What CMMC Actually Is

Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD’s contractual enforcement mechanism for cybersecurity in the Defense Industrial Base (DIB). If your organization handles Controlled Unclassified Information (CUI) and wants to win DoD contracts, CMMC is the gate. It is not a best-practices framework — it is a pass/fail assessment tied directly to contract eligibility.

CMMC 2.0 replaced the original five-level model in 2021, consolidating it into three levels aligned directly to existing NIST standards. The final rule took effect in December 2024, meaning assessments are now a contractual reality, not a future requirement.

The Three Levels

Most defense contractors fall under Level 2. The operative document is NIST SP 800-171, and a third-party assessor organization (C3PAO) certified by the Cyber AB conducts the triennial audit. There is no partial credit on Level 2: deficiencies require a Plan of Action & Milestones (POA&M) with a credible remediation timeline to maintain contract eligibility during remediation.

The 14 Control Domains

NIST SP 800-171 organizes its 110 controls into 14 domains. Organizations consistently underestimate three of them:

Access Control (AC) — 22 controls The largest domain. Least privilege, session lock, remote access restrictions, and CUI access logging. This is where Zero Trust architecture directly maps to compliance: every AC control is easier to satisfy if you have an identity-governed, microsegmented environment. Organizations running flat networks with shared service accounts fail AC consistently.

Configuration Management (CM) — 9 controls Requires a baseline configuration for all systems, change control processes, and documented deviation approval. The practical requirement: every system in scope must have a documented configuration baseline in version control, and changes must go through an approval process. CI/CD pipelines with policy gates satisfy this natively.

Incident Response (IR) — 3 controls Deceptively short but operationally demanding. IR requires a tested, documented incident response plan and the capability to report incidents to DoD within 72 hours via the DIBNet portal. Many organizations have plans they have never exercised. Assessors ask for evidence of tabletop exercises, not just document existence.

The remaining 11 domains — Audit & Accountability, Awareness & Training, Identification & Authentication, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity — follow the same pattern: each control requires documented implementation and supporting evidence artifacts.

The System Security Plan

The System Security Plan (SSP) is the central artifact of a CMMC assessment. It must describe:

• The authorization boundary: exactly which systems, networks, and users are in scope for CUI handling
• Implementation status for all 110 controls (Implemented / Partially Implemented / Planned / Not Applicable)
• For every implemented control: the specific policy, procedure, or technical configuration that satisfies it
• All external service providers (cloud, managed services) and their inherited controls

The SSP is a living document. Assessors will cross-reference it against actual system configurations during the assessment. A well-written SSP with inaccurate technical claims fails faster than a sparse SSP that accurately reflects a partially implemented environment.

Where Organizations Actually Fail

1. Scope creep on the authorization boundary. Organizations try to shrink their CUI boundary to reduce assessment scope, but draw it too narrowly. When the assessor finds CUI flowing through a system excluded from the SSP, the entire assessment is at risk. Define the boundary conservatively, then work to reduce the actual CUI footprint.

2. Inadequate audit logging. AU controls require logging of user activity, privileged commands, and CUI access — with logs protected from tampering and retained for at least three years. Most organizations have logging enabled but lack the centralized SIEM, integrity protection, and retention policies the controls require.

3. Inherited controls without documentation. Cloud providers (AWS GovCloud, Azure Government) satisfy many controls at the infrastructure layer. But CMMC requires the organization to document which controls are inherited, from which provider, and under what shared responsibility model. “We use GovCloud” is not sufficient — the SSP must map inherited controls explicitly.

4. Software supply chain gaps. SR controls (from NIST SP 800-171 Rev 3, added in the 2024 rulemaking) require supply chain risk management: SBOM documentation, vendor vetting, and controls against counterfeit components. Organizations that have not updated their SSP for Rev 3 additions enter assessments with unmitigated gaps.

Connecting CMMC to Zero Trust

The DoD’s ZT Strategy and CMMC are complementary frameworks targeting the same underlying controls from different directions. The ZT pillar requirements directly satisfy CMMC control families:

• User pillar → AC (Access Control) and IA (Identification & Authentication)
• Device pillar → CM (Configuration Management) and SI (System & Information Integrity)
• Data pillar → MP (Media Protection) and AC data controls
• Visibility pillar → AU (Audit & Accountability)

Organizations implementing ZT architecture as a genuine operational model — not just for compliance — will find CMMC Level 2 assessments significantly easier. The controls are the same; ZT just implements them as automated, continuously enforced policy rather than documented procedures.

Summary: Assessment Is an Engineering Problem

CMMC 2.0 assessments are won or lost on evidence quality, not intent. The C3PAO is not evaluating whether your organization cares about security — they are evaluating whether each of 110 controls is implemented and documented. That is an engineering and documentation problem as much as a security problem.

The organizations that pass Level 2 assessments cleanly share three traits: an accurate, current SSP; technical implementations that match what the SSP claims; and evidence artifacts (screenshots, configuration exports, log samples, policy documents) pre-organized by control family. Build the evidence package as you build the controls, not the week before the assessment.

The deadline is no longer theoretical. Contracts are being awarded with CMMC requirements in the solicitation. The time to close the gap is before the assessor shows up.

The Runtime Governance Challenge

Most organizations govern AI during development—asking about training data, model versions, and CI/CD guardrails. While necessary, this only covers the system before it operates. The harder problem begins after deployment, when mission AI systems operate at the tactical edge with intermittent connectivity and high-stakes consequences.

In these environments, governance cannot stop at the pipeline. Build-time governance validates the system you intended to deploy; runtime governance constrains the system that is actually operating.

6 Core Runtime Capabilities

A runtime control plane for autonomous behavior is required to manage speed, trust, and accountability. This control plane needs six primary capabilities:

1. Context-Aware Authorization

Authority should belong to the mission context, not just a service account. An agent’s permissions should be dynamically scoped by mission role, data sensitivity, operational phase, and confidence thresholds.

2. Policy-as-Code at the Edge

Mission AI needs executable policy bundles that run locally. This “hybrid” model ensures that even when disconnected from a central control plane, the system continues to enforce approved boundaries.

3. Data Provenance and Freshness

The system must continuously evaluate data quality. If sensor data is stale or a source is degraded, the AI should lose the authority to take actions dependent on that data. No output should carry more trust than the data pipeline beneath it.

4. Human Authorization Thresholds

Human-in-the-loop is an engineering design problem. Runtime governance must separate recommendation from execution, ensuring that high-impact actions always trigger explicit human approval workflows.

5. Continuous Telemetry and Audit

AI-specific telemetry must capture more than just uptime. It must record model identity, prompt context, tool calls, and the policy logic behind every autonomous decision to support post-mission accountability.

6. Graceful Degradation

Every system needs designed failure modes. When confidence drops or data integrity is compromised, the system should automatically shift from autonomous to advisory mode or disable specific high-risk tools.

The Architectural Balance

A mature mission AI architecture requires four distinct layers:

1. Execution Layer: Where models and agents generate recommendations.
2. Runtime Governance Layer: Where actions are evaluated against live mission policy.
3. Telemetry Layer: Where behavior and approvals are recorded for audit.
4. Enterprise Layer: Where model approvals and policy bundles are managed centrally.

Summary

Autonomy without runtime governance is just automation with an accountability gap. The goal is not to slow operators down, but to ensure that speed does not erase accountability and that autonomous behavior remains strictly aligned with mission intent. Runtime governance is what keeps a system worthy of trust once it leaves the clean environment of the dashboard and enters the field.

The Mandate

In November 2022, the DoD released its Zero Trust Strategy and Roadmap — a directive requiring all DoD components to achieve department-wide Zero Trust Architecture by FY2027. The trigger was EO 14028 (May 2021), which ordered federal agencies to accelerate ZT adoption, followed by OMB M-22-09 setting hard timelines across the federal enterprise.

The DoD’s version goes further than most federal mandates. It defines 152 discrete ZT activities across two maturity tiers, holds components accountable to a published roadmap, and has a dedicated program office tracking progress. For an organization of this scale — millions of users, tens of thousands of systems, a mix of cloud and legacy — it is the most ambitious ZT program ever attempted.

The Seven Pillars

The DoD ZT framework is organized around seven capability pillars. Each pillar has its own activity set and target maturity level.

The Data and Visibility pillars are the hardest. Data tagging at scale in a multi-classification environment — where the same system may handle CUI, FOUO, and SCI — is an unsolved operational problem for most components. Visibility requires telemetry ingestion from systems that were never designed to emit it.

