VITI Security

Service · Cloud Services

Cloud architecture that doesn't punish you on the bill.

AWS, GCP, Azure, Hetzner. Architecture, migration, cost optimization, ongoing operations. We pick the cloud that fits - not the cloud we resell.

What's covered

From architecture to monthly cost review.

We don't sell hours; we sell the right answer. Most cloud bills can drop 30%+ without losing reliability.

Architecture + migration

Greenfield design or lift-and-shift to cloud. IaC (Terraform / Pulumi) baked in from day one.

Cost optimization

Find the 40% you're overspending. Reserved instances, right-sizing, savings plans, spot mixing.

Reliability + monitoring

SLOs, alerting that actually pages the right person, runbooks for the rest.

FinOps + reporting

Monthly cost breakdown by team / service / customer. No more spreadsheets.

Typical outcomes

30-50%
Cloud-cost reduction
4
Clouds in our toolbox
< 5 min
Typical alert MTTA

Why it matters

A cloud account is a blast radius, not just a hosting bill.

Most SMB cloud accounts grow by accident: one engineer spins up a server, another opens a security group to debug, a third hardcodes a key into a repo. None of it gets cleaned up. The result is an account that is expensive, fragile, and wide open - and nobody can tell you which of those three is the worst problem. These are the failures we see when we open a new client account for the first time.

  • Root or admin keys with no MFA, often shared in a chat thread or committed to git.
  • Security groups open to 0.0.0.0/0 on SSH, RDP, or a database port - a direct path in.
  • Backups that were never tested, so the first real restore happens during an outage.
  • Idle and oversized instances quietly burning 30-50% of the monthly bill.
  • No tagging, so nobody can answer 'which team or customer does this resource belong to?'
Get a free cloud review

What we deliver

Concrete artifacts, not a slide deck.

Every cloud engagement ends with things you can hand to an auditor, a new hire, or your next provider. You own all of it.

Architecture diagram + decision record

A current-state and target-state diagram, plus a short written record of why each major choice was made (region, managed service vs self-hosted, single vs multi-account).

Infrastructure as code

Your environment captured in Terraform or Pulumi, version-controlled in your repo. Rebuilding a region or spinning up staging becomes a command, not a memory test.

Security baseline

MFA enforced, least-privilege IAM, secrets moved to a vault or parameter store, security groups locked to known sources, encryption at rest and in transit, audit logging turned on.

Tested backup + recovery runbook

Automated backups with a written, rehearsed restore procedure and a stated recovery objective (RTO/RPO) - so a failed disk is an inconvenience, not a crisis.

Cost report you can read

Spend broken down by team, service, and environment, with the specific right-sizing and reserved-capacity moves that cut the bill, and the savings each one delivered.

Monitoring + alerting

SLOs on the things that matter, alerts that page the right person (and stay quiet otherwise), and runbooks for the common failures so on-call is not guesswork.

How an engagement runs

Four phases, each with a deliverable and a date.

A typical migration or hardening project for a moderately complex shop runs 8-16 weeks. You see progress every week, not just at the end.

01

Week 1: Assess

Read-only access to your accounts. We inventory what exists, map dependencies, flag the security and cost problems, and confirm scope. Deliverable: current-state diagram + findings list with severity.

02

Weeks 2-3: Design + plan

Target architecture, region and service choices, migration or remediation sequence, downtime windows, rollback plan. Deliverable: target diagram, IaC skeleton, and a step-by-step runbook you sign off on.

03

Weeks 3-12: Build + migrate

We implement in stages behind IaC, validate each cutover against the rollback plan, and keep the old path live until the new one is proven. Deliverable: working environment, migrated workloads, security baseline applied.

04

Weeks 12-16: Optimize + hand over

Right-sizing, reserved capacity, monitoring, and backup testing. Deliverable: cost report with realized savings, tested recovery runbook, and a handover doc - or a retainer if you want us to keep running it.

Cloud services FAQ

Which cloud should I pick?
Depends on your geography, team, compliance, and what you already have. India-heavy infra: usually Hetzner or AWS Mumbai. US-heavy: AWS or GCP. Multi-cloud is fine if you have a real reason; usually you do not.
Can you fix our high AWS bill?
Usually yes. We start with a free 1-hour cost review. If we can find at least 20% savings in our analysis, we propose a fixed-fee remediation project; if not, no charge for the review. Most clients see 30-50% reduction in the first quarter.
Do you handle migrations from on-prem?
Yes - both lift-and-shift and re-architect. We scope based on what you have today (workloads, data, dependencies, downtime tolerance). Typical migration project: 8-16 weeks for a moderately complex shop.
What about Kubernetes?
We use Kubernetes when it fits - usually when you have multiple services, autoscaling needs, and an operations team. We do not push K8s on a 3-service company that would be fine on ECS or a couple of VMs.
Do you support ongoing operations?
Yes. Monthly retainer covers monitoring, patching, on-call, monthly cost review, quarterly architecture review. Most clients on retainer have us as their 'cloud team' because they don't want to hire one.

Cloud bill too high? Architecture feels brittle?

Tell us what's hurting. Free 1-hour review; we come back with options.