Post-Migration Modernisation to AWS ECS

Security hardening, Graviton migration, and developer experience improvements for a fintech platform pursuing a UK banking license

A global fintech platform handling traditional finance and digital assets needed its AWS infrastructure modernised after an initial Heroku migration. We delivered a Graviton compute migration, preview environments, CI/CD improvements, and a full security modernisation, achieving a 93% reduction in manual security overhead.

Industry

Fintech, Digital Assets

Location

United Kingdom / Cayman Islands

Time

09.2024 - Present (Active Client)

Company

UK/Global Startup, Fintech, Digital Assets Platform

Technologies used

AWS, ECS, Security, Terraform, GitHub Actions

About the Customer

Our client is a global fintech platform operating at the intersection of traditional finance and digital assets. Their investment portfolio management system handles everything from classical ETFs and securities to crypto and NFTs for clients worldwide. The company has roughly 50 employees and is pursuing a UK banking license, which means meeting the same strict security and operational standards that major financial institutions follow.

We were initially brought in through a partner software house that serves as the client’s development team. Our role was, and continues to be, the dedicated cloud infrastructure and security operations partner.

The Challenge

Devopsity had already completed the initial migration of the client’s workloads from Heroku to AWS in an earlier engagement. The migration was fast and focused: the priority was getting off Heroku and onto a stable AWS foundation before the client’s business timeline ran out.

It worked. The platform was running on AWS, stable, and serving production traffic. But speed had come at a cost. Several decisions made during the migration were deliberately pragmatic rather than optimal, the kind of tradeoffs you make when the priority is “get to production first, refine later.”

A few months into production, the shortcomings became clear:

The client needed a second phase of work: not a migration this time, but a modernisation of what was already there.

This project demonstrates our CloudOps and maintenance services combined with security and compliance expertise applied to a regulated fintech environment.

The Solution

Our approach was to treat this as an internal AWS migration. Rather than patching the existing setup incrementally, we built a new set of optimised resources alongside the running infrastructure, validated them, and migrated workloads over. This minimised risk and gave us a clean baseline.

Graviton Migration

We replaced the entire ECS Fargate compute layer, moving tasks from Intel-based (x86_64) to AWS Graviton (arm64) processors. Graviton-based Fargate tasks deliver roughly 20% better price-performance for the same workload, and for a platform running dozens of containerised services around the clock, that adds up quickly.

This wasn’t a simple config change. Every container image needed to be rebuilt for ARM architecture, tested against the application’s dependencies, and validated in staging before production cutover. We worked closely with the development team to ensure their build pipelines produced multi-arch images and that nothing broke in the process.
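As an added illustration (not the client's Terraform), here is what the Graviton switch looks like in a Fargate task definition, with the database credential injected from Secrets Manager rather than baked into the image. The roles, ECR repository, log group, secret, KMS key and variables it references are assumed to be defined elsewhere, and all names are placeholders.

```hcl
# Added example, not the client's code. Referenced roles, repository, log
# group, secret, key and variables are assumed to exist elsewhere.

resource "aws_ecs_task_definition" "api" {
  family                   = "api"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512
  memory                   = 1024
  execution_role_arn       = aws_iam_role.api_execution.arn
  task_role_arn            = aws_iam_role.api_task.arn

  # The Graviton switch. The image must resolve to an arm64 build, either a
  # plain arm64 image or a multi-arch index produced with
  # `docker buildx build --platform linux/amd64,linux/arm64 --push`. With an
  # amd64-only image the container pulls fine and then dies with
  # "exec format error".
  runtime_platform {
    operating_system_family = "LINUX"
    cpu_architecture        = "ARM64"
  }

  container_definitions = jsonencode([
    {
      name      = "api"
      # Pin by digest so the task runs exactly the image that was scanned,
      # not whatever a mutable tag points at later.
      image        = "${aws_ecr_repository.api.repository_url}@${var.image_digest}"
      essential    = true
      portMappings = [{ containerPort = 8080, protocol = "tcp" }]

      # Resolved by the ECS agent at task start using the execution role.
      # The value never appears in the task definition, the image or the
      # deploy logs.
      secrets = [
        { name = "DATABASE_URL", valueFrom = aws_secretsmanager_secret.db_url.arn }
      ]

      logConfiguration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = aws_cloudwatch_log_group.api.name
          awslogs-region        = var.region
          awslogs-stream-prefix = "api"
        }
      }
    }
  ])
}

# The execution role gets exactly this secret and the key that encrypts it,
# not secretsmanager:* on "*".
data "aws_iam_policy_document" "api_execution_secrets" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db_url.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.app.arn]
  }
}

resource "aws_iam_role_policy" "api_execution_secrets" {
  role   = aws_iam_role.api_execution.id
  policy = data.aws_iam_policy_document.api_execution_secrets.json
}
```

Fargate schedules ARM64 tasks only on platform version 1.4.0 or later, so a service pinned to an older `platform_version` has to be updated in the same change, and the staging validation the text describes is where you catch native dependencies (image libraries, database drivers) that only ship amd64 wheels.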

The result was a meaningful reduction in the monthly compute bill with no degradation in performance: the same workloads, at the same or better latency, on cheaper compute.

Preview Environments

We introduced ephemeral preview environments built on ECS Fargate. Each pull request now spins up a short-lived, isolated environment where the development team can see their changes running in a realistic setup, complete with its own services, database connections, and networking, before anything touches the shared staging environment.
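The following is an added example of how one such per-pull-request environment can be expressed in Terraform; it is not the client's configuration. It assumes a shared VPC, ECS cluster, HTTPS listener and ALB already exist and are passed in as variables, that a task definition `aws_ecs_task_definition.preview` is built for the PR's image, and that each PR is applied in its own Terraform workspace. The hostname pattern and port are placeholders.

```hcl
# Added example, not the client's code. Shared cluster, listener, ALB and
# VPC are assumed to exist and arrive as variables; one workspace per PR.

variable "pr_number" {
  type = number
}

locals {
  name = "preview-pr-${var.pr_number}"
  host = "pr-${var.pr_number}.preview.example.internal" # placeholder domain
}

# Only the shared ALB may reach this PR's tasks.
resource "aws_security_group" "preview" {
  name   = local.name
  vpc_id = var.vpc_id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb_target_group" "preview" {
  name        = local.name
  port        = 8080
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = var.vpc_id

  health_check {
    path    = "/healthz"
    matcher = "200"
  }
}

# Route this PR's hostname, and nothing else, to this PR's tasks. Rule
# priorities must be unique per listener; deriving them from the PR number
# avoids collisions between concurrently open PRs.
resource "aws_lb_listener_rule" "preview" {
  listener_arn = var.https_listener_arn
  priority     = 1000 + var.pr_number

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.preview.arn
  }

  condition {
    host_header {
      values = [local.host]
    }
  }
}

resource "aws_route53_record" "preview" {
  zone_id = var.preview_zone_id
  name    = local.host
  type    = "CNAME"
  ttl     = 60
  records = [var.alb_dns_name]
}

resource "aws_ecs_service" "preview" {
  name            = local.name
  cluster         = var.cluster_arn
  task_definition = aws_ecs_task_definition.preview.arn
  desired_count   = 1
  launch_type     = "FARGATE"
  propagate_tags  = "SERVICE"

  network_configuration {
    subnets         = var.private_subnet_ids
    security_groups = [aws_security_group.preview.id]
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.preview.arn
    container_name   = "api"
    container_port   = 8080
  }

  # Tags are what lets a scheduled reaper find environments whose PR was
  # closed without the teardown job running.
  tags = {
    Environment = "preview"
    PullRequest = tostring(var.pr_number)
  }
}
```

The pipeline side is a workflow that runs `terraform apply -var pr_number=<number>` on pull request open and synchronise events and `terraform destroy` on close, selecting the workspace `pr-<number>` first so state never collides. The reaper tag matters in practice: closed PRs whose teardown job failed are the usual source of silently accumulating Fargate spend.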

This was one of the changes the development team felt most immediately. Instead of queuing behind each other on a single staging environment, developers could work independently and get feedback on their changes without coordination overhead. Review cycles shortened, merge conflicts dropped, and the overall pace of feature delivery picked up noticeably.

CI/CD Improvements

We rebuilt the CI/CD pipelines to address the friction points the development team had been dealing with since the initial migration. This included faster build times through better caching and parallelisation, automated testing stages that caught issues earlier, streamlined deployment steps that removed manual gates, and clearer feedback so developers could see exactly what failed and why without digging through logs.

The goal wasn’t to add complexity. It was to remove the small annoyances that compound into real velocity losses when a team is deploying multiple times a day.

Security Modernisation

With the client actively pursuing a UK banking license, security wasn’t a nice-to-have. It was the work that unlocked the business opportunity. We worked systematically through the High Risk Issue (HRI) backlog from the AWS Well-Architected review and built a continuous security operations practice around the platform.

AWS Security Hub became the centralised dashboard for all security findings. We review it daily and work findings under SLA based on severity. This replaced the fragmented, manual approach where security issues were tracked inconsistently across spreadsheets and tickets.

Amazon GuardDuty analyses VPC Flow Logs, DNS query logs, and CloudTrail API activity for signs of compromise. When it flags suspicious activity, our team investigates immediately as part of the SLA.

Amazon Inspector scans container images continuously. New vulnerabilities trigger our remediation workflow automatically, and critical findings block deployment. Vulnerability mean time to resolution dropped from 48+ hours to under 8 hours.
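As an added example of the detection wiring behind the Security Hub, GuardDuty and Inspector paragraphs above (not the client's Terraform): the three services are enabled, ECR scanning is switched to Inspector's continuous mode, and any CRITICAL or HIGH finding that lands in Security Hub is forwarded to an SNS topic the on-call rotation subscribes to. The region and account variables, the repository name and the topic name are assumptions.

```hcl
# Added example, not the client's code. var.region and var.account_id are
# assumed; names are placeholders.

resource "aws_securityhub_account" "this" {}

# AWS service integrations (GuardDuty, Inspector, Config) feed Security Hub
# by default once it is enabled; a standard gives you the control checks.
resource "aws_securityhub_standards_subscription" "foundational" {
  standards_arn = "arn:aws:securityhub:${var.region}::standards/aws-foundational-security-best-practices/v/1.0.0"
  depends_on    = [aws_securityhub_account.this]
}

resource "aws_guardduty_detector" "this" {
  enable = true
}

# Inspector rescans stored images as new CVEs are published, which is what
# "continuous" means here; a scan-on-push-only setup would miss them.
resource "aws_inspector2_enabler" "this" {
  account_ids    = [var.account_id]
  resource_types = ["ECR"]
}

resource "aws_ecr_registry_scanning_configuration" "enhanced" {
  scan_type = "ENHANCED"
  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
  depends_on = [aws_inspector2_enabler.this]
}

resource "aws_ecr_repository" "api" {
  name                 = "api"
  image_tag_mutability = "IMMUTABLE" # a scanned tag cannot be repointed later
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

# Security Hub normalises every source into ASFF, so one pattern covers
# GuardDuty, Inspector and Config findings alike.
resource "aws_cloudwatch_event_rule" "high_severity_findings" {
  name = "securityhub-high-severity"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        Severity    = { Label = ["CRITICAL", "HIGH"] }
        RecordState = ["ACTIVE"]
        Workflow    = { Status = ["NEW"] }
      }
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule = aws_cloudwatch_event_rule.high_severity_findings.name
  arn  = aws_sns_topic.security_alerts.arn
}

data "aws_iam_policy_document" "allow_events_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.security_alerts.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "allow_events_publish" {
  arn    = aws_sns_topic.security_alerts.arn
  policy = data.aws_iam_policy_document.allow_events_publish.json
}
```

Matching on `Workflow.Status = NEW` is what keeps this from paging on every re-import of a finding that is already being worked. The "critical findings block deployment" gate is a pipeline step rather than infrastructure: before rolling a task definition, the job queries the scan result for the exact image digest (for example with `aws ecr describe-image-scan-findings`) and fails if any CRITICAL finding is present, which is why deploying by digest rather than by tag matters.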

AWS Config monitors infrastructure against compliance baselines and catches configuration drift before it becomes a security problem.

IAM Identity Center replaced scattered IAM users with centralised SSO and enforced MFA. Permission sets map to job functions, sessions expire automatically, and audit trails are clean. No more long-lived credentials floating around.
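An added example of a job-function permission set in IAM Identity Center, not the client's configuration: read-only across the account, write access only to the staging ECS cluster, a four-hour session, and assignment to a directory group rather than to individuals. The "Developers" group name, the staging account and region variables, and the session length are assumptions.

```hcl
# Added example, not the client's code. Group name, account and region
# variables are assumptions.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Access is granted to a group, so joiners/leavers are handled in the
# directory, not by editing AWS policy.
data "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "Developers"
    }
  }
}

resource "aws_ssoadmin_permission_set" "developer" {
  name             = "Developer"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H" # ISO 8601; temporary credentials expire without a re-auth
}

resource "aws_ssoadmin_managed_policy_attachment" "developer_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The only write actions a developer needs day to day, scoped to staging.
data "aws_iam_policy_document" "developer_inline" {
  statement {
    actions   = ["ecs:UpdateService"]
    resources = ["arn:aws:ecs:${var.region}:${var.staging_account_id}:service/staging/*"]
  }
  statement {
    actions   = ["ecs:ExecuteCommand"]
    resources = ["arn:aws:ecs:${var.region}:${var.staging_account_id}:task/staging/*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  inline_policy      = data.aws_iam_policy_document.developer_inline.json
}

resource "aws_ssoadmin_account_assignment" "developers_staging" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  principal_id       = data.aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = var.staging_account_id
  target_type        = "AWS_ACCOUNT"
}
```

MFA enforcement is an authentication setting on the Identity Center instance itself rather than on the permission set, so it is configured once for the directory. The assumed-role sessions produced this way show up in CloudTrail with the user's identity in the session name, which is the clean audit trail the text refers to; long-lived IAM user access keys give you none of that.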

AWS Secrets Manager handles all application credentials. We eliminated hardcoded secrets from the codebase entirely and implemented automatic rotation.

AWS KMS customer-managed keys encrypt data at rest, so the client, not AWS, controls the key policy, rotation, and audit trail, which is what regulators and auditors expect of a platform holding customer assets.
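As an added example (not the client's Terraform) of what "customer-managed" buys you: a key whose policy names every principal allowed to use it, rotates automatically, and is then pinned to the RDS instance. It assumes a `kms_admin` role that Terraform itself runs as, a region variable, and that the database subnet group and security group exist; instance sizing and names are placeholders.

```hcl
# Added example, not the client's code. aws_iam_role.kms_admin, var.region,
# the subnet group and security group are assumed to exist.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "app_key" {
  # Administrators manage the key but cannot use it to decrypt data.
  statement {
    sid = "KeyAdministration"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.kms_admin.arn]
    }
  }

  # RDS may use the key on behalf of principals in this account, but only
  # when the call arrives through the RDS service in this region.
  statement {
    sid = "AllowUseViaRDS"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["rds.${var.region}.amazonaws.com"]
    }
  }

  # The ECS execution role decrypts Secrets Manager values at task start.
  statement {
    sid       = "AllowDecryptForTaskSecrets"
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.api_execution.arn]
    }
  }
}

# There is deliberately no account-root "kms:*" statement, so an IAM policy
# alone can never grant use of this key; every consumer is named above.
# Terraform must run as kms_admin or the apply fails KMS's lockout check.
resource "aws_kms_key" "app" {
  description             = "Data-at-rest key for the investment platform"
  enable_key_rotation     = true # annual; old material is retained for existing data
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.app_key.json
}

resource "aws_kms_alias" "app" {
  name          = "alias/platform-data"
  target_key_id = aws_kms_key.app.key_id
}

resource "aws_db_instance" "primary" {
  identifier             = "platform-primary"
  engine                 = "postgres"
  engine_version         = var.postgres_version
  instance_class         = "db.m7g.large" # Graviton here too
  allocated_storage      = 100
  db_subnet_group_name   = var.db_subnet_group_name
  vpc_security_group_ids = [var.db_security_group_id]

  storage_encrypted = true
  kms_key_id        = aws_kms_key.app.arn

  # RDS generates the master password and keeps it in Secrets Manager,
  # encrypted with the same CMK; it never passes through Terraform state.
  username                      = "platform"
  manage_master_user_password   = true
  master_user_secret_kms_key_id = aws_kms_key.app.key_id

  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "platform-primary-final"
}
```

One caveat worth knowing before planning the cutover: `storage_encrypted` and `kms_key_id` cannot be changed on an existing RDS instance. Moving an unencrypted or default-key database onto a CMK means snapshot, copy the snapshot with the new key, and restore, which is exactly the build-alongside-and-migrate pattern described in the solution section.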

We also implemented a comprehensive backup strategy with 7-year retention to meet financial industry record-keeping requirements. The disaster recovery plan includes cross-region backups, documented recovery procedures, and annual table-top DR exercises.
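The following is an added example of the backup side in AWS Backup, not the client's plan: a daily schedule with 7-year retention, a copy into a vault in a second region, and a vault lock so that retention cannot be shortened or recovery points deleted, even by an administrator whose credentials have been compromised. The provider alias `aws.dr_region`, the DR-region key, the backup IAM role and the tag used for selection are assumptions.

```hcl
# Added example, not the client's code. The aws.dr_region provider alias,
# aws_kms_key.dr (a CMK in that region; keys do not cross regions),
# aws_iam_role.backup and the Backup=true tag are assumptions.

resource "aws_backup_vault" "primary" {
  name        = "platform-primary"
  kms_key_arn = aws_kms_key.app.arn
}

resource "aws_backup_vault" "dr" {
  provider    = aws.dr_region
  name        = "platform-dr"
  kms_key_arn = aws_kms_key.dr.arn
}

# Compliance-mode lock. After changeable_for_days the lock itself becomes
# immutable: no principal, root included, can delete a recovery point before
# min_retention_days or lower that floor.
resource "aws_backup_vault_lock_configuration" "primary" {
  backup_vault_name   = aws_backup_vault.primary.name
  min_retention_days  = 2557 # 7 years including leap days
  changeable_for_days = 3
}

resource "aws_backup_plan" "platform" {
  name = "platform-7y"

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.primary.name
    schedule          = "cron(0 3 * * ? *)" # 03:00 UTC daily
    start_window      = 60                   # minutes
    completion_window = 360

    # Must be >= the vault lock's min_retention_days, or backup jobs fail.
    lifecycle {
      delete_after = 2557
    }

    copy_action {
      destination_vault_arn = aws_backup_vault.dr.arn
      lifecycle {
        delete_after = 2557
      }
    }
  }
}

# Tag-based selection picks up RDS, DocumentDB, EFS and S3 resources alike,
# so a new database is protected the day it is tagged, not when someone
# remembers to edit the plan.
resource "aws_backup_selection" "platform" {
  name         = "platform-tagged"
  plan_id      = aws_backup_plan.platform.id
  iam_role_arn = aws_iam_role.backup.arn

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup"
    value = "true"
  }
}
```

The vault lock is the piece auditors tend to ask about, because without it "7-year retention" is a setting any administrator can quietly change. Test the three-day grace window with a short `min_retention_days` in a non-production account first: once the lock hardens it cannot be removed, and a plan whose lifecycle conflicts with it stops producing backups rather than producing shorter-lived ones.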

The combined effect was a 93% reduction in manual security overhead and a platform that could demonstrate its security posture to regulators and auditors with evidence rather than assertions.

Cost Optimisation

Beyond the Graviton migration, we worked through several additional cost optimisation opportunities:

Each recommendation came with a cost impact estimate so the client could prioritise based on effort versus savings.

Results

What’s Next

The modernisation phase transitioned naturally into an ongoing production maintenance retainer. We continue to serve as the client’s cloud operations and security team, managing infrastructure, monitoring security findings under SLA, supporting the development team with deployments and troubleshooting, and continuously optimising costs. The platform that started as a fast Heroku migration is now a security-hardened, cost-optimised, and operationally mature AWS environment ready for financial regulation.

AWS Services: Amazon ECS (Fargate), Amazon ECR, Application Load Balancer, Amazon RDS, Amazon ElastiCache, Amazon DocumentDB, AWS Secrets Manager, AWS KMS, AWS IAM Identity Center, AWS Security Hub, Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon CloudWatch, AWS CloudTrail, Amazon S3, AWS Certificate Manager, Amazon Route53

Tools: Terraform, GitHub Actions, Docker

Conclusions

What began as a fast Heroku migration is now a security-hardened, cost-optimised, and operationally mature AWS environment ready for financial regulation. Vulnerability MTTR dropped from 48+ hours to under 8 hours, manual security overhead fell by 93%, and the platform passed a major US bank's due diligence review with zero critical findings.