02 Cluster · Infrastructure Layer

Multi-cloud control, shipped from Cape Town.

Cloud Console, Pipeline Builder, Security Posture Manager, and FinOps Dashboard — four products on one infrastructure layer. POPIA Section 72 enforced at provisioning so resources cannot land outside permitted regions. Built on the same stack we use to run the rest of the platform.

Platform engineers · SecOps · FinOps · SREs

  • Product surfaces: 5 (Cloud Console · Pipeline Builder · Security Posture · FinOps · IT Ops Hub)
  • Hyperscalers integrated: 3 (AWS af-south-1 · Azure South Africa North · GCP Johannesburg)
  • Source service lines: 4 (Cloud Architecture · Cybersecurity · DevOps · IT & Technical Solutions)
  • Compliance frameworks: 4+ (POPIA · SOC 2 · ISO 27001 · GDPR — automated evidence collection)

Why the Cloud & DevOps Suite exists

Cloud spend is rising. POPIA is enforceable. Hyperscaler consoles do not care.

Four structural problems make South African cloud and DevOps difficult to operate at scale. Cluster 02 was built specifically to dissolve them — and it inherits the same compliance posture, ZAR pricing, and af-south-1 residency as Cluster 01.

01 — Operational fragmentation

One operational problem. Four vendor consoles.

Cloud architecture is one decision. DevOps tooling is another. Cybersecurity is a third. IT management is a fourth. Today, that means four budgets, four security reviews, four contracts — and four sets of dashboards an SRE has to reconcile at 2am.

Separate vendors handling four dimensions of the same operational problem.
02 — Cloud cost drift

Idle resources. FX volatility. Surprise invoices.

Hyperscaler bills arrive in USD, denominated against a moving rand. Idle resources accumulate. Reservations expire silently. Most teams discover overspend a quarter after it happens — not in time to do anything about it.

30%+: share of typical enterprise cloud spend that is recoverable through rightsizing and reservation discipline.

03 — POPIA Section 72

Cross-border data flows are not optional.

POPIA Section 72 restricts the transfer of personal information outside South Africa. Hyperscaler consoles let engineers spin up resources in any region — including ones where your data should never sit. You catch it in the audit, not at provisioning.

0: native POPIA Section 72 enforcement in any major hyperscaler console.

04 — The local support gap

A ticket. A timezone. A wait.

When something breaks, you raise a ticket and wait for a Mumbai or Dublin engineer to read it. There is no in-country technical account manager, no shared incident bridge, and no procurement officer who understands B-BBEE compliance.

+8h: typical timezone delay between incident escalation and a hyperscaler engineer reading it.

Hyperscaler-only

The old way

  • Resources land in any region — POPIA caught in audit, not provisioning
  • USD billing exposes you to FX risk
  • Cost overrun discovered a quarter late
  • SOC, security, and DevOps as four disconnected stacks
  • Tickets answered in another timezone
sonofgraig

The unified Suite

  • Region-lock policies enforced before resources are created
  • ZAR pricing — no FX exposure on platform spend
  • FinOps anomaly detection within hours, not quarters
  • Cloud · DevOps · Security · IT in one operational pane
  • Pretoria-based SOC and technical account management
Five-layer architecture

Built for the operations buyer — and the auditor.

The Cloud & DevOps Suite is structured the same way as the rest of the sonofgraig platform: shared services beneath specialised products, hosted on infrastructure that satisfies POPIA Section 72 by default. The deeper a customer goes into the suite, the higher the operational switching cost — that's the lock-in.

L1 · Consumers
Four operational personas sharing one suite — platform engineers, SecOps, FinOps, and SRE leadership.
Platform Eng. · SecOps · FinOps · SREs

L2 · Products
Five user-facing surfaces drawn from four service lines. Each is independently subscribable; together they close the operational loop.
Cloud Console · Pipeline Builder · Security Posture · FinOps · IT Ops

L3 · Platform services
Shared with the AI Dev Platform — same auth, same audit log, same observability. One billing relationship, one SOC.
API gateway · RBAC · Observability

L4 · Cloud abstraction layer
Terraform, Pulumi, AWS CDK, and the Kubernetes API normalised into a single resource model. Region-lock policies enforced here before any provider call.
Terraform · Pulumi · AWS CDK · Helm

L5 · Infrastructure
AWS af-south-1 primary. Azure SA North and GCP Johannesburg as managed peers. Kubernetes for stateful workloads, serverless for stateless.
af-south-1 · Azure SA North · GCP Joburg · 99.9% SLA

The infrastructure lock-in — why this cluster compounds

Infrastructure tooling generates the most reliable recurring revenue in SaaS because customers cannot cancel without operational disruption. Pipelines deploying to your cloud, security policies enforcing at provisioning, FinOps owning the budget approval workflow — these become the daily-operations layer. The longer the suite runs, the deeper it sits in your operating model, and the lower the chance any individual product gets ripped out. That's the strategic case for Cluster 02.

