Technology Enterprise Software & IT Cloud & Platform Engineering

Cloud Infrastructure

Platform decisions with deep integration complexity, organizational change, and long-term data stakes.

AWS Microsoft Azure Google Cloud HashiCorp
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles, timeline, compliance owners (CISO, compliance officer), and what ‘good’ looks like for security, finance, and procurement.

      Alignment Questions

      Start Here: A Quick Snapshot

      • Which best describes your organization's primary industry and scale? Options: Regional bank / credit union, Health system / hospital, Insurance / benefits, Federal contractor / government agency, Large enterprise (non-regulated), Other
      • Who will be the primary sponsor for this cloud initiative (title/function)?
      • What is the main strategic reason you are evaluating a move to a compliance‑focused cloud platform today? Options: Regulatory compliance requirement, Reduce risk and simplify audits, Predictable committed pricing, Replace legacy data center, Escape hyperscaler complexity, Other
      • How would you describe your current overall stance toward cloud adoption? Options: All‑in on public cloud, Hybrid: some workloads only, Conservative — compliance blocks most moves, Exploratory / pilot phase only, Unclear / undecided
      • If you had to name the single most important outcome for this engagement (in one line), what would it be?

      Who Actually Signs Off — and Who Keeps You From Moving?

      • If your CISO or compliance officer said 'not today' on this migration, who else would be directly impacted and why?
      • Which roles will need formal approval for a procurement/committed‑spend decision? Options: CTO/Head of Engineering, CISO/Security, Compliance Officer, Head of Procurement, Head of Finance, Legal / Contracts, Other
      • Who owns incident response, penetration testing approvals, and vendor security attestations in your organization—name titles if possible?
      • What is the realistic decision timeline from initial SOW to signed committed spend? Options: < 30 days, 30–60 days, 60–90 days, 3–6 months, > 6 months
      • What procurement constraints or approval gates typically slow this kind of deal (e.g., legal review, budget cycles, regulatory signoff)?

      What’s Living Under the Floorboards?

      • How many 'unknown' or shadow systems do you think would surprise your team during a migration inventory? Options: None — inventory is comprehensive, A few (1–5), Some (6–20), Many (20+), Not sure
      • Can you describe your current architecture footprint—primary datacenters, clouds in use, and any co‑located sites?
      • Which data classifications and sensitive data types run in the workloads you plan to move first? Options: PII / Personal data, PHI / Health records, Payment card data (PCI), Controlled unclassified information (CUI), Proprietary IP, No sensitive data, Other
      • Which compliance frameworks must the migrated workloads satisfy? Options: FedRAMP, HITRUST, PCI DSS, SOC 2, ISO 27001, HIPAA, Other
      • Do you have up‑to‑date architecture diagrams, data flow maps, and a list of third‑party integrations for the targeted workloads? Options: Yes — full artifacts, Partial artifacts, No — need help discovering

      When Costs Go Off the Rails — Tell Me the Worst‑Case Month

      • Imagine a production month where cloud spend is far higher than expected—what are the three most likely causes?
      • Which cost drivers do you currently struggle to model or control? Options: Egress / data transfer, Storage tiering and cold storage, Unreserved compute (no RI/savings), Burst autoscaling / spikes, Misconfigured backups / snapshots, Licensing, Other
      • Who currently owns cloud cost forecasting and committed‑spend reconciliation in your organization? Options: Finance, Cloud/Platform team, DevOps/Engineering, A central FinOps team, No one / informal
      • What visibility tools or reports do you have to reconcile committed spend vs actuals each month? Options: Custom dashboards, Cloud provider billing tools, Third‑party FinOps tool, Manual spreadsheets, None
      • How tolerant is your finance team of month‑to‑month variance (e.g., ±10%, ±25%, higher)? Options: ±10% or less, ±25%, ±50%, No clear tolerance

      If Compliance Could Speak, What Would It Ask?

      • What single compliance requirement would immediately block deployment if not demonstrably satisfied? Options: Data residency / region controls, Encryption standards (at rest/in transit), Audit logging and retention, Penetration testing results, Third‑party attestations (FedRAMP/HITRUST), Other
      • What evidence package does your audit team expect for a new cloud provider (e.g., SOC2 reports, FedRAMP package, configuration baselines)?
      • How do you prefer contractual security guarantees to be structured: strict SLAs with penalties, shared responsibilities with defined handoffs, or a hybrid? Options: Strict SLAs with penalties, Shared responsibilities (RACI), Hybrid / negotiable
      • What are your expectations around penetration testing—frequency, scope (internal/external), and DPA/GDPR‑related requirements?
      • What residual risk thresholds are acceptable for your compliance officer (e.g., 0 critical findings, some low/medium findings allowed)? Options: No critical findings; low only, No critical/medium; low allowed, Some medium allowed, Unsure / need guidance

      What Would Make Everyone Celebrate Six Months From Now?

      • If the migration succeeded perfectly, what measurable signals would your CTO, CISO, and Finance each point to as proof?
      • Which KPIs would you track to determine whether the platform met expectations (pick top three)? Options: Cost vs committed spend, Time to resolve security incidents, Audit pass rate / audit evidence completeness, Application latency / performance, Migration wave completion per schedule, User adoption / app uptime
      • How quickly do you expect to see ROI from the first migrated workload (choose target window)? Options: Within 3 months, 3–6 months, 6–12 months, Longer than 12 months, Not sure
      • What acceptance criteria will your compliance team require to sign off a workload as 'production ready'?
      • What would be an unacceptable outcome even if other metrics were green (e.g., any data residency violation, a missed SLA causing revenue loss)?

      What Could Make the Cutover Fail at T‑Minus 1?

      • What single unresolved dependency would cause you to pause or cancel a go‑live in the final week? Options: Missing security evidence, Insufficient reserved capacity, Key stakeholder signoff missing, Backout/rollback plan untested, Third‑party vendor dependency, Other
      • Who must be on call during migration waves and who is the ultimate owner for rollback decisions?
      • Do you have preapproved migration windows and maintenance blackout dates that we must work around? Options: Yes — defined windows, Yes — but flexible, No defined windows yet
      • Which runbook elements are missing or untested today (select all that apply)? Options: Rollback procedures, Database cutover scripts, DNS and traffic switch steps, Compliance evidence capture, Post‑cutover validation tests, None / fully tested
      • What would be the acceptable maximum downtime or data loss for the initial workloads? Options: Zero RTO/RPO, < 15 minutes, < 1 hour, < 4 hours, More tolerable

      Tying the Deal to Reality — Commercial & Operational Red Lines

      • What contractual terms would make you comfortable signing a committed‑spend agreement today? Options: Transparent egress pricing, Storage tiering guarantees, Clear reserved capacity discounts, Defined SLAs and penalties, DPA and data locality clauses, Other
      • How important is month‑to‑month reconciliation and a monthly committed‑spend review with our account team? Options: Critical — must have, Important — helpful, Nice to have, Not necessary
      • Would you require a pilot or proof‑of‑value before committing to annual spend? If yes, what should the pilot prove? Options: Yes — security/compliance baseline, Yes — cost predictability, Yes — migration velocity, No pilot required
      • What level of solutions‑architect engagement do you expect during onboarding (hours/week or named SA)?
      • Are there any commercial non‑negotiables (e.g., egress caps, data residency guarantees, penalty clauses) we should be aware of now?

