Transitioning to enterprise software. Services live now. First product, RAG Studio, ships Q4 2026. See the roadmap →
sonofgraigsonofgraig isometric mark. Primary. Three-face hexagonal prism. Flat colour.
sonofgraig
Service · Cluster 2 · Cloud & DevOps Suite

Zero-trust cloud, in four to six weeks.

A fixed-scope engagement that builds the foundation a serious South African enterprise actually needs — AWS af-south-1 architected for POPIA Section 72 from the VPC up, Terraform infrastructure-as-code your team owns, GitHub Actions CI/CD that ships safely, and the observability stack to know when something is wrong before customers do. Built on the same patterns sonofgraig uses to run its own platform.

Region-locked by architecture. POPIA Section 72 enforced by VPC and IAM, not by contract or trust.
Everything reviewable as code. Terraform for infrastructure, YAML for pipelines, Helm for deployments.
Three regions supported. AWS af-south-1 by default; Azure South Africa North or GCP Johannesburg on request.
POPIA documentation in the deliverable. Section 19 and Section 72 evidence pack — not an extra invoice.
Enquire about Cloud Architecture See what's included
Zero-trust posture
Fixed scope, fixed price
30-day post-delivery support
Convert to Cloud Console subscription
Starting at
R75,000
Delivery window
4–6 weeks
Default region
AWS af-south-1
IaC tool
Terraform
01 · Outcomes

What ships at the end of week six.

Most cloud-architecture engagements fail in the same three ways: the deliverable is a slide deck instead of running infrastructure, the security posture is documented but not enforced, and the operations team gets a system they cannot actually run. We solve all three by making them deliverables — not optional add-ons.

Outcome 01
A running cloud, not a slide deck
A live AWS account in af-south-1 with VPC, private subnets, EKS cluster, RDS, S3, IAM, secrets management, and a working sample workload deployed end-to-end via the CI/CD pipeline. Day one of go-live, you can deploy a service.
~30 min from commit to production deploy
Outcome 02
Zero-trust by architecture
No public IPs on backend infrastructure. Identity-based segmentation. Least-privilege IAM policies. Every workload runs in a private subnet with allow-listed egress. POPIA Section 72 enforced by VPC configuration, not by contract or trust.
0 backend services with public IP exposure
Outcome 03
Observable from day one
Prometheus metrics, Grafana dashboards, OpenTelemetry tracing, and Sentry error tracking wired in before the first workload. SLO and error-budget tracker configured for the services in scope. Alerts route to Slack or PagerDuty per your runbook.
4 golden signals tracked: latency, traffic, errors, saturation
02 · Six pillars

Cloud Architecture & DevOps Solutions, in one engagement.

sonofgraig's source-service catalog defines Cloud Architecture and DevOps Solutions as twelve sub-disciplines. The standard scope below covers the six that matter most for an enterprise establishing or rebuilding their cloud foundation. The other six are quoted as add-ons during scoping.

Pillar 01 · Cloud Architecture
Multi-region foundation
Production VPC with private subnets, public ingress through ALB only, multi-AZ for resilience, region-locked at the IAM layer to prevent accidental cross-region provisioning.
  • VPC, subnets, NAT, ALB, security groups
  • Multi-AZ deployment for production
  • Region-lock IAM SCP — no cross-region provisioning
Pillar 02 · Container Orchestration
Managed Kubernetes (EKS)
Production-grade Amazon EKS cluster with managed node groups, cluster autoscaler, ALB ingress controller, and Helm-based deployments. Private cluster endpoint by default.
  • EKS cluster with managed node groups
  • Helm charts for app deployment & rollback
  • Cluster autoscaler & HPA configured
Pillar 03 · Infrastructure as Code
Terraform IaC, end-to-end
Every resource defined in Terraform. Remote state in S3 with DynamoDB locking. Modular layout per environment (dev / staging / prod). Plan/apply gated by pull request.
  • Terraform modules per environment
  • Remote state with locking & encryption
  • Plan output enforced in PR before apply
Pillar 04 · CI/CD Pipeline
GitHub Actions, with guardrails
Build, test, scan, and deploy. SAST (semgrep, gitleaks) and SCA (trivy) on every commit. Critical findings block the merge. Helm-based deploy with rollback. Branch protection enforced.
  • Build · test · scan · deploy in pipeline
  • Helm chart deploys with rollback
  • Branch protection on protected branches
Pillar 05 · Observability
Prometheus + Grafana + OTel
Prometheus for metrics, Grafana for dashboards, OpenTelemetry for distributed tracing, Sentry for errors. SLOs and error budgets configured for the services in scope. Alerts in Slack or PagerDuty.
  • Four golden signals dashboarded
  • SLO & error-budget tracker per service
  • Sentry + OTel for tracing & errors
Pillar 06 · Zero Trust & Edge
Identity, secrets & perimeter
Cloudflare WAF and DDoS protection at the edge. AWS Secrets Manager for credentials. Identity-based segmentation. Least-privilege IAM policies. No long-lived keys; OIDC federation from CI runner to AWS.
  • Cloudflare WAF, DDoS, rate limiting
  • OIDC federation — no long-lived keys
  • Secrets Manager + KMS for all credentials
03 · Architecture

