RuntimeForge

RuntimeForge LLC  ·  Independent DevOps Practice

Production infrastructure,
forged to spec.

For startups standing up their first real AWS. For growth-stage teams cleaning up the one that got away from them. For anyone who’d rather ship than explain a post-mortem.

Services

What I do, and who it's for.

Engagements are scoped to the problem, not packaged. Three kinds of work, and most of them overlap.

  1. Lane 01

    First real AWS

    For early-stage startups

    You've been running on a single EC2 instance and a Heroku knockoff. You just closed a round, hired your second engineer, and production is held together with SSH sessions and hope. You need real infrastructure before you scale a bug into an incident.

    What that usually includes

    • Terraform foundations — VPCs, ECS, Aurora, ALB, Route 53, Secrets Manager — structured so your next hire can read it
    • Staging and production that are actually isolated — separate accounts, separate state, no shared credentials
    • GitHub Actions deploys you don't have to babysit
    • Documentation written for the engineer who joins six months from now
  2. Lane 02

    Clean up and move

    For growth-stage teams

    The infrastructure that got you to Series A isn't the one that gets you to Series B. There's drift between staging and prod, someone's personal AWS key is buried in a dozen Lambdas, the bill doubled last quarter for reasons nobody can fully explain, and the engineer who originally built it left eight months ago. You need an outsider who can map it, fix what's urgent, and leave your team owning it again.

    What that usually includes

    • Full infrastructure audit — what's running, what's costing, what's unpatched, what's unreachable
    • Cost optimization with actual math — savings plans, rightsizing, unused everything
    • Migrations that don't break production — Terraform adoption of existing resources, account splits, region moves
    • Handoff your team can work from — documentation, runbooks, and a pairing week if you want one
  3. Lane 03

    Security and hardening

    For teams after an incident, an audit, or a compliance ask

    You got a SOC 2 readiness checklist. Or an IAM account with 47 admin users. Or a Google Workspace tenant where 30 accounts had unauthorized secondary addresses added last Thursday. You need someone who's actually responded to these, not someone reading from a compliance template.

    What that usually includes

    • IAM review and least-privilege refactor — across accounts, across federated SSO
    • Secrets hygiene — rotation, storage, access trails, leak detection
    • Incident response — containment, scoping, eviction, post-mortem
    • Hardening passes on what you already have — Google Workspace, AWS, whatever's actually in scope

Not sure which lane? Start a conversation — we'll figure it out together.

The Forge

Things I've built.

Mostly tools I needed for myself that turned out useful to other people. Half-productized, kept alive because I still use them.

  • Debian · Python · React · nftables · WireGuard

    AegisGuardOS

    A bootable unified threat management OS — firewall, VPN, IDS/IPS, and a plugin architecture — because nothing off-the-shelf does exactly what I want on the edge of my network.

    Private · In development
  • Docker · ELK · Zeek · Suricata · Python

    NoSleep Ops

    A Dockerized attack-and-detection lab. SSH brute-force, web exploits, and C2 beaconing piped through ELK with Zeek and Suricata — so you can tune SOC tooling against realistic traffic without pointing it at anything that matters.

  • C · Router firmware

    Asuswrt-Merlin · DSL-AC68U

    Keeping a DSL-AC68U alive on current Asuswrt-Merlin after the manufacturer walked away — because the router still works, and replacing working hardware to chase a security patch is the wrong fix.

  • C++ · 3D printer firmware

    Marlin · Tronxy X5SA / SKR Pro

    A Marlin 2.0.5.3 build for a Tronxy X5SA upgraded to an SKR Pro v1.1 board with TMC2208 drivers and a BLTouch on the dedicated BLTouch port — a configuration the upstream Marlin examples don't ship.

  • Node · Express · SQLite

    eBay Sold Scraper

    Scrapes eBay sold-listing data the official API won't expose, surfacing average prices, demand scores, and volatility — because completed-transaction prices are the only honest signal of what anything is actually worth.

  • More work

    See the full list on GitHub

    Scripts, one-offs, older forks, and work in progress.