      A Practical Roadmap — Next Steps That Make Sense

      • Which of these immediate next steps would be most valuable to you right now? Options: Security/compliance readiness assessment, Detailed migration inventory and TCO, Pilot migration of a low‑risk workload, Commercial term review (pricing/egress), Assign solutions architect
      • How soon can your team participate in a 2‑week discovery sprint to produce an actionable migration plan? Options: Immediately, Within 2 weeks, Within 1 month, Longer than 1 month
      • What additional stakeholders should we include in the next meeting to accelerate decisions?
      • What format of deliverable helps you get internal buy‑in (e.g., one‑page executive brief, technical runbook, financial model)? Options: Executive brief, Technical architecture pack, Detailed TCO / pricing model, Risk and compliance heatmap, All of the above
      • Finally, what would success look like for our first 30‑, 90‑, and 180‑day checkpoints? Please list concise objectives for each timebox.
    2. Current State Mapping

      Capture on‑prem and cloud architectures, compliance gaps (FedRAMP/HITRUST/PCI), cost drivers, and failure modes that block migration.

      Current State

      Tell Us About Today — quick orientation

      • Which environments host your current production workloads? Options: On‑premises datacenter(s), Private cloud (VMware/OpenStack), AWS, Azure, Google Cloud, Other public cloud, Managed service provider
      • Approximately how many active compute nodes (VMs/instances/hosts) and containers are in scope for the first wave?
      • How much primary data (TB) and monthly egress (TB/month) do you estimate leaving the origin systems today?
      • Which three applications or systems are highest priority for migration and why?
      • Who currently owns the migration decision and budget (pick all that influence sign‑off)? Options: CTO/Head of Engineering, CISO/Security, Head of Compliance, VP Infrastructure/Platform, Finance, Procurement, Business Unit Owner
      • How confident are you that your existing architecture already satisfies your regulator’s expectations? Options: Completely confident, Mostly confident with minor gaps, Unsure — likely several gaps, Not confident at all

      If Your Architecture Were a Story, Where Does It Stall?

      • What single recurring architectural problem most frequently delays projects or triggers escalations?
      • Which of these best describes your network topology constraints between on‑prem and cloud? Options: Dedicated leased line/VPN with predictable bandwidth, Bursting over Internet with variable latency, MPLS/SD‑WAN blended, Limited connectivity — large data transfer windows only, No stable connectivity yet
      • Which backend integrations or third‑party systems (IDPs, payment gateways, lab systems, EHRs) create the tightest coupling to your current datacenter?
      • How tightly bound is data residency to physical racks/regions — are there datasets that cannot leave a specific geography? Options: Yes — strict regional residency required, Partially — some datasets restricted, No — flexible residency, Unsure / need to confirm
      • Tell a story of the last time an architectural change failed in production—what happened, who noticed it first, and how long did recovery take?

      What Compliance Audits Keep You Up at Night?

      • Which compliance frameworks must be satisfied for any cloud environment you run in (select all that apply)? Options: FedRAMP (Low), FedRAMP (Moderate), FedRAMP (High), HITRUST, PCI DSS, SOC 2, ISO 27001, HIPAA/HITECH, None / internal only
      • Which specific control gaps have auditors or internal assessments repeatedly flagged?
      • If a cloud provider could guarantee a particular certification out of the box, which one would change your timeline or decision the most? Options: FedRAMP Moderate/High, HITRUST, PCI DSS, SOC 2 Type II, ISO 27001, HIPAA eligibility
      • Which security controls are currently manual or inconsistent in your estate (encryption key management, least‑privilege access, audit logging, pen‑test remediation)? Options: Encryption key management, Fine‑grained IAM/ABAC, Comprehensive audit logging, Patch & vulnerability management, Pen‑test remediation tracking, Data loss prevention, None — most automated
      • When was your last external compliance audit or pen‑test, and what were the top three findings that still need work?

      Where the Bills Surprise You — cost friction and unpredictability

      • When was the last time your cloud or hosting bill created an unexpected finance escalation? Options: Within last month, Last 3 months, Last year, Never
      • Which cost drivers have historically been hardest to model or control? Options: Egress bandwidth, Cold vs hot storage tiering, Unreserved compute usage, Database licensing, Support & professional services, Third‑party SaaS connectors
      • How do you currently forecast committed spend vs actual consumption (tools/process), and where does that process break down?
      • Have you experienced a workload that behaved well in test but spiked costs in production? Tell us which workload and why you think costs spiked.
      • Which billing transparency features would reduce your procurement team's objections (hourly cost of egress by service, storage tier breakdown, reserved capacity utilization dashboards)? Options: Hourly egress by service, Storage tier cost breakdown, Reserved instance reservation/utilization, Per‑workload cost attribution, Predictive monthly forecasts, Alerting for anomalous spend

      What Breaks When Things Go Wrong?

      • Which failure mode would cause the most immediate business damage if it occurred in the cloud (data breach, extended outage, compliance audit failure, cost overrun)? Options: Data breach / exfiltration, Extended service outage, Failed compliance audit, Massive unexpected bill, Loss of transaction integrity
      • How well defined are your current runbooks, rollback plans, and on‑call responsibilities for the systems we’d migrate first? Options: Complete and tested, Defined but not tested, Partial runbooks exist, No formal runbooks
      • Describe the last incident that exposed a gap in monitoring, alerting, or audit logging. What was missed, and what would you change?
      • What recovery time and recovery point objectives (RTO / RPO) are non‑negotiable for your top workloads? Options: RTO < 1 hour, RPO < 5 min, RTO < 4 hours, RPO < 1 hour, RTO < 24 hours, RPO < 24 hours, Flexible / none defined
      • Which diagnostic or observability tools are essential for you to trust a migration (APM, distributed tracing, centralized logging, SIEM), and which are missing today? Options: APM (NewRelic/Datadog), Distributed tracing, Centralized logging, SIEM/SOAR, Cost telemetry, All present

      People, Policy, and the Hidden Hurdles

      • Who on your team can unilaterally block a migration decision, and why would they do so? Options: CISO / Security, Head of Compliance, Procurement / Legal, Finance, Business Unit Leader, Other
      • Which procurement or legal constraints are most likely to delay contracting (committed‑spend approval, DPA negotiation, egress/storage terms, SLAs)? Options: Committed‑spend approval, DPA/Data residency clauses, Egress & storage terms, SLA & liability caps, Pen‑test & security evidence, None / fast track
      • How mature is your internal change management — approvals, CAB meetings, and security sign‑offs required per migration wave? Options: Very mature — automated approvals, Mature but manual, Ad hoc approvals, Unclear / varies by team
      • Where does skill shortage show up most — platform automation, networking, security hardening, or migration orchestration? Options: Platform automation (IaC), Networking & VPNs, Security hardening/compliance, Data migration & ETL, Migration orchestration
      • How does your team prefer to receive help — embedded solutions architect, runbook templates, hands‑on migration support, or train‑the‑trainer sessions? Options: Embedded solutions architect, Prebuilt runbook templates, Hands‑on migration execution, Train‑the‑trainer / enablement, All of the above

      If We Could Move One Thing First, What Would Change?

      • What single outcome would make the first migration wave feel like an unequivocal success to execs and compliance?
      • Which measurable success signals would you accept after wave one (latency reduction, cost predictability within X%, audit evidence delivered, successful DR run)? Options: Latency improvement, Cost within X% of forecast, Compliance evidence delivered, Successful DR test, User satisfaction / fewer incidents
      • What residual risks are acceptable after the first wave, and which are absolute deal‑stoppers?
      • Realistically, what is your desired timeline for the first cutover and what blockers must we clear to hit it? Options: 0–3 months, 3–6 months, 6–12 months, 12+ months
      • If we were to propose a migration playbook today, what level of vendor involvement would you expect during execution? Options: Full execution by vendor, Shared execution with our team, Advisory + handover, Tooling only
  2. Outcome & Risk Discovery

    Define target outcomes, measurable success signals, acceptable residual risk, and procurement constraints tied to committed spend.