Two Levels: Target and Advanced

The strategy defines two tiers of compliance:

Target ZT — 91 activities covering foundational controls. This is the FY2027 requirement. Most components are building toward this baseline.

Advanced ZT — an additional 61 activities representing a more mature, automated, and analytically sophisticated posture. This is the long-term destination, not a near-term mandate.

The distinction matters operationally: Target ZT is survivable for legacy-heavy organizations. Advanced ZT assumes modern infrastructure, robust telemetry, and policy-as-code enforcement — capabilities that require significant re-platforming for many DoD components.

What DISA Is Building

DISA’s Thunderdome program is the reference implementation. Launched as a ZT pilot in 2022, Thunderdome provides:

• Secure Access Service Edge (SASE) architecture replacing legacy VPN tunnels
• Application-level access control via identity-verified micro-perimeters
• Zero Trust Network Access (ZTNA) brokered by DISA’s cloud-hosted infrastructure

Thunderdome is being extended to DoD enterprise endpoints and serves as the template for component-level ZT deployments. DISA also maintains the ZT Reference Architecture (ZT RA) v2.0, which provides the technical blueprint that program offices are expected to implement against.

Progress and Gaps

The ZT PMO — housed under the DoD CIO — publishes annual assessments. The picture as of early 2026 is mixed:

What’s working:

• Identity and credential management has accelerated. PIV/CAC enforcement and phishing-resistant MFA are broadly deployed across SIPRNet and NIPRNet.
• Cloud migration has created natural ZT on-ramps. New cloud-native workloads are being deployed ZT-first.
• Components with modern infrastructure (DIA, CYBERCOM, NSA) are tracking ahead of schedule on Target ZT activities.

What’s lagging:

• Legacy system integration remains the critical path risk. Many components operate COBOL-era back-office systems that cannot emit the telemetry ZT requires without middleware shims that introduce their own attack surface.
• Microsegmentation is the most-cited unmet control. Segmenting flat DoD networks at scale requires changes to physical switching infrastructure that procurement cycles can’t keep up with.
• Data tagging at the pillar level is largely manual in practice. Automated classification pipelines exist in classified enclaves but are not uniformly deployed.
• OCONUS environments — deployed tactical networks operating in denied or degraded conditions — have no clear ZT implementation path for several advanced controls.

The FY2027 Question

The FY2027 deadline for Target ZT is aggressive but achievable for the majority of DoD components — if procurement and integration timelines hold. The realistic risk is a two-speed outcome: modern, cloud-forward organizations clearing Target ZT, while legacy-heavy components receive waivers or partial credit on the 20–30 activities that require infrastructure modernization.

Advanced ZT by FY2027 is not the goal, and conflating the two tiers creates false urgency in the wrong places. Organizations should focus resources on the 91 Target activities before optimizing toward the Advanced tier.

Summary: The Accountability Layer

What separates the DoD ZT strategy from prior federal security mandates is the accountability structure. The ZT PMO has visibility into component progress, the roadmap is public, and waivers require documented justification. This is policy-as-code thinking applied at the organizational level: the intent is enforceable, measurable, and auditable.

The FY2027 target will stress-test that accountability layer. Components that treat ZT as a compliance checkbox will fail the activity audits. Those that treat it as an infrastructure migration — identity-first, microsegmentation second, telemetry third — have a clear path to completion.

The perimeter is gone. The question is only how long it takes each organization to finish building what replaces it.

The Era of AI as a Perimeter

In early 2026, the White House and Microsoft sent unambiguous signals: the era of treating AI as a standalone application is over. The 2026 National Cyber Strategy now mandates Zero Trust Architecture (ZTA) and AI security across federal networks. For defense contractors, the AI stack is the security perimeter, and it must be defended as rigorously as the network itself.

Why Traditional Zero Trust Fails AI

Traditional Zero Trust was designed for human users and managed devices. AI systems break this model in three fundamental ways:

1. The Identity Problem: AI agents often inherit broad service account permissions rather than scoped, verifiable identities.
2. The Data Problem: Models “absorb” data during training. Weights become data artifacts that carry the classification of their source, yet traditional labels can’t track floating-point weights.
3. The Verification Problem: Continuous verification built on behavioral baselines fails against non-deterministic AI agents whose outputs are variable by design.

A Framework for AI Zero Trust

Extending ZTA to the AI stack requires four primary enforcement layers:

1. Model Provenance and Attestation

Every model version must be cryptographically signed, traceable to a known training run, and documented via AI-BOM (AI Bill of Materials). Unsigned or unverified models must be blocked from deployment.

2. Agent Least Privilege

AI agents must operate under the strictest application of least privilege. Permissions should be scoped to specific repositories or tasks and automatically revoked upon completion. This is a technical implementation of AC-6 (Least Privilege) for automated systems.

3. Pipeline Integrity Gates

The CI/CD pipeline is the last line of defense. Organizations should implement AI-specific Policy as Code (OPA) gates that require human approval for any AI-authored changes to security controls or infrastructure manifests.

4. Technical Data Governance

AI data governance requires four-part lineage tracking:

• Lineage: Tracking every dataset used in fine-tuning.
• Sensitivity Labeling: Labeling model weights with the highest classification of their absorbed data.
• Output Filtering: Applying DLP controls to inference outputs.
• Post-Quantum Encryption: Encrypting all model weights on the 2030 federal migration timeline.

Summary: The Compliance Reality

If your AI system touches Controlled Unclassified Information (CUI), it is in scope for your CMMC 2.0 assessment. Organizations must add AI components to their System Security Plan (SSP), document model provenance as a configuration management (CM) control, and implement agent least privilege as an access control (AC) requirement.

The framework is clear and the tooling (SLSA, OPA, MLflow) is mature. The choice is whether to build this compliance in now or respond to an audit finding later.

The Shift to a Software-Defined Battlefield

Modern warfare is no longer defined by the range of a radar or the speed of a missile, but by the latency of a decision. While the 1990s focused on networked warfare, modern adversaries have built capabilities specifically to blind and isolate traditional forces. The answer is Joint All-Domain Command and Control (JADC2)—a strategic framework for connecting sensors and shooters across land, sea, air, space, and cyber into a single, coherent operational picture.

JADC2 is fundamentally a software architecture problem. It requires a “Data Fabric” that normalizes information across service-specific silos using modern cloud principles: event-driven architecture, API-first interoperability, and Zero Trust security.

From Kill Chains to Kill Webs

Traditional targeting follows a linear kill chain: find, fix, track, target, engage, and assess. This sequential process is fragile and slow. JADC2 enables a kill web—a resilient, parallel mesh where any sensor can cue any shooter. If one node is jammed or destroyed, the network reroutes.

Experiments in programs like the Air Force’s ABMS and the Army’s Project Convergence have demonstrated targeting cycle reductions from 20 minutes to under 20 seconds. This is not a future capability; as seen in Ukraine with tools like Starlink and DELTA, it is an architectural pattern being implemented today with commercial software and open standards.

The Engineering Toolkit for JADC2

Engineers building JADC2-aligned systems are utilizing the same toolkit as commercial cloud architects, adapted for physically hostile and electronically contested environments:

• Platform One / Iron Bank: Providing hardened, K8s-based DevSecOps foundations.
• Policy as Code (OPA): Enforcing security rules on disconnected edge nodes where manual review is impossible.
• GitOps (Flux/ArgoCD): Ensuring declarative state convergence for systems with intermittent connectivity.
• Zero Trust (NIST SP 800-207): Replacing perimeter security with continuous, identity-based authorization.

The Hard Problems Ahead

The technical concept is clear, but the execution faces significant non-technical hurdles:

1. Cross-Domain Security: Automating data sharing across classification boundaries requires new policy authorities, not just software.
2. CDIL Environments: Systems must function in Contested, Degraded, Intermittent, and Limited connectivity, requiring aggressive edge computing and local AI inference.
3. Acquisition Speed: Software evolves in days, but defense programs take years. The organization must evolve faster than the adversary can adapt.

The Bottom Line

JADC2 is the most ambitious software integration project in history. It will be won not by the side with the most hardware, but by the side that fields distributed systems, API design patterns, and DevSecOps practices most effectively. The software-defined battlefield is the present reality; the only question is the speed of implementation.

