What a free DevOps and cloud review actually finds: five things we check first
Five specific things we look at on every production estate — backups, patching, monitoring, cloud cost optimisation, and what actually happens at 3am. Honest findings. No theatre.
We offer a free review of your DevOps and cloud setup. There’s a reason it’s free, and it’s not the obvious one. Most reviews of this kind are sales theatre — a thirty-minute call, a coloured PDF, and a quote for a retainer. Ours is structured around five specific things that go wrong on real production estates, particularly in shipping, vehicle logistics and other operations-heavy businesses where downtime costs more than a brand impression.
Here’s what we actually look at, and what we typically find.
1. Backups: do they exist, and have they ever been restored?
The single most common finding. Backups are configured, the green tick on the cloud dashboard says “backup successful”, and nobody has ever attempted a restore. We meet teams every month who discover during the review that their backup retention is shorter than they thought, or that the backups are sitting on the same infrastructure as the live system, or that the most recent backup is six weeks old because the credentials silently expired in January.
What we look for: backup frequency, retention policy, offsite copy, restore drill evidence. Untested backups are not backups. They’re hope.
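The four checks above can be run mechanically over a backup catalogue. The following is an added example, not part of the original article or Team Bison's own tooling; the record fields, site label, policy thresholds and sample data are all constructed assumptions, with the sample reproducing the "credentials expired in January" case.

```python
from datetime import datetime, timedelta, timezone

def day(s):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data, not taken from any real estate.
NOW = day("2024-03-01")
LIVE_SITE = "prod-account/eu-west-2"   # hypothetical label for where production runs
POLICY = {
    "max_age": timedelta(hours=24),      # expected backup frequency
    "retention": timedelta(days=30),     # how far back restores should reach
    "drill_within": timedelta(days=90),  # a restore must have been proven this recently
}
BACKUPS = [
    {"taken": day("2024-01-05"), "site": LIVE_SITE, "status": "ok"},
    {"taken": day("2024-01-12"), "site": LIVE_SITE, "status": "ok"},
    {"taken": day("2024-01-19"), "site": LIVE_SITE, "status": "ok"},
    # Jobs kept running after the credentials expired, but produced nothing usable.
    {"taken": day("2024-02-02"), "site": LIVE_SITE, "status": "failed"},
    {"taken": day("2024-02-29"), "site": LIVE_SITE, "status": "failed"},
]
RESTORE_DRILLS = []  # dates on which a restore was actually performed and verified

def audit_backups(backups, drills, policy, live_site, now):
    """Return {check: finding} for every check that fails; an empty dict means all pass."""
    usable = sorted((b for b in backups if b["status"] == "ok"), key=lambda b: b["taken"])
    if not usable:
        return {"frequency": "no usable backup exists"}
    findings = {}
    age = now - usable[-1]["taken"]
    if age > policy["max_age"]:
        findings["frequency"] = f"newest usable backup is {age.days} days old"
    # Retention is measured between oldest and newest copy, so a stale set cannot pass.
    span = usable[-1]["taken"] - usable[0]["taken"]
    if span < policy["retention"]:
        findings["retention"] = f"copies span {span.days} days, policy says {policy['retention'].days}"
    if all(b["site"] == live_site for b in usable):
        findings["offsite"] = f"every usable copy sits on {live_site}"
    if not any(timedelta(0) <= now - d <= policy["drill_within"] for d in drills):
        findings["restore_drill"] = "no restore drill on record inside the policy window"
    return findings

if __name__ == "__main__":
    for check, finding in audit_backups(BACKUPS, RESTORE_DRILLS, POLICY, LIVE_SITE, NOW).items():
        print(f"{check:14} {finding}")
```

Failed jobs are excluded before any check runs, so a scheduler that keeps firing after its credentials expire cannot make the set look fresh.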
2. Patching cadence and end-of-life software
We routinely find production estates running on operating system versions that lost vendor support twelve to twenty-four months ago, on PHP or Node versions that haven’t received security updates in over a year, or on WordPress core that’s three minor versions behind with thirty-plus plugins on auto-update. Each one is a known unknown that compounds quietly until something gets actively exploited.
What we look for: OS, runtime, framework, CMS, and major library versions against published end-of-life dates. The output of this check is a single sheet: what’s current, what’s overdue, what’s at risk and on what timeline. No drama. Just dates.
3. Monitoring coverage: do you find out before your customers do?
The question we ask: when the site went down last time, how did you find out? If the answer is “a customer rang us” or “we noticed when the support inbox lit up”, you don’t have monitoring — you have customers doing your monitoring for you.
What we look for: uptime monitoring (external, not internal), error tracking, log aggregation, alert routing that actually reaches a human at 3am, and basic synthetic checks on the user journeys that matter. A logistics operator whose driver app stops accepting ePOD scans at 6am needs to know at 6:02, not 9:30 when the support desk opens.
4. Cloud cost optimisation: where the bill is paying for nothing
In about half of the AWS, Azure and DigitalOcean estates we review, we find six to fifteen percent of the monthly bill going on resources that are doing nothing useful — oversized instances chosen during a 2022 launch and never resized, dev environments left running over weekends, snapshots from migrations three architects ago, S3 buckets with lifecycle policies that never got applied, NAT gateways routing essentially zero traffic at fifty pounds a month each.
This is the part of the review that pays for itself. We don’t promise a number — every estate is different — but we give you a prioritised list of what to turn off, what to right-size, and what to reserve.
5. Disaster recovery: what actually happens at 3am?
Not the document. The actual sequence of events. If the production database becomes unavailable at 3am on a Sunday, who gets paged, what’s their authority to act, where is the runbook, where are the credentials, who calls the customer, and what’s the realistic time to a working system?
Most teams have one piece of this. Almost no one has all five. The deliverable from this section of the review is a short, honest one-pager: current state, gaps, and the three changes that would most reduce your blast radius.
Why this is free
We run our own production software, so we look at the same five things on our own estate every quarter. Reviewing yours costs us a couple of hours we’d otherwise spend on ours. If the review surfaces work that needs doing, we’ll quote for it; if it doesn’t, you’ve still got a useful one-pager. The findings are yours either way.
What the review isn’t
It isn’t a penetration test. It isn’t a Cyber Essentials audit. It isn’t a full architectural review of your software stack, and it isn’t our paid AI Operations Audit. Those are different engagements with different prices and different deliverables. The DevOps and cloud review is the five things above, done quickly, written up plainly.
How to book one
Two ways to start. Either email us at hello@teambison.co.uk with a brief note on where your production estate lives — AWS, Azure, GCP, DigitalOcean, a UK managed-hosting provider, somewhere weirder — and we’ll come back with a couple of slots and the access list we’ll need. Or book a 30-minute consultation if you’d rather scope the review on a call first. Most reviews take us about a week from access granted to written findings.
FAQ
What access do you need?
Read-only credentials to your cloud console (or the equivalent on a managed-hosting provider), your monitoring tool of choice, and your CI/CD platform. We don’t need write access to anything during the review.
Do you sign an NDA?
Yes. We’ll sign yours, or send ours if you’d prefer. Our standard terms include a confidentiality clause covering anything we see during the review.
Can the review be done remotely?
Yes — it’s a remote engagement by default. We’re a UK-based senior engineering team and most reviews are completed without an on-site visit.
Does this work if my estate isn’t on AWS or Azure?
Yes. We’ve reviewed estates on DigitalOcean, GCP, OVH, Krystal, Cloudflare, Vercel, and various UK managed-hosting providers. The five things we look at don’t change with the substrate.
Team Bison is the software, AI and operations consultancy within the Bison Grid Ltd group. We’ve been running production software for shipping, vehicle logistics, NHS, legal and medical customers since 2003.