Two narrow audits. Fixed price. One week.
By someone who builds the things you're auditing.
I'm Jonathan Putney. I'm a VP of Technology at a B2B SaaS company, 17 years building software. My day job is architecting a multi-tenant AWS platform and the LLM service layer running on top of it, both under SOC 2 Type II and 21 CFR Part 11. I write production-grade open source on the side, including scorm-again, mjml-java, and Ratchet.
If your AWS architecture or your AI pipeline is hurting more than it should, I will spend a week reading it and tell you what's wrong, why, and what to do about it.
Multi-Tenant SaaS on AWS
$2,500 · one week · fixed price · NDA-friendly
Who this is for
- You're a B2B SaaS company on AWS, roughly $1M to $50M ARR, 5 to 50 engineers.
- Your AWS bill is growing faster than your customer count and you're not sure why.
- Your "multi-tenancy" is mostly a tenant_id column and a lot of hope.
- You have a SOC 2 audit on the calendar and you suspect your AWS account is going to be the painful part.
- You inherited the architecture from whoever set it up first, and there hasn't been time for a real review since.
What you get
- 1-hour intake call.
- I read your IaC (or document the lack of it), IAM, network topology, data isolation, secrets management, and observability.
- I read your AWS bill against your architecture and identify where they don't match.
- A written report covering 5 to 10 ranked architectural risks, concrete cost-reduction opportunities with estimated savings, tenant-isolation gaps, SOC 2 alignment notes, and a prioritized 90-day improvement plan.
- 1-hour walkthrough call. You leave with a punch list you can hand to engineering Monday morning.
What this is not
- An AWS Well-Architected Review pretending to be free, then upselling managed services.
- A Big Four assessment with three weeks of meetings before anyone reads code.
- Strategy consulting. I read your account, I read your code, and I tell you what's wrong.
Why me
I architect and run the AWS platform for a B2B SaaS serving ~250,000 annual users across 80+ production tenants: 350+ S3 buckets, 150+ CloudFront distributions, 5+ EKS clusters, 50+ Lambda functions, 5+ Aurora MySQL clusters, full per-tenant isolation, and automated PR preview environments. I led the on-prem to AWS migration that cut hosting costs by 75%+, and led the technology controls that achieved SOC 2 Type II certification. AWS Solutions Architect, SysOps Administrator, and Developer certified. I have current production scars in the parts of AWS most consultants haven't seen since 2019.
AI-on-AWS for Regulated SaaS
$2,500 · one week · fixed price · NDA-friendly
Who this is for
- You've shipped (or are about to ship) AI features on top of Bedrock, OpenAI, or Anthropic.
- You're under SOC 2, HIPAA, 21 CFR Part 11, or similar, and "AI" makes your auditors nervous.
- Your pipeline mostly works, but you're not sure whether it's actually production-grade.
What you get
- 1-hour intake call.
- I read your code: prompt orchestration, retrieval, guardrails, model routing, observability.
- I read your AWS account: IAM, Bedrock invocation patterns, data residency, encryption boundaries, where embeddings live.
- A written report, typically 10 to 20 pages, covering 5 to 10 ranked risks, 5 quick wins, 2 to 3 architectural concerns with options, and SOC 2 alignment notes.
- 1-hour walkthrough call. You leave with a punch list you can hand to engineering Monday morning.
What this is not
- A sales pitch for a managed service.
- A generic AWS Well-Architected Review.
- Strategy consulting. I read your code, and I tell you what's wrong.
Why me
I architected the LLM platform for an LMS used by ~250,000 annual users in regulated industries. Multi-judge validation pipeline (Claude + Nova, escalation on disagreement). RAG over Titan embeddings with hybrid chunking. WebSocket streaming. Output validation that auto-regenerates when quality fails. Built under SOC 2 Type II controls, so I've already had the conversations your auditors are about to have with you.
Process
Day 0: 20-minute fit call. If your problem isn't actually one of these two audits, I'll tell you inside the first five minutes. I've turned away work before; I'd rather not waste your week or mine.
Day 1: kickoff (1 hr). You get me a code dump or read access. NDAs are fine. I'll sign yours. I prefer an annotated tour over a wiki dump.
Days 2 to 4: I read everything. No daily status updates. You get one report, not a log.
Day 5: written report delivered.
Day 7: 1-hour walkthrough call. Q&A, prioritization, anything you want to push back on.
What I won't do
- Multi-month retainers. I take on a limited number of audits per quarter.
- Open-ended advisory. The audit is the product. If you want ongoing help, we'll talk after the audit, not before.
- Implementation. If you want me to fix what I find, that's a separate conversation, but most clients fix it themselves once they have the report.
- Tell you what you want to hear.
Booking
Email jonathan@putney.io with which audit fits and a one-paragraph description of what's going on. I'll reply with a calendar link for a 20-minute fit call. If we move forward, I invoice 50% to start and 50% on report delivery. Stripe or wire.