The End of Human-Only Assumptions

Every CI/CD pipeline was designed around one implicit assumption: a human wrote the code with conscious intent. AI agents—like GitHub Copilot Workspace, Devin, and Claude Code—break this assumption. They are already writing features, fixing CI jobs, and modifying infrastructure at speed.

When AI agents are in the loop, the CI/CD pipeline stops being a quality gate and becomes a governance layer. Traditional review ensures that human-reviewed code is consistent; AI-aware pipelines must catch emergent issues that only appear when agentic code interacts with a broader system.

Building an AI-Aware Pipeline

An AI-aware pipeline requires four fundamental additions to the standard DevOps workflow:

1. Provenance and Attribution

Every AI-generated change must be tagged at commit time with metadata: which model produced it, what prompt triggered it, and which human authorized it. Frameworks like SLSA and tools like Sigstore/Gitsign provide the necessary cryptographic chain of custody.

2. AI-Specific Static Analysis

Standard SAST tools catch known vulnerabilities, but AI can produce novel, semantically incorrect patterns. Pipelines need Semgrep rules tuned for LLM failure modes (hallucinated APIs, incorrect error propagation) and OPA/Conftest to enforce architectural invariants.

3. Hallucinated Dependency Detection

LLMs occasionally invent plausible but non-existent package names—a major risk for dependency confusion attacks. Mitigation requires strict lockfile enforcement and treating any unrecognized dependency in an AI PR as a high-priority human review item.

4. Intent-Oriented Human Review

When agents write code, human review changes character. It is no longer about mechanical correctness (tests handle that). It is about intent alignment: Should this feature exist? Does this infrastructure change match our architectural direction? The reviewer moves from checking the implementation to checking the decision.

Risk Modeling for Agentic Development

Organizations must explicitly model three primary agentic risks:

• The Compromised Agent: An agent manipulated via prompt injection to introduce backdoors.
• The Confident Hallucination: An agent implementing a security algorithm incorrectly while providing readable but false documentation.
• The Runaway Agent: An agent with broad permissions making individually reasonable decisions that lead to a collectively catastrophic outcome (e.g., mass resource deletion).

Summary: The GitOps Connection

GitOps is the governance structure that makes AI agents safe at scale. By making Git the single source of truth, every change an agent makes—from spinning up servers to updating manifests—becomes a versioned, reviewable pull request.

The pipelines we built for humans aren’t wrong; they are incomplete. The transition to AI-aware CI/CD is the organizational decision to treat agent governance as a first-class engineering concern before something goes wrong.

Open source software (OSS) has evolved from a niche movement into the bedrock of modern technology. Its collaborative model offers a unique combination of rapid innovation, community-driven security, and unparalleled flexibility. By mastering the open source stack, teams avoid vendor lock-in and tap into global innovation faster than proprietary cycles allow.

The Technical Payload: Industry Standards

The open source ecosystem is vast, but these tools have become the non-negotiable standards for modern engineering:

1. Control & Orchestration

• Git: The foundation of all collaboration and version-controlled intent.
• Kubernetes (K8s): The CNCF-maintained standard for container orchestration at scale.
• Docker: The definitive tool for ensuring application consistency across environments.

2. Infrastructure & Delivery

• Terraform / OpenTofu: Declarative Infrastructure as Code (IaC) for multi-cloud provisioning.
• Ansible: Agentless automation for configuration management and orchestration.
• Jenkins / GitLab CI: Customizable automation engines for the CI/CD backbone.

3. Observability & Monitoring

• Prometheus: High-performance systems and service monitoring.
• Grafana: The leading platform for querying, visualizing, and alerting on technical metrics.

Conclusion: A Shared Foundation

The tools we use shape the products we build. Mastering these foundations is only half the battle; the ecosystem thrives when users become contributors. Whether through code, documentation, or bug reports, helping maintain the open source foundation ensures that our collective infrastructure remains secure, robust, and capable of scaling to the next challenge.

Traditional security policies—Word documents, PDF checklists, and manual reviews—cannot scale with modern infrastructure. In a world where code deploys dozens of times per day, document-based policy is a liability. Policy as Code (PaC) solves this by expressing security rules as machine-readable, executable code version-controlled in Git.

Instead of a document stating “No public S3 buckets,” PaC uses logic (e.g., Rego) to automatically reject any infrastructure manifest that lacks encryption or blocks public access. This is testable, versionable, and automatically enforced in the CI/CD pipeline.

Why Policy as Code Matters

• Automatic Enforcement: PaC shifts security to the left, catching violations at the build gate rather than during a post-deployment audit.
• Testability: Policies can have unit tests, ensuring they correctly block risks while allowing legitimate traffic before they reach production.
• Auditability: Every policy change is a Pull Request in Git, providing a complete, tamper-evident record of who approved what rule and when.
• Scalability: A codified policy is enforced identically across 5 developers or 5,000, ensuring consistent governance across every team.

The Implementation Stack

Successful PaC implementation requires enforcement at four distinct layers:

1. Pre-commit: Lightweight checks (e.g., Checkov) running on developer workstations to catch obvious misconfigurations.
2. CI Pipeline: The primary enforcement gate where every PR is evaluated against the full policy set (using OPA or Sentinel).
3. Admission Control: Runtime enforcement in Kubernetes (via Kyverno or OPA Gatekeeper) to reject non-compliant resources that bypass CI.
4. Continuous Monitoring: Detecting “drift” in deployed infrastructure using cloud-native tools like AWS Config or Azure Policy.

Summary: Turning Gates into Guardrails

Policy as Code turns security from a periodic gate into a continuous guardrail. By making Git the source of truth for both infrastructure (GitOps) and security rules, organizations can ship faster with higher confidence.

Start small: pick five critical rules (e.g., encryption at rest, no hardcoded secrets), codify them, and add them to your pipeline. The hard part is the first policy; after that, automated governance becomes a natural property of the system.

The Necessity of Defense Agility

Agile—iterative progress, collaboration, and adaptability—is no longer optional for the defense industry. When threats emerge weekly, the traditional 18-36 month “Waterfall” cycle is obsolete. Iterative development allows systems to adapt to accelerating threat landscapes and integrate warfighter feedback in weeks, not years.

However, standard Silicon Valley Agile often fails in defense due to Documentation Gaps, Security Accreditation (ATO) bottlenecks, and Contractual Rigidity. The goal is not to adopt Agile blindly, but to adapt it for the unique constraints of high-stakes mission systems.

The 5 Pillars of Defense Enterprise Agility

To succeed, defense organizations must build a framework that balances speed with enterprise-grade governance:

1. Modular & IDIQ Contracting

Fixed-price contracts lock in requirements before learning happens. Defense leaders should pivot to modular contracting with sequential awards tied to demonstrated capability and IDIQ (Indefinite Delivery/Indefinite Quantity) task orders scoped per release.

2. Continuous ATO (DevSecOps)

Traditional security reviews happen at the end, creating 6-12 month delays. Agile defense requires embedding security engineers into teams and using Continuous ATO approaches where controls are verified incrementally via automated CI/CD pipelines (SAST, DAST, container scanning).

3. Automated & Versioned Documentation

Agile’s emphasis on “working software over documentation” can lead to sustainment nightmares. The solution is Automated Documentation: generating API docs from code and architecture diagrams from IaC, then versioning them in Markdown alongside the source code in Git.

4. Hardware-Software Decoupling

Pure Agile struggles with 3-year hardware cycles. Successful programs use Hardware Abstraction Layers (HALs) and Digital Twins to decouple software development from physical hardware milestones, allowing code to evolve even while components are in production.

5. Architectural Guardrails

Iteration without vision creates technical debt. Organizations must define a modular System Architecture upfront, using Microservices and clearly documented Interoperability Standards to allow team autonomy within defined technical boundaries.

The Bottom Line

Agile in defense is a mindset, not a checklist. It requires a fundamental shift in legal, cultural, and technical practice. Organizations that succeed will build systems that are modular, secure, and responsive to the battlefield; those that fail will continue building systems too rigid to adapt and too slow to matter.

GitOps applies DevOps best practices—version control, collaboration, and CI/CD—to infrastructure automation. By using Git as the single source of truth for declarative state, teams can manage complex systems through pull requests and automated reconciliation. In an era defined by AI-driven automation and software-defined warfare, GitOps has shifted from a convenience to a strategic necessity.

