DevOps Consulting & Audits

An external eye on your infrastructure — before something forces it.

Sometimes you don't need someone to build something. You need someone to look at what you have and tell you honestly: what's working, what's a risk you haven't thought about, and what you should fix first. I do infrastructure audits, architecture reviews, and DevOps assessments for engineering teams that want a second opinion — before a security audit, before a scale event, after an incident, or just because the tech lead left and nobody is sure what they inherited. The output is a written report with findings ranked by risk and an actionable remediation roadmap.

Who this is for

  • CTOs or VPs of Engineering who want an independent assessment of their infrastructure health
  • Engineering teams after a production incident who need root-cause analysis and hardening recommendations
  • Startups preparing for SOC 2 or ISO 27001 certification who want to know what's missing
  • Companies that acquired a codebase or infrastructure and need to understand what they own
  • Teams scaling rapidly and unsure if their infrastructure will hold

What you get

Written audit report

A structured report covering findings across security, reliability, scalability, cost, and operational maturity — each with a severity rating and remediation recommendation.

Risk matrix

Findings plotted by severity and effort-to-fix, so you can prioritise remediation work by impact.

Remediation roadmap

A phased plan for addressing findings: quick wins (this week), medium-term improvements (this quarter), and strategic changes (this year).

Architecture review session

A working session with your team to walk through findings, answer questions, and align on the remediation plan.

Optional: hands-on remediation

After the audit, I can implement the highest-priority fixes directly — switching from consulting mode to engineering mode.

How it works

01. Scoping call (1 hour)
We agree what the audit covers: cloud infrastructure, CI/CD, Kubernetes, security posture, or all of the above. I define what access I need.

02. Access and documentation review (1–2 days)
I review your Terraform/IaC code, CI/CD configuration, Kubernetes manifests, AWS IAM policies, and any existing architecture documentation.

03. Live environment assessment (1–2 days)
With read-only access, I review the live environment: running workloads, network configuration, security group rules, IAM policies, monitoring coverage.

04. Report writing (2–3 days)
Findings documented with evidence, severity ratings, and specific remediation steps. Not a generic checklist — specific to what I found in your environment.

05. Report delivery and review session (1 day)
I deliver the written report and hold a working session with your team to walk through findings, answer questions, and agree next steps.

Pricing

Standard infrastructure audits are fixed-price: £1,800–£4,500 depending on the scope and complexity of the estate. Incident post-mortems are typically 1–2 days of work. Architecture review sessions (without a full audit) can be booked as half-day or full-day engagements.

Frequently asked questions

What access do you need to do an audit?
Read-only access to your AWS account (SecurityAudit IAM policy or equivalent), read access to your IaC repository and CI/CD configuration, and ideally access to your Kubernetes cluster with view-only permissions. I don't need write access and will sign an NDA before any review.
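One way for a client to grant exactly the access described in this answer, shown here as an added example that is not part of this page or the consultant's own tooling: a Terraform configuration that creates a cross-account IAM role limited to the AWS-managed SecurityAudit and ViewOnlyAccess policies, trusts only the auditor's account with an agreed external ID, adds an explicit deny on data-plane reads (object contents, secret values), and maps the same role into an EKS cluster with the view-only access policy. The auditor account ID, external ID and cluster name are placeholders to replace, and the EKS access entry assumes the cluster has access entries enabled.

```hcl
# Added example (not from the page): a read-only auditor role in the client's
# AWS account that an external consultant assumes from their own account.
# Placeholder values: auditor_account_id, external_id, cluster_name.

locals {
  auditor_account_id = "111111111111"                  # placeholder: auditor's AWS account
  external_id        = "replace-with-a-long-random-id" # placeholder: agreed out of band
  cluster_name       = "prod-eks"                      # placeholder: EKS cluster to review
}

# Trust policy: only the auditor's account may assume the role, and only when it
# presents the external ID, which prevents the confused-deputy pattern.
data "aws_iam_policy_document" "auditor_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.auditor_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.external_id]
    }
  }
}

resource "aws_iam_role" "auditor" {
  name                 = "external-devops-auditor"
  assume_role_policy   = data.aws_iam_policy_document.auditor_trust.json
  max_session_duration = 3600 # one-hour sessions; the auditor re-assumes as needed
}

# SecurityAudit: read access to security-relevant configuration (IAM, CloudTrail,
# Config, security groups, ...). This is the policy the FAQ answer names.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.auditor.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# ViewOnlyAccess: list/describe across services, so running workloads and
# network layout can be reviewed without any write permission.
resource "aws_iam_role_policy_attachment" "view_only" {
  role       = aws_iam_role.auditor.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Defence in depth: an explicit deny on data-plane reads, so a read-only
# auditor can see that a bucket or secret exists but never its contents.
data "aws_iam_policy_document" "auditor_deny_data" {
  statement {
    effect = "Deny"
    actions = [
      "s3:GetObject",
      "secretsmanager:GetSecretValue",
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
      "kms:Decrypt",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "auditor_deny_data" {
  name   = "deny-data-plane-reads"
  role   = aws_iam_role.auditor.id
  policy = data.aws_iam_policy_document.auditor_deny_data.json
}

# Kubernetes view-only access via EKS access entries (assumes the cluster's
# authentication mode allows access entries). AmazonEKSViewPolicy maps to the
# built-in Kubernetes "view" ClusterRole: no secrets, no writes.
resource "aws_eks_access_entry" "auditor" {
  cluster_name  = local.cluster_name
  principal_arn = aws_iam_role.auditor.arn
}

resource "aws_eks_access_policy_association" "auditor_view" {
  cluster_name  = local.cluster_name
  principal_arn = aws_iam_role.auditor.arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

  access_scope {
    type = "cluster"
  }

  depends_on = [aws_eks_access_entry.auditor]
}
```

Because the trust policy names a single account and external ID, the role is inert until the auditor's credentials and the agreed ID are both presented, and destroying the role (`terraform destroy -target=aws_iam_role.auditor`) revokes all access when the engagement ends. The explicit deny statement wins over any allow the managed policies carry, which is what keeps the review at the configuration level rather than the data level.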
How is a DevOps audit different from a penetration test?
Complementary, not the same thing. A pentest looks for exploitable vulnerabilities from an attacker's perspective. A DevOps audit looks at operational risk: misconfigured IAM policies, missing monitoring, no disaster recovery plan, CI/CD that bypasses security controls, or infrastructure that hasn't been touched since the founding engineer left. Both are useful; they catch different things.
We just had a production incident. Can you help with a post-mortem?
Yes. I can facilitate the post-mortem process, help write the timeline, identify contributing factors beyond the immediate trigger, and produce a set of hardening recommendations. A blame-free, structured post-mortem is one of the most valuable investments after a serious incident.
Do you work with regulated industries (fintech, healthtech)?
Yes. I'm familiar with the infrastructure requirements for SOC 2 Type II, ISO 27001, HIPAA (for US clients), and PCI DSS. An audit can specifically focus on the gap between your current state and the controls required by the relevant standard.