    Discovery Questions

    Start with the Big Picture

    • What's the single most important business outcome you need this cloud migration to deliver in the next 12 months? Options: Reduce operational cost, Enable digital services (customer-facing), Meet regulator/compliance mandate, Improve disaster recovery/resilience, Retire on‑prem data center, Other
    • Who is the executive sponsor and who will be your day‑to‑day point of contact for technical decisions?
    • How would you describe your current cloud posture today—pilot/POC, partial production, multi‑cloud, or mostly on‑prem? Options: No cloud (on‑prem only), Pilot/POC only, Single workload in production, Multiple production workloads, Multi‑cloud hybrid
    • What is the timeline you're working toward for migrating the first regulated workload to production? Options: Next 30 days, 30–90 days, 3–6 months, 6–12 months, 12+ months, No fixed timeline
    • When you think about this effort, what keeps you or your team up at night?

    If Compliance Could Talk, What Would It Demand?

    • What would it do to your migration plan if your CISO or a regulator said: 'We won't accept anything less than full FedRAMP/HITRUST/PCI controls as deployed—not just compliance‑eligible services'? Options: Pivot timeline, Require 3rd‑party assessment, Engage external compliance consultants, Stop migration until evidence provided, No change
    • Which specific certifications or attestations are mandatory for the workload(s) in scope? Options: FedRAMP Moderate, FedRAMP High, HITRUST, PCI DSS, SOC 2 Type II, ISO 27001, State/regional privacy requirements, Other
    • Who in your organization is the final approver for compliance acceptance (title/role)? Options: CISO, Head of Compliance, Security Architect, Legal/Privacy Lead, External Regulator, Other
    • What compliance evidence do you currently require to sign off on a new platform (examples: control mapping, audit reports, system security plan, pen‑test report)? Options: SSP/System Security Plan, Third‑party audit report (SOC/FedRAMP), Penetration test report, Encryption attestations, Data residency proof, Other
    • Tell us about a past time compliance blocked or delayed a cloud project—what happened and how long did it take to resolve?
    • Are there internal policies or external contracts that prevent you from using certain regions or vendors (e.g., data residency, vendor blacklist)? Options: Yes — internal policy, Yes — contractually prohibited, Yes — regulator imposed, No restrictions, Unsure

    Where Money Sneaks Out the Backdoor

    • What would it mean for your team if a migrated workload produced a surprise six‑figure monthly bill—how would decisions change? Options: Immediate rollback, Cut non‑essential services, Finance escalation, Renegotiate committed spend, Accept and monitor, Other
    • Which of these cost factors have surprised you before or feel most risky for this migration? Options: Egress charges, Storage tiering & cold storage, Network bandwidth, Unoptimized reserved capacity, Licensing / marketplace costs, Support & managed services, Other
    • Do you currently model expected steady‑state monthly spend and peak month spend separately? If so, how confident are you in those models? Options: We model both and are confident, We model both but not confident, We only model steady‑state, We don't model in detail, Unsure
    • What committed‑spend approach would your finance/procurement team consider acceptable (minimum term, payment cadence, true‑up options)? Options: 12‑month minimum, 24‑month minimum, Annual prepayment, Monthly true‑up, Quarterly true‑up, Consumption‑based with floor
    • Have you experienced billing disputes or opaque egress/storage pricing with prior vendors? Describe one example and the impact.
    • Which stakeholders must approve pricing tradeoffs (e.g., finance, procurement, legal, security)? Options: Finance/FP&A, Procurement, Legal, CISO/Security, Business Unit Owner, Other

    What Does Success Look Like in Real Numbers?

    • If we measured success 90 days after go‑live, what 3 metrics would tell you this migration is working?
    • Which of the following operational targets are non‑negotiable for you? Options: RTO (Recovery Time Objective), RPO (Recovery Point Objective), SLA uptime %, Mean time to detect/respond, Audit/log integrity, Cost per workload
    • What thresholds in those metrics would trigger escalation or rollbacks? Options: X% below SLA, Y hours downtime, Z% cost overrun, Failed compliance audit, Other
    • How will you measure user/business impact (examples: transaction latency, support tickets, revenue at risk)? Options: Transaction latency, Error rate, Support ticket volume, Revenue impact, Customer experience/NPS, Other
    • Who will own reporting and cadence for these metrics after go‑live (title/role)? Options: Cloud Ops Lead, Platform Engineering, Solutions Architect, Business Unit Owner, Other
    • Would you be open to a jointly defined success dashboard we review monthly with the account and engineering teams? Options: Yes, Maybe, No

    How Much Risk Are You Willing to Live With?

    • If you had to pick one sentence that describes your organization's appetite for residual risk after migration, what would it be? Options: Zero tolerance — must be fully mitigated, Very low — only minor residual risk, Moderate — acceptable tradeoffs for speed, High — willing to accept risk for cost/speed, Undecided
    • Which residual risks would you consider acceptable to the business (select all that apply)? Options: Minor configuration deviations, Delayed non‑critical audits, Temporary limited monitoring gaps, Performance variance, None — all must be resolved
    • What incidents or findings in a pen‑test or audit would be automatic deal blockers for your compliance team? Options: Critical vulnerabilities, Data exfiltration risk, Unencrypted data at rest, Missing audit logs, Third‑party subprocessor concerns, Other
    • How do you currently handle risk exceptions—who signs them off and what documentation is required?
    • What specific security or privacy controls do you expect to be enforced by default (examples: encryption at rest, access boundaries, centralized audit logging)? Options: Encryption at rest, Encryption in transit, Role‑based access control, Centralized audit logging, Key management (customer‑managed), Data residency enforcement
    • How quickly would you expect remediation for a high‑severity finding post‑deployment (SLAs for fixes)? Options: 24 hours, 72 hours, 1 week, Depends on complexity, No expectation defined

    Deal Mechanics — Where the Rubber Meets Paper

    • What are the non‑negotiable contract terms you must have before signing a committed‑spend agreement? Options: Transparent egress pricing, Clear storage tiering terms, Data Processing Agreement (DPA), Pen‑test and results sharing, Service availability SLA, Termination and exit terms
    • Which procurement cycle best describes how your organization awards multi‑year platform agreements? Options: Fast track (under 30 days), Standard (30–90 days), Complex (3–6 months), Enterprise procurement (6+ months)
    • Who needs to sign off on pricing and legal terms (roles)? Options: Procurement Director, VP Finance/CFO, General Counsel, CISO/Security, Business Unit Head, Other
    • What billing model do you prefer for committed spend? Options: Monthly billing with true‑up, Quarterly billing, Annual prepay, Consumption with minimum commitment, Other
    • What exit/egress protections are essential to you (examples: data export tools, assistance, capped transfer rates)? Options: Export tooling & scripts, Assisted data export period, Capped egress rates or credits, No special protections needed, Other
    • Are there procurement policies (e.g., SOC 2 attestation required, DPA language) you can share so we can align contract language early? Options: Yes — will share, Yes — but restricted, No — none to share, Unsure

    Who's Playing Which Role — Team Rhythm and RACI

    • Who will be the dedicated technical owner for the migration and ongoing ops (title/role)? Options: Cloud/Platform Engineer, DevOps Lead, Infrastructure Manager, Solutions Architect (internal), Other
    • Which internal teams must be actively involved during migration windows? Options: Security/InfoSec, Network Engineering, DBA/Storage, App Owners/Developers, Compliance/Privacy, Procurement/Finance
    • Would you want a named solutions architect embedded with your team for the first 3–6 months? Options: Yes — mandatory, Preferred but optional, No
    • How do you prefer handoffs and decision‑making to work during migration (examples: weekly steering, daily standups, asynchronous tickets)? Options: Weekly steering committee, Twice‑weekly syncs, Daily runbook standups during waves, Asynchronous with SLAs, Other
    • What internal communication channels and escalation paths already exist for cloud incidents? Options: Pager/on‑call rotation, Dedicated Slack/MS Teams channel, Email escalation chain, Incident response runbook, None formalized
    • What would success look like for your team’s working relationship with our solutions architect in month 1 and month 3?