Why GitOps Matters Now

• Reproducibility for AI Agents: As AI agents handle more operations, GitOps provides the immutable infrastructure and audit trails necessary to maintain human oversight of autonomous decisions.
• Scale and Speed: Whether scaling a global SaaS platform or a distributed sensor network, GitOps enables continuous reconciliation, ensuring systems constantly converge toward their desired state.

Software-Defined Warfare: Lessons from Ukraine

The conflict in Ukraine has validated GitOps principles at scale. The battlefield is now a software-defined environment where victory depends on the speed of iteration.

1. Sensor Mesh Management: Saturation of the battlespace with sensors requires coordinated, declarative deployment across thousands of distributed nodes.
2. UAV Fleet Scaling: Managing thousands of drones requires version control for mission parameters and rapid iteration cycles to counter adversary jamming within hours.
3. Rapid Countermeasures: When new electronic warfare threats emerge, counter-algorithms are pushed through GitOps pipelines—tested, validated, and deployed to entire fleets simultaneously.

The GitOps Control Loop

A mature GitOps implementation rests on four core principles:

1. Declarative Configuration: Defining what the system should look like, not how to build it.
2. Version Control: Every change resides in Git with a full, immutable history.
3. Automated Reconciliation: Controllers (e.g., Flux, ArgoCD) continuously work to eliminate drift.
4. Observability: Providing real-time visibility into the actual state of every system.

For critical infrastructure, this must be augmented with Signed Commits for provenance and Air-Gapped Sync capabilities for disconnected operations.

The Bottom Line

GitOps provides the guardrails that modern automation requires. Whether you are managing cloud infrastructure or deploying software to thousands of drones, the operational framework remains the same. The side that can iterate fastest and reconcile most reliably holds a decisive advantage. GitOps is the engine that makes that speed possible.

Vibe Coding is a modern development philosophy that prioritizes intuitive, flow-based momentum over rigid upfront planning. In an era saturated with agentic AI, the developer’s role has shifted from manual syntax construction to defining the “vibe”—the overall intent, logic, and creative direction of the system.

It is characterized by:

• Flow-State Focus: Minimizing decision overhead and context-switching to maintain creative momentum.
• Agentic Partnership: Leveraging AI as a real-time collaborator that influences and accelerates the coding direction.
• Iterative Refinement: Starting with a working “feeling” or prototype and refining the architecture only after the core logic is proven.

The Vibe Coding Workflow

Vibe coding isn’t an absence of structure; it’s a different order of structure:

1. Define the Vibe: Establishing the core intent and “feel” of the feature.
2. Iterate with Agency: Using tools like Cursor or Claude to generate and refine logic in real-time.
3. Optimize Later: Delaying performance tuning and deep refactoring until the initial creative success is achieved.

This approach is ideal for Prototypes, MVPs, and Dynamic Environments where requirements evolve faster than traditional blueprints can be updated.

Balancing Spontaneity and Discipline

While vibe coding excels at speed and creativity, it requires a disciplined “cleanup” phase. Spontaneous code often accrues technical debt that must be addressed through:

• Architectural Review: Ensuring the “vibe” aligns with long-term system stability.
• Disciplined Refactoring: Hardening the organic code into production-grade logic.
• Documentation: Capturing the intent that might have been lost in the flow state.

The Bottom Line

Vibe coding is human-centered development. It leverages modern AI to handle the mechanical syntax, freeing the developer to focus on high-level problem solving and architectural intent. It’s not about abandoning best practices; it’s about finding the balance between spontaneous intuition and engineering discipline in a fast-paced, agentic world.

The best AI tools for vibe coding are those that amplify intuition without interrupting the flow. In 2026, the core stack has consolidated around three primary pillars:

• Cursor: The definitive AI-first IDE. With deep integration of models like Claude 3.5 and O1, it provides seamless tab-completion, refactoring, and natural language editing that feels native to the development process.
• GitHub Copilot: The industry standard for context-aware code completion. Its strength lies in reducing boilerplate and integrating directly into VSCode, JetBrains, and Vim.
• Claude (Anthropic): The preferred pair programmer for high-level architectural discussions, complex refactoring, and design reviews. Its long context window and reasoning capabilities make it the benchmark for technical discussion.

Specialized Technical Payloads

Beyond the primary editor, specialized tools handle the heavy lifting for specific domains:

• v0 (Vercel): Generative UI for React. It transforms text descriptions or sketches into high-fidelity, accessible components in seconds.
• Vercel AI SDK: The standard framework for building AI-powered applications, providing a unified API for streaming across multiple models.
• Eraser: An AI-powered whiteboarding tool that converts system design prompts into professional architectural diagrams and flowcharts.
• Codeium: A high-performance, privacy-focused alternative to Copilot that offers a robust free tier for individual developers.

The Optimal Workflow

To build a high-velocity vibe coding environment, consider this configuration:

1. Primary Editor: Cursor (for deep AI integration).
2. Architectural Partner: Claude (for design and logic review).
3. UI Accelerator: v0 (for rapid frontend iteration).

Final Guidance

AI tools are multipliers, not replacements. Use suggestions as high-quality starting points, but always perform manual reviews for security and architectural intent. The goal is to let the AI handle the syntax while you focus on the system’s “vibe”—its overall logic, user experience, and long-term maintainability.

Explain complex systems using visuals and simple terms. Whether you’re preparing for a System Design Interview or you simply want to understand how systems work beneath the surface, we hope this repository will help you achieve that.

