$ ls case-studies/

Our Work

Anonymized case studies from real engagements. The problems were complex. The constraints were real. The solutions are running in production.

Financial Services

Multi-Cloud Landing Zone for Financial Services

Fortune 500 Financial Institution

// The Challenge

A major financial institution had grown through acquisition, inheriting three separate cloud environments—AWS, Azure, and GCP—each with its own security posture, identity system, and compliance gaps. Their auditors were threatening to halt cloud expansion until governance was unified.

// Constraints

  • SOC 2 Type II and PCI-DSS compliance required
  • Zero downtime migration window
  • Existing applications could not be modified
  • 200+ engineers needed onboarding to new patterns

// Outcome

  • Passed SOC 2 audit with zero findings
  • Reduced cloud spend by 34% through visibility
  • Deployment velocity increased 5x
  • Mean time to provision dropped from 2 weeks to 4 hours

// Solution

We designed and implemented a unified multi-cloud landing zone using a hub-and-spoke architecture. AWS Transit Gateway and Azure Virtual WAN served as regional hubs, with cross-cloud connectivity via dedicated interconnects. Identity was federated through Okta with SCIM provisioning to each cloud. Security policies were codified in Open Policy Agent and enforced through CI/CD gates.

// Sample Code

# Unified tagging policy across all clouds (Rego, evaluated by OPA in the CI/CD gate)
package terraform.mandatory_tags

import rego.v1

# The pipeline evaluates each planned resource as input.resource; every rule
# that matches adds a message to the deny set, and a non-empty set fails the gate.
deny contains msg if {
  not input.resource.tags["cost-center"]
  msg := "All resources must have a cost-center tag"
}

deny contains msg if {
  not input.resource.tags["data-classification"]
  msg := "All resources must have a data-classification tag"
}

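The CI/CD gate that feeds the policy above, as an added example (not the engagement's own code): it reads the JSON form of a Terraform plan, builds the per-resource `input.resource` document, normalises GCP `labels` to `tags` so one rule covers all three clouds, and fails the stage on any violation. The two deny rules are re-implemented in Python here so the script runs without the `opa` binary; the plan excerpt is constructed.

```python
import json
import sys

MANDATORY_TAGS = ("cost-center", "data-classification")

# Constructed excerpt of `terraform show -json plan.out` output, trimmed to the
# fields the gate reads. Not real engagement data.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.ledger", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"tags": {
         "cost-center": "fin-ops", "data-classification": "confidential"}}}},
    {"address": "azurerm_storage_account.archive", "type": "azurerm_storage_account",
     "change": {"actions": ["create"], "after": {"tags": {"cost-center": "fin-ops"}}}},
    {"address": "google_storage_bucket.exports", "type": "google_storage_bucket",
     "change": {"actions": ["update"], "after": {"labels": {"data-classification": "internal"}}}},
    {"address": "aws_iam_role.legacy", "type": "aws_iam_role",
     "change": {"actions": ["delete"], "after": None}},
]}


def resource_input(rc):
    """Build the per-resource `input.resource` document the Rego rules evaluate.
    GCP resources expose `labels`, not `tags`; normalise so one rule fits all clouds."""
    after = rc["change"].get("after") or {}
    tags = after.get("tags") or after.get("labels") or {}
    return {"address": rc["address"], "type": rc["type"], "tags": tags}


def deny(resource):
    """Same check as the page's two deny rules: one message per missing mandatory tag."""
    return [f"{resource['address']}: All resources must have a {tag} tag"
            for tag in MANDATORY_TAGS if tag not in resource["tags"]]


def evaluate_plan(plan):
    """Violations for every resource being created or updated; pure deletes (no `after`) are skipped."""
    violations = []
    for rc in plan["resource_changes"]:
        if rc["change"]["actions"] == ["delete"]:
            continue
        violations.extend(deny(resource_input(rc)))
    return violations


if __name__ == "__main__":
    # Pipe a real plan in from CI; fall back to the constructed sample for a dry run.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    violations = evaluate_plan(plan)
    print("\n".join(violations) or "tag policy: OK")
    sys.exit(1 if violations else 0)  # non-zero exit blocks the merge/apply stage
```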
Fintech

Zero Trust Migration for Remote-First Startup

Series C Fintech Startup

// The Challenge

A 400-person fintech company was struggling with their legacy VPN infrastructure. Remote employees complained of slow connections, the security team had no visibility into who was accessing what, and the VPN concentrators were becoming a critical single point of failure.

// Constraints

  • Fully remote workforce across 12 time zones
  • Mix of managed and BYOD devices
  • SOC 2 audit in 90 days
  • Budget for only one security engineer

// Outcome

  • VPN decommissioned within 6 weeks
  • Latency reduced by 67% for remote users
  • Zero security incidents in first year
  • Passed SOC 2 audit on first attempt

// Solution

We implemented Cloudflare Access as the primary authentication layer, replacing the VPN entirely for application access. The WARP client was deployed for DNS filtering and device posture verification. Internal applications were exposed through Cloudflare Tunnel, eliminating the need for public IPs or inbound firewall openings. Device trust policies ensured only compliant devices could access sensitive resources.

// Sample Code

# Cloudflare Access policy for internal apps
resource "cloudflare_access_policy" "internal_apps" {
  account_id     = var.cloudflare_account_id   # one of account_id / zone_id is required
  application_id = cloudflare_access_application.internal.id
  name           = "require-corp-device"
  precedence     = 1
  decision       = "allow"

  # Who may match this policy: members of the employees group
  include {
    group = [cloudflare_access_group.employees.id]
  }

  # Every listed posture check must pass (managed device AND disk encryption);
  # an unmanaged BYOD device that fails either check is denied
  require {
    device_posture = [
      cloudflare_device_posture_rule.corp_managed.id,
      cloudflare_device_posture_rule.disk_encrypted.id,
    ]
  }
}

Manufacturing

Hybrid Network Optimization for Manufacturing

Global Manufacturing Company

// The Challenge

A manufacturing company with 40 facilities worldwide was paying $2.3M annually for MPLS circuits. Latency to cloud workloads was causing production delays, and adding new sites took 6+ months of circuit provisioning.

// Constraints

  • OT networks required air-gap from IT
  • Some facilities had no local IT staff
  • 99.99% uptime SLA on production systems
  • Existing Cisco infrastructure investment

// Outcome

  • Annual WAN costs reduced by $1.8M
  • New site deployment: 6 months → 2 weeks
  • Cloud workload latency reduced by 78%
  • 99.997% uptime achieved in first year

// Solution

We replaced MPLS with Cloudflare Magic WAN, using existing Cisco routers as on-ramps via IPsec tunnels. AWS Direct Connect and Azure ExpressRoute provided dedicated paths for latency-sensitive workloads. BGP policies were engineered to prefer cloud-direct paths for production traffic while using Magic WAN as a fallback. OT networks remained isolated through dedicated VRFs with no route leakage.

// Sample Code

# BGP route policy for cloud-direct preference (IOS XR RPL)
# AWS-PREFIXES and AZURE-PREFIXES are prefix-sets defined separately and
# populated with the cloud-side ranges learned over Direct Connect / ExpressRoute.
route-policy PREFER-DIRECT-CONNECT
  if destination in AWS-PREFIXES then
    set local-preference 200
    set community (65000:100)
  elseif destination in AZURE-PREFIXES then
    set local-preference 200
    set community (65000:200)
  else
    # Everything else takes the Magic WAN path, which is also the fallback
    # when a dedicated circuit is down
    set local-preference 100
  endif
end-policy

$ echo "Your turn"

Ready to become our next case study?

Every project in our portfolio started with a conversation. Let's discuss what success looks like for your organization.