    If This Worked, What Comes Next?

    • Imagine we met your top success metrics—what would your next migration look like and how soon would you want to expand? Options: Expand similar workload immediately, Plan next workload in 3 months, Consolidate several services before expanding, Not sure yet
    • Which parts of your estate are highest priority for follow‑on migrations (select up to three)? Options: Core banking/transactional systems, EHR/clinical systems, Billing & claims, Analytics/data warehouse, Backup & archive, Dev/test environments
    • What organizational signals would tell you it’s time to expand (examples: compliance sign‑off, cost savings realized, SLA reliability)? Options: Compliance sign‑off on initial workload, Consistent cost predictability, SLA met for X months, Business request for scale, Other
    • What internal obstacles could derail expansion even if the initial migration succeeds? Options: Budget constraints, Procurement cycle delays, Security concerns, Change fatigue, Competing priorities, Other
    • If you could ask our team for one guarantee to make you feel confident about expanding, what would it be?
    • Realistically, when should we schedule a follow‑up to review success signals and discuss expansion plans? Options: 30 days after go‑live, 60 days after go‑live, 90 days after go‑live, On milestone completion, Other
  3. Solution Experience

    Ground the offering in the customer’s context by walking through a compliant architecture, migration path, and cost model that prove the outcomes.

    Experience Meetings

    • Solution Experience Kickoff — Current State Confirmation
    • Consequence & Success Metrics Workshop
    • Compliant Architecture Solution Experience
    • Migration Path & Runbook — Pilot Proof
    • Cost Model & Commercial Proof
    • Lock in pilot schedule and required test data windows.
    • Compliance owner lists mandatory compliance gates (e.g., FedRAMP baseline, pen-test timing) and signs off.
    • One-sentence Future State
    • Get customer agreement that the presented architecture will achieve the defined future state and success metrics.
    • Map each compliance control to evidence and owner, closing any responsibility gaps.
    • Establish concrete validation checkpoints to be executed during pilot and waves.
    • Solutions architect to deliver an annotated architecture diagram with control-to-evidence mapping.
    • Compliance owner to confirm the sufficiency of mapped evidence for audits and list any additional documentary needs.
    • Operations owner to accept the validation checklist and assign test owners.
    • Migration Waves & Pilot Selection
    • Agree on a low-risk pilot that will prove the architecture and migration process against the success metrics.
    • Confirm runbooks, rollback criteria, and operational owners for pilot execution.
    • Introductions & Objectives
    • Build and share pilot runbook with step owners, expected outcomes, and rollback triggers.
    • Network/ops to provision transfer bandwidth reservation and confirm egress throttling parameters for the pilot window.
    • Schedule pilot cutover date and invite all operational stakeholders and audit observers.
    • Current Cost Baseline & Drivers
    • Obtain customer validation that the cost model reliably projects outcomes and that key cost risks are mitigated.
    • Select a pricing scenario for negotiation and identify legal/compliance items required to finalize terms.
    • Establish a billing governance cadence and dashboard ownership for ongoing cost control.
    • Deliver a detailed cost-model workbook with scenario tabs and assumptions annotated for customer review.
    • Finance/legal to draft term sheet reflecting committed-spend band, egress/storage clauses, and SLA obligations.
    • Set up monthly spend-review meeting and connect billing dashboards to designated finance owners.
    • Achieve a single, agreed one-sentence current state describing who is affected and how it’s breaking.
    • Surface initial quantified consequences (cost/risk/time) tied to the current state.
    • List all missing evidence and assign owners to supply them before the architecture walkthrough.
    • Customer provides finalized architecture diagram, workload inventory, and last 3 months of billing/cost drivers.
    • Solutions architect drafts a one-sentence current-state proposal based on attachments for customer confirmation.
    • Schedule the Consequence & Metrics Workshop and Architecture Walkthrough with required stakeholders.
    • Reconfirm Current State & Stakes
    • Agree on a small set of measurable success signals that will prove the future state.
    • Quantify the business and compliance consequences that make the change urgent.
    • Document acceptable residual risk and procurement constraints to constrain the solution design.
    • Create a Success Metrics document mapping each metric to measurement source, owner, and target values.
    • Finance provides committed-spend bounds and billing constraints to be used in cost modeling.
    • Proposed Cost Model Aligned to Architecture
    • Data Migration & Egress Strategy
    • Quantify Consequence — Cost, Time, Risk
    • Read & Validate Current State (one sentence)
    • Architecture Walkthrough — Zones & Controls
    • Runbooks & Rollback Procedures
    • Evidence Review — What’s Real
    • Control-to-Evidence Mapping
    • Define Measurable Success Signals
    • Scenario Modeling & Sensitivity Analysis
    • Consequences Snapshot (preliminary)
    • How Design Eliminates the Key Problems
    • Operational Owners & Run Schedule
    • Billing Governance & Reconciliation
    • Acceptable Residual Risk & Compliance Gates
    • Acceptance Criteria & Validation Points
    • Data & Preconditions Missing
    • Procurement & Spend Constraints
    • Pilot Success Criteria & Measurement
    • Decision & Contractual Next Steps
    • Validation & Sign-off
    • Alignment & Next Steps
  4. Solution Scope

    Define modules (compute, storage, networking, DB, containers, AI), compliance baselines, data residency, responsibilities, and acceptance criteria; assign the dedicated solutions architect.

    Scope Configuration

    • Provision FedRAMP-certified Compute Instances
    • Deploy HITRUST-compliant Managed Database
    • Create Isolated Compliance VPC with Network Controls
    • Enable Default Encryption and Managed KMS
    • Activate Audit Logging with Tamper-Evident Storage
    • Provision PCI-DSS Hardened Payment Processing Environment
    • Provision Managed Kubernetes Cluster with Compliance Defaults
    • Configure Data Residency Controls and Regional Locking
    • Provision Dedicated Hosts with FIPS 140-2 Modules
    • Set Up Role-Based Access Boundaries with MFA
    • Enable Transparent Egress Billing and Usage Alerts
    • Provision Storage Tiering with Lifecycle Policies
    • Deploy Managed AI Inference Service in Certified Region
    • Provision Terraform Provider with Prebuilt Compliance Modules

    Scope Questions

    Provision FedRAMP-certified Compute Instances

    • Which FedRAMP impact level do your workloads require? Options: FedRAMP Low, FedRAMP Moderate, FedRAMP High, Unsure — need guidance
    • What types of workloads will run on these instances (e.g., web tier, application servers, analytics)? List primary workload types and any special requirements.
    • Estimate the expected instance footprint at launch (CPU cores and RAM per node) and anticipated scale over 12 months. Options: Small (<=8 vCPU), Medium (9-32 vCPU), Large (>32 vCPU), Custom — see details
    • Do you require single-tenant / dedicated compute (hardware isolation) versus multi-tenant instances? Options: Dedicated hosts required, Shared tenancy acceptable, Mix of both
    • What uptime or SLA targets must compute meet (percent uptime, RTO for critical services)? Options: 99.9%, 99.95%, 99.99%, Custom/Not sure
    • Are there specific OS images, hardening standards (CIS, STIG), or baseline configurations we should apply? Options: CIS Benchmarks, DISA STIGs, Customer baseline (provide), Use provider default