Five product surfaces

Cloud · DevOps · Security · FinOps · IT.
One operational pane.

Each product is independently subscribable. Each solves a specific problem for a specific persona. Together they form the closed loop required to run modern enterprise infrastructure on South African terms.

Product 01 · Service 4 — Cloud Architecture

Cloud Control Console

Unified multi-cloud resource management with POPIA Section 72 enforced at provisioning.

Q2 2027 · Subscription + % managed spend

  • Multi-cloud resource view: AWS, Azure South Africa North, and GCP Johannesburg in one searchable inventory. Tag-aware. Cost-aware.
  • Region-lock policies: POPIA Section 72 compliance: resources cannot be provisioned outside permitted regions without explicit override approval.
  • Serverless mesh templates: Pre-built deployment patterns for Lambda, Functions, and Cloud Run — wired into VPC and IAM by default.
  • Edge integration: Cloudflare Workers managed alongside hyperscaler resources. One IAM. One audit trail.
  • Container orchestration: Managed Kubernetes clusters across all three hyperscalers. Helm chart catalogue with rollback.
  • Disaster recovery: Cross-region snapshots, runbook automation, and tested failover procedures — without sending data to a non-permitted region.
  • Cost allocation: Spend attributed by department, project, environment, and service — across providers, in rand.
  • Approval workflows: Provisioning requests routed through tier-aware approval chains. Auditable. Slack-native.

  • Platform engineers: One inventory across AWS, Azure, GCP. Tag-driven cost views.
  • Compliance teams: POPIA s.72 enforced at provisioning, not in the audit cycle.
  • SREs: DR runbooks live alongside the resources they recover.
  • Heads of cloud: Quarterly board view of multi-cloud spend, in rand.

Product 02 · Service 6 — DevOps Solutions

Pipeline Builder

Visual CI/CD designer with Terraform IaC and Helm chart management built in.

Q2 2027 · Tier + pipeline run metering

  • Visual workflow designer: Drag-and-drop pipeline canvas. Generates GitHub Actions, GitLab CI, or Bitbucket Pipelines YAML.
  • Terraform IaC generator: Configure cloud resources in the UI; the system emits Terraform or Pulumi modules ready for review.
  • Helm chart catalogue: Manage Kubernetes releases with version pinning, dry-run, and one-click rollback.
  • AppSec automation: SAST, DAST, SCA, and container scanning wired into every pipeline. Failures block deployment.
  • GitOps manager: ArgoCD-powered. Declarative environment management with drift detection and auto-sync.
  • SLA & error budgets: Define SLOs per service, track error budget burn, and gate releases when budgets are exhausted.
  • Observability stack: Prometheus, Grafana, and OpenTelemetry pre-wired. Traces, metrics, and logs in one view.
  • Pipeline-as-code: Every visual change emits a versioned YAML diff into your repo. Code remains the source of truth.

  • DevOps engineers: Build pipelines visually; YAML stays the source of truth.
  • Release managers: SLO-gated releases. Error budget visible to the whole team.
  • SecOps: SAST, DAST, SCA wired in by default. No bypass without sign-off.
  • SREs: Drift detection on every environment. ArgoCD sync built in.

Product 03 · Service 5 — Cybersecurity

Security Posture Manager

Zero-trust architecture, automated pen testing, and compliance evidence collection — with a 24/7 SOC behind it.

Q3 2027 · Tier + SOC retainer

  • Zero-trust wizard: Generate identity-based segmentation policies from your existing IAM. No flat networks. No implicit trust.
  • Automated pen testing: Scheduled vulnerability scans with human review on findings. Findings flow into Pipeline Builder as blocking issues.
  • Compliance Forge: SOC 2, GDPR, POPIA, ISO 27001 evidence auto-collected from infrastructure events.
  • AppSec automation: SAST, DAST, SCA, secrets scanning, container CVE detection — embedded in every pipeline.
  • 24/7 SOC: Pretoria-based Security Operations Centre. Same timezone. Same language. Same business hours as your CISO.
  • Incident response: Documented playbooks, automated containment, retainer-based forensics. Breach notification workflows ready.
  • Posture score: A single 0-100 number on the dashboard. Drillable to specific findings, owners, and remediation status.
  • Blockchain security: Smart contract scanning, wallet hygiene, on-chain anomaly detection — for customers running tokenised products.

