Public Money, Private Startups, and the Unanswered Questions Around Ed Carroll’s Rise at the Carolina Cyber Center

The public promise of the Carolina Cyber Center was straightforward: Montreat College and its cyber arm would help North Carolinians move into cybersecurity jobs through affordable, flexible training and industry-aligned instruction. C3’s own materials describe a path from little or no IT experience to an entry-level cybersecurity role in less than a year, and its public staff page identifies the center as founded by Montreat College.  

Also in this article: Was Carroll's business partner Jeremiah Smith a real cyber revenue leader producing measurable results for North Carolina’s taxpayer-supported cyber workforce program—or was C3 paying for a paper résumé, a startup story, and hours that belonged at a cheese shop?

But behind that workforce-development message, new questions are emerging about overlapping roles, grant-funded compensation, outside business ventures, and whether public money earmarked for cybersecurity training was adequately documented.

At the center of those questions is Ed Carroll, now publicly listed by C3 as executive director. Carroll’s highly unlikely rise inside the Carolina Cyber Center came during a period when Montreat’s cybersecurity ambitions were heavily supported by public funds. Reporting by The Assembly found that Montreat received an initial $2 million for a regional cybersecurity center, later obtained $30 million for cybersecurity programs, and received another $8 million for the cyber center. The same reporting found that, despite $40 million in public support over five years, less than $3 million had been used at that point and the long-promised cyber center building had not been constructed.  

No public record reviewed for this article proves that Carroll committed fraud, that C3 knowingly misused funds, or that Montreat leadership directed improper billing. But the public record does show enough overlap to warrant serious scrutiny of Ed Carroll's billing practices paid by President Paul Maurer and then Executive Director Larry Young, while Carroll was working full time on multiple other projects.

In June 2021, a Carolina Cyber Center blog post described Carroll as working full-time as a senior director for C3. That same year, Carroll and longtime associate Jeremiah Smith were publicly identified as cofounders of Edison Marks, an Asheville-area cybersecurity startup that received NC IDEA MICRO recognition in fall 2021. A 2022 startup profile said Carroll and Smith went from idea to product in a matter of months, won an NC IDEA grant in October 2021, and were building a cybersecurity scoring platform for small businesses. 

By early 2023, Edison Marks was still being publicly promoted. A Business RadioX profile described Jeremiah Smith as CEO and cofounder and Ed Carroll as cofounder and president, presenting Edison Marks as a platform intended to help small and midsized businesses understand and manage cyber risk. The same profile described Carroll as a "high-performing" sales and partner executive in the security space.  

See a supporting article here: https://hypepotamus.com/feature/edison-marks-north-carolina/ 

That creates the central question: while Carroll was publicly described as full-time at C3, what work was he performing for Edison Marks, what work was he performing for any other employer, and which hours—if any—were billed to grant-funded programs?

Working for more than one entity is not automatically unlawful. Founding a startup while employed elsewhere is not automatically fraud. But grant-funded work is different. Grant rules require financial records that identify the source and use of funds and are supported by source documentation. Federal rules also require compensation charged to awards to be based on services rendered during the period of performance and supported by appropriate records and internal controls.  

That is why the timekeeping question matters.

According to source-provided allegations, Carroll billed C3 for undocumented or loosely documented hours while also working on outside business interests. Those records have not yet been independently authenticated for publication. But if authenticated, they would raise a significant grant-compliance question: did C3 pay for actual documented cyber-center work, or did public money subsidize vague labor entries, overlapping employment, or startup activity?

The distinction is critical. The U.S. Department of Justice describes the False Claims Act as applying to knowingly false claims for payment or the knowing use of false records material to false claims. That does not mean every sloppy timesheet is fraud. It does mean that unsupported, knowingly inaccurate, or mischarged labor connected to public funds can become far more serious than an internal HR issue.  

Carroll’s compensation also deserves attention. ProPublica’s Nonprofit Explorer lists Carolina Cyber Center Inc. as a Black Mountain nonprofit with fiscal-year 2024 revenue of about $2.85 million, expenses of about $2.12 million, and net assets of about $3.58 million. The same filing lists Edward Carroll as interim executive director and reports $110,985 in compensation, plus $21,899 in related compensation, for the reported period.  