Resource Index

• API and Web Development
  • Short/long polling, SSE, WebSocket
  • Load Balancer Realistic Use Cases
  • 5 HTTP Status Codes That Should Never Have Been Created
  • How does gRPC work?
  • How NAT Enabled the Internet
  • Important Things About HTTP Headers
  • Internet Traffic Routing Policies
  • How Browsers Render Web Pages
  • What makes HTTP2 faster than HTTP1?
  • What is CSS (Cascading Style Sheets)?
  • Key Use Cases for Load Balancers
  • 18 Common Ports Worth Knowing
  • What are the differences between WAN, LAN, PAN and MAN?
  • How does Javascript Work?
  • 8 Tips for Efficient API Design
  • Reverse Proxy vs. API Gateway vs. Load Balancer
  • How does REST API work?
  • Load Balancer vs. API Gateway
  • How GraphQL Works at LinkedIn
  • GraphQL Adoption Patterns
  • A cheat sheet for API designs
  • API Gateway 101
  • Top 3 API Gateway Use Cases
  • What do version numbers mean?
  • Do you know all the components of a URL?
  • Unicast vs Broadcast vs Multicast vs Anycast
  • 10 Essential Components of a Production Web Application
  • URL, URI, URN - Differences Explained
  • API vs SDK
  • A Cheatsheet to Build Secure APIs
  • HTTP Status Codes You Should Know
  • SOAP vs REST vs GraphQL vs RPC
  • A Cheatsheet on Comparing API Architectural Styles
  • Top 9 HTTP Request Methods
  • What is a Load Balancer?
  • Proxy vs Reverse Proxy
  • HTTP/1 -> HTTP/2 -> HTTP/3
  • Polling vs Webhooks
  • How do we Perform Pagination in API Design?
  • How to Design Effective and Safe APIs
  • How to Design Secure Web API Access
  • What Does an API Gateway Do?
  • What is gRPC?
  • Top 12 Tips for API Security
  • Explaining 9 Types of API Testing
  • REST API vs. GraphQL
  • What is GraphQL?
  • REST API Cheatsheet
  • The Ultimate API Learning Roadmap
  • The Evolving Landscape of API Protocols in 2023
• Real World Case Studies
  • 100X Postgres Scaling at Figma
  • API of APIs - App Integrations
  • The one-line change that reduced clone times by 99% at Pinterest
  • Is Telegram Secure?
  • Fixing Bugs Automatically at Meta Scale
  • How Levelsfyi Scaled to Millions of Users with Google Sheets
  • McDonald’s Event-Driven Architecture
  • Uber Tech Stack - CI/CD
  • How to Design Stack Overflow
  • Twitter 1.0 Tech Stack
  • How does Twitter recommend “For You” Timeline in 1.5 seconds?
  • How YouTube Handles Massive Video Uploads
  • How Does a Typical Push Notification System Work?
  • 4 Ways Netflix Uses Caching
  • Netflix Tech Stack - Databases
  • 0 to 1.5 Billion Guests: Airbnb’s Architectural Evolution
  • How Netflix Scales Push Messaging
  • Netflix’s Overall Architecture
  • Netflix Tech Stack - CI/CD Pipeline
  • How TikTok Manages a 200K File Frontend MonoRepo
  • How Netflix Really Uses Java
  • Evolution of Airbnb’s Microservice Architecture
  • Reddit’s Core Architecture
  • 10 Principles for Building Resilient Payment Systems
  • What is the Journey of a Slack Message?
  • Top 9 Engineering Blogs
  • Uber Tech Stack
  • Evolution of the Netflix API Architecture
  • How Discord Stores Trillions of Messages
  • Twitter Architecture 2022 vs. 2012
  • Evolution of Uber’s API Layer
  • Netflix’s Tech Stack
• AI and Machine Learning
  • 5 Functions to Merge Data with Pandas
  • Key Data Terms
  • ChatGPT Timeline
  • DeepSeek 1-Pager
  • The Open Source AI Stack
  • What is an AI Agent?
  • Data Pipelines Overview
  • How does ChatGPT work?
• Database and Storage
  • Read Replica Pattern
  • Pessimistic vs Optimistic Locking
  • How to Upload a Large File to S3
  • Types of Message Queues
  • Smooth Data Migration with Avro
  • The Ultimate Kafka 101 You Cannot Miss
  • Database Isolation Levels
  • Top 6 Data Management Patterns
  • Why is Kafka Fast?
  • Explaining the 4 Most Commonly Used Types of Queues
  • Time Series DB (TSDB) in 20 Lines
  • Differences in Event Sourcing System Design
  • Erasure Coding
  • Delivery Semantics
  • Change Data Capture: Key to Leverage Real-time Data
  • Can Kafka Lose Messages?
  • Storage Systems Overview
  • Explain the Top 6 Use Cases of Object Stores
  • Top Eventual Consistency Patterns You Must Know
  • B-Tree vs. LSM-Tree
  • How to Decide Which Type of Database to Use
  • Cloud Database Cheat Sheet
  • Types of Memory
  • Understanding Database Types
  • Top 4 Data Sharding Algorithms Explained
  • Top 6 Database Models
  • SQL Statement Execution in Database
  • What is Serverless DB?
  • Why PostgreSQL is the Most Loved Database
  • Top 10 Most Popular Open-Source Databases
  • Is PostgreSQL Eating the Database World?
  • How to Choose the Right Database
  • iQIYI Database Selection Trees
  • 8 Data Structures That Power Your Databases
  • How to Implement Read Replica Pattern
  • A Crash Course on Database Sharding
  • IBM MQ -> RabbitMQ -> Kafka -> Pulsar: Message Queue Evolution
  • CAP Theorem: One of the Most Misunderstood Terms
  • Consistent Hashing Explained
  • Types of Databases
  • Key Concepts to Understand Database Sharding
  • Database Locks Explained
  • A Cheatsheet on Database Performance
  • What does ACID mean?
  • Top 5 Kafka Use Cases
  • Types of Memory and Storage
  • 7 Must-Know Strategies to Scale Your Database
• Technical Interviews
  • How do SQL Joins Work?
  • What Happens When You Type google.com Into a Browser?
  • What Happens When You Type a URL Into Your Browser?
  • How to Ace System Design Interviews
  • Recommended Materials for Technical Interviews
• Caching & Performance
  • What is ELK Stack and Why is it Popular?
  • Why are Content Delivery Networks (CDN) so Popular?
  • How Big Keys Impact Redis Persistence
  • A Beginner’s Guide to CDN
  • The Ultimate Redis 101
  • Cache Systems Every Developer Should Know
  • Top 5 Strategies to Reduce Latency
  • Top 5 Caching Strategies
  • Things to Consider When Using Cache
  • Cache Eviction Policies
  • Memcached vs Redis
  • Low Latency Stock Exchange
  • Cache Miss Attack
  • Top 8 Cache Eviction Strategies
  • How Can Cache Systems Go Wrong?
  • Top 6 Elasticsearch Use Cases
  • How Does CDN Work?
  • How Redis Architecture Evolved
  • How Does Redis Persist Data?
  • How can Redis be used?
  • Why is Redis so Fast?
  • How to Learn Elasticsearch
  • What is CDN (Content Delivery Network)?
  • Frontend Performance Optimization
  • Which Latency Numbers Should You Know?
  • Top Caching Strategies
  • Top 9 Website Performance Metrics You Cannot Ignore
  • Top 5 Common Ways to Improve API Performance
  • Learn Cache
• Payment and Fintech
  • E-commerce Workflow
  • Digital Wallets: Banks vs. Blockchain
  • What is a Stop-Loss Order and How Does it Work?
  • What is Web 3.0? Why doesn’t it have ads?
  • SWIFT Payment Messaging System
  • 4 Ways of QR Code Payment
  • Handling Hotspot Accounts
  • Reconciliation in Payment
  • Unified Payments Interface (UPI)
  • How Scan to Pay Works
  • Money Movement
  • Payment System
  • How to Learn Payments
  • The Payments Ecosystem
  • Foreign Exchange Payments
  • How to Avoid Double Payment
  • How do Apple Pay and Google Pay work?
  • How VISA Works When Swiping a Credit Card
  • How ACH Payment Works
  • How does Visa make money?
• Software Architecture
  • Inter-Process Communication on Linux
  • Orchestration vs. Choreography in Microservices
  • UML Class Diagrams Cheatsheet
  • Amazon Prime Video Monitoring Service
  • Is Microservice Architecture the Silver Bullet?
  • Database Middleware
  • 9 Best Practices for Developing Microservices
  • Design Patterns Cheat Sheet
  • Key Terms in Domain-Driven Design
  • 8 Key OOP Concepts Every Developer Should Know
  • 18 Key Design Patterns Every Developer Should Know
  • 10 System Design Tradeoffs You Cannot Ignore
  • 9 Essential Components of a Production Microservice Application
  • 9 Best Practices for Building Microservices
  • 8 Key Concepts in Domain-Driven Design
  • 8 Common System Design Problems and Solutions
  • 6 Software Architectural Patterns You Must Know
  • How To Release A Mobile App
  • How Do Computer Programs Run?
  • Linux Boot Process Explained
  • MVC, MVP, MVVM, VIPER Patterns
  • The Ultimate Software Architect Knowledge Map
  • Typical Microservice Architecture
  • Top 5 Software Architectural Patterns
• DevTools & Productivity
  • Git Commands Cheat Sheet
  • How does Git Work?
  • JSON Crack: Visualize JSON Files
  • Git vs GitHub
  • Git Merge vs. Git Rebase
  • 30 Useful AI Apps That Can Help You in 2025
  • Diagram as Code
  • Top 9 Causes of 100% CPU Usage
  • Top 6 Tools to Turn Code into Beautiful Diagrams
  • Tools for Shipping Code to Production
  • Making Sense of Search Engine Optimization
  • Most Used Linux Commands Map
  • Linux File Permissions Illustrated
  • 5 Important Components of Linux
  • 15 Open-Source Projects That Changed the World
  • 20 Popular Open Source Projects Started by Big Companies
  • Linux File System Explained
  • Life is Short, Use Dev Tools
  • How Git Works
  • How do Companies Ship Code to Production?
• Software Development
  • Top 6 Most Commonly Used Server Types
  • How does Garbage Collection work?
  • A Roadmap for Full-Stack Development
  • What Are the Greenest Programming Languages?
  • Java Collection Hierarchy
  • Running C, C++, or Rust in a Web Browser
  • Top 8 C++ Use Cases
  • Top 6 Multithreading Design Patterns You Must Know
  • Data Transmission Between Applications
  • Blocking vs Non-Blocking Queue
  • Big Endian vs Little Endian
  • How to Avoid Crawling Duplicate URLs at Google Scale?
  • 10 Books for Software Developers
  • Top 8 Standards Every Developer Should Know
  • How Do C++, Java, Python Work?
  • 10 Key Data Structures We Use Every Day
  • A Brief History of Programming Languages
  • Top 6 Load Balancing Algorithms
  • The Fundamental Pillars of Object-Oriented Programming
  • Top 8 Programming Paradigms
  • Algorithms for System Design Interviews
  • Imperative vs Functional vs Object-oriented Programming
  • Explaining 9 Types of API Testing
  • The 9 Algorithms That Dominate Our World
  • Concurrency vs Parallelism
  • Linux Boot Process Explained
  • 11 Steps to Go From Junior to Senior Developer
  • 10 Good Coding Principles to Improve Code Quality
• Cloud & Distributed Systems
  • How AWS Lambda Works Behind the Scenes
  • 8 Must-Know Scalability Strategies
  • System Design Cheat Sheet
  • Cloud Disaster Recovery Strategies
  • Vertical vs Horizontal Partitioning
  • Top 9 Architectural Patterns for Data and Communication Flow
  • Top 6 Cases to Apply Idempotency
  • Top 5 Trade-offs in System Designs
  • How to Detect Node Failures in Distributed Systems
  • Why Meta, Google, and Amazon Stop Using Leap Seconds
  • The Fantastic Four of System Design
  • What makes AWS Lambda so fast?
  • Scaling Websites for Millions of Users
  • Resiliency Patterns
  • 25 Papers That Completely Transformed the Computer World
  • A Crash Course on Architectural Scalability
  • Must Know System Design Building Blocks
  • Monorepo vs. Microrepo: Which is Best?
  • How to Handle Web Request Errors
  • A Cheat Sheet for Designing Fault-Tolerant Systems
  • Typical AWS Network Architecture
  • Unique ID Generator
  • Amazon’s Build System: Brazil
  • Infrastructure as Code Landscape Cheatsheet
  • How do we manage configurations in a system?
  • How do we incorporate Event Sourcing into systems?
  • The 12-Factor App
  • Explaining 5 Unique ID Generators
  • Retry Strategies for System Failures
  • Cloud Monitoring Cheat Sheet
  • Why Use a Distributed Lock?
  • Top 6 Cloud Messaging Patterns
  • Most Important AWS Services to Learn
  • How to Transform a System to be Cloud Native
  • Hidden Costs of the Cloud
  • 2 Decades of Cloud Evolution
  • Cloud Cost Reduction Techniques
  • Top 7 Most-Used Distributed System Patterns
  • Cloud Load Balancer Cheat Sheet
  • AWS Services Evolution
  • Azure Services Cheat Sheet
  • A cheat sheet for system designs
  • CAP, BASE, SOLID, KISS, What do these acronyms mean?
  • System Design Blueprint: The Ultimate Guide
  • How to Design for High Availability
  • What is Cloud Native?
  • Cloud Comparison Cheat Sheet
  • Big Data Pipeline Cheatsheet for AWS, Azure, and Google Cloud
  • AWS Services Cheat Sheet
• How it Works?
  • How do AirTags work?
  • How is Email Delivered?
  • Design Gmail
  • How Google/Apple Maps Blur License Plates and Faces
  • Quadtree
  • Build a Simple Chat Application with Redis
  • Live Streaming Explained
  • How to Design a System for Internationalization
  • How to Design Google Docs
  • Payment System
  • Experiment Platform Architecture
  • Design Google Maps
  • Designing a Chat Application
  • Design Stock Exchange
  • How are Notifications Pushed to Our Phones or PCs?
  • What Happens When You Upload a File to Amazon S3?
  • Proximity Service
  • How Do Search Engines Work?
• DevOps and CI/CD
  • Top 10 Kubernetes Design Patterns
  • Some DevOps Books I Find Enlightening
  • Paradigm Shift: Developer to Tester Ratio
  • Push vs Pull in Metrics Collection Systems
  • Choose the Right Database for Metric Collection
  • Top 4 Kubernetes Service Types
  • Cloud Native Anti-Patterns
  • Kubernetes Tools Stack Wheel
  • Kubernetes Tools Ecosystem
  • Kubernetes Periodic Table
  • 9 Docker Best Practices You Must Know
  • Netflix Tech Stack - CI/CD Pipeline
  • Top 8 Must-Know Docker Concepts
  • CI/CD Simplified Visual Guide
  • Top 5 Most-Used Deployment Strategies
  • Kubernetes Command Cheatsheet
  • Kubernetes Deployment Strategies
  • How does Terraform turn Code into Cloud?
  • DevOps vs. SRE vs. Platform Engineering
  • Deployment Strategies
  • Logging, Tracing, and Metrics
  • Log Parsing Cheat Sheet
  • DevOps vs NoOps: What’s the Difference?
  • Why is Nginx so Popular?
  • What is Kubernetes (k8s)?
  • How does Docker work?
  • CI/CD Pipeline Explained in Simple Terms
• Security
  • What is DevSecOps?
  • Encoding vs Encryption vs Tokenization
  • Storing Passwords Safely: A Comprehensive Guide
  • Designing a Permission System
  • How Password Managers Work
  • Is PassKey Shaping a Passwordless Future?
  • Firewall Explained to Kids and Adults
  • Cookies vs Sessions
  • HTTP Cookies Explained With a Simple Diagram
  • Token, Cookie, Session
  • Sessions, Tokens, JWT, SSO, and OAuth Explained
  • How to Design a Secure System
  • Top 6 Firewall Use Cases
  • Top 4 Authentication Mechanisms
  • How Digital Signatures Work
  • How do we manage sensitive data in a system?
  • HTTPS, SSL Handshake, and Data Encryption Explained
  • Symmetric vs Asymmetric Encryption
  • Session-based Authentication vs. JWT
  • JWT 101: Key to Stateless Authentication
  • Is HTTPS Safe?
  • Cybersecurity 101
  • Cookies vs Sessions vs JWT vs PASETO
  • How does SSH work?
  • How Does a VPN Work?
  • How Google Authenticator Works
  • Types of VPNs
  • What is a Cookie?
  • OAuth 2.0 Flows
  • Top Network Security Cheatsheet
  • What is SSO (Single Sign-On)?
  • How does HTTPS work?
  • Session, Cookie, JWT, Token, SSO, and OAuth 2.0 Explained
  • Explaining JSON Web Token (JWT) to a 10 Year Old Kid
  • OAuth 2.0 Explained With Simple Terms
• Computer Fundamentals
  • Paging vs Segmentation
  • IPv4 vs. IPv6: Differences
  • Top 4 Most Popular Use Cases for UDP
  • How Does the Domain Name System (DNS) Lookup Work?
  • DNS Record Types You Should Know
  • TCP vs UDP for Online Gaming
  • What is a Deadlock?
  • Process vs Thread: Key Differences
  • OSI Model Explained
  • Visualizing a SQL Query
  • Explaining 8 Popular Network Protocols in 1 Diagram
  • What is the Best Way to Learn SQL?