Five layers, all defined in code.

Every layer below is delivered as Terraform modules in your repository. Each layer has a defined purpose, a defined boundary, and a defined responsibility for either security or reliability. You inherit it as code — nothing is delivered as a black box or an undocumented manual configuration.

L01
Edge — Cloudflare global network
Cloudflare WAF in front of every public endpoint. OWASP managed rule sets, bot management, rate limiting per IP and per organisation, DDoS mitigation. TLS 1.3 with strong cipher suites enforced.
Cloudflare WAF DDoS L3/L4/L7 Rate limiting TLS 1.3
L02
Ingress — AWS Application Load Balancer
Single ingress point for the VPC. Public subnets host only the ALB, NAT gateways, and bastion (if required). Backend services are unreachable from the internet. AWS Certificate Manager for TLS termination.
AWS ALB ACM certificates Public subnet isolation
L03
Workloads — Amazon EKS
Containerised workloads run on managed EKS in private subnets. Helm charts for application deployment with rollback. Cluster autoscaler and Horizontal Pod Autoscaler configured. Network policies enforced at the pod level.
Amazon EKS Helm Cluster autoscaler Network policies
L04
Data — RDS, S3 & Secrets Manager
PostgreSQL on RDS in a private subnet with encrypted snapshots. S3 for object storage with versioning and lifecycle policies. AWS Secrets Manager for credentials. KMS keys for everything — AES-256 at rest enforced at the storage layer.
RDS PostgreSQL S3 + lifecycle Secrets Manager KMS · AES-256
L05
Operations — observability & CI/CD
Prometheus scrapes metrics from every service. Grafana dashboards on the four golden signals. OpenTelemetry tracing across services. Sentry for error capture. GitHub Actions for build, test, scan, and deploy with OIDC-based authentication into AWS.
Prometheus Grafana OpenTelemetry Sentry GitHub Actions OIDC federation
04 · Cloud options

Three regions, all in South Africa.

sonofgraig builds on AWS af-south-1 by default because that's the region sonofgraig's own platform runs in. If your group security policy mandates Microsoft or Google, we deliver the equivalent architecture on Azure South Africa North or GCP Johannesburg — the same outcomes, the same scope, the same fixed price.

Default
AWS
af-south-1 · Cape TownThe region sonofgraig's own platform runs in
  • EKS, RDS, S3, Secrets Manager, KMS, ALB
  • Terraform AWS provider — mature ecosystem
  • SCP-based region lock to af-south-1
  • Cost Explorer & Budgets pre-configured
  • OIDC federation from GitHub Actions
  • sonofgraig has shipped this 30+ times
No surcharge. The price is the price. AWS bills go directly to your account.
Available
Microsoft Azure
South Africa North · JohannesburgDefault for Microsoft 365 / Entra customers
  • AKS, Azure SQL, Blob Storage, Key Vault
  • Terraform AzureRM provider — equivalent modules
  • Region restriction via Azure Policy
  • Cost Management + budgets
  • Workload identity federation from GHA
  • Add 5 business days to delivery window
Recommended when your organisation is already deeply on Microsoft 365 and Entra ID.
Available
Google Cloud
africa-south1 · JohannesburgDefault for data & analytics workloads
  • GKE, Cloud SQL, Cloud Storage, Secret Manager
  • Terraform Google provider — equivalent modules
  • Org Policy constraints lock to africa-south1
  • Billing budgets & quotas
  • Workload identity federation from GHA
  • Add 5 business days to delivery window
Recommended for BigQuery-heavy data & analytics workloads.

Multi-cloud (resources in two clouds simultaneously) is out of standard scope but quotable as an extension. sonofgraig's Cloud Console product (Q2 2027) provides multi-cloud unified management as a subscription.

