# BlueArch

> BlueArch is FinOps Best Practices as a Service for AWS. Two products (BlueArch CLI, Tag Manager), three executive solutions (EDP/PPA insurance, Cloud Efficiency Metrics, Claude Governance), and the open Governance Hub — all self-hosted in your VPC.

## Products

- [BlueArch CLI — AI-native AWS alerts for SREs](https://www.bluearch.io/products/cli): AI-native AWS alerts, sorted by business impact and dollars at risk — runs in your VPC.
- [Tag Manager — AWS tagging with business workflows](https://www.bluearch.io/products/tag-manager): AWS tagging that drives lifecycle workflows — TTL, ownership, cost cleanup, exception handling.

## Solutions

- [EDP / PPA Insurance — BlueArch](https://www.bluearch.io/solutions/edp-ppa): Forecast, insure, and mitigate AWS EDP / PPA commitments. For CFOs and Heads of FP&A.
- [Cloud Efficiency Metrics — BlueArch](https://www.bluearch.io/solutions/cloud-efficiency): Pair AWS cost with revenue, product, and headcount data — board-grade IT efficiency metrics.
- [Claude Governance — BlueArch](https://www.bluearch.io/solutions/claude-governance): Bespoke Claude system prompts, scoped tool catalogs, and policy that cut token costs 30–60%.

## Company

- [BlueArch — FinOps Best Practices as a Service](https://www.bluearch.io/): FinOps Best Practices as a Service for AWS — the control plane that ties infrastructure to revenue.
- [Governance Hub — open AWS misconfiguration catalog](https://www.bluearch.io/governance-hub): The largest free, LLM-formatted database of AWS misconfigurations — MIT licensed, MCP-ready.
- [About BlueArch](https://www.bluearch.io/about): Founders, story, principles, and investors behind BlueArch — formerly Blueprint Architectures.

## Optional

- [Full content](https://www.bluearch.io/llms-full.txt): every page in one file, llms.txt convention.
- [Misconfiguration repo](https://github.com/bluearchio/aws-misconfig-db): MIT-licensed source of truth for the Governance Hub.
---

## BlueArch — Home (https://www.bluearch.io/)

> FinOps Best Practices as a Service for AWS. BlueArch ties infrastructure to the business outcomes it powers — so engineering teams can run AWS like the engine of revenue it is.

### Headline numbers

- **6.2% of ARR** — Avg. AWS spend on BlueArch · industry runs ~13%
- **2.4×** — Infra-spend managed per engineer (vs. baseline 1×)
- **12 min** — Architecture due diligence · was 3 weeks
- **96.4%** — Forecast accuracy · 30-day spend, ±5%

### Capabilities

- **01 / Forecast · Scenario Modeling** — Simulate region adds, schema migrations, and traffic surges against your real workload before you commit code. _(±5% on 30-day spend)_
- **02 / Architect · Decision Pairing** — InfraGPT joins logs with live AWS pricing and a synthetic user population, so each design choice carries a number. _(Logs × pricing × users)_
- **03 / Audit · Due Diligence** — Generate the SOC 2, M&A, or board-meeting infrastructure pack from live state — every claim linked to its evidence. _(3 weeks → 12 minutes)_
- **04 / Govern · Lifecycle Policies** — TTL, ownership, and tag rules declared in code, enforced from CLI, audited from the dashboard. _(14 policy templates)_
- **05 / Detect · Misconfigurations** — CIS, AWS Well-Architected, and your house rules — scanned continuously, scored by business impact, not severity. _(320+ checks)_
- **06 / Map · Resource Graph** — Every dependency, every account, every region — queryable, exportable, and diffable across deploys. _(Multi-account aware)_
- **07 / Observe · Unified Telemetry** — CloudTrail, CloudWatch, and CUR joined in one queryable surface, retained on your terms — same data InfraGPT models on. _(S3-backed · your retention)_
- **08 / Operate · AI Operations** — Ask in English. Get the diff, the runbook, the dollar impact — with an audit trail before anything ships. _(Claude · BYO key)_

### Pricing

| Plan | Price | Description |
| --- | --- | --- |
| Free | $0 | Run BlueArch CLI or Tag Manager CLI on your own AWS account. Read-only dashboard, baseline discovery, and the full misconfig catalog. |
| Pro | $480/mo | Cross-account scanning, lifecycle policies, CloudWatch alarms, AI log analysis, and the multi-user web dashboard. |
| Enterprise | Contact | For governments, defense, banks, and other high-security teams that need SOC 2 and bespoke deployment support. |

### Home FAQ

**Is BlueArch a dashboard, a CLI, or a consulting service?**

All three work together. BlueArch gives executives and architects the dashboard view, while the CLI lets engineers act on the same data from their terminal.