License

This work is licensed under CC BY-NC-ND 4.0.

Over the years I’ve amassed a large collection of links, resources, tools and so on that I find useful in my trading/investing activities. I’m compiling those here, along with any that were shared with me via Twitter/Reddit/email/etc and seemed useful after a cursory look. While I’ve done my best to link to tools that are not only legitimate but also likely to stay active, alive and useful for the foreseeable future, obviously I have no control over these companies/websites and over time some of the links may break or situations may emerge that turn them into poor recommendations. Also, this list is not exhaustive by any means and may be updated in the future as new tools/resources emerge.

DISCLAIMER: In general, there is no preference given to any of these resources and this is not a recommendation to use them. Besides categorizing them and deciding to include some based on personal experience, I am not officially suggesting any opinion on any of these, but I do have experience with many of them and have tried to include things I’ve had good experiences with or that I personally use in my trading/investing activities.

Any links that are bold are things I either currently use or have used enough in the past to get a good feel for their quality/functionality, but that does not mean I am recommending them, only that I have personal experience with them. If it is not bold, it doesn’t mean I’ve never used it, only that it’s something I just use now and then or that it seemed handy at a cursory glance. In short regarding this entire list, I am not a financial advisor. Do your own due diligence and speak to a professional before making any financial decisions.

Resource Index

GETTING STARTED:

There are two general approaches to investing: active and passive. Active investing implies you are actively buying and selling stocks, bonds, options and so on, conducting research and making active decisions about the investments you make. Passive investing implies you are more disconnected from the market, passively investing money into mutual funds, ETFs, IRAs, 401Ks and allowing the managers of those funds to manage those investments, not focusing on individual stocks, or you may have hired a financial advisor or wealth manager. Neither approach will make you rich quickly. Using active approaches you are very likely to lose money as a beginner. Active investing takes a large amount of work and research and most people will not beat the market’s returns over the long term. If you are brand new, it’s best to start with passive approaches while you get your feet wet and learn about more active strategies, and gradually work towards becoming more and more active.

