peculiar.cloud
Request a scoping call
Services Cloud Security Reality-CheckAWS / Multi-Cloud Landing ZoneZero-Trust TransformationHybrid NetworkingAI Platform Governance Approach Engagements Notes Request a scoping call

Fixed-scope engagement

Cloud Security Reality-Check

A Cloud Security Reality-Check is a fixed-scope senior review that hands you a ranked exposure register and the Terraform to close the top issues — findings and fixes as code in your repo, not a PDF. It ranks risk by what we assess as most reachable and what an attacker would actually gain, not by scanner severity. Findings are bounded by the accounts and access in scope and reflect a point-in-time review.

Request a scoping call

The problem this solves

"Our scanner fires hundreds of alerts and we can't tell which ones could actually get us breached. Compliance says we're fine; the alerts say otherwise. We need a senior read on real exposure, not another dashboard." Root cause: severity-by-CVSS and posture scores don't model reachability, identity blast radius, or trust boundaries — so the real risk is buried in noise.

What you own when we leave

  • A prioritized exposure register tied to concrete attack paths (entry → identity → blast radius), each item rated by the paths we assess as most reachable and their impact, not by scanner score.
  • A threat model of your reviewed environment (trust boundaries, identity flows, the paths that actually matter).
  • Terraform/IaC pull requests that remediate the top-ranked findings (tightened IAM, removed public exposure, segmentation, logging gaps closed) — merged or ready to merge in your repo.
  • A short, ranked fix-it backlog for everything scoped but not implemented, written so your team or a follow-on engagement can execute it.
  • ADRs for any structural decision we made.

Not a PDF of findings. Not a deck. The fixes are code in your repo.

How we approach it

  1. 01

    Discovery

    We read your accounts, configs, and constraints directly (scoped read-only access or exported state), map the real current state, and agree on a written scope and success criteria before any code is written.

  2. 02

    Architecture Decision Records

    We write down the key decisions — what we’re doing, the options we rejected, and why — as ADRs in your repo, so the reasoning survives long after we’re gone and you can challenge it before we build.

  3. 03

    Implementation

    We build the solution as reviewable Terraform/IaC in small, tested pull requests against your CI, so you watch it land incrementally and nothing arrives as a black box.

  4. 04

    Handover

    We walk your team through the repo, the threat model, and the runbooks live, confirm you can apply/destroy/extend it yourselves, and then we leave. You own everything — there is no phase 5 where you still need us.

Engagement shape

A bounded, fixed-scope review over a defined set of accounts/clouds, typically a couple of weeks of senior work, with a fixed deliverable list agreed up front. This is the low-commitment way to work with us first; for most clients it surfaces the larger landing-zone, zero-trust, or networking work — and if it does, the cost rolls into that engagement.

Engagements typically start at $9,500 USD. Contact for scope and a fixed price.

A sample of what we ship

exposure-register.md Sanitized sample 
## EXP-001 — public jump host can assume the CI deploy role   [rank 1]

Path:  internet → EC2 (sg inbound 22 from 0.0.0.0/0) → instance profile
       → sts:AssumeRole ci-deploy → s3:* on the prod data buckets

Why rank 1: two hops from unauthenticated to prod data. The CSPM rated
the security-group finding "Medium" in isolation — reachability and the
role's blast radius are what make it critical.

Fix shipped: fixes/exp-001-jump-host.tf
  - SSM Session Manager replaces inbound 22; the security group closes
  - ci-deploy trust policy scoped to the runner role + ExternalId
  - s3:* narrowed to the two buckets CI actually writes

Residual: none observed after apply — see threat-model/ci-deploy.md
The shape of a Reality-Check finding: the attack path, why it outranks its scanner score, and the fix already shipped as Terraform — not a severity column.

See how this engagement goes: Reality-Check for a scaling fintech (illustrative) →

Related note: CSPM severity vs attack-path prioritization →

FAQ

Questions about this engagement

What do I actually get — is this just a report?

No. Every engagement ends with infrastructure-as-code in your repository: Terraform/IaC, the guardrail set (Service Control Policies or equivalents), a threat model, ADRs, and runbooks. The documents exist to help an engineer run the code — they are never the deliverable instead of the code. "We ship, not slide" is the whole point. The sample Terraform on this site shows the shape of what you get.

Why not just use a CSPM/governance SaaS or a Big-4 firm?

A SaaS dashboard observes and alerts; it rarely enforces inside your accounts, and the control leaves when the subscription does. A Big-4 engagement often ends in a framework and a recommendation to hire builders. We build the enforcing controls as code you keep. Different tools have their place — but if you want enforcement you own, that is specifically what we do.

What if something breaks after you’ve handed over and left?

Every engagement includes a 90-day warranty: if anything we shipped does not behave as documented, we fix it at no charge — that is a defect we own, not new scope. After that window the code is standard Terraform/IaC on standard tools, so your team or any engineer can maintain it. If you would rather we come back for a defined follow-on — a new scope, a new fixed price — we are a short email away. We make ourselves unnecessary by default; we do not make ourselves unreachable.

We already have a security team / platform team. Why bring you in?

Usually because they are at capacity, or the work needs a specific senior depth (landing-zone design, zero-trust enforcement, hybrid routing, AI guardrails) that is hard to staff for a one-time build. We work as reviewable PRs against your CI so your team reviews and absorbs everything as it lands — by handover it is genuinely theirs, not a black box dropped on them.

What access do you need, and how do you handle our data and credentials?

Discovery uses scoped, read-only IAM roles that you create in your accounts and can revoke at any second — never long-lived keys we hold. Where you must export configuration or state, it lands encrypted in storage you control, and we delete our working copies on a documented schedule with written confirmation. We use no sub-processors and nothing leaves the jurisdiction you specify; wherever possible, implementation runs entirely inside your own tenancy and CI so we never hold your credentials at all. We will complete your security questionnaire (CAIQ/SIG-lite) before you grant any access. You can inspect this site too: cookie-free self-hosted analytics, Cloudflare only for edge/CDN and bot protection, a clean CSP, and no third-party trackers.

Start with a scoping call

Request a scoping call