Original broadcast 8/20/25
Presented by Carahsoft
Patrick Lorigan, Technical Director at the Air Force Research Laboratory (AFRL), has seen firsthand how full automation can transform software delivery in the Department of Defense (DoD). By building a completely automated DevSecOps pipeline, Lorigan and his team have slashed processes that once took weeks or months down to minutes—all while improving both security and quality. His work demonstrates that in modern military operations, speed and security are not competing priorities, but mutually reinforcing goals.
Lorigan describes AFRL’s pipeline as fully integrated from end to end. Every time a developer pushes an update to the software baseline, it triggers a series of automated actions: security scans, quality checks, regression testing, and functional testing. These steps, which historically involved extensive manual effort, now happen in minutes. This means new code is not only delivered faster but also with higher assurance that it meets security and performance requirements.
Security benefits are significant. In the past, code might be scanned only at the end of a development cycle. Developers would then have to sift through a long list of vulnerabilities, prioritize the most severe, and defer or ignore the rest. Now, vulnerabilities—whether critical or low-level—are caught and addressed immediately. This continuous attention to security reduces risk and prevents the accumulation of unresolved issues that could undermine a system over time.
Getting to this point required significant up-front investment. Lorigan is quick to point out that while the automated process appears seamless to product teams, it is the result of years of effort—selecting tools, integrating them, and securing authority to operate (ATO) from the organization’s authorizing officials. This preparation phase is essential; without it, automated delivery cannot operate at the speed or scale AFRL now enjoys.
Maintaining the pipeline is also a continuous effort. Lorigan’s team rolls in updates every few weeks, addressing high-priority security patches as soon as they are available. They also evaluate new tools, sometimes replacing existing ones when better, more cost-effective options emerge. This adaptability ensures the pipeline stays current with evolving threats and technology trends.
However, Lorigan’s experience has revealed an important reality: just because his team can deliver updates in minutes doesn’t mean users always want them that quickly. In commercial contexts, consumers may not notice—or may even expect—frequent updates. In operational military environments, though, users often prefer more predictable release schedules. Stability is critical when software supports mission-critical operations, and sudden changes can be disruptive.
This need for “rigidity,” as Lorigan puts it, requires balancing speed with operational readiness. His team works closely with users to schedule updates at times that minimize disruption, while still ensuring critical fixes and improvements are delivered promptly. It’s a reminder that DevSecOps is as much about aligning with user needs as it is about technical capability.
User engagement is central to AFRL’s approach. Lorigan’s product teams communicate with users regularly—sometimes every few days for fast-moving projects, and at least monthly for slower-moving ones. This ongoing dialogue helps ensure that updates reflect actual operational requirements, not just developer assumptions. It also allows teams to gather feedback quickly, address issues early, and make informed decisions about future enhancements.
Lorigan stresses that success is not just about giving users exactly what they ask for. Instead, his teams look for solutions that best serve the overall system and mission. When multiple user groups request similar features in different ways, it falls to the development teams to find an approach that meets everyone’s needs without creating unnecessary complexity.
AFRL’s long-standing commitment to zero trust principles has also influenced how Lorigan’s team works. Partnering with Platform One early on, they have built security into their operations from the start. This foundation ensures that the pipeline’s speed does not come at the expense of security—a crucial consideration for any organization delivering software in a contested or high-risk environment.
Looking ahead, Lorigan is interested in how wider adoption of zero trust across the DoD will affect organizations like his that have been implementing it for years. As more services and programs align with these principles, opportunities for interoperability and shared capabilities will expand, potentially creating efficiencies across the department.
Lorigan’s work at AFRL offers a model for how automation can serve as both a technical and cultural enabler. By combining rigorous security and quality checks with close collaboration between developers and users, his team delivers software that is fast, reliable, and aligned with mission needs. The lesson is clear: automation is not just about speed—it’s about creating the conditions where speed and trust can coexist.
Key Takeaways
Fully automated DevSecOps pipelines can cut delivery timelines from months to minutes while improving security and quality.
Operational users may prefer predictable release schedules, even when rapid deployment is possible.
Regular user engagement ensures updates meet mission needs and maintain operational stability.