Fixed-scope engagement

Hands-On Team Training

Your team inherited systems nobody fully taught them — or we just built something together and you want your people confident running it. We train your team hands-on, on your actual environment: your cloud, your network, your security tooling. Anything we know how to build, we can teach.

Hands-On Team Training is fixed-scope, senior-led training built around your real environment — labs and runbooks drawn from your own systems, not a vendor demo tenant. The agenda, audience, and price are agreed in writing, and your team keeps every lab guide, runbook, and exercise in your repo afterward.

The problem hands-on training solves

"We sent people on courses and they came back with a certificate — and still can't debug our network. The training taught the vendor's demo environment, not our setup, and the confidence didn't transfer." Root cause: commodity training teaches abstractions on toy environments; real confidence comes from supervised reps on the systems your team actually runs, with someone senior watching and explaining why.

What you own when we leave

  • A training plan built around your environment and your team’s actual gaps — audience, agenda, and outcomes agreed up front.
  • Hands-on labs run against your own systems or a sandboxed copy we stand up — never a generic demo tenant.
  • Every lab guide, runbook, and exercise as files in your repo, so the material outlives the sessions and onboards the next hire.
  • A written debrief: where the team is now strong, and what to practice next.

Not a slideware seminar or a certificate mill. Working sessions on your own systems.

How we approach it

  1. Discovery

     We read your accounts, configs, and constraints directly (scoped read-only access or exported state), map the real current state, and agree on a written scope and success criteria before any code is written.

  2. Architecture Decision Records

     We write down the key decisions — what we’re doing, the options we rejected, and why — as ADRs in your repo, so the reasoning survives long after we’re gone and you can challenge it before we build.

  3. Implementation

     We build the solution as reviewable Terraform/IaC in small, tested pull requests against your CI, so you watch it land incrementally and nothing arrives as a black box.

  4. Handover

     We walk your team through the repo, the threat model, and the runbooks live, confirm you can apply/destroy/extend it yourselves, and then we leave. You own everything — there is no phase 5 where you still need us.

Engagement shape

Fixed scope like everything else: a defined audience, agenda, and number of sessions, agreed in writing first. Delivered remote or on-site — standalone, or as an extended handover phase of any other engagement.

Fixed price, agreed in writing before we start. You can stop at the decision point and keep everything produced.

  • 90-day warranty: anything we shipped that does not behave as documented, we fix at no charge.
  • Discovery runs on read-only roles you create and can revoke at any second — we complete your security questionnaire before you grant anything.
  • Want us on call afterward? An optional prepaid support block keeps senior hours available for anything that comes up — never a required retainer.

A sample of what we ship

labs/03-find-and-close-a-public-bucket.md (sanitized sample)

## Lab 03 — find and close a public bucket   [45 min, pairs]

Runs in: sandbox-team-a (vended from your own landing zone)

1. Find it the way an attacker would:
   $ aws s3api list-buckets --query 'Buckets[].Name'
   $ aws s3api get-bucket-policy-status --bucket <each>
     → "IsPublic": true on one of them. Which, and why?

2. Read the Terraform that created it (infra/storage/):
   the module predates the org guardrail — no public-access block.

3. Fix it the way we fix it: a pull request, not a console click.
   Add aws_s3_bucket_public_access_block, plan, apply, re-run step 1.

Debrief: why the org guardrail alone didn't catch this, and where
drift like it hides in your estate. → runbooks/public-exposure.md

The shape of a training lab: a real task in your own sandbox, the commands your team actually runs, and the why written down — not a vendor demo tenant.
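
Step 1 of the sample lab checks buckets one at a time, and step 2 traces the finding to a missing public-access block. The script below is an added example, not part of the sample lab or the vendor's material: it runs the policy-status check across every listed bucket, adds a read of the bucket-level public access block, and keeps "no policy attached" distinct from a call that failed for another reason. The function names, the `--offline`/`--live` switch and the stubbed bucket names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the vendor's lab code): lab step 1 as a repeatable sweep.

# Constructed stand-in for the AWS CLI; bucket names and answers are made up.
offline_stub() {
  aws() {
    case "$2 $4" in
      list-buckets*) printf 'app-logs\tlegacy-assets\tteam-scratch\n' ;;
      "get-bucket-policy-status legacy-assets") echo true ;;
      "get-bucket-policy-status app-logs") echo false ;;
      "get-public-access-block app-logs")
        echo '{"BlockPublicAcls": true, "IgnorePublicAcls": true,
               "BlockPublicPolicy": true, "RestrictPublicBuckets": true}' ;;
      get-bucket-policy-status*) echo 'NoSuchBucketPolicy' >&2; return 254 ;;
      get-public-access-block*) echo 'NoSuchPublicAccessBlockConfiguration' >&2; return 254 ;;
    esac
  }
}

# Run one s3api call. Prints its JSON, "absent" when the bucket has no policy or
# no public access block, or "unknown" for any other failure (for example
# AccessDenied), so a denied call is never read as "not public".
ask() {
  local out
  if out=$(aws s3api "$@" --output json 2>&1); then printf '%s\n' "$out"
  elif printf '%s' "$out" | grep -Eq 'NoSuchBucketPolicy|NoSuchPublicAccessBlockConfiguration'; then echo absent
  else echo unknown; fi
}

# Prints PUBLIC, UNKNOWN, NO-BLOCK (no complete bucket-level block) or OK.
classify_bucket() {
  local b=$1 public pab
  public=$(ask get-bucket-policy-status --bucket "$b" --query 'PolicyStatus.IsPublic')
  pab=$(ask get-public-access-block --bucket "$b" --query 'PublicAccessBlockConfiguration')
  if [ "$public" = true ]; then echo PUBLIC
  elif [ "$public" = unknown ] || [ "$pab" = unknown ]; then echo UNKNOWN
  elif [ "$pab" = absent ] || printf '%s' "$pab" | grep -q false; then echo NO-BLOCK
  else echo OK; fi
}

sweep_buckets() {
  local b
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    printf '%s\t%s\n' "$b" "$(classify_bucket "$b")"
  done
}

# ./sweep.sh --offline uses the stub; ./sweep.sh --live uses your current credentials.
case "${1:-}" in
  --offline) offline_stub; sweep_buckets ;;
  --live) sweep_buckets ;;
esac
```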

FAQ

Questions about this engagement

Who actually does the work?

A small senior practice — whoever scopes your engagement writes the Terraform and hands it over. There is no junior bench, no offshore handoff, no solution architect who disappears after the sales call, and no second team we could quietly hand you to. We deliberately take on few engagements at once, which is how the seniority stays real.

How does pricing work, and why won’t you just post a price?

Every engagement is fixed scope, fixed price — agreed in writing before we start, with no hourly creep. We do not post a price list because the price tracks scope (how many accounts/clouds, how strict the guardrails, how many access paths or connections), and a number without a scope would mislead you in one direction or the other. One anchor we do publish: most first Cloud Security Reviews land between $8,500 and $15,000 CAD. Tell us what is going on, and the first call ends with a fixed scope and a fixed price in writing — then you decide. Engagements are also phased: you can stop at the decision point, pay only for the phases delivered, and keep everything produced.

What about availability and capacity?

We run a small number of engagements at once so each gets senior attention. That can mean waiting for a start slot; we give you a written start date during scoping, before you commit. Within an engagement, the scope and timeline are fixed and agreed in writing. If your real need is round-the-clock operational coverage, that is a managed-service retainer — which is not us — and we will say so rather than overpromise.

Can we keep you around after the engagement?

Yes, two ways — both optional, and neither is a retainer you are locked into. A support block: a prepaid block of senior hours your team draws on for anything that comes up — fixes beyond the 90-day warranty, changes, questions, small new pieces of work — scoped and priced in writing like everything else. And hands-on training: sessions that teach your team the systems we shipped, or anything else we know, built on your real environment rather than generic courseware. Neither is required; the handover exists so you can run everything without us.
