Team Bison
Book an AI Operations Audit
AI Workflows & Agents Custom Software Managed Platforms AI Operations Audit · £3,500 Blog About Contact Book an Audit →
Field note · By Rich Tunstall · 6 min read

What a free hosting and DevOps review actually finds: five things we look at first

Five specific things we look at on every estate — backups, patching, monitoring, cloud cost waste, and what actually happens at 3am. Honest findings. No theatre.

We offer a free review of your hosting and DevOps setup. There’s a reason it’s free, and it’s not the obvious one. Most reviews of this kind are sales theatre — a thirty-minute call, a coloured PDF, and a quote for a managed-hosting retainer. Ours is structured around five specific things that go wrong on real production estates, particularly in operations-heavy businesses where downtime costs more than a brand impression.

Here’s what we actually look at, and what we typically find.

1. Backups: do they exist, and have they ever been restored?

The single most common finding. Backups are configured, the green tick on the hosting dashboard says “backup successful”, and nobody has ever attempted a restore. We meet teams every month who discover during the review that their backup retention is shorter than they thought, or that the backups are sitting on the same infrastructure as the live system, or that the most recent backup is six weeks old because the credentials silently expired in January.

What we look for: backup frequency, retention policy, offsite copy, restore drill evidence. Untested backups are not backups. They’re hope.

2. Patching cadence and end-of-life software

We routinely find production estates running on operating system versions that lost vendor support twelve to twenty-four months ago, on PHP or Node versions that haven’t received security updates in over a year, or on WordPress core that’s three minor versions behind with thirty-plus plugins on auto-update. Each one is a known unknown that compounds quietly until something gets actively exploited.

What we look for: OS, runtime, framework, CMS, and major library versions against published end-of-life dates. The output of this check is a single sheet: what’s current, what’s overdue, what’s at risk and on what timeline. No drama. Just dates.

3. Monitoring coverage: do you find out before your customers do?

The question we ask: when the site went down last time, how did you find out? If the answer is “a customer rang us” or “we noticed when the support inbox lit up”, you don’t have monitoring — you have customers doing your monitoring for you.

What we look for: uptime monitoring (external, not internal), error tracking, log aggregation, alert routing that actually reaches a human at 3am, and basic synthetic checks on the user journeys that matter. A logistics operator whose driver app stops accepting ePOD scans at 6am needs to know at 6:02, not 9:30 when the support desk opens.

4. Cost waste: where the cloud bill is paying for nothing

In about half of the AWS and Azure estates we review, we find six to fifteen percent of the monthly bill is going on resources that are doing nothing useful — oversized instances chosen during a 2022 launch and never resized, dev environments left running over weekends, snapshots from migrations three architects ago, S3 buckets with lifecycle policies that never got applied, NAT gateways routing essentially zero traffic at fifty pounds a month each.

This is the part of the review that pays for itself. We don’t promise a number — every estate is different — but we give you a prioritised list of what to turn off, what to right-size, and what to reserve.

5. Disaster recovery: what actually happens at 3am?

Not the document. The actual sequence of events. If the production database becomes unavailable at 3am on a Sunday, who gets paged, what’s their authority to act, where is the runbook, where are the credentials, who calls the customer, and what’s the realistic time to a working system?

Most teams have one piece of this. Almost no one has all five. The deliverable from this section of the review is a short, honest one-pager: current state, gaps, and the three changes that would most reduce your blast radius.

Why this is free

Two reasons.

One, we run our own production software, so we look at the same five things on our own estate every quarter — BisonGrid, BisonPress, Bison Exchange, Bison Insights. Reviewing yours costs us a couple of hours we’d otherwise spend on ours. If the review surfaces work that needs doing, we’ll quote for it; if it doesn’t, you’ve still got a useful one-pager.

Two, our Managed Platforms retainers (Lite at £275/mo, Pro at £500/mo per site, and Managed Cloud from £800/mo) are built around the same five things. The review is the most honest demonstration of what we do. If you’d rather take the review findings and have your existing team or another agency address them, that’s fine. The findings are yours.

What the review isn’t

It isn’t a penetration test. It isn’t a Cyber Essentials audit. It isn’t a full architectural review of your software stack. Those are different engagements with different prices and different deliverables. The hosting and DevOps review is the five things above, done quickly, written up plainly.

How to book one

Email us at hello@teambison.co.uk with a brief note on where your production estate lives — AWS, Azure, GCP, a UK managed-hosting provider, somewhere weirder — and we’ll come back with a couple of slots and the access list we’ll need. Most reviews take us about a week from access granted to written findings.

Team Bison is the software, AI and operations consultancy within the Bison Grid Ltd group. We’ve been running production software for shipping, vehicle logistics, NHS, legal and medical customers since 2003.