05 · Infrastructure as code

Reviewable. Reversible. Yours.

A real Terraform module from a delivered engagement, slightly redacted. Your team gets the full module library at handover — networking, EKS, RDS, IAM, observability, CI — with documentation and a runbook explaining how to extend it. There is no proprietary wrapper to learn.

What this gives you
A repository your engineers can read, review, and own.
Every resource sonofgraig provisions for you exists as Terraform code in your Git repository. That includes the VPC, the EKS cluster, the RDS instance, the IAM roles, the Helm charts, and the CI/CD workflows. Your platform team can audit it, modify it, and extend it — we are not a black box.
Modular layout — one module per logical concern (network, compute, data, ci, observability)
Per-environment workspacesdev, staging, prod with isolated state
Remote state in S3 with DynamoDB locking and KMS encryption
Plan output enforced in PR before any apply runs against a protected environment
tfsec & checkov in CI — security misconfigurations fail the build
infra/modules/network/main.tf
# sonofgraig Cloud Architecture & DevOps engagement
# Network module — production VPC for af-south-1
# Terraform >= 1.6 · AWS provider >= 5.0

terraform {
  required_version = ">= 1.6"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

module "vpc" {
  source             = "terraform-aws-modules/vpc/aws"
  version            = "~> 5.5"

  name               = "${var.org}-${var.env}-vpc"
  cidr               = "10.0.0.0/16"
  azs                = ["af-south-1a", "af-south-1b", "af-south-1c"]

  private_subnets    = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets     = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  database_subnets   = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = false   # multi-AZ NAT — production
  enable_vpn_gateway = false

  # POPIA s.72 — flow logs to detect cross-region egress
  enable_flow_log                       = true
  flow_log_destination_type             = "s3"
  flow_log_destination_arn              = aws_s3_bucket.flow_logs.arn
  flow_log_traffic_type                 = "ALL"
  flow_log_log_format                   = null

  tags = var.tags
}

# Region-lock SCP — applied at the org level via separate
# identity module. Prevents accidental provisioning in
# any region except af-south-1. Override requires explicit
# approval through the security team's IAM role.
06 · Delivery cadence

Four phases. Four to six weeks.

Every phase ships a tangible deliverable. The cadence below is the standard plan; complex compliance regimes (financial services, healthcare) or non-AWS clouds may extend the build phase by up to a week. We will tell you which week you are in at every check-in.

Discovery, requirements & baseline
Workload inventory · Security baseline · POPIA risk assessment
Week 1
Two workshops with your platform team and your Information Officer. We document the workloads in scope, the compliance requirements that apply (POPIA Section 19 and 72, applicable industry rules), the existing identity/SSO setup, and the integration points with your on-premises or other cloud environments. Acceptance criteria for go-live are agreed in writing.
Deliverables
Signed scoping document with measurable acceptance criteria
Network plan — VPC topology, CIDR allocation, AZ layout
POPIA risk register with residency and access control mitigations
Foundation build — IaC & identity
Terraform modules · IAM · OIDC · Secrets Manager
Weeks 2–3
VPC, subnets, NAT, security groups, IAM roles, Identity Center / SSO integration, OIDC federation from GitHub Actions, KMS keys, Secrets Manager. The Terraform repository structure is committed to your Git, with a CI workflow that runs terraform plan on every pull request. Region-lock SCP applied at the AWS organisation level.
Deliverables
Terraform repository in your Git with foundation modules
Identity Center / SSO configured for your IdP
OIDC trust between GitHub Actions and AWS — no static keys
Region-lock policy enforced at the AWS organisation level
Workloads, CI/CD & observability
EKS · Helm · GitHub Actions · Prometheus · Grafana
Weeks 3–5
EKS cluster provisioned and hardened. RDS PostgreSQL with encrypted snapshots and automated backups. The reference workload is built, scanned (SAST + SCA), tested, deployed via Helm to staging, promoted to production. Prometheus, Grafana, OpenTelemetry, and Sentry are wired in. Four golden signals dashboarded; SLOs and error budgets configured.
Deliverables
Production EKS cluster with managed node groups
End-to-end CI/CD pipeline — reference workload deployed
Prometheus & Grafana — four golden signals dashboard
SLO & error-budget tracker for the reference service
Hardening, handover & 30-day support
Pen test · Runbooks · Knowledge transfer · POPIA pack
Weeks 5–6
An automated security scan and a manual configuration review against CIS AWS Foundations Benchmark. Findings are remediated to closure or accepted-risk. Runbooks are written for incident response, rollback, model swap, and on-call rotation. Two knowledge-transfer sessions run with your platform team. The 30-day post-delivery support window starts on go-live.
Deliverables
CIS Foundations Benchmark assessment with remediation report
Runbooks — incident response, rollback, on-call rotation
POPIA Section 72 evidence pack — residency, encryption, audit
30 days of priority support and tuning included from go-live
07 · Scope

Exactly what's in. Exactly what's not.

