Services

DevSecOps and IaC consulting by retainer.

Three consulting tiers plus Infrastructure as Code engagements. No prices listed — every engagement is scoped on a discovery call. Book one and find out what the right fit looks like for your situation.

Observe

Eyes on your infrastructure.

We audit what you have, document what's exposed, and deliver a written remediation plan you can hand to any engineer.

Right for: Teams that have built something and need an honest look at it before a compliance review, a customer audit, or a security incident.
What's included
  • Infrastructure and configuration audit (Docker, networking, identity, secrets management)
  • Threat surface documentation — what's reachable, what's misconfigured, what's missing
  • Written remediation roadmap with prioritized findings
  • One follow-up session to walk through the findings
  • Async Q&A via email for 30 days after delivery
Operate

Security ops without the headcount.

Ongoing security operations without hiring a full-time engineer. We run monitoring, maintain your security stack, and respond when things go wrong.

Right for: Small businesses, defense subcontractors, and development teams that ship product and need a security function without adding headcount.
What's included
  • Everything in Observe, on a recurring monthly basis
  • Wazuh SIEM deployment and tuning — alerts that mean something
  • Keycloak or equivalent identity and SSO configuration and maintenance
  • Incident triage and response (async during business hours, escalation path defined upfront)
  • Monthly security posture report with actionable findings
  • Configuration change reviews before you ship
Optimize

Embedded. End to end.

We embed into your team. DevSecOps pipeline, CMMC compliance path, air-gap architecture, and hardening — end to end.

Right for: Defense contractors pursuing CMMC certification, companies moving to air-gapped or zero-trust architectures, and teams building regulated systems from scratch.
What's included
  • Everything in Operate
  • DevSecOps pipeline build-out: secrets scanning, SAST, container hardening, IaC review
  • CMMC Level 1 or Level 2 readiness — gap analysis through documentation
  • Air-gapped infrastructure design and implementation (Blocky DNS, offline mirrors, network segmentation)
  • Architecture review and sign-off on new systems before they go live
  • Dedicated async channel with same-day response during business hours
Infrastructure as Code

IaC consulting: Terraform, Ansible, Docker Compose.

Reproducible, auditable infrastructure built to last. We design, review, and document IaC pipelines from scratch — or clean up what already exists. Engagements scoped by project, not by retainer.

  • Terraform module design, state management, and remote backend configuration
  • Ansible playbooks and role structure for repeatable provisioning
  • Docker Compose hardening — secrets handling, network isolation, restart policies
  • GitOps pipeline review and security gate integration
  • Infrastructure documentation and runbook authoring
  • Code review and refactoring of existing IaC to meet security and maintainability standards

Not sure which tier fits?

Book a free 30-minute discovery call. Tell us what you're running and we'll tell you what makes sense.