Level 5 - Optimize

You are revisiting decisions made earlier and monitoring applications and infrastructure for optimization.


People Overview

You’ve reached maturity, the organization is skilled and you have DevOps and DevSecOps working. Teams are comfortable experimenting with new technologies and sandbox trials.

Organizational Change

At maturity, the entire organization is committed and onboarded to the cloud native environment.

Teams and Decentralization

You now have self-provisioning amongst different groups, along with organizational acceptance of the self-service portal. The business benefits from service ownership.


You will be actively developing security internally, with the community and regulators.

Developer Agility

The group has strong ability to recover and maintain throughput tolerating individuals joining and leaving. Business decisions are well informed by rich and accurate data across all teams in the organization allowing adoption of FinOps.

Upskilling Developers

Advanced testing and release patterns developed and in use, such as blue/green or canary


Process Overview

Achieving process maturity will see you build design capabilities for cloud native. You’ll also automate responses by using monitoring failures to restart or manage problematic and failing resources. Resource usage data will help you optimize spend and your process will include providing the business cost analysis.


Achieving maturity ensures you can demonstrate the benefit of your CI/CD process to the organization. You’ll be able to clearly see an increase in velocity, continuous deployment speed and see the effect on your business. For example, you will ship new features faster.

Change Control

You now have quality engineering (QE) capability. That means you have quality guardrails in place, continuous deployment to production with only a failed automated test preventing an update being automatically released to production. You are seeing fewer defects, hotfixes and bug fixes being released. You now have best practices in place and have removed human access from production in favor of service accounts. You are also using monitoring failures to restart or manage problematic and failing resources.


The software supply chain is secured, with reproducible builds and software bills of materials providing insight into code and dependencies, with clear code provenance and secured release pipelines.You’ve shifted security left. You are preserving security by continuously monitoring Kubernetes for security and vulnerabilities.

Audit and Logs

You are enforcing audits.


Policy Overview

Based on your learnings, you will refine your policies as your organization achieves maturity, taking advantage of technologies such as machine learning in order to improve detection and enforcement.

Policy Creation

Contribute policies to the open source community and active engagement with regulators and other external stakeholders.


Compliance never ends! You will tighten the feedback loop with stakeholders and take advantage of advanced machine learning and other tooling to understand what is normal for your environment and ensure visibility of anomalous conditions in a large volume of compliance data.


Technology Overview

Your investment is now focused on automation in functional and non-functional areas such as scanning, policy, security and testing. You’ve got operators doing your operations for you and you’re fully automated.


Here you are managing your complete infrastructure lifecycle through software and tooling. Builds, upgrades, decommissioning is all taking place through code.

Container and Runtime Management

You’re now automating the response to events, and you have all your security data in one central repository. The platform is able to respond to events.

Application Patterns and Refactoring

Unless applications have specific requirements, such as extremely low latency, new greenfield applications are cloud native. You’ll look to onboard your existing portfolio of applications to your cloud native platform using your proven process. You’ll see now that your application matches your platform strengths and capabilities.

Application Release and Operations

You’re now in full production with GitOps operators and controls, and your release and operations workflows reside within Git.

Security and Policy

Here you will have ongoing optimization and adjustment in line with new requirements, aligning with the ongoing threat environment. Exceptions to policy are both minimized, and are formally controlled. You may incorporate machine learning as part of your threat detection practices.

Testing and Issue Detection

Here we further optimize the automation used in responses to issues by working to prevent mistakes from entering production in the first place.

Business Outcomes

This phase of optimization will see lots of changes with people, process, policy and technology. For the business, you should have achieved your business goals and have the measurable results to show your leadership teams, CEO, CFO or the board.

You will continue to optimize your workloads against further / more advanced cost and performance metrics. You will never stop optimizing your cloud native infrastructure and apps. Here the expected business outcome is the ability to track how optimization continues to move the bar against established goals.

You may also revisit your goals at this point, adjusting them to what has been achieved and what you want to achieve in future.

You’ll automate as much as possible according to cloud native best practices to remove human error as to avoid security and performance problems.