Fixed-scope means we have to be explicit about boundaries. The lists below are the standard inclusions and exclusions for the R75,000 starting price. Anything in the right column can be quoted as a separate engagement — or rolled into a Cloud Console / Pipeline Builder subscription on conversion.

Included
In the fixed-scope engagement
  • Discovery workshop, scoping document, POPIA risk register
  • Single AWS account in af-south-1 (or Azure SA North / GCP africa-south1)
  • Production VPC with multi-AZ private/public subnet topology
  • Region-lock SCP at the AWS organisation level
  • Identity Center / SSO integration with your IdP
  • EKS cluster with managed node groups & cluster autoscaler
  • Single RDS PostgreSQL instance with encrypted snapshots
  • S3 buckets with versioning, lifecycle policies, KMS encryption
  • Cloudflare WAF, DDoS, and rate limiting at the edge
  • OIDC federation from GitHub Actions to AWS — no static keys
  • End-to-end CI/CD for one reference workload
  • SAST (semgrep, gitleaks) & SCA (trivy) gated in CI
  • Prometheus, Grafana, OpenTelemetry, Sentry — configured
  • Four-golden-signals dashboard & SLO tracker
  • CIS AWS Foundations assessment with remediation
  • Runbooks: incident response, rollback, on-call rotation
  • POPIA Section 72 evidence pack
  • Two knowledge-transfer sessions with your team
  • 30 days of priority support from go-live
Out of scope
Quoted separately
  • Application development — we deploy yours, we don't write it
  • Migration of existing workloads — quoted per workload
  • Multi-cloud (resources spanning AWS + Azure or AWS + GCP)
  • Cybersecurity penetration testing by a third-party assessor
  • SOC 2 / ISO 27001 audit preparation work beyond foundations
  • 24/7 SOC monitoring — available as a Cluster 2 retainer
  • Disaster recovery drills beyond initial runbook validation
  • On-premises or hybrid network engineering (VPN, Direct Connect)
  • AWS / Azure / GCP cloud spend — billed to your account
  • Third-party SaaS subscriptions (Datadog, New Relic, etc.)
  • Long-running operational support beyond the 30-day window
08 · Performance metrics

DORA metrics, measured at handover.

The four DORA metrics are the industry-standard view of high-performing engineering organisations. Below is what a typical engagement delivers as a starting baseline — not aspirational targets, but what the architecture actually achieves on the reference workload at go-live. Your team builds from this baseline, not from zero.

Metric A
~30 min
Lead time for changes
From commit on a feature branch to that change running in production. Depends on test suite duration; assumes a passing pipeline.
DORA tierElite
Metric B
On demand
Deployment frequency
A deployment is one merge to main. Rate-limited only by the team's velocity, not by infrastructure.
DORA tierElite
Metric C
< 1 hr
Time to restore service
Helm rollback completes in seconds. The hour budget is for detection and decision — not the rollback itself.
DORA tierElite
Metric D
< 5%
Change failure rate
A failed change is one that triggers rollback or requires a hotfix. Tracked from go-live; we report it monthly to the platform team.
DORA tierElite

Values shown are typical baseline performance for the reference workload at go-live. Real-world numbers depend on your team's testing discipline, release cadence, and incident response practices. The architecture creates the conditions for elite performance — the team has to use them.

09 · POPIA & data residency

Compliance designed in — not bolted on later.

South African enterprise procurement teams ask two questions about any cloud architecture: where does the data live, and who can prove it? The four cards below are the controls every engagement ships with, and the evidence pack you receive at handover.

