Terraform-managed cost guardrails, Grafana Bloodbath dashboard, anomaly detection wired to your comms channel, and DORA / NIS2 / ISO 27001 evidence — shipped as a product, not a Time-and-Materials gamble.
The median EU SME estate wastes 20-40% of monthly AWS spend on resources nobody uses, nobody tagged, and nobody owns. Every month it compounds. Every audit makes it worse. Every quarter your CFO asks the same question with sharper edges.
Idle EC2, unattached EBS, orphaned NAT gateways, oversized RDS. Each one bleeds money quietly until quarter-end when finance asks why the bill grew 22%.
AWS Budgets configured once, never tuned. Cost Anomaly Detection enabled in the console with default thresholds. Nobody gets paged when spend spikes 3x at 02:00.
Half the stack provisioned in the console, the other half in stale Terraform state. Tags applied inconsistently. Finance has no per-team cost attribution.
No screenshots of a SaaS UI. No locked dashboards. Five concrete layers of code + configuration + documentation that land in your Git repository on day one.
Four fixed-scope tiers. Same Terraform template under all of them. The only difference is who lifts the wrench.
Self-deploy. Buy once, own forever.
Best for: In-house team comfortable with Terraform that wants the SEAWALL blueprint without an engagement.
Outcome: You ship the controls in an afternoon. Zero lock-in. Your code from day one.
Done-for-you. We deploy it in your AWS organization.
Best for: Companies wanting the engine live in production without their team learning Terraform fluently this quarter.
Outcome: 20-30% run-rate saving within 30 days of go-live, signed off by your CFO.
Hosted Grafana + monthly cost report. Hands-off cost control.
Best for: Teams that deployed SEAWALL but want us to host the dashboard and triage anomalies asynchronously.
Outcome: Predictable spend curve. Audit evidence pack that writes itself every quarter.
We operate the guardrails. You ship product.
Best for: FinTech, Maritime, Legal, and regulated estates that need same-day response and audit-grade FinOps records.
Outcome: Predictable cloud economics + a named engineer you can call when it burns.
Looking for a one-off diagnostic before committing to deploy? Bloodbath Audit · fixed-scope diagnostic
No middleware, no iPaaS, no premium connector add-ons. Native API + IaC integration with the surfaces your team already runs.
SEAWALL is built for EU regulated entities. Every guardrail carries an explicit citation to the clause your auditor reads from. The evidence pack is part of the deliverable, not a paid add-on.
DORA Article 6: ICT risk management. Budgets, anomaly detection, and SCP guardrails map to ICT control objectives with timestamp + remediation history.
NIS2 Article 21: cyber-security risk-management measures. Tagging SOP, IAM baseline, and logging evidence ship in the handover pack.
ISO 27001 Annex A.5 / A.8: cloud-cost-management, change-management, and segregation-of-duties mapped for regulated EU operators.
Your platform team sees the Terraform plan before any change lands. Every module is documented, versioned, and exits cleanly if you decide to leave.
Every Terraform module + Grafana dashboard JSON + SOP markdown sits in a private repo invited to your GitHub or GitLab on purchase. Tag-based release channel.
GitHub Actions workflow runs terraform plan on every PR and posts the diff as a review comment. Your engineers approve infrastructure changes the same way they approve code.
One CLI command revokes the SEAWALL IAM role across your AWS Organization. Terraform state stays in your bucket. Dashboards stay in your Grafana. Nothing on our side is load-bearing.
Those are dashboards — they tell you something is wrong, then bill you per user for showing you. SEAWALL ships the controls that stop the bleed: Terraform-managed Budgets, Service Control Policies, anomaly detection wired to your comms channel, and a tagging SOP your engineers actually follow. You keep the IaC. No per-seat SaaS fee, no vendor lock-in, no proprietary metric model that breaks when you switch tools.
Yes. Every module lives in your Git repository under a permissive internal-use license. We hand over the code, the state, the documentation, and the training. If you ever cancel a managed retainer, nothing breaks and nothing disappears — your guardrails keep running.
The DIY tier needs zero access from us — you clone, plan, apply. For Implementation+, we provision a scoped IAM role using a CloudFormation StackSet with an External ID. ReadOnly during discovery; Write access only after a documented blast-radius review. You can revoke the SEAWALL role with a single CLI command at any time. All evidence is stored encrypted in the EU (Hetzner Falkenstein) and destroyed on request.
Net reduction in monthly AWS invoice — measured against a frozen 90-day baseline, with anomalies and one-off spikes excluded. We do not count Reserved Instance purchases, Savings Plans, or promotional credits as savings (those are commitment decisions, not waste removal). If the post-Implementation invoice does not drop, you do not pay the success component of any retainer.
Multi-account: yes, that is the default — SEAWALL deploys via StackSets across your entire AWS Organization, automatically including newly created accounts. Multi-region: yes, the guardrails follow your region allow-list. Multi-cloud: SEAWALL targets AWS today (largest waste surface in our client base). An Azure equivalent is in beta (Azure Budgets, Cost Management exports, Management Group policies, Azure Monitor alerts) — request access if Azure is your primary cloud.
Every SEAWALL control ships with an explicit mapping to DORA Article 6 (ICT risk management), NIS2 Article 21 (cyber-security risk-management measures), and ISO 27001 Annex A. At the end of Implementation you receive an evidence pack formatted for your next supervisory review or internal audit. Managed tiers refresh this pack quarterly with timestamps + remediation history.
One senior engineer — the same one you meet on the discovery call. No account managers, no offshore hand-off, no junior rotation. You get a single Slack channel and a direct line to the person holding the Terraform plan. The DIY tier is community-supported on Discord.
Yes. DIY customers get a credit toward Implementation if they upgrade within 12 months. Implementation customers can add a Managed tier without re-engagement. We do not punish moving up the stack.
DIY ships to your inbox in 60 seconds. Implementation books out 2-3 weeks ahead. Managed tiers start the first of the month. Pick the depth that fits this quarter.