    Deploy HITRUST-compliant Managed Database

    • Which database engines do you plan to use? Options: PostgreSQL, MySQL, Microsoft SQL Server, Oracle, Other
    • What is the expected database size and IOPS profile at go‑live and projected 12 months out? Options: <100GB, 100GB-1TB, 1TB-10TB, >10TB, Unknown — need sizing
    • Does the data include PHI or other HITRUST-sensitive categories that require special handling? Options: Yes — PHI, Yes — Other sensitive data, No, Unsure
    • What RPO/RTO requirements do you have for the database (backup frequency, maximum acceptable data loss)? Options: RPO < 1 hour, RPO < 24 hours, RTO < 1 hour, RTO < 24 hours, Custom — specify
    • Do you require customer-managed keys (BYOK) for DB encryption or provider-managed keys? Options: Provider-managed keys, Customer-managed KMS (BYOK), HSM-backed keys required, Unsure — discuss
    • Are cross-region replication, read replicas, or analytics replicas required as part of the managed DB offering? Options: Cross-region replication, Read replicas, Analytics replicas, None

    Create Isolated Compliance VPC with Network Controls

    • What isolation model do you prefer for the VPC/network (per-application, per-environment, per-tenant)? Options: Per-application, Per-environment (prod/stage/dev), Per-tenant / dedicated VPC, Hybrid
    • Which inbound/outbound connectivity patterns are required (Internet only, VPN, Direct Connect/PrivateLink, partner peering)? Options: Internet only, Site-to-site VPN, Dedicated private interconnect (Direct), Partner peering/private links
    • Which network controls do you require by default (security groups, NACLs, stateful firewall, IDS/IPS, WAF)? Options: Security groups / microsegmentation, NACLs, Stateful firewall, IDS/IPS, WAF, All of the above
    • Do you need explicit egress filtering or proxying for traffic leaving the VPC (e.g., approved outbound IPs, TLS inspection)? Options: Egress filtering required, Egress proxy required, No egress controls required
    • Are private DNS, internal load balancers, and service discovery required within the isolated network? Options: Private DNS, Internal load balancers, Service discovery (Consul/ECS/K8s), None
    • Do you require network segmentation proof (diagrams, segmentation tests) for auditors/regulators? Options: Yes — diagrams and test evidence, Yes — diagrams only, No

    Enable Default Encryption and Managed KMS

    • Do you require provider-managed keys, customer-managed keys (BYOK), or HSM-backed keys for encryption at rest? Options: Provider-managed, Customer-managed BYOK, HSM-backed (FIPS), Mix depending on data type
    • Which assets must be encrypted by default (compute disks, databases, object storage, backup snapshots)? Options: Compute disk volumes, Managed databases, Object storage, Backups/snapshots, All of the above
    • Do you require key rotation policies, dual-control for key deletion, or separation of duties for KMS admin roles? Options: Automatic rotation, Manual rotation, Dual-control for deletion, Separation of duties
    • Are FIPS 140-2/140-3 validated cryptographic modules required for your environment? Options: Yes — FIPS 140-2/3 required, No, Unsure — need guidance
    • Will keys be used across multiple regions or must keys be region-locked? Options: Region-locked keys, Multi-region keys allowed, Mix by data classification
    • Do you require audit logging and exportable key usage reports for compliance reviews? Options: Yes — full audit trail, Basic logging only, No

    Activate Audit Logging with Tamper-Evident Storage

    • Which sources should forward logs by default (compute, databases, network devices, containers, IAM events)? Options: Compute, Databases, Network devices, Containers/K8s, IAM events, All of the above
    • What retention period is required for audit logs for compliance (months/years)? Options: 90 days, 1 year, 3 years, 7+ years, Custom — specify
    • Do you require tamper-evident/WORM storage and chain-of-custody evidence for stored logs? Options: WORM/tamper-evident required, Standard immutable snapshots sufficient, No special immutability required
    • Do you need logs forwarded to an existing SIEM, or should we provide a hosted log analytics instance? Options: Forward to customer SIEM, Provide hosted SIEM/log analytics, Both
    • What volume of logs (GB/day) do you estimate so we can size retention and storage tiers? Options: <1GB/day, 1-10GB/day, 10-100GB/day, >100GB/day, Unknown — need help estimating
    • Which personnel should have access to audit logs and what RBAC restrictions are required?

    Provision PCI-DSS Hardened Payment Processing Environment

    • Does your environment handle cardholder data directly, or will a tokenization/third-party gateway be used? Options: Directly handles cardholder data, Tokenization/third-party gateway, Hybrid
    • What PCI level / SAQ type do you expect to demonstrate (e.g., SAQ A, SAQ D)? Options: SAQ A, SAQ A-EP, SAQ D, Not sure — need assessment
    • Are there required quarterly external vulnerability scans and annual penetration tests to include in scope? Options: Quarterly scans and annual pen-test required, Only scans required, No external testing required
    • Which encryption and TLS requirements must be enforced for payment traffic? Options: TLS 1.2 minimum, TLS 1.3 required, Strong cipher suites only, Customer-specified
    • Do you require segmentation evidence demonstrating separation of cardholder environment from other systems? Options: Yes — segmentation evidence, No
    • Are there preferred WAF rulesets, fraud detection integrations, or payment gateways we must support?

    Provision Managed Kubernetes Cluster with Compliance Defaults

    • What Kubernetes control plane model do you prefer (managed control plane, self-managed, or hybrid)? Options: Fully managed control plane, Self-managed (customer-managed nodes), Hybrid
    • What compliance defaults are required (network policies, Pod Security Standards, admission controllers, image scanning)? Options: Network policies enforced, Pod Security Standards enforced, Admission controllers/OPA/Gatekeeper, Image vulnerability scanning, All of the above
    • Estimate cluster size (number of nodes) and expected pod density for initial migration. Options: Small (<=3 nodes), Medium (4-10 nodes), Large (>10 nodes), Unknown — need assessment
    • Do you require private container registries with signed images and SBOM support? Options: Private registry with image signing, Public registry allowed, SBOM required, Not required
    • What RBAC model and service account restrictions are required for operator/CI/CD access? Options: Strict RBAC with least privilege, Team-level roles, Admin access for ops, Custom — specify
    • Do you need built-in backup/restore for cluster state and persistent volumes? Options: Yes — full backups, Snapshots only, No — customer handles backups

    Configure Data Residency Controls and Regional Locking

    • Which regions or countries must data remain in for residency/compliance reasons?
    • Which data classes are subject to residency controls (PII, PHI, payment data, logs, backups)? Options: PII, PHI, Payment card data, Audit logs, Backups, All of the above
    • Is cross-region replication or disaster recovery permitted if the destination is the same jurisdiction? Options: Allowed within same jurisdiction, Not permitted, Allowed with encryption and approval
    • Do you require automated region-locking enforcement and drift detection for storage and databases? Options: Yes — automated enforcement, Audit-only (reporting), No enforcement required
    • Are legal hold, e-discovery, or regulator access controls required for region-locked data? Options: Legal hold required, E-discovery required, Regulator access controls required, None
    • What latency or locality constraints exist for users or systems accessing region-locked data? Options: Low latency required (<50ms), Moderate latency acceptable, Batch processing only, Unknown