**Does data leave our AWS account?**

The product is designed around self-hosted deployment. Operational data stays in your AWS environment while BlueArch provides the control plane, workflows, and governance model.

**What is included in Free?**

Free covers one user, one AWS account, read-only discovery, and the misconfiguration catalog. Pro unlocks cross-account and team workflows.

**How fast can we run an efficiency review?**

A first pass can happen in a short review call. The deeper assessment connects spend, usage, tags, logs, and business context so decisions can be modeled before they ship.

### Contact

- Email: support@bluearch.io
- Phone: 931-683-3511
- LinkedIn: https://www.linkedin.com/company/bluearchgroup
- GitHub: https://github.com/bluearchio

## BlueArch CLI — AI-native AWS alerts for SREs (https://www.bluearch.io/products/cli)

> Alerts from the largest AWS misconfiguration database, scored by business impact, with AI-native triage and per-finding engineer notes.

**Audience:** For SREs & solution architects

**Eyebrow:** Flagship product · AI-native

### Headline

Alerts that know your business.
### Overview

BlueArch CLI pairs the world's largest AWS misconfiguration database with your business context — revenue tags, customer tiers, regional exposure — so the first alert you see is the one that actually matters. Notes, runbooks, and AI triage, one terminal away.

### Outcomes

- **71%** — Faster mean-time-to-remediate (Median across 84 SRE teams running BlueArch for >90 days.)
- **83%** — Findings auto-triaged (By business impact, before a human ever opens the terminal.)
- **24×** — Spend managed per SRE (Up from baseline 1× — one engineer can now cover 2–4× the footprint.)
- **2147** — Rules out of the box (Sourced from the Governance Hub. New rules ship daily.)

### What it does

- **01 · Signal · Business-aware severity** — Every finding is paired with your revenue tags, customer tiers, and regional exposure. The CLI sorts by dollars at risk — not by "high / medium / low." Critical means the order pipeline. Low means a dev sandbox. _(2,147 rules · Hub-backed)_
- **02 · Triage · AI-native notes & snoozes** — Per-finding notes that travel with the engineer, not the resource. Snooze with reason, escalate to JIRA, or ask InfraGPT to draft the remediation PR. State is shared across your team, not stuck in someone's terminal history. _(Notes · Snooze · Escalate · Draft PR)_
- **03 · Action · Reversible fixes, suggested** — Every finding ships with a tested remediation — Terraform, CDK, or raw AWS CLI. Apply it as a dry-run, review the diff, and ship. No SaaS in the loop; the CLI runs in your VPC and writes to your account. _(terraform · cdk · awscli)_

### Install

```
brew install bluearchio/tap/bluearch
```

Trust: Self-hosted in your VPC · macOS · Linux · Windows · Docker · Read-only IAM by default

### Customer evidence

> "We went from triaging Security Hub findings on Mondays to a 9am Slack digest with three things to fix. BlueArch knows which of our buckets actually serve customer traffic — Security Hub never did."
> — J. Morales, Staff SRE · Logistics platform · $9M AWS / yr

_30-day result:_ Critical alerts / week: ↓ 78% · Time on triage: −9.4 hrs · P1 incidents avoided: 3 · ARR protected: $1.1M

### FAQ

**Does the CLI need access to my AWS account?**

Read-only IAM by default. Remediation actions require explicit per-action approval and a separate write role — you control which actions are pre-authorized vs. require a PR.

**Where does the business context come from?**

A YAML file (finops-tags.yml) you keep in your infra repo. It maps AWS tags to revenue, tiers, and ownership. Tag Manager can generate it for you from existing tags.

**Does data leave my VPC?**

No. The CLI runs entirely in your environment. The Governance Hub manifest is pulled over HTTPS at startup; everything else stays local. AI features call an LLM endpoint of your choice (Bedrock, Anthropic API, or your own).

**How does it compare to Security Hub / Wiz / Prowler?**

Those tools are great at producing findings. BlueArch is built around what to do with findings — business-aware ranking, shared notes, AI-drafted remediation. It happily ingests Security Hub findings as one of its inputs.

**Pricing?**

Free for individual SREs (limit: 1 account, 1k resources). Team plan starts at $1,200 / month per AWS organization. See the pricing page.

## Tag Manager — AWS tagging with business workflows (https://www.bluearch.io/products/tag-manager)

> Apply and monitor AWS tags, and build business processes around them — TTL, ownership, lifecycle — eliminating manual custodial work.

**Audience:** For SREs & solution architects

**Eyebrow:** Flagship product · lifecycle governance

### Headline

Stop being your own cloud janitor.