POPIA s.72
Region lock at the IAM layer
Service Control Policy at the AWS organisation level prevents resource provisioning outside af-south-1. Override requires explicit approval from a designated security role — logged and reviewable.
POPIA s.19(1)
AES-256 at rest, TLS 1.3 in transit
KMS keys for RDS, S3, EBS, and Secrets Manager. ACM-managed certificates with TLS 1.3 cipher suite enforcement on the ALB. Long-lived credentials prohibited; OIDC federation from CI to AWS.
POPIA s.19 · CloudTrail
Audit log everything
CloudTrail in all regions. VPC flow logs to S3. Application logs to CloudWatch with retention policies. Trails are tamper-evident; deletion attempts trigger an alert in PagerDuty.
POPIA s.19(2)
Least-privilege identity
IAM Identity Center / SSO with role-based access. Permission boundaries restrict what privileged roles can do. Access reviewed quarterly. MFA enforced for all human users.

Independent reference: sonofgraig publishes a complete POPIA compliance statement and a long-form security overview. The architecture in this engagement matches both documents — not a simplified version of either.

10 · Technology stack

An opinionated stack. Open source where it matters.

We do not invent the engine; we invest where the value is. Every component below is production-grade open source or a managed service we consciously chose not to rebuild. You inherit the same engineering decisions sonofgraig's own platform was built on — and you keep the source code.

Component
Category
Role in your cloud
Terraform
IaC
Every resource defined as code. Modular layout, remote state in S3 with DynamoDB locking, plan output enforced in pull request before apply.
AWS af-south-1
Cloud
Default region. EKS, RDS, S3, ALB, NAT, IAM Identity Center, KMS, Secrets Manager, CloudTrail. Multi-AZ for production resources.
Amazon EKS
Orchestration
Managed Kubernetes for workloads. Cluster autoscaler, HPA, ALB ingress controller, network policies, private cluster endpoint.
Helm
Packaging
Application deployment with versioned releases and rollback. Values file per environment. Chart linting in CI.
GitHub Actions
CI/CD
Build, test, scan, deploy. OIDC federation into AWS — no static keys. Branch protection on main and production branches.
semgrep · gitleaks
SAST
Static analysis on every commit. Critical findings fail the pipeline. Secret detection prevents accidental credential commits.
trivy
SCA
Dependency and container image scanning. Critical vulnerabilities block merge. Daily scheduled scan against the production registry.
tfsec · checkov
IaC scan
Terraform misconfiguration detection in CI. Catches public S3 buckets, unencrypted databases, over-permissive IAM policies before they merge.
Prometheus + Grafana
Metrics
Metrics scraping, dashboards on the four golden signals, SLO tracker per service. Alertmanager integrated with Slack or PagerDuty.
OpenTelemetry
Tracing
Vendor-agnostic distributed tracing instrumentation. Sends to your tracing backend of choice (Tempo, Jaeger, Honeycomb, Datadog).
Sentry
Errors
Error capture for frontend and backend. Performance monitoring. Session replay for frontend issues. EU-region default.
Cloudflare
Edge
WAF with managed OWASP rules, DDoS mitigation, bot management, rate limiting per IP and per organisation.
11 · Pricing

One number. No hourly surprises.

sonofgraig service projects are deliberately simple to procure. The price is the price. Scope is fixed before contracting. Variations are quoted in writing and signed before any additional work is performed.

Cloud Architecture & DevOps
Fixed-scope engagement
R75,000 ZAR
Starting price. Final figure depends on the cloud provider, the workload count, and the complexity of identity integration surfaced during scoping.
Single payment. 50% on contract signature, 50% on go-live.
4–6 weeks. Standard delivery on AWS af-south-1. Add 5 business days for Azure or GCP.
30 days of post-delivery support. Tuning, dashboard refinement, on-call shadow.
POPIA Section 72 documentation included. No separate compliance bill.
Book a scoping call
What sits outside the engagement price
Cloud spend (AWS / Azure / GCP) Your account
Cloudflare subscription & pass-through Your account
Sentry / observability SaaS subscriptions Your account
Additional reference workload beyond the first +R15K each
Multi-cloud architecture (two clouds simultaneously) +R45K
Migration of existing workloads Quoted per workload
Third-party penetration test by external assessor From R35K
24/7 SOC monitoring & incident response From R28K/mo
Continued support after 30-day window From R15K/mo
Convert to platform on close. The infrastructure moves directly onto a sonofgraig Cloud Console subscription (Q2 2027) or a Pipeline Builder subscription with no rebuild. Founding-customer terms credit your first three months on the corresponding plan against the implementation fee.
13 · Frequently asked

Questions procurement, security and platform teams ask.

If your team is preparing for a vendor review or a board sign-off, the answers below cover most of what gets raised. Anything else, your account team can route to engineering directly.