    Provision Dedicated Hosts with FIPS 140-2 Modules

    • How many dedicated hosts are required at launch and what growth do you expect in 12 months? Options: 1-2 hosts, 3-10 hosts, 10+ hosts, Unknown — need estimation
    • Do hosts need FIPS 140-2 validated crypto modules for all cryptographic operations? Options: Yes — FIPS 140-2 required, No, Partial — only for certain services
    • Is single-tenant physical isolation mandatory for regulatory reasons, or is logical isolation sufficient? Options: Physical single-tenant required, Logical isolation sufficient, Hybrid
    • What hardware profiles (CPU, RAM, GPU) and OS families are required on the dedicated hosts?
    • Do you require provable attestation, telemetry, or certificates for host integrity to present to auditors? Options: Attestation/certificates required, Telemetry only, No attestation required
    • Are maintenance windows and reboot policies constrained by regulatory commitments or business operations? Options: Yes — constrained windows, No — flexible, Requires prior approval per change

    Set Up Role-Based Access Boundaries with MFA

    • Which identity provider(s) will you integrate for SSO (Okta, Azure AD, ADFS, other)? Options: Okta, Azure AD, OneLogin, ADFS, Other
    • Which MFA methods are acceptable for your organization (hardware token, TOTP, push, U2F/WebAuthn)? Options: Hardware token, TOTP (authenticator apps), Push notifications, U2F/WebAuthn, Other
    • How many distinct roles or access boundaries are required (e.g., dev, ops, security, auditors)? Options: 1-2, 3-5, 6-10, 10+
    • Do you require just-in-time privileged access, approval workflows, or session recording for privileged sessions? Options: Just-in-time access, Approval workflows, Session recording, None
    • Are break-glass procedures and emergency access controls required and who should own them? Options: Yes — defined break-glass, No, Unsure — need help defining
    • Do auditors or third parties need read-only access to specific logs or resources? Options: Yes — auditors need access, No, Only via time-limited access
  5. Mutual Commit

    Finalize committed‑spend pricing, transparent egress/storage terms, SLAs, DPAs, pen‑test requirements, and mutual acceptance criteria.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Committed Spend & Pricing Annex
    • Billing, Invoicing & Payment Terms
    • Egress & Data Transfer Addendum
    • Storage Tiering & Retention Addendum
    • Service Level Agreement (SLA)
    • Data Processing Agreement (DPA)
    • Security & Penetration Test Addendum
    • Compliance Evidence & Certification Appendix
    • Acceptance Criteria & Go‑Live Checklist
    • Reserved Capacity & Allocation Schedule
    • Implementation & Migration Plan
    • Change Order & Scope Amendment Process
    • Data Return, Deletion & Offboarding Agreement
    • Governance, Escalation & QBR Cadence
    • Legal & Regulatory Contact Annex
    • Signature & E‑Sign Execution
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm data classification, access controls, reserved capacity, migration windows, compliance evidence, and owners are ready for execution.

      Readiness Questions

      Quick Intro: Who Are We Talking With Today?

      • Please introduce your organization (name, primary vertical) and the single strongest reason you're evaluating a regulated-cloud migration now.
      • Which best describes your current infrastructure footprint? Options: Primarily on‑premises, Hybrid (on‑prem + cloud), Single hyperscaler, Multi‑cloud, Edge-first
      • Who will be the core decision team for this migration (select all who apply)? Options: CTO/VP Infrastructure, CISO, Compliance Officer, Head of Procurement, VP Finance, Solutions Architect/Engineering Lead, Legal/Data Privacy
      • What is your target timeline to have an initial production workload live on a compliant cloud? Options: 0–3 months, 3–6 months, 6–12 months, 12+ months, Undecided
      • Roughly, what committed annual spend band would procurement consider (or has committed to discussing)? Options: <$100k, $100k–$500k, $500k–$2M, $2M–$10M, >$10M, Not disclosed yet
      • How would you describe current confidence that your compliance team will approve a cloud migration without major rework? Options: Very confident, Somewhat confident, Unsure, Unlikely to approve

      If Compliance Is the Gatekeeper, What’s Holding the Key?

      • If your CISO or compliance officer could insist on one non‑negotiable artifact before approving migration, what would it be?
      • Which compliance certifications or attestations must the platform demonstrate for your workloads? Options: FedRAMP (Low/Moderate/High), HITRUST, PCI DSS, SOC 2 Type II, ISO 27001, State/Local regulator-specific, Other
      • Which concrete pieces of evidence does your auditor expect (select all that apply)? Options: System security plan / ATO package, Penetration test report, Encryption key management docs, Access review logs, Data flow diagrams and classification, SLA & DPA with vendor, Third‑party attestation (SOC/ISO)
      • Where does your organization draw the line on data residency and cross‑border transfer for regulated data? Options: Must remain in-country/region, Can move within specified regions, No residency restriction, Depends on dataset
      • Tell us about the last time compliance blocked or delayed a cloud project—what specifically failed to satisfy them?
      • What residual risk level would be acceptable to your security/compliance teams (e.g., documented compensating controls, SLA-backed remediation windows, or zero residual risk)? Options: Documented compensating controls accepted, Time‑boxed remediation required, SLA‑backed remediation with penalties, Zero residual risk only, Undecided

      Where Does Cost Surprise You Most?

      • What single billing or cost issue has caused the largest operational upset in the past year?
      • Which cost drivers worry you most during migration and in production (select all that apply)? Options: Egress/transfer costs, Storage tiering and long‑term retention, Unexpected TPU/GPU/AI charges, Unreserved compute in prod, Licensing and managed DB fees, Network architecture / cross‑AZ traffic
      • Do you currently model egress, storage lifecycle, and reserved capacity for production workloads? Options: Yes—detailed models, Partially—some estimates, No—ad hoc assumptions, Don’t know
      • Which procurement pricing protections would materially reduce your risk (pick up to two)? Options: Committed‑spend discounts, Transparent egress caps/tiers, Price floors/ceilings, Monthly usage true‑ups, Reserved capacity guarantees, No hidden fees clause
      • How would you prefer to receive cost transparency during migration (select all that apply)? Options: Daily cost dashboards, Predictive monthly forecasts, Automated cost alerts over threshold, Weekly executive summary, Ad‑hoc run cost analyses
      • Share an example of a surprise charge you faced previously and its operational impact.

      Who Really Owns Risk — And What Will Make Them Say Yes?

      • If one stakeholder could veto this project today, who is it and what evidence would flip them to 'go'?
      • Which of these stakeholders need to sign off before cutover (select all that apply)? Options: CISO/security, Compliance officer, VP Finance/FP&A, Procurement/Legal, Business unit owner, Application owners/Dev leads
      • What are the top 3 acceptance criteria each of these groups will require (security, finance, procurement)?
      • How does your organization quantify acceptable residual risk—by financial exposure, incident likelihood, regulatory penalty, or another metric? Options: Financial exposure, Incident likelihood, Regulatory penalty risk, Operational uptime impact, Qualitative judgement
      • Who is authorized to approve emergency changes during migration and what governance is required afterwards?

      What Would a Zero‑Surprise Migration Day Look Like?

      • Imagine day‑one cutover with zero customer complaints—what three things went exactly right?
      • Has data classification been completed for the workloads you plan to migrate? Options: Complete for targeted workloads, Partially classified, Not started, Unknown
      • Which pre‑cutover controls must be validated before any traffic is shifted (select all that apply)? Options: IAM/role mappings, Encryption key access policies, Network ACLs and peering, Logging pipelines to SIEM, Backup/restore verification, Data masking/anonymization
      • Do you have reserved capacity or committed instances planned for cutover to prevent throttling or runaway costs? Options: Yes—reserved/committed planned, We plan auto‑scale only, No—but we can purchase quickly, Undecided
      • What is your preferred migration window cadence (weekend, nights, phased waves) and why? Options: Weekend full cutover, Nightly cutover windows, Phased waves by app/domain, Blue/green with small traffic shift, Other
      • Describe your rollback criteria—what exact symptoms or failures would trigger an immediate reversal?