• Investopedia - How to Start Investing in Stocks
• The Ultimate Fundamentals Guide on What You Need to Learn First
• Fundamentals of Active Trading
• Five Things to Look for on Every Trade
• LazyFA Market Essentials
• Investopedia SEC Filings You Need to Know
• The Balance - Investing for Beginners
• The Balance - Understanding Interest Rates
• The Federal Open Who?
• Learn to Day Trade
• /r/stocks Wiki
• /r/stocks “Stick My Money Somewhere”
• /r/investing FAQ
• Tim Parker - News and the Stock Market
• Khan Academy - Stocks and Bonds
• Khan Academy - Funds and Other Investment Vehicles
• Investopedia Investing Essentials Category
• Jason Leavitt’s Free Mini Masterclass in Trading
• OptionAlpha Education Center
• Open Investing Guide - Simple Passive Portfolio

  TOC

  ---

  I’ve categorized brokers into two groups based on the types of clients they cater to. Long-term-focused brokers tend to offer IRAs, 401k’s and other types of retirement accounts. Active trading/professional brokers tend to have more advanced software, faster executions, and cater to traders who are more active in the markets. One is not necessarily better, and many people will use both.

BROKERS & TRADING SOFTWARE (Investing/Buy & Hold/IRA/Long-term):

• Fidelity
• Charles Schwab
• Merrill Edge
• TD Ameritrade Retirement
• E*Trade Retirement

  TOC

BROKERS & TRADING SOFTWARE (Active Trading/Professional):

• Thinkorswim (AKA ToS, from TD Ameritrade)
• Interactive Brokers
• Tradestation
• Speedtrader (PDT Only, $30k Minimum on Pro)
• Centerpoint Securities (PDT Only, $30k Minimum)
• Lightspeed
• Power E*Trade
• Tastyworks (Options-focused)

  TOC

BROKERS & TRADING SOFTWARE (Canadian):

• Interactive Brokers
• Questrade

  TOC

BROKERS & TRADING SOFTWARE (European):

• Degiro
• Interactive Brokers

  TOC

BROKERS & TRADING SOFTWARE (Reviews and Guides):

• Stockbrokers.com Investing Guides

  TOC

  ---

  GENERAL STOCK MARKET RESEARCH:

• Finviz - Lots of free research tools
• Finviz Relative Performance by Industry
• Finviz Relative Performance by Sector
• Finviz Recent News
• LazyFA - Automated Fundamental Analysis
• Barchart - Technical and Fundamental Analysis Tools
• Koyfin - Free Comprehensive Market Data for Investors
• Wallmine
• Grufity Stock Research
• TipRanks - Analyst Ratings and Market Research
• The Market Ear - Live Market News/Analysis
• IPOScoop - Lots of handy info on IPOs
• Stockrow - News, Fundamental Data and Screeners
• Stock Analysis - Free Online Stock Information for Investors
• StockComps - Compare Investment Returns
• BioPharmCatalyst - Biotech-Specific Research
• Macrotrends - The Long Term Perspective on Markets
• The Ultimate Investing Checklist
• Stock Market Analytics
• Market Chameleon
• CityFALCON - Personalized Financial News Feed and Data Warehouse

  TOC

  ---

  CALENDARS:

• Earnings Calendars:
  • Yahoo! Finance
  • Business Insider
  • Zacks
  • Earnings Whispers
  • Investing.com Earnings Calendar

    TOC

• Dividend/Ex-Dividend Calendars:
  • The Street
  • Dividend.com Ex-Div Date Search
  • Investing.com Dividend Calendar

    TOC

• Economic Calendars:
  • Finviz Economic Calendar
  • Investing.com Economic Calendar
  • IPO Monitor - Recent IPO Filings & Withdrawals
  • Federal Reserve Economic Release Calendar

    TOC

• Misc Calendars:
  • Investing.com IPO Calendar
  • Investing.com Split Calendar
  • Split History
  • BiopharmCatalyst FDA Calendar

    TOC

    ---

    TECHNICAL ANALYSIS (Education):

• Investopedia Technical Analysis
• Technical Analysis Strategies for Beginners
• Technical Analysis of Stocks
• LazyFA Technical Analysis Playlist
• COVID-19 Bear Market Analysis

  TOC

  ---

  TECHNICAL ANALYSIS (Tools/Resources):

• TradingView
• TC2000 Charting
• DAS Trader
• StockFetcher Technical Analysis Screener
• Thinkorswim (AKA ToS, from TD Ameritrade)
• TrendSpider - Technical Analysis Scanning, Backtesting, Alerts and Charting

  TOC

  ---

  FUNDAMENTAL ANALYSIS (Education):

• Investopedia Fundamental Analysis Category
• Coursera - Accounting Analytics
• The Balance - Income Statement Analysis
• The Balance - Analyzing a Balance Sheet
• Alhambra Investments Market Research
• /r/Stocks Fundamentals Wiki
• LazyFA Knowledge Base
• MarketWatch - Guide to Analyst Recommendations

  TOC

  ---

  FUNDAMENTAL ANALYSIS (Tools/Resources):

• LazyFA - Automated Fundamental Analysis
• Finviz - Financial Visualizations
• TipRanks - Analyst Ratings and Market Research
• Finbox
• Atom Finance
• Gurufocus - Value Investing & Market Insight of Investment Gurus
• Stockrow - News, Fundamental Data and Screeners
• Tiingo
• CSI Market
• StreetInsider Earnings Calendar
• StreetInsider EPS Insider
• Docoh - SEC Filing & Company Analysis
• Macrotrends - The Long Term Perspective on Markets
• Beeken - Investing Tools Reimagined
• sharelab - US Stock Comparison Based on Empirical Finance Academia

  TOC

  ---

  SCANNERS, SCREENERS & IDEA GENERATION:

• Finviz Screener
• LazyFA Screener
• Tiingo Screener
• Stockrow Screener
• TradingView Screener
• Wallmine Screener
• Market Chameleon Stock Screener
• StockFetcher Technical Analysis Screener
• TC2000 Realtime Scanning/Screening
• TradeIdeas Realtime Scanning/Screening
• StockCharts Predefined Scans
• Stock Market Watch Ideas
• Optionsonar - Unusual Options Activity & Order Flow Scanner
• FlowAlgo - Options Flow & Unusual Options Activity Scanner
• TrendSpider - Technical Analysis Scanning, Backtesting, Alerts and Charting
• SocialSentiment.io - Social Media Sentiment Analysis
• senatestockwatcher.com - Senate Stock Watcher
• Ortex.com - ORTEX

  TOC

  ---

  TRADE ANALYSIS & REVIEW:

• Tradervue

  TOC

  ---

  SEC FILINGS:

• Research & Education:
  • Official SEC Website
  • SEC Forms Index (PDF)
  • SEC Forms List
  • BamSEC - Financial Research Made Easier
  • LazyFA Market Events
  • Intelligize SEC Forms Quick Reference Guide (PDF)
  • Investopedia SEC Filings You Need to Know
  • Rank and Filed - SEC Filings for Humans
  • Docoh - SEC Filing & Company Analysis

    TOC

• Daily Filings by Type:
  • 10K & 10K/A - Annual Reports
  • 10Q & 10Q/A - Quarterly Reports
  • 8K - Material Events
  • 8K - Material Events, by Category
  • S-* - Securities Registration Statements
  • EFFECT - Effectiveness Notification for Securities Registration
  • 424B* - Prospectus Supplements/Secondary Offerings
  • Form 3 - Initial Insider Ownership Statement
  • Form 4 - Change in Insider Ownership
  • Form 5 - Change in Insider Ownership, Delayed Disclosure
  • SC-13* - Ownership Stakes
  • 13F - Quarterly Institutional Holdings Report

TOC

HALTS, SHORT SELLING AND EXCHANGE RESOURCES:

• Current NASDAQ Trading Halts
• NASDAQ Halt Codes
• NASDAQ Unlisted Trading Privileges Plan Resources
• UTDF Specification
• Time & Sales Flags (Sale Conditions): Summary of Page 6-17 of the UTDF Spec)
• High Short Interest Stocks
• Shortsqueeze.com - Short Selling Resources
• Current Threshold Securities
• Current SSR Securities (Short Sale Restriction/Uptick Rule)
• FINRA Daily Short Selling Volume Raw Data
• Short Volumes (for tracking daily short/long volume by ticker)

  TOC

  ---

  PAID TRADING SERVICES/EDUCATION/CHAT ROOMS:

