This is the gap DevOps maintenance services fill. Not project work. Not a migration. The ongoing, unglamorous, critical work of keeping cloud infrastructure healthy, secure, and cost-efficient after the initial build is complete.
This post covers what a DevOps maintenance retainer actually includes, when it makes sense to invest in one, and how to evaluate whether your team needs external cloud maintenance support.
What DevOps maintenance services include
A cloud maintenance retainer is an ongoing engagement where an external DevOps team takes operational responsibility for your infrastructure. The scope typically covers everything that happens between feature deployments: the operational layer your development team depends on but probably does not want to own.
Monitoring and incident response
The foundation of any maintenance service is knowing what is happening in your infrastructure before users notice. This means:
- 24/7 alerting on infrastructure metrics (CPU, memory, disk, network, database connections)
- Application performance monitoring (APM) with latency and error rate thresholds
- On-call response with defined SLAs for acknowledgment and resolution
- Incident postmortems and runbook creation for recurring issues
- Escalation paths and communication protocols during outages
The difference between monitoring you set up yourself and monitoring in a maintenance retainer: someone actually responds to the alerts. In-house teams often end up with alert fatigue where notifications are muted because nobody has time to triage them. A dedicated maintenance team operates under SLA.
Security patching and updates
Cloud infrastructure requires continuous security maintenance. Operating system patches, container base image updates, dependency vulnerability fixes, and cloud service configuration changes. These are not optional, they are ongoing obligations.
A maintenance retainer handles:
- OS-level patching for EC2 instances and container hosts
- Container base image updates and vulnerability scanning
- Terraform provider and module updates
- SSL certificate rotation and monitoring
- AWS service deprecation tracking and migration
- Security advisory triage (which CVEs affect your stack, which can wait)
Left unmanaged, these accumulate into security debt. The longer you wait, the harder each update becomes as dependencies drift further from current versions.
Cost optimisation (FinOps)
Cloud costs drift upward without active management. Reserved Instances expire. Teams spin up resources for testing and forget to terminate them. New service releases offer better price-performance ratios that nobody evaluates.
A maintenance retainer includes:
- Monthly cost reviews and spend reporting
- Rightsizing recommendations based on actual utilisation data
- Reserved Instance and Savings Plans management
- Unused resource identification and cleanup
- Architecture recommendations that reduce cost without sacrificing reliability
In our experience, the first cost review in a new retainer typically identifies 15-30% savings. Not because the original architecture was wrong, but because cloud environments drift as usage patterns change. See our FinOps services for how we approach this systematically.
Infrastructure maintenance and updates
Beyond security patches, infrastructure evolves. Terraform providers release new versions. AWS announces end-of-life dates for services you depend on. Your application team needs a new environment or a configuration change.
Ongoing infrastructure maintenance covers:
- Terraform state management and drift detection
- Environment provisioning for new projects or teams
- Scaling adjustments based on traffic patterns
- Database maintenance (vacuum, index optimisation, version upgrades)
- Backup verification and disaster recovery testing
When to move from ad-hoc to a retainer
Most teams start with ad-hoc DevOps support. A consultant comes in for a migration, sets everything up, writes some documentation, and leaves. This works until:
Incidents have no owner. Something breaks at midnight. Your developers can debug application code, but nobody understands why the ECS service stopped accepting traffic or why the RDS connection count spiked. The person who built the infrastructure left or is not available.
Security patches fall behind. Nobody assigned to update the container base images. The CVE backlog grows. An auditor asks when the last OS patch was applied and nobody has a clear answer.
Costs creep up unnoticed. The AWS bill is 20% higher than three months ago. Nobody has time to investigate why. Reserved Instances expired. A forgotten staging environment runs 24/7.
Knowledge lives in one person’s head. The senior engineer who set up the infrastructure moves to another team. Nobody else knows how the Terraform modules work or what the monitoring thresholds mean.
If you recognise two or more of these, a maintenance retainer is cheaper than the cost of the next incident where nobody knows what to do.
What a retainer does NOT include
Clarity on scope prevents misunderstandings. A standard DevOps maintenance retainer typically excludes:
- Application code changes (bugs, features, refactoring)
- New architecture design (major re-architecture projects)
- Full platform migrations (these are scoped as separate projects)
- Compliance audit preparation (though findings remediation is included)
These are not off-limits. They are scoped separately because they require different planning, timelines, and often different pricing. A maintenance retainer handles the steady-state. Projects handle the step-changes.
How we structure maintenance retainers
At Devopsity, our DevOps maintenance services follow a model refined across fintech, healthcare, and e-commerce clients:
Monthly hours pool. A fixed number of engineering hours per month covering all routine maintenance. Unused hours do not roll over. Overages are billed at the same rate.
Defined SLA. Response time targets based on severity. Critical production issues: 30 minutes. High priority: 2 hours. Normal: next business day.
Monthly reporting. A summary of work completed, incidents handled, cost changes, and recommendations for the coming month. Full transparency on where time goes.
Quarterly reviews. A deeper architecture and cost review every quarter. This is where we identify opportunities to reduce spend, improve reliability, or simplify operations.
The typical retainer covers 2-5 client environments (production, staging, development). For teams with a single production environment, the baseline starts at 8 hours per month. Multi-environment setups with compliance requirements typically need 16-24 hours.
Real example: ongoing retainer after migration
Our EC2 to ECS modernisation case study started as a migration project. After the migration was complete, the client’s healthcare platform needed ongoing infrastructure support: security patching, monitoring, deployment support, and compliance maintenance for NHS requirements.
The project transitioned into a maintenance retainer. We handle infrastructure operations, the client’s development team handles application features. Clear ownership, no gaps, no surprises.
This is the typical pattern: migration or modernisation project followed by an ongoing retainer. The team that built the infrastructure maintains it, because context transfer to a new party would cost more than continued engagement.
How to evaluate if you need external maintenance
Ask these questions:
- Who gets paged at 2am? If the answer is “a developer who is not qualified to debug infrastructure,” you have a gap.
- When was the last security patch applied? If nobody knows, that is the answer.
- What is your current cloud spend trend? If nobody tracks it monthly, money is being wasted.
- What happens when your DevOps person takes leave? If the answer is “we hope nothing breaks,” you are one holiday away from a crisis.
- Can you reproduce your infrastructure from code? If not, your disaster recovery is a lie.
If three or more of these reveal gaps, a maintenance retainer will cost less than the accumulated damage of leaving those gaps open.
Need DevOps maintenance for your cloud?
Book a free 30-minute call. We will review your current setup and recommend a retainer scope.
FAQ
What is the difference between DevOps maintenance and managed services?
DevOps maintenance services focus on infrastructure operations: monitoring, patching, incident response, and cost management. Managed services is a broader term that can include application management, help desk, and end-user support. Our maintenance retainers are infrastructure-focused, working alongside your development team rather than replacing it.
How much do DevOps maintenance services cost?
Pricing depends on environment complexity and hours needed. A baseline retainer for a single production environment starts at 8 hours per month. Multi-environment setups with compliance requirements typically need 16-24 hours. Contact us for a quote based on your specific infrastructure.
Can you take over maintenance from another provider?
Yes. We start with a handover assessment: documenting infrastructure, access credentials, existing automation, and known issues. Most transitions complete within 2-4 weeks. See our infrastructure improvement case study for an example.
Do you provide 24/7 support?
Yes. Critical production alerts are monitored 24/7. Response times depend on severity level defined in the SLA. Non-critical maintenance work is performed during European business hours.
