI/CD pipelines across international markets.

Symfony · Docker · MongoDB
Government
99.5% uptime · $150K annual cost savings

NOAA Infrastructure

Architected a high-availability system across 3 US colocation centers. Automated database replication ensuring zero downtime for millions of users nationwide.

Drupal · MySQL · Bash · Multi-Region
Government · Data
National-scale real-time data · Automated ingestion replacing manual pipelines

USDA Crop Yield Aggregation

Built a real-time data aggregation platform for the US Department of Agriculture to compile and publish national annual crop yield reports. Integrated Apache Solr for high-speed indexing and Tika for automated document parsing from structured field reports.

Drupal · Apache Solr · Apache Tika · MySQL · Linux
Security · Incident Response
48h recovery · Zero data loss · $100K+ fees protected

OIDA Security Recovery

Recovered from a state-sponsored cyberattack in 48 hours with no backups and live registrations still processing. Rebuilt with a hardened multi-tier architecture with audit logging on every state change.

Incident Response · Forensic Recovery · PCI-scoped Architecture · MySQL
Fintech · Nonprofit
PCI-compliant donations across 20+ countries

FINCA International

Managed the full web presence for FINCA International, a global microfinance organization operating across 20+ countries. Built and maintained their Drupal platform and integrated a PCI-compliant payment gateway for online donations and financial transactions.

Drupal · Payment Gateway · PCI Compliance · PHP
Multi-Tenant
60% reduction in content management overhead · 18 sites

Philippine Embassy CMS

Built a sophisticated multi-tenant CMS managing 18 consulate microsites with centralized administration, inherited branding, and role-based access control.

CMS Made Simple · Multi-Tenant · RBAC
Media
1,000+ articles/day automated · 4 agencies integrated

UPI News Platform

Custom news aggregation platform processing content from multiple international agencies with automated billing and editorial workflow management.

PHP · XML · MySQL · Custom CMS
Backend
90%+ bugs resolved within SLA

Nuro Media Backend

Scalable PHP backend applications built on clean architecture, with automated testing pipelines and performance optimization via Symfony and Doctrine ORM.

PHP · Symfony · PHPUnit · Doctrine ORM
Philosophy

I help organizations take back control of their own systems.

Too many engineering teams are held hostage by complexity they didn't choose. I build systems that are honest — where the architecture matches the problem and the next engineer can own it without a two-week handoff.

Architectural Honesty

I match the solution to the actual problem — not the most fashionable pattern. Every abstraction earns its place. Complexity is only introduced when simplicity has been exhausted.

Ownership by Design

Systems I build are meant to be handed off. Documentation, naming conventions, and pipelines are treated as first-class deliverables — not afterthoughts.

Security as a Baseline

After recovering government infrastructure from a state-sponsored attack in 48 hours, I treat security as a foundation — not a feature sprint. Embedded in architecture from day one.

How I Work

A Process Refined Over 25 Years of Delivery

01
Discover

Deep dive into your infrastructure, goals, and pain points. I ask the hard questions before writing a line of code.

02
Architect

Design scalable, maintainable solutions with clean architecture. Every decision prioritizes long-term stability.

03
Develop

Clean, tested PHP with SOLID principles. Every integration point documented, every edge case considered.

04
Deploy

Zero-downtime deployments via automated CI/CD pipelines with full monitoring and rollback ready.

05
Support

Proactive monitoring, security patching, and performance tuning — same care after launch as during build.

Technical Expertise

25+ Years of Solving Complex Engineering Problems

01
Backend Development
PHP · Laravel · Symfony · Python · MySQL · Bash · Linux/Unix
02
DevOps & Infrastructure
Docker · CI/CD · Multi-Region · Load Balancing · Git
03
CMS & Platforms
Drupal 6–10 · WordPress · Joomla · CMS Made Simple
04
Security & Compliance
x509 / PKI · TLS Hardening · Cert Management · Incident Response · Vuln. Assessment · DoD Compliance
05
APIs & Integration
REST API · Apache Solr · Apache Tika · Payment Processing · XML/Data
06
Languages
English: Fluent · Spanish: Fluent · German: Fluent · French: Intermediate
You have the architecture problem.
Let's talk — I reply within 24 hours.
Get in Touch ↗
FAQ

Common Questions

Do you work with EU data and GDPR-regulated projects?
Yes. I'm based in Spain (EU) and have worked on GDPR-compliant infrastructure for both European and US clients. I understand data residency, consent flows, and audit trail requirements — and I'll flag compliance gaps as part of any engagement.
What timezone are you in, and does that work for US clients?
I work 8am–6pm CET (Central European Time), which overlaps with US East Coast mornings and gives West Coast clients a same-day async window. I've collaborated with US federal agencies and DACH-based teams without issue.
Is this a solo operation or a team?
Primarily solo — which means you work directly with me on every deliverable, not a rotating cast of juniors. For larger infrastructure builds, I have a small network of trusted senior contractors I bring in for specific disciplines (DevOps, frontend) under my direction.
How do invoicing and contracts work?
I invoice in EUR via standard professional invoice (Spanish autónomo). Contracts are plain-language, milestone-based, and signed before work begins. US clients can pay via Wise or SWIFT transfer. Fixed-price projects are billed in two installments: 50% upfront, 50% on delivery.
Do you offer ongoing retainer support after a project ends?
Yes — all Infrastructure Build engagements include an optional 30-day post-launch support window. Beyond that, I offer monthly retainer agreements for monitoring, incident response, and incremental feature work. Ask me about current availability.
What's the fastest way to get started?
Fill out the contact form below with a sentence or two about what you're building or what's broken. I'll reply within 24 hours with questions or a proposed next step. No sales calls, no intake forms — just a direct conversation.
Start a Conversation

Let's Scope Your Project.

Tell me what you're building or what's broken. I'll reply within 24 hours.