Is the R75,000 fixed, or just a starting figure?
It is the starting price for the standard scope — AWS af-south-1, single account, EKS, one reference workload, full observability, 30 days of support. Your final fixed price is confirmed at the end of the scoping phase, before any contract is signed. Once signed, the price does not move unless you formally request additional scope, which is quoted in writing and re-signed before work continues.
Do you charge for the AWS / Azure / GCP cloud spend?
No. Cloud spend goes directly to your provider account so you have full visibility and can use your own enterprise discount agreement. We model expected steady-state spend during scoping based on the workloads in scope. As an order-of-magnitude reference, a typical post-engagement steady state on AWS af-south-1 lands between R8,000 and R25,000 per month for the foundation plus the reference workload — varying with traffic, RDS instance size, and EKS node-group sizing. We surface FinOps recommendations during the 30-day support window.
Why AWS af-south-1 and not Azure or GCP by default?
Three reasons. One, AWS af-south-1 is the region sonofgraig's own platform runs in — we have shipped this architecture more than 30 times on AWS, fewer on Azure or GCP. Two, AWS has the broadest service catalog available in South Africa today. Three, the Terraform AWS provider has the deepest community ecosystem. That said, if your security policy mandates Azure (Microsoft 365 / Entra customers) or GCP (BigQuery-heavy data workloads), we deliver the equivalent architecture on those providers — we just add 5 business days to the delivery window for the first engagement on a new cloud.
Who owns the Terraform code at handover?
You do. The Terraform repository, Helm charts, GitHub Actions workflows, Grafana dashboards as code, and the runbooks are committed to your Git organisation during the engagement — not at the end. sonofgraig retains no proprietary lock-ins. If you choose not to convert to a Cloud Console subscription, your platform team owns and operates the infrastructure with no vendor dependency.
Can the engagement be extended if scope changes?
Yes — through a formal change request. Common extensions are an additional reference workload (typically +R15K), a multi-cloud architecture (+R45K), workload migration from another environment (per workload), or 24/7 SOC monitoring (R28K/month). Change requests are quoted in writing, signed by both parties, and only billed once accepted. We will never present an unexpected line item at the end of the engagement.
What does the 30-day post-delivery support cover?
Priority response on platform-level issues, dashboard refinement based on real traffic patterns, FinOps tuning recommendations, runbook adjustments based on real incidents, and Terraform module extensions for the workloads in scope. It does not cover net-new workloads, additional clouds, or 24/7 operational on-call — those are quoted as continued support from R15K/month or as a 24/7 SOC retainer.
Do you provide a SOC 2 / ISO 27001 audit dossier as part of this?
Not in the standard scope, but the foundation we build is materially aligned to the technical controls in both frameworks. The CIS AWS Foundations Benchmark report we deliver maps directly to many SOC 2 CC controls. If your audit is upcoming, we recommend the engagement plus a separate compliance preparation engagement — quoted from R55K depending on the framework and the gap. The Cluster 2 Compliance Forge product (Q3 2027) automates SOC 2 / ISO 27001 evidence collection as a subscription.
Can you migrate workloads from our existing cloud or on-premises?
Yes, but as a separate engagement quoted per workload. Migration scope is highly variable — a stateless web service is a different exercise to a stateful database with strict downtime tolerance. The cleanest sequence is: this engagement first to establish the destination, then a migration engagement to move the workloads, then convert to a Cloud Console subscription for steady-state operations. We can sequence all three under a single statement of work if useful.
What identity providers do you integrate with?
Microsoft Entra ID (Azure AD), Okta, Google Workspace, JumpCloud, and any standards-compliant SAML 2.0 IdP. We integrate via AWS IAM Identity Center on AWS, Entra ID on Azure, and Cloud Identity / Workforce Identity Federation on GCP. Long-lived AWS access keys for human users are explicitly out — everyone authenticates through SSO with MFA, and CI runners authenticate via OIDC federation.
Are sonofgraig B-BBEE certified and CIPC registered?
Yes — sonofgraig is B-BBEE certified and CIPC registered. B-BBEE spend certificates are issued per invoice. All commercial documentation is available to your procurement team for supplier on-boarding.
Ready to scope

Book a 30-minute scoping call.

A senior solutions engineer joins, we step through the workloads you intend to run and your compliance constraints, identify whether it fits the standard scope, and confirm what your final fixed price will be. No commitment until contract signature.

Book a scoping call All service projects