  • CISOs: Posture score in one view. Audit evidence in one click.
  • SOC analysts: Pretoria-based 24/7 ops, no timezone delay on triage.
  • Compliance teams: SOC 2 / ISO 27001 evidence collected automatically.
  • AppSec leads: SAST/DAST/SCA wired into every pipeline by default.

Product 04 · Service 4 — Cloud FinOps

FinOps Dashboard

Anomaly detection, rightsizing, and budget enforcement — denominated in rand, not dollars.

Q3 2027 · Tier + savings share

  • Anomaly detection: ML-driven cost spike alerts the same day they happen — not a quarter later in the FX-translated invoice.
  • Rightsizing recommendations: Idle, over-provisioned, and stranded resources surfaced with one-click resize or termination.
  • Reservation planner: Recommends Savings Plans, Reserved Instances, and Committed Use Discounts based on six months of usage.
  • Budget enforcement: Hard caps at the project level. Soft caps trigger Slack approval. No more midnight overspend surprises.
  • Showback & chargeback: Cost allocation by team, project, environment, or feature flag. Generated as PDF or API.
  • Multi-cloud unit economics: Cost per request, cost per agent execution, cost per fine-tune — across all hyperscalers.
  • FX hedging view: USD-denominated hyperscaler spend translated daily at the live ZAR rate. See your real exposure.
  • Executive reporting: Board-ready monthly spend pack — by cluster, by product, by department, in rand.

  • FinOps leads: Anomalies same-day. Reservations recommended automatically.
  • CFO & finance: Cloud spend in rand. Departmental chargeback ready.
  • Engineering managers: Per-team budgets enforced before resources spin up.
  • Heads of cloud: Multi-cloud unit economics in one trend chart.

Product 05 · Service 7 — IT & Technical Solutions

IT Operations Hub

Network, MDM, helpdesk, IoT, and unified comms — for the operations team that runs the office, not just the cloud.

Q4 2027 · Tier + per-seat helpdesk

  • Network topology: Documentation as code. SD-WAN configuration. VLAN, VPN, and firewall rules versioned in Git.
  • MDM dashboard: Jamf and Intune integrated. Device posture, app whitelisting, remote wipe, compliance reports.
  • Smart office IoT: Device registry for printers, sensors, badge readers, and meeting room hardware. Alerting and lifecycle.
  • AI helpdesk bot: Internal support agent built on Cluster 01's Agent Builder. Resolves tier-1 tickets without a human.
  • Hybrid cloud manager: On-premises data centre operations stitched into the same console as cloud — for customers running both.
  • Unified comms: VoIP, video, SMS, and presence. SIP-trunked locally; international PSTN where needed.

  • Heads of IT: One pane for network, devices, IoT, and helpdesk.
  • Network engineers: SD-WAN config as code. Topology versioned.
  • Helpdesk leads: Tier-1 deflection by an AI agent that knows your runbooks.
  • Office managers: Smart office device fleet, one inventory, one health view.

What it plugs into

Brings the tools you already pay for under one console.

The Cloud & DevOps Suite is not a forklift replacement. It sits above your existing hyperscaler accounts, your Git host, your IAM, and your observability stack — and gives operations a single pane that respects all of them.

Hyperscaler & edge providers

Three South African hyperscaler regions, plus the global edge layer. Region-lock policies enforce POPIA Section 72 before the API call leaves sonofgraig — a misconfigured Terraform plan cannot land resources outside permitted regions.

AWS af-south-1 (Cape Town) — primary region
Azure South Africa North (Johannesburg) — managed peer
GCP africa-south1 (Johannesburg) — managed peer
Cloudflare Workers — edge runtime alongside hyperscalers
Kubernetes (EKS, AKS, GKE) — managed cluster lifecycle
Terraform / Pulumi / AWS CDK — IaC code emitted, not stored

Source control & CI runners

Pipeline Builder is host-agnostic. It writes to GitHub Actions, GitLab CI, or Bitbucket Pipelines YAML — your repo remains the source of truth. We never lock in pipeline definitions to our format.

GitHub + GitHub Actions runners
GitLab + GitLab CI runners (self-hosted or SaaS)
Bitbucket + Bitbucket Pipelines
ArgoCD GitOps for Kubernetes deployment
Webhook-driven self-hosted Git providers
Helm chart catalogue — versioned, signed, scanned

Security & identity

Security Posture Manager federates rather than replaces. Your existing IAM stays the source of identity; we enforce policies against it. Findings flow into your existing ticketing or directly into Pipeline Builder gates.