      Operational Readiness: Who Does What When?

      • If something breaks within 60 minutes post‑cutover, who is the single point of contact and what is their first action?
      • Which runbook and automation artifacts must exist before migration (select all that apply)? Options: Terraform/Pulumi IaC modules, Step‑by‑step runbook for cutover, Automated rollback script, Monitoring & alert playbooks, Oncall escalation matrix
      • Do your engineers prefer Terraform, Pulumi, or another IaC for onboarding and ongoing ops? Options: Terraform, Pulumi, Cloud‑native templates (YAML/ARM/etc.), Custom scripts, No strong preference
      • Who will be the dedicated solutions architect or AE counterpart on your side during the first 6 months?
      • What level of runbook testing do you require prior to cutover (table‑top, dry‑run, live failover)? Options: Table‑top walkthrough, Dry‑run on non‑prod, Live failover exercise, All of the above, Other
      • What monitoring, alert thresholds, and escalation SLAs must be in place day‑one?

      Evidence & Audit: How Will We Prove It?

      • If an auditor asked for proof of controls 24 hours after cutover, which artifacts would you need to hand them immediately?
      • Which of the following audit outputs are mandatory for you (select all that apply)? Options: Immutable audit logs with retention policy, Configuration baselines and drift reports, Penetration test results, DPA/GDPR compliance clauses, Access reviews and attestations, Network flow and topography documentation
      • Do you require third‑party pen tests and, if so, do you accept vendor‑led remediation windows or insist on independent verification? Options: Yes—independent verification required, Yes—vendor remediation with evidence, No pen test required, Undecided
      • What data retention and logging retention durations are non‑negotiable for your compliance posture? Options: 30 days, 90 days, 1 year, 3+ years, Depends on dataset
      • Have you had any recent audits with findings relevant to cloud migration? If so, summarize the finding and remediation status.

      Commitments, Pricing, and Procurement Red Lines

      • What contractual term would most likely cause procurement to stop negotiations (the deal‑breaker)?
      • Which commercial protections do you require before signing (select all that apply)? Options: Committed‑spend discounts, Transparent egress pricing, Monthly true‑ups, SLA credits and remedies, DPA & data residency clauses, Indemnity for regulatory fines
      • How long is your typical procurement cycle from RFP to signature for cloud infrastructure? Options: <1 month, 1–3 months, 3–6 months, 6–12 months, Varies widely
      • Will your finance team treat this as OPEX consumption or require capital treatment for committed spend? Options: OPEX, CapEx, Hybrid, Undecided
      • Who in procurement/legal needs to be engaged early to avoid last‑minute redlines (name/role)?
      • Are there any regulator‑mandated contract clauses (e.g., specific data handling language) we must include up front? Options: Yes—list required clauses, No specific clauses, Unsure

      Next Steps & Red Flags: What Would Make You Pause?

      • If we leave this conversation without a plan, what single signal would tell you this project is unlikely to proceed in the next quarter?
      • List the top three unresolved risks today that, if mitigated, would unlock fast approval.
      • On a 1–10 scale, how ready is your organization to begin a compliant migration program right now? Options: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
      • How soon could you assign an internal owner and a small working team to begin runbook and IaC onboarding? Options: Immediately, Within 2 weeks, 1 month, 2–3 months, Later / TBD
      • Would you be open to a short technical spike (PoC) to validate cost models, compliance controls, and cutover playbooks? If yes, what success criteria would make it worthwhile? Options: Yes—define success criteria, Maybe—need more info, No
      • Preferred next contact method and timing to follow up on readiness artifacts (email, calendar invite, technical workshop)? Options: Email summary and attachments, Schedule technical workshop, Calendar invite for governance review, Slack/Teams channel
    2. Deployment Enablement

      Schedule waves, coordinate teams, onboard Terraform/Pulumi configurations, runbooks, and execute migrations with clear owners and rollback plans.

    3. Validation Checklist

      Run acceptance tests, audit logging validation, compliance checks, and cost verification to confirm go‑live criteria are met.

      Validation Questions

      Quick Pulse: Is Today a Good Day to Validate?

      • How ready does your team feel to run validation activities right now? Options: Fully ready, Mostly ready with minor gaps, Partially ready — significant gaps, Not ready
      • Who will be the primary owner coordinating validation activities for this workload? Options: CISO/Security, VP/Director of Infrastructure, Solutions Architect, Engineering Lead, Compliance Officer, Other — please specify
      • Which environments should we use for validation (select all that apply)? Options: Development, Integration/QA, Staging, Pre‑Prod, Production (canary)
      • Are there any recent changes (config, network, third‑party) made in the last 30 days that might affect validation?
      • Do you have a preferred go/no‑go meeting cadence and a hard deadline for the validation window? Options: Daily standup during validation, Twice daily checkpoints, Single go/no‑go at end of window, Flexible — will decide case by case

      If We Go Live, What Keeps You Up at Night?

      • If we flipped the switch tomorrow, what single failure would you classify as a show‑stopper or regulatory incident?
      • Which kinds of compliance violations would force you to pause or reverse go‑live immediately? Options: Unauthorized data exfiltration, Encryption key compromise, Improper data residency, Audit trail gaps, Failed access control audits, Other
      • Have you experienced a similar production incident in the past 24 months? If so, briefly what happened and what recovery looked like?
      • When you imagine that incident, which impact concerns you most—regulatory fines, customer trust, outage duration, or financial loss? Options: Regulatory fines, Customer trust/reputation, Operational downtime, Direct financial loss, Executive escalation
      • Which executives or external stakeholders must be notified within specific timeframes if a critical issue appears? Options: CISO, CEO/CTO, CFO, General Counsel, Board/Regulator, No external notification required immediately

      Where Do Our Tests Actually Prove Anything?

      • Which acceptance test do you trust least to reflect real production behavior—and why?
      • Which user journeys or system flows must pass validation to be confident (select all that apply)? Options: Authentication/authorization, Data ingestion pipelines, Backup & restore, Disaster recovery failover, High‑throughput APIs, Batch jobs / ETL, Other
      • Do you have automated test suites tied to CI/CD for these journeys, and what percentage of those critical paths are covered? Options: >90%, 70–90%, 40–70%, <40%, No automated coverage
      • What explicit pass/fail thresholds should we apply for latency, error rates, and throughput during validation?
      • Who owns the test artifacts and long‑term maintenance of the validation suites? Options: Customer engineering team, Customer QA team, Vendor / solutions architect, Shared ownership model, Other

      Can You Trust the Audit Trail When It Matters?

      • If an auditor demanded a tamper‑proof timeline of access to regulated data, could you produce it within 24 hours? Options: Yes, easily, Yes, with effort, Possibly but would take >24h, No
      • Which logging sources are considered authoritative for your compliance posture (pick all that apply)? Options: Platform audit logs, Application logs, Database audit logs, Network flows/VPC logs, SIEM/Log aggregator, Endpoint telemetry
      • Where are logs stored and what is your minimum retention requirement for compliance evidence? Options: 30 days, 90 days, 1 year, 3 years, Custom — please specify
      • How do you detect and respond to gaps or tampering in logs (e.g., integrity checks, write‑once storage, chain of custody)?
      • What proof artifacts will auditors accept for encryption, access reviews, and privileged access events? Options: Signed audit reports, SIEM screenshots, Immutable logs export, Penetration test results, Configuration snapshots, Other

      Who Will Raise the Red Flag and How?