### Overview

Tag Manager turns AWS tags into a workflow engine. Apply and audit tags across accounts, then attach business processes — TTL, ownership, approval, archival — directly to them. The custodial work that used to eat your sprints just runs itself.
### Outcomes

- **94%** — Resources with known owner after rollout
- **12% of AWS bill** — Recoverable unmanaged spend
- **0** — Manual cleanup spreadsheets required
- **48 hr** — Default review window before expiration

### What it does

- **Lifecycle ownership** — TTL, owner, environment, service, and exception tags become workflow triggers.
- **Cost cleanup** — Find idle, orphaned, oversized, or expired resources before they become spend drift.
- **CLI plus web** — Platform teams can enforce policies from terminal workflows and review evidence in the dashboard.

### Install

```
brew install bluearchio/tap/tag-manager-cli
```

Trust: Runs in your account · Terraform / CDK / CLI · Slack · PagerDuty · JIRA hooks

### FAQ

**Do we need perfect tags first?**

No. Tag Manager is built to discover gaps, propose owners, and create the policy trail.

**Can it run read-only?**

Yes. Discovery can run read-only, then write workflows can be enabled only where your team approves them.

**Can it pair with BlueArch CLI?**

Yes. Tag Manager handles lifecycle governance while BlueArch CLI prioritizes risk and operations.

## Governance Hub (https://www.bluearch.io/governance-hub)

> The world's largest free, LLM-formatted database of AWS misconfigurations. MIT licensed. Mirrored live from https://github.com/bluearchio/aws-misconfig-db.

### Catalog snapshot

- **323** recommendations loaded
- **46** AWS service groups covered
- **27** high-severity entries
- License: MIT
- Source: https://github.com/bluearchio/aws-misconfig-db

Every entry is structured with: id, severity, business impact, alert criteria, recommendation, IaC patches, and an MCP-formatted body. Drop one into a model context to give it the rule, the impact, and the fix.

## EDP / PPA Insurance — BlueArch (https://www.bluearch.io/solutions/edp-ppa)

> Forecast AWS EDP and PPA commitments. Insure against shortfall. Mitigate existing overages. For CFOs and heads of FP&A.
**Audience:** For CFO & Head of FP&A

**Eyebrow:** Solution · Financial protection

### Headline

AWS commitments, underwritten. Not undertaken.

### Overview

EDP and PPA contracts are unforgiving — miss the commit and AWS claws back every dollar of discount. We help you forecast the right number, insure against shortfall, and — if you're already over your skis — negotiate the overage down.

_Quick facts:_ 30+ EDPs renegotiated · $140M in commitments under management · NDA-first engagement

### Outcomes

- **58%** — Median overage recovered (For customers entering with an active EDP/PPA shortfall.)
- **140M** — Commitments under management (Across 47 active customers; aggregate notional.)
- **30+** — EDPs renegotiated (By BlueArch advisory team since 2022.)
- **4 weeks** — To insurance bind (From kickoff to underwritten policy.)

### What we ship

- **01 · Forecast · Plan a commitment you can actually hit** — We model your 36-month AWS run-rate against revenue forecast, product roadmap, and seasonality — then size the EDP / PPA so the discount is real and the risk is bounded. Net new customers run this before signing. _(Pre-signature · 4–6 week engagement)_
- **02 · Insure · Shortfall insurance, underwritten** — If your committed spend falls short, our insurance covers the clawback up to your policy limit. Premiums are a fraction of a percent of commit. Underwritten quarterly against your actual usage; no surprises. _(In-term · annual renewable)_
- **03 · Mitigate · Negotiate down an existing overage** — Already in shortfall? We've renegotiated 30+ EDPs and PPAs — restructuring terms, redirecting eligible spend, and where appropriate, working directly with AWS on your behalf. Typical mitigation: 40–70% of the overage. _(Remediation · success fee)_

### Customer evidence

> "We were 18 months into a four-year EDP and tracking $2.3M short. BlueArch restructured the commit, recovered $1.6M of the overage, and underwrote the rest. The board went from a write-down conversation to a "well done" one."
> — M. Voss, CFO · Healthcare SaaS · $26M AWS commit

_Recovery snapshot:_ Overage exposure: $2.3M · Recovered: $1.6M · Insured (residual): $0.7M · Net P&L hit: $0

### FAQ

**How does the insurance product actually work?**

A captive policy underwritten quarterly against your AWS usage. If, at the end of your EDP/PPA term, your committed spend is short of contract, the policy pays the gap up to the policy limit. Premiums scale with measured risk; you can lower them by tracking ahead of forecast.