Okta · Azure AD · JumpCloud · Google Workspace
SAML, OIDC, SCIM provisioning
Trivy + OWASP ZAP for SAST/DAST
OPA / Gatekeeper for Kubernetes policy
Vanta + Drata for evidence collection
Wazuh + Falco runtime detection

Observability & alerting

Pipeline Builder ships Prometheus, Grafana, and OpenTelemetry pre-wired. Alerts route into the channels your team already lives in. Customers with existing Datadog or New Relic environments keep them — we federate, not replace.

Prometheus + Grafana — included
OpenTelemetry traces and metrics
Datadog · New Relic · Dynatrace federation
PagerDuty · Opsgenie · Squadcast routing
Slack + Teams alert channels
SLO and error budget dashboards
POPIA Section 72

Three questions every cloud audit must answer.
The Suite answers all three at provisioning.

POPIA Section 72 makes cross-border data flows enforceable. Most enterprises catch violations in the audit. The Cloud & DevOps Suite catches them at provisioning — before a single byte leaves the country.

Where is the data right now?
Every resource carries a region tag, every storage volume carries a residency policy, and every cross-region transfer is logged with the operator who initiated it.
→ Cloud Console · Region inventory
Can it leave South Africa?
Region-lock policies block provisioning to non-permitted regions before the API call hits the hyperscaler. Override requires named approval — and that approval is recorded.
→ Cloud Console · Region-lock policies
Can we prove it to the auditor?
Every provisioning event, every override, and every cross-region transfer goes into Compliance Forge. SOC 2, ISO 27001, and POPIA evidence is generated, not collected.
→ Security Posture · Compliance Forge
Honest roadmap

When each Cloud & DevOps product ships.

Cluster 02 is a Phase 2 build. It ships after Cluster 01 generates the platform revenue that funds it — so customers who land on AI Dev Platform first get a coherent infrastructure layer behind it, not a separate vendor relationship.

Phase 1 — Months 1–6 — Funded by AI Dev Platform
Architecture & design
In progress
Multi-cloud abstraction layer design
Region-lock policy engine spec
Pipeline Builder visual canvas prototype
Compliance Forge evidence schema
Hyperscaler procurement & partner agreements
Pretoria SOC operating model
Funded by: Phase 1 platform revenue
Progress: 40% architecture complete
Phase 2 — Months 7–9 — Cluster entry
Cloud Console + Pipeline Builder
Q2 2027
Multi-cloud resource inventory (AWS · Azure · GCP)
Region-lock policy enforcement at provisioning
Visual pipeline canvas → GitHub Actions / GitLab CI YAML
Terraform / Pulumi IaC generator
ArgoCD GitOps integration
Helm chart catalogue + Kubernetes lifecycle
Target: First Cloud & DevOps customer live
Cross-sell: Existing AI Dev Platform customers
Phase 2 — Months 10–12 — Cluster expansion
Security Posture + FinOps
Q3 2027
Zero-trust configuration wizard
Automated pen testing scheduler
Compliance Forge — SOC 2, POPIA, GDPR, ISO 27001
AppSec automation in Pipeline Builder
Cost anomaly detection — same-day alerts
Rightsizing & reservation planner
FX hedging view — USD-to-ZAR daily reconciliation
24/7 SOC operational from Pretoria
Target: 50 Cluster 02 customers
Certifications: SOC 2 Type II + POPIA
Suite ARR contribution: R10M+
Phase 2/3 — Months 13–15 — Final product
IT Operations Hub
Q4 2027
Network topology & SD-WAN configuration
MDM dashboard — Jamf + Intune integrated
Smart office IoT registry & lifecycle
AI helpdesk bot — built on Agent Builder (Cluster 01)
Hybrid cloud / on-prem data centre operations
Unified communications — VoIP / video / SMS
Dependency: Agent Builder GA
Cross-sell: ServiceNow / Freshservice replacements
Pricing for the cluster

One subscription. Priced in rand. Plus a share of what we save you.

Cloud & DevOps is included in Growth and Enterprise tiers. Standalone subscription opens at the entry of Phase 2. FinOps revenue is partly performance-based — we share in the cloud savings we deliver.

Cluster 02 — Cloud & DevOps Suite

Bundled with Growth, included in full at Enterprise.

Growth includes any three clusters — pick Cloud & DevOps and combine it with AI Dev Platform plus Data & Analytics. Enterprise includes all five clusters plus Governance Hub. Indicative pricing for the standalone Suite tier published Q1 2027.

R19,999
Growth tier · 25 seats · billed monthly

Cloud & DevOps, shipped from Cape Town.

Cluster 02 ships from Q2 2027 onwards, funded by Phase 1 platform revenue. Joining the early interest list secures founding-customer pricing and direct input into the cluster's product priorities.

POPIA Section 72 enforced at provisioning · 3 hyperscaler regions integrated · Pretoria SOC, business hours aligned · ZAR billing — no FX risk