Senior cloud & security engineering

Senior cloud and security engineering, delivered as code you own.

We design and build the secure cloud foundation your team will run — at a fixed scope and a fixed price, handed over as code you own. No retainer, no lock-in. Specifically: AWS and multi-cloud landing zones, cloud security reality-checks, zero-trust, hybrid networking, and AI platform governance, all shipped as Terraform your team runs after we leave.

For startups and scaleups building their cloud foundation, and mid-market teams modernizing the one they have.

We ship the Terraform, guardrails, threat models, and runbooks your team owns. Fixed scope, fixed price. Code you own, not slides.

Fit

Who this is for

We fit teams building or modernizing a secure cloud foundation, and teams putting real guardrails on AI infrastructure.

This is for you if

  • You’re a startup or scaleup about to build — or just outgrew — your cloud foundation, and you want it done right once instead of refactored under incident pressure later.
  • You’re a mid-market team carrying cloud you inherited or grew organically, and you need it modernized and secured without a year-long platform rewrite.
  • You’re adopting AI infrastructure and need real guardrails before the spend, the data exposure, and the shadow usage get ahead of you.

This is not for you if

  • You want hourly staff-aug, a managed-service retainer, or a vendor who stays embedded forever.
  • You want a slide deck and a recommendation to hire someone else to build it.
  • You see owning the result yourself — the repo, ADRs, and runbooks in your version control — as a downside. We’d rather say so now than pretend otherwise.

How we work

We ship, not slide

The same four phases run on every engagement. The scope differs; the shape does not.

  1. Discovery

    We read your accounts, configs, and constraints directly, then agree a written scope before any code.

  2. Decision records

    We write the key decisions — and the options we rejected — as ADRs in your repo, so you can challenge them before we build.

  3. Implementation

    We build it as reviewable Terraform in small, tested pull requests against your CI. Nothing arrives as a black box.

  4. Handover

    We walk your team through the repo, threat model, and runbooks, confirm you can run it without us, and leave. You own everything.

Proof

The artifact is the proof

No logos, no testimonials. Judge us on the work: real Terraform, a documented method, and named certifications.

modules/s3-secure/main.tf Sanitized sample
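# modules/s3-secure/main.tf
# var.name is the bucket name input, declared elsewhere in the module (not shown in this sample).
resource "aws_s3_bucket" "this" {
  bucket = var.name
}

# Keep prior object versions so overwrites and deletes are recoverable.
resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration { status = "Enabled" }
}

# Default encryption with SSE-KMS. No kms_master_key_id is set, so the
# AWS managed key for S3 is used; the bucket key reduces KMS request volume.
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
    bucket_key_enabled = true
  }
}

# Block all four public-access paths: new public ACLs and policies are
# rejected, and any existing ones are ignored or restricted.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}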
A guardrail from the way we build: encryption, versioning, and public-access blocking enforced on every bucket — shipped as Terraform your team owns.

Start with a scoping call

Tell us the problem. If we’re a fit, we’ll scope it fixed; if we’re not, we’ll say so.