Senior cloud & security engineering — Toronto

When we leave, your engineers run it.

We design and build the secure cloud foundation your team will run — AWS and multi-cloud, at a fixed price agreed in writing, shipped as Terraform pull requests your engineers review. The engagement ends when your team operates everything without us.

For startups and scaleups building their cloud foundation, and mid-market teams modernizing the one they have.

Fixed price before we start · 90-day warranty on everything we ship · engagements from $9,500 USD · we reply within one business day

Fit

Who this is for

We fit teams building or modernizing a secure cloud foundation, and teams putting real guardrails on AI infrastructure.

This is for you if

  • You’re a startup or scaleup about to build — or just outgrew — your cloud foundation, and you want it done right once instead of refactored under incident pressure later.
  • You’re a mid-market team carrying cloud you inherited or grew organically, and you need it modernized and secured without a year-long platform rewrite.
  • You’re adopting AI infrastructure and need real guardrails before the spend, the data exposure, and the shadow usage get ahead of you.

This is not for you if

  • You want hourly staff-aug, a managed-service retainer, or a vendor who stays embedded forever.
  • You want a slide deck and a recommendation to hire someone else to build it.
  • You see owning the result yourself — the repo, ADRs, and runbooks in your version control — as a downside. We’d rather say so now than pretend otherwise.

How we work

We ship, not slide

The same four phases run on every engagement. The scope differs; the shape does not.

  1. Discovery
     We read your accounts, configs, and constraints directly, then agree a written scope before any code.

  2. Decision records
     We write the key decisions — and the options we rejected — as ADRs in your repo, so you can challenge them before we build.

  3. Implementation
     We build it as reviewable Terraform in small, tested pull requests against your CI. Nothing arrives as a black box.

  4. Handover
     We walk your team through the repo, threat model, and runbooks, confirm you can run it without us, and leave. You own everything.

Proof

The artifact is the proof

A finding and its fix from our reference work — the standard of what lands in your repo when we leave.

exposure-register.md (sanitized sample):
## EXP-001 — public jump host can assume the CI deploy role   [rank 1]

Path:  internet → EC2 (sg inbound 22 from 0.0.0.0/0) → instance profile
       → sts:AssumeRole ci-deploy → s3:* on the prod data buckets

Why rank 1: two hops from unauthenticated to prod data. The CSPM rated
the security-group finding "Medium" in isolation — reachability and the
role's blast radius are what make it critical.

Fix shipped: fixes/exp-001-jump-host.tf
  - SSM Session Manager replaces inbound 22; the security group closes
  - ci-deploy trust policy scoped to the runner role + ExternalId
  - s3:* narrowed to the two buckets CI actually writes

Residual: none observed after apply — see threat-model/ci-deploy.md

The shape of a Reality-Check finding: the attack path, why it outranks its scanner score, and the fix already shipped as Terraform — not a severity column.
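To make the three bullets under "Fix shipped" concrete, here is an added Terraform sketch of what such a fix looks like as code. It is not the firm's fixes/exp-001-jump-host.tf and is not taken from this page; the variable names (vpc_id, ci_runner_role_arn, ci_external_id, ci_bucket_names), the use of the AmazonSSMManagedInstanceCore managed policy, and the specific S3 actions granted are assumptions, since the register above only states the three changes.

```hcl
# Added illustration of the EXP-001 fix shape; not the firm's own file.
# Assumed inputs: the VPC, the CI runner role that may assume ci-deploy,
# the ExternalId it must present, and the two buckets CI actually writes.
variable "vpc_id" { type = string }
variable "ci_runner_role_arn" { type = string }
variable "ci_external_id" { type = string }
variable "ci_bucket_names" { type = list(string) }

# 1. Inbound 22 is gone. `ingress = []` makes Terraform enforce "no inbound
#    rules" rather than leaving pre-existing rules unmanaged. Egress 443 is
#    all the SSM agent needs to reach its endpoints.
resource "aws_security_group" "jump" {
  name    = "jump-host"
  vpc_id  = var.vpc_id
  ingress = []

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The host's instance profile carries SSM agent permissions only; it has
# no sts:AssumeRole on ci-deploy, which breaks hop two of the path.
resource "aws_iam_role" "jump" {
  name = "jump-host"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "jump_ssm" {
  role       = aws_iam_role.jump.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "jump" {
  name = "jump-host"
  role = aws_iam_role.jump.name
}

# 2. ci-deploy trusts exactly one principal, and only with the ExternalId.
resource "aws_iam_role" "ci_deploy" {
  name = "ci-deploy"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.ci_runner_role_arn }
      Action    = "sts:AssumeRole"
      Condition = { StringEquals = { "sts:ExternalId" = var.ci_external_id } }
    }]
  })
}

# 3. s3:* becomes the object operations CI needs, on the two buckets only.
#    (Which actions CI needs is an assumption here; derive it from CI logs.)
data "aws_iam_policy_document" "ci_deploy" {
  statement {
    sid       = "ListDeployBuckets"
    actions   = ["s3:ListBucket"]
    resources = [for b in var.ci_bucket_names : "arn:aws:s3:::${b}"]
  }
  statement {
    sid       = "WriteDeployObjects"
    actions   = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
    resources = [for b in var.ci_bucket_names : "arn:aws:s3:::${b}/*"]
  }
}

resource "aws_iam_role_policy" "ci_deploy" {
  name   = "ci-deploy-s3"
  role   = aws_iam_role.ci_deploy.id
  policy = data.aws_iam_policy_document.ci_deploy.json
}
```

The check that belongs in the runbook after apply is the same one the finding was built from: the security group should show no inbound permissions, the jump host's role should carry no sts:AssumeRole grant, and simulating ci-deploy from any principal other than the runner role (or without the ExternalId) should be denied. Those three assertions are what turn "Residual: none observed" from a claim into something the team can re-run.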

Start with a scoping call

Tell us the problem. If we’re a fit, we’ll scope it fixed; if we’re not, we’ll say so.