The filing also shows the center depended heavily on contributions and grants rather than earned program revenue. In fiscal 2024, ProPublica’s extracted filing lists more than $2.55 million in contributions and grants, compared with $266,310 in program service revenue. That does not prove Carroll failed to sell anything. It does, however, make commercial-performance questions fair game, especially if he was hired or promoted based on sales experience. But an inside source tells us that Carroll never sold a single meaningful cyber contract for C3 during his entire time working specifically in a sales capacity.

C3 and Montreat should be able to answer those questions plainly.

What cybersecurity contracts did Carroll personally originate? What revenue did those contracts produce? Which employers or outside entities was he working for while billing C3? Did C3 require contemporaneous time records? Were his hours charged to state funds, federal funds, private grants, Montreat funds, or a combination of accounts? Who approved those charges?

The Edison Marks story adds another layer. Public startup materials presented Edison Marks as a cybersecurity company using behavioral science to help small businesses improve security. Startup Wise Guys listed Edison Marks in its Cyber Xcelerator 2022 batch, and Vitosha Venture Partners described it as software for automated cybersecurity risk assessments.  Now, the website for the "revolutionary" AI platform he promised via Edison Marks re-directs to an Asian gambling website.

Was Edison Marks a scam? All for show? Designed to bolster his appearance?

The public record reviewed for this article suggests Edison Marks never became a meaningful operating cybersecurity company, never produced significant revenue, and never delivered measurable cyber outcomes. If Carroll’s C3 role was justified partly by his startup credentials, then C3, Montreat, and any public funders should be able to explain what due diligence was performed before he was placed in senior leadership.

The concern is not merely biographical. It is structural.

C3 sat inside a larger Montreat cyber ecosystem that included public appropriations, workforce-development promises, Carolina Cyber Center programming, and the Carolina Cyber Network. Public materials for the Carolina Cyber Network list Montreat President Paul Maurer as one of its executive directors and list Ed Carroll as coordinator of strategic partnerships.  

That means Carroll was not simply an employee buried in a back office. He was publicly positioned as a senior cyber-center figure, a strategic partnerships contact, and eventually an executive leader. If sources are correct that he billed vague or arbitrary hours, worked overlapping roles, or failed to generate meaningful sales while receiving substantial compensation, and admitted that he had no real cybersecurity experience, the issue belongs not just with Carroll but with the people who approved the structure. People like Dr. Paul J. Maurer, who has gone through three executive directors so far.

This is where Montreat’s leadership must answer. Not should. Must.

Who supervised Carroll? Who reviewed his outside employment or business interests? Who signed off on his compensation? Dr. Paul J. Maurer and Larry Young did. Were conflict-of-interest disclosures collected? Did anyone examine whether Edison Marks, its founders, or related entities received referrals, contracts, introductions, grant-funded benefits, or reputational value from C3’s taxpayer-supported platform?

The public does not need speculation. It needs records.

C3 and Montreat should release Carroll’s job descriptions, employment status, approved outside-work disclosures, grant-funded time records, sales targets, sales results, contract lists, compensation approvals, and any conflict-of-interest reviews involving Edison Marks. They should also disclose whether any C3, Montreat, Carolina Cyber Network, or grant-related money flowed to Edison Marks, Jeremiah Smith, Carroll-affiliated entities, or related vendors.

Until those records are produced, the question remains simple:

Was Ed Carroll paid public-interest cyber money to build real cybersecurity workforce programs — or did weak oversight allow grant-funded dollars to support promises, overlapping titles, and private ambition?

And what about Smith?

Sources tell us that Carroll and Smith went to school together, and are long time friends. One source said Smith calls Carroll "Fast Eddy" as a nick name. 

The Cheese Shop, the Cyber Startup, and the C3 Billing Questions Around Jeremiah Smith

Jeremiah Smith was publicly marketed as a cyber-startup founder, revenue operator, and growth executive. But sources with knowledge of Carolina Cyber Center accounting now say his C3 role deserves closer scrutiny for a simple reason: while Smith was allegedly billing C3, he was also publicly tied to other business activity, including Edison Marks and South Slope Cheese Co.

The question is not whether someone can own a cheese shop and work in technology. They can. The question is whether grant-funded or publicly supported cyber workforce dollars were paid for actual C3 work—or whether vague billing, overlapping roles, and weak oversight allowed money intended for cybersecurity programs to support private business activity.