• Bulls on Wall Street
• Investors Underground
• Warrior Trading
• Clay Trader
• Trade on the Fly - Active Trading Services
• Benzinga Pro

  TOC

  ---

  BOOKS:

• General Stock Market/Uncategorized
  • Common Stocks and Uncommon Profits
  • How to Make Money in Stocks: A Winning System in Good Times and Bad
  • Market Wizards
  • One Up on Wall Street
  • Reminiscences of a Stock Operator
  • The Intelligent Investor
  • /r/SecurityAnalysis Wiki

    TOC

• Active Trading and Speculation
  • A Complete Guide To Volume Price Analysis
  • Advanced Techniques in Day Trading: A Practical Guide to High Probability Day Trading Strategies and Methods
  • Getting Started in Chart Patterns
  • How to Day Trade for a Living: Tools, Tactics, Money Management, Discipline and Trading Psychology
  • How To Swing Trade: A Beginner’s Guide to Trading Tools, Money Management, Rules, Routines and Strategies of a Swing Trader
  • How To Trade in Stocks
  • Margin of Safety: Risk-Averse Value Investing Strategies for the Thoughtful Investor
  • Speculation as a Fine Art and Thoughts on Life
  • Stock Trading & Investing Using Volume Price Analysis: Over 200 Worked Examples
  • Technical Analysis of the Financial Markets: A Comprehensive Guide to Trading Methods and Applications (New York Institute of Finance)
  • The Alchemy of Finance
  • The Art and Science of Technical Analysis: Market Structure, Price Action, and Trading Strategies
  • The New Trading for a Living: Psychology, Discipline, Trading Tools and Systems, Risk Control, Trade Management
  • Trading from Your Gut: How to Use Right Brain Instinct & Left Brain Smarts to Become a Master Trader
  • Trading in the Zone

    TOC

• Valuation and Accounting Tricks
  • Beyond Earnings
  • Financial Modeling & Valuation
  • Financial Shenanigans: How to Detect Accounting Gimmicks & Fraud in Financial Reports
  • Investment Banking
  • Investment Valuation
  • Security Analysis and Business Valuation on Wall Street
  • The Dark Side of Valuation
  • Valuation (McKinsey & Co)
  • How to Keep Score in Business - Accounting and Financial Analysis for the Non-Accountant

    TOC

• Financial History/Psychology
  • Against the Gods: The Remarkable Story of Risk
  • All the Devils Are Here: The Hidden History of the Financial Crisis
  • Barbarians at the Gate: The Fall of RJR Nabisco
  • Boomerang: Travels in the New Third World
  • Broken Markets: How High Frequency Trading and Predatory Practices on Wall Street Are Destroying Investor Confidence and Your Portfolio
  • Den of Thieves
  • Extraordinary Popular Delusions and the Madness of Crowds (Harriman Definitive Edition): The Classic Guide to Crowd Psychology, Financial Folly and Surprising Superstition
  • Fatal Risk: A Cautionary Tale of AIG’s Corporate Suicide
  • Fed Up: An Insider’s Take on Why the Federal Reserve is Bad for America
  • Flash Boys: A Wall Street Revolt
  • Fooled By Randomness: The Hidden Role Of Chance In Life And In The Markets
  • Infectious Greed: How Deceit and Risk Corrupted the Financial Markets
  • Liar’s Poker (Prequel to the Big Short)
  • More Money Than God: Hedge Funds and the Making of a New Elite
  • Poor Charlie’s Almanack
  • The Big Short: Inside the Doomsday Machine
  • The Black Swan, Second Edition: The Impact of the Highly Improbable
  • The Frackers: The Outrageous Inside Story of the New Billionaire Wildcatters
  • The Great Crash 1929
  • The Predators’ Ball: The Inside Story of Drexel Burnham and the Rise of the JunkBond
  • The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron
  • When Genius Failed: The Rise and Fall of Long-Term Capital Management

TOC

• Options
  • Option Volatility and Pricing: Advanced Trading Strategies and Techniques
  • Options as a Strategic Investment
  • Options Made Easy: Your Guide to Profitable Trading (3rd Edition)
  • The Only Options Trading Book You’ll Ever Need

    TOC

    ---

    TOC

    CRYPTOCURRENCIES:

• A Crypto Primer: Currencies, Commodities, Tokens

  TOC

YOUTUBE CHANNELS:

• LazyFA - Lots of Educational Livestreams/Webinars
• Jose Najarro Stocks - Excellent Fundamental Analysis and Research
• Invest with Sven Carlin, Ph.D.
• Bulls on Wall Street - Lots of Technical Analysis/Active Trading Stuff
• Investors Underground - Same as Above
• Quoth The Raven Research - Speeches/Podcasts
• Chat With Traders - Tons of Awesome Interviews
• 0 to Hero Investing - Market Commentary and Stock Analysis

  TOC

  ---

  TALKS/SPEECHES:

• Chris Irons - Our Bullshit Economy
• Chris Irons - Short the Whole Fucking Thing
• Traders4ACause Talk Series
• Kunal Desai - How to Get Over Blown Up Trading Accounts and Win

  TOC

  ---

  STOCK MARKET MOVIES/DOCUMENTARIES:

• The Wolf of Wall Street
• Inside the Meltdown
• Boiler Room
• Too Big to Fail
• The Big Short
• Margin Call
• The China Hustle
• Inside Job
• Enron: The Smartest Guys in the Room
• Wall Street: Money Never Sleeps
• Dirty Money: Drug Short

  TOC

  ---

  I’ve categorized Twitter accounts into two groups. In general, I’ve tried to restrict this list to only those that are consistently active and sharing quality content

• Individuals/Small Services: These accounts are more likely to share active trading info, current market opinions, charts, trading ideas and the like, and may run chat rooms/alert/research websites or services.
• Professional/Research-Focused/Journalists/Capital Groups/Funds/HFT: These accounts tend to have a research/broader-market focus and are more likely to put out short/long theses, research reports, or write articles on major news outlets

TWITTER ACCOUNTS:

• Individuals/Small Services:
  • Chris Z
  • Jose Najarro Stocks
  • Oil Stock Trader
  • Diogenes
  • Psycho™
  • IncredibleTrades
  • Madaz
  • JE$US
  • SangLucci™
  • Scott Elliot
  • Dan Shapiro
  • Sandman
  • Doug Runner
  • Eric Wood
  • Offshorehunter
  • Paul J. Singh
  • Nathan Michaud
  • Vegastrader66
  • Emil
  • Steve Burns
  • KKern, TTB
  • Maribeth
  • BioRunUp
  • NYC Trader
  • Kunal Desai
  • SentimEntropy
  • 0 to Hero Investing

    TOC

• Research/Journalist/Funds/HFT: - Muddy Waters
  • GeoInvesting, LLC.
  • Citron Research
  • Hindenburg Research
  • Andrew Menaker, Ph.D.
  • Quoth the Raven Research
  • Kerrisdale Capital
  • SkyTides
  • Prescience Point Capital Management
  • The Street Sweeper
  • Eric Scott Hunsader (Nanex, LLC)
  • Adam Feuerstein
  • Haim Bodek

    TOC

DEVELOPER RESOURCES:

• General Resources
  • Alpaca Algorithmic Trading
  • Reddit /r/AlgoTrading ###### TOC
• Algo Trading Engines
  • QuantConnect
  • LEAN Algorithmic Trading Engine ###### TOC
• Data APIs
  • Tiingo - Enterprise Grade Financial Markets API
  • Intrinio
  • Quandl - Financial, Economic and Alternative Data
  • IEX Cloud - Financial Data Infrastructure
  • Xignite - Market Data Solutions
  • Polygon - APIs for Stocks, Forex and Crypto
  • SEC-API.io
  • Alpha Vantage
  • Norgate Data - Financial Market Data for Stocks, Futures and Forex ###### TOC

BLOGS/DISCUSSION FORUMS/LIVE CHATS/MISC RESOURCES:

• Stockaholics Trader’s Forum
• Estimize Earnings Calendar
• Investors Underground Blog
• Bulls on Wall Street Blog
• LazyFA Blog
• Reddit /r/StockMarket
• Reddit /r/Stocks
• Reddit /r/Investing
• Reddit /r/UndervaluedStonks
• Reddit /r/WallStreetBets
• Reddit /r/StockMarket Official Discord Live Chat
• Woot Street Live Chat
• Boiler Room Trading Discord

  TOC