      • When the first sign of trouble appears, who must be in the room within the first hour, and who is hardest for you to call? Options: On‑call SRE, Engineering Lead, CISO/Security, Solutions Architect (vendor), Legal/Compliance, Executive Sponsor
      • Do you have runbooks and incident playbooks for Sev1/Sev2 events, and how recently were they exercised? Options: Fully documented and exercised in last 90 days, Documented but not recently exercised, Partial runbooks, No formal runbooks
      • What escalation SLAs do you expect from the vendor and from your internal teams for critical incidents? Options: 15 minutes, 30 minutes, 1 hour, 2+ hours, Custom — specify
      • How do you want post‑incident accountability handled (immediate actions, blameless post‑mortem, external reporting)? Options: Immediate resolution + post‑mortem, Containment then external notification, Blameless post‑mortem only, Require vendor‑led remediation plan
      • Do you require the vendor to run tabletop or live incident drills before go‑live? If yes, what cadence? Options: Yes — weekly, Yes — monthly, Yes — quarterly, No, not required

      Are Costs Going to Surprise Anyone?

      • Which line item on the bill would cause the most executive friction if it doubled unexpectedly? Options: Egress charges, Storage tiering, Snapshots/backup storage, Inter‑region data transfer, Reserved compute misallocation, Third‑party services
      • Which cost drivers should we prioritize during validation modeling? Options: Egress, Long‑term cold storage, Snapshot frequency, Cross‑region replication, Provisioned vs autoscaled compute, AI/accelerator usage
      • How accurately have you modeled committed‑spend versus expected usage—what margin of error is acceptable? Options: Within 5%, Within 10%, Within 20%, Uncertain / no model yet
      • Do you want cost‑governance gates during validation (alerts, auto‑throttles, budget caps)? If so, which? Options: Budget alerts, Auto‑throttle noncritical workloads, Egress caps, Notification only, Other
      • Who in your organization will own cost reconciliation against committed spend after go‑live? Options: Finance, Cloud FinOps team, Engineering, Account manager (vendor), Shared ownership

      Acceptance Criteria: Are We Signing for the Right Thing?

      • If you had to sign off today, what single unmet acceptance criterion would force you to delay go‑live?
      • Which modules must meet acceptance before sign‑off (choose all required)? Options: Compute, Storage, Networking, Databases, Container orchestration, AI/accelerators, Security/compliance controls
      • Which compliance baselines must be demonstrably met with artifacts (select all that apply)? Options: FedRAMP/NIST controls, HITRUST, PCI DSS, SOC 2, ISO 27001, Data residency proofs
      • What concrete artifacts do you require for acceptance (e.g., test reports, immutable logs, pen‑test results, SLA statements)? Options: Automated test reports, Immutable log exports, Penetration test report, SLA and DPA documents, Configuration and architecture diagrams
      • Who are the required signatories for final acceptance and what authority level must they hold?
      • Describe the rollback criteria that would trigger an immediate revert during the validation window.

      Final Checklist — Can We Prove it in 48 Hours?

      • If we gave you 48 hours of focused validation support, what three outcomes would convince you to greenlight go‑live?
      • Can you run a dry‑run or smoke migration during that 48‑hour window? Options: Yes, independently, Yes, with vendor support, No — need more time, Not applicable
      • Which stakeholders must be available during the 48‑hour validation window (select all who must be on call)? Options: On‑call SRE, Engineering lead, Solutions architect (vendor), CISO/Security, Compliance officer, Product owner
      • Which dashboards, metrics, or success signals will you monitor in real time to declare the window successful?
      • After go‑live, how long should we keep heightened monitoring and rapid rollback capability before transitioning to steady state? Options: 24 hours, 72 hours, 1 week, 30 days, Custom — specify
      • What immediate post‑go‑live optimizations or compliance follow‑ups should we prioritize in the first 30 days?
  7. Success

    Review outcomes against success signals, plan estate consolidation and next migrations, and maintain a shared channel for issues and enhancements.

    Success Reviews

    • Success Review & Validation
    • Estate Consolidation & Next-Migration Planning
    • Committed Spend & Cost Optimization Review
    • Operational Rhythm: Issues, Enhancements & Shared Channel Governance
    • Quarterly Success Steering (Executive Review)

    Issues & Enhancements

    • Provision the shared channels, add initial members and post the triage matrix and runbook links.
    • Ensure capacity and cost implications are modeled for committed-spend planning.
    • Surface high-risk migrations requiring additional validation or pilot activity.
    • Publish the wave plan as a living artifact with owners, dates, acceptance criteria, and runbook links.
    • Perform PoC/pilot for any top-risk workload identified before scheduling full migration.
    • Update committed-spend forecast to reflect reserved capacity or tier changes required by planned waves.
    • Spend vs Commitment Summary
    • Reconcile committed spend and confirm any required adjustments or additional purchases.
    • Identify immediate cost-reduction actions that do not compromise compliance or availability.
    • Agree on financial owner actions and timeline for implementing optimizations.
    • Deliver a detailed cost report with recommendations and estimated savings for each optimization.
    • Execute agreed reserved capacity purchases or contract amendments via procurement.
    • Track and report savings in the next success review cycle.
    • Shared Channel Purpose & Access
    • Create a single source-of-truth shared channel with clear access, triage, and escalation rules.
    • Define SLAs and owners to reduce time-to-resolution for incidents.
    • Establish a repeatable enhancement intake and prioritization process tied to business and compliance value.
    • Introductions & Purpose
    • Populate the enhancement backlog with initial candidate items and score them for prioritization.
    • Schedule recurring triage and grooming meetings and publish the cadence to stakeholders.
    • One-sentence Current State
    • Secure executive approval for the next migration waves and any committed-spend changes.
    • Align senior stakeholders on strategic priorities, risk acceptances, and reporting expectations.
    • Ensure funding and procurement path is clear for proposed expansions.
    • Produce an executive one-pager summarizing KPIs, risks, proposed waves, and decision requests.
    • Obtain formal sign-off on budget/commit changes and document procurement actions.
    • Schedule the next quarterly steering meeting and assign a dashboard owner for monthly updates.
    • Demonstrate evidence that each agreed success signal has been met or document precise remediation required.
    • Obtain customer validation and formal acceptance (or a documented remediation plan with owners and deadlines).
    • Identify and prioritize any critical residual risks that block broader estate migration.
    • Deliver a packaged acceptance artifact set (metrics, logs, compliance evidence) for archiving and audit.
    • Create remediation tickets with owners, SLAs, and verification steps for unmet success signals.
    • Schedule follow-up validation meeting aligned to remediation completion dates.
    • Inventory Snapshot & Dependencies
    • Produce an agreed prioritized migration backlog (waves) with owners and acceptance criteria for each wave.
    • Egress, Storage & Tiering Analysis
    • Prioritization Criteria
    • KPIs & Success Signals Review
    • Triage Workflow & Severity Matrix
    • Current State (one-sentence)
    • Strategic Opportunities & Risks
    • Outcome Metrics & Evidence
    • Wave Definition & Templates
    • Reserved Capacity & Discount Opportunities
    • Response & Resolution SLAs
    • Cost & Capacity Modelling per Wave
    • Recommended Next-Wave Investments
    • Enhancement Backlog Process
    • Consequence Assessment
    • Quick Wins & Optimization Roadmap
    • Gaps, Remediations & Timeline
    • Decisions & Approvals
    • Forecast & Contract Implications
    • Timeline, Windows & Owners
    • Meeting Cadence & Reporting
    • Acceptance Decision & Sign-off Criteria
    • Finance & Procurement Next Steps
    • Runbooks, Playbooks & Tooling Links
    • Risk Register & Mitigation
    • Governance & Reporting Cadence
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.