Public records show Smith and Ed Carroll were promoted as cofounders of Edison Marks. That cyber-startup image matters because it appears to have helped position Smith and Carroll as credible players inside the publicly funded Montreat/C3 cyber ecosystem. In startup media, Smith was described as Edison Marks’ CEO and cofounder, with more than 15 years of marketing and sales leadership experience across SaaS, B2B technology, cybersecurity, and machine learning. Carroll was described as Edison Marks’ cofounder and president.  

But according to an accounting source familiar with C3’s internal operations, Smith’s actual C3 work product and sales results did not match the hype. The source alleges Smith billed C3 while his time, attention, and income-producing activity were divided among other ventures. Further, it is believed that Smith and Carroll drove lead generation into Edison Marks, not actually into C3. That allegation should now be tested against records: invoices, time entries, payroll records, emails, calendar entries, customer contracts, and C3 revenue reports.

The cheese-shop overlap is especially important because it is not merely rumor. Public reporting identifies Maria and Jeremiah Smith, along with Abby and Nate Day, as buyers of South Slope Cheese Co. in Asheville while working with Carroll both at Edison Marks and the Caroline Cyber Center. The shop’s work was described as hands-on and time-consuming: sourcing products, working with cheesemakers, telling product stories, and connecting customers with cheeses from across Western North Carolina. Culture magazine also featured Jeremiah Smith and the South Slope Cheese Co. team discussing the business, the community, and the impact of Hurricane Helene on the shop. One of our investigative journalists called the shop, and confirmed Smith was working at the same time while also claiming to be working at the Carolina Cyber Center. Another journalist made a trip to the Cheese Shop, and confirmed Smith worked the counter. This was deliberately done at the same time Smith was purportedly working at the Carolina Cyber Center and billing the center for his time.

That does not prove wrongdoing. But it raises a basic accounting question: when Smith was billing C3, where was he physically working, what work was he performing, and who approved the charges?

If Smith was at South Slope Cheese Co. tending the shop, working the counter, sourcing cheese, handling retail operations, or managing the business during hours billed to C3, that would be a serious issue. It could be fraud. Not just civil fraud, but criminal fraud. If those hours were charged to grant-funded cyber workforce programs, the issue becomes more than internal mismanagement. It becomes a potential grant-compliance problem.

To complicate things, sources allege Smith’s deliverables were thin and his sales performance was weak. If that is wrong, C3 and Montreat College should be able to prove it quickly. It can release a list of Smith-originated contracts, the value of each sale, the dates closed, the customer names or anonymized customer categories, and the revenue actually collected. If the sales existed, there should be a paper trail. If not, what was Dr. Paul J. Maurer paying for?

If the sales did not exist, then C3 and Maurer should explain why Smith was paid, who approved it, and whether any of his compensation came from restricted grant or public workforce-development funds. This is especially important because Montreat’s broader cyber funding has already drawn scrutiny. 

C3 and Montreat should answer the following directly:

• How much money was paid to Jeremiah Smith by C3, Montreat, Carolina Cyber Center Inc., Carolina Cyber Network, or any related entity?
• Was Smith paid as an employee, contractor, consultant, advisor, vendor, or some combination?
• Which grant accounts or funding sources paid him?
• Did Smith submit timesheets, invoices, effort certifications, or other documentation?
• Who approved his hours and payments?
• Was Smith working at South Slope Cheese Co. during any hours billed to C3?
• Did Smith disclose ownership or operating duties at South Slope Cheese Co.?
• Did Smith disclose Edison Marks or other outside roles?
• What cyber sales did Smith personally generate for C3?
• What revenue did those sales actually produce?
• Did Edison Marks, Smith, Carroll, or any related business receive money, referrals, introductions, or other benefits from C3 or Montreat?

Working multiple jobs is not automatically fraud. But billing a grant-funded organization for work not performed can become serious if the records are false, unsupported, or knowingly misleading. 

Smith was quoted as saying, “Cybersecurity is a long game. So taking small actions every day or once in a while to help improve your stance are all opportunities." Then why is EdisonMarks.com currently redirecting to an Asian gambling site? So much for the long game. Or, was he talking about a Long Con? Time will tell. 

2023 interview with Smith.