Over the past few days, insiders have been flooding my inbox with information on the NeoSystems implosion. (See here and here for prior reporting.)

This latest one is particularly damning and goes into some significant detail. Here’s the full text of what I received, edited only for grammar, with one factual removal I am holding for later (keep reading). I am keeping this source anonymous and should emphasize that I have not vetted all the information herein. Much of it, I have, though.

NeoSystems was purchased by High Street Capital. You can see them under their portfolio still today. Brad Mitchell was hand-picked by them to lead because he and David Carlino (CISO) told them that CMMC was the only way Neo could remain profitable. Brad hand-picked his wife, Susan, to be COO.

David Carlino was the driving force behind the push for CMMC, and Brad went right along. They continued to push CMMC [but] had no processes or procedures. Carlino is, and was, the person who was supposed to come up with them, and they had nothing but outlines in Smartsheets up until the end of the company. [They were] was asked for the minimum requirements of the offering and they could never be produced.

They signed clients without proper support personnel and would not listen to the people on the ground. David Carlino’s team voiced to HR and Brad Mitchell that, he (Carlino) was doing underhanded, fraudulent things to pass clients.

The notes include some allegations I cannot verify, so I don’t want to publish them just yet. They involve a claim that NeoSystems used a “friendly” CMMC C3PAO who passed NeoSystems clients despite a lack of cybersecurity controls. I will keep investigating that angle and report on it when I have definitive proof. The source named the C3PAO, so it should be easy to check. For now, I took that part out.

Back to the notes:

Jeff Huckle came in and said they were going to fix all the things that were wrong, installed a bunch of his yes men cronies. He did not replace Carlino. Instead they came up with a plan to write contracts that pointed to a web page for requirements in the contract. They could change the website at anytime, hence changing all the contracts that used them. They would change wording to absolve them of things they didn’t fufil.

Things took a turn for the worst in November 2025, [when] the employees were not paid. When pressed, the upper management said that a “big” client didn’t pay their bill and they didn’t have money to pay the employees until they did. Needless to say this led to lots of churn, employees left, threats of lawsuits against the upperr management etc. it was at this time that Brad Mitchell was removed by High Street. The company was split into two sides: an infrastructure side and a professional services side.

The infrastructure side [was] lead by Jeff Huckle, the professional services side lead by Susan Mitchell. High Street appointed Tim Kurth as the new CEO.

Jeff Huckle, David Carlino, and his “yes” men ran the “ISG” team and made a huge push to get all the clients out of the data center into cloud before 3/31/2026.  Some of the clients kept dragging feet and that date slipped.  They kept getting increasingly nervous and pushing for the clients to be moved.  All the while, as of the last meeting April 15th, Huckle, Carlino, and his yes men told the ISG staff that they were doing great, and that our EBITA was higher than ever, and saying they had big clients coming in and they were going to hire more staff.

Note: that would have been just one month before NeoSystems imploded. That’s not good. Continuing:

There was a move going on the day that the company was shuttered.  There were also clients that sent hardware to be configured, and others also being onboarded. They kept up a good face until 5 PM Eastern and let everyone go from the ISG side, while the ESG Side was sold to Bluestreet.  Susan Mitchell and Brad Mitchell now are at Bluestreet as NeoSytems ESG is owned by Bluestreet.

There were some Neo employees that worked on that move all weekend to not leave the customer in the lurch.  Jeff Huckle actually put out another email that night telling ex-employees to not tell customers Neo shut its doors.

I received multiple copies of that, and you can see it here.

I am sure that David Carlino and others hatched the plan they tried to put into motion on Monday.  They used the NeoSystems teams meeting to do this.  He had a defunct LLC, Adventure Security Advisors, and he brought it back to life on Monday.  Keep in mind that nobody turned down any access, etc., as all the infrastructure people were fired.  He and his people had access to all the systems, passwords, SharePoint, Office 365, Azure, basically everything.

They started calling clients on Monday to have them sign up with them to get their stuff back.

In all, and (again), I don’t see how a criminal investigation isn’t launched here. The class-action suits will be coming, too, of course. If Carlino is trying to essentially grab the clients they ghosted, but through his (revived) company, I suspect there’s some criming involved in that, too.

As usual, it does seem to be another bit of evidence that everyone involved in CMMC is wired differently than the rest of us. Wired badly, that is.

UPDATE 7 May 2026 (16:30 PM): New information has just come in regarding how NeoSystems even “blindsided” their new owners. Per one additional source, BlueStreet’s CEO Tim Zullo was not only stunned by the NeoSystems collapse, but a victim of it. The source reported (emphasis added by me):

Bluestreet acquired the accounting group last Friday (and by extension, the associated data) only to be blindsided by the immediate shutdown of the CMMC side which locked him out from his data. So, the only way he could access the data for the company he acquired was to just acquire all of the infrastructure too. Plausible but unless they are terrible at due diligence, likely this was all expected to go down like this.

Which raises questions on just how the bank approved this sale in the first place, seeing as how BlueStreet never seemed to have vetted the company they were buying.

The source says, “now BlueStreet holds the keys to all these admin accounts for all tenants,” and suggests (but does not state factually) that they believe BlueStreet has “some of the former employees on retainer” to handle credential requests from affected clients and that this likely includes Carlino’s new Adventure Security Advisors… so clients sticking with BlueStreet may not have any idea that their data is still being handled by the corrupt shitdicks who hosed this up in the first place.

A source also reports that BlueStreet may still be in trouble due to NeoSystems failure to pay its bills:

It’s unclear what services are behind in payment so while core MS 365 services are likely to remain up and running, all of the security tooling (SNC Defensible, etc) is likely behind on payment so from a security and compliance perspective, there are going to be some gaps for sure. In the meantime, no one can purchase new licenses so there’s significant operational impact.

And, next, I received a copy of the letter sent from Zullo at BlueStreet acknowledging — in as polite a way as he could muster — that he was sideswiped by this whole mess, too.

Finally — at least for the next hour before the next flood of scoops comes in — BlueStreet does not have any Cyber AB credentials for CMMC at all. Whereas NeoSystems held official RPO credentials, BlueStreet has none. I am not sure how that will affect clients using the NeoSystems services for CMMC conformity, since I believe the companies are required to have an RPO in the loop somewhere.

Mitchell, Carlino, Huckle: I know you are reading this, but you really need to lawyer up. As in criminal defense counsel. Right now, if you’re anything like your brethren in this profession, you see yourselves as untouchable, smug cyberbros. Ask Cask’s Mark Larsen how well that posture worked for him.

 

Advertisements
ISO 14001 Implementation