**What does "negotiate down an overage" mean?**

A combination of restructuring the contract (extending term, reallocating eligible spend categories), recovering eligible-but-unattributed spend (e.g. marketplace, partner-resold), and where appropriate, direct advocacy with your AWS account team. Success-fee based.

**Are you an AWS reseller?**

No. We are an AWS Advanced Tier Partner but commit directly to you — your AWS contract remains a direct relationship. Independence is what lets us advocate for your side of the table.

**What size commitments do you work with?**

$1M / year is the practical minimum for insurance to be cost-effective. Forecasting and mitigation engagements run smaller; the largest commit currently under management is $48M / 5 years.

**How does this pair with BlueArch's engineering products?**

The CLI and Tag Manager improve the underlying spend efficiency — which is exactly what makes the insurance economical. Customers using both products see lower premiums and higher mitigation recoveries.

## Cloud Efficiency Metrics — BlueArch (https://www.bluearch.io/solutions/cloud-efficiency)

> Pair revenue, product, and business data with AWS infra. Turn IT from a cost center into a revenue driver — with metrics your board actually cares about.

**Audience:** For CIO & Head of IT

**Eyebrow:** Solution · IT as revenue

### Headline

Stop reporting spend. Start reporting efficiency.
### Overview

Your board doesn't care that the AWS bill went up 12%. They care that infra spend per active customer dropped 18% — and that you can prove it. We pair AWS data with revenue, product telemetry, and headcount to give IT metrics the C-suite reads.

_Quick facts:_ Snowflake · BigQuery · Redshift · Salesforce · Stripe · HubSpot · Read-only by design

### Outcomes

- **18% ↓** — Cost per active user, YoY (Customer median across 30 mid-market accounts.)
- **62% of ARR** — Avg. AWS spend after onboarding (From industry baseline of ~13%, down to 6.2%.)
- **3 quarters** — To board-defensible metrics (Includes data wiring and the first benchmark cycle.)
- **14** — Pre-built executive views (Customizable per board pack template.)

### What we ship

- **01 · Unit economics · Infra cost per business unit** — $ per MAU, $ per order, $ per API call, $ per closed ticket. Pulled from your data warehouse and product analytics, attached to the AWS resources that produced them. A 22% drop in $/MAU is a story the board understands. _(Snowflake · BigQuery · Redshift)_
- **02 · Revenue ratios · Infra as % of revenue, by segment** — Sliced by product line, customer segment, and geography. Compare against industry benchmarks (we maintain them — 13% is normal, <7% is best in class). Surfaces which products are getting more efficient and which are silently bleeding margin. _(Salesforce · Stripe · HubSpot)_
- **03 · Productivity · Spend managed per engineer** — How much AWS footprint a single engineer can responsibly run. Industry baseline is ~$200k / engineer / year. With BlueArch in the loop, our customers run 2–4× that — and the metric shows up as hiring leverage on the IT P&L. _($ / eng · 2–4× lift)_

### Customer evidence

> "For the first time I walked into a board meeting with one chart: cost per active customer, down four quarters in a row. The conversation changed completely. IT stopped being a line item to defend."
> — D. Tanaka, CIO · B2B SaaS · ~$22M cloud / yr

_12-month outcome:_ Cost / MAU: ↓ 24% · Infra % of ARR: 5.8% · Board reports / yr: 4 · Hiring leverage: +1.7×

### FAQ

**Do you build dashboards or replace them?**

Both. We ship a reference model and can export to the visualization layer your team already uses.

**Is this FinOps only?**

No. It includes FinOps, reliability, product usage, and engineering capacity signals.

**What is the first deliverable?**

A baseline benchmark and the first operating review format.

## Claude Governance — BlueArch (https://www.bluearch.io/solutions/claude-governance)

> Bespoke Claude system prompts, tool configs, and policy that cut token usage and standardize agent behavior across your org.

**Audience:** For CIO & AI Platform

**Eyebrow:** Solution · AI governance

### Headline

Your Claude usage is growing 40% / month. Govern it.

### Overview

Bespoke system prompts, tool configs, and org-wide policy that cut token usage 30–60% and standardize agent behavior — without touching the model. We've built Claude deployments at three Fortune 500s and twenty mid-market SaaS companies.

_Quick facts:_ Anthropic-recommended partner · 23 deployments · 9-figure aggregate token spend

### Outcomes

- **47% ↓** — Median token cost per task (Across 23 deployments, post-rollout.)
- **3 weeks** — To first rollout (Audit, design, ship to one pilot team.)
- **100% of tools** — Audit-logged & role-scoped (Every MCP call is traceable to a role and policy.)
- **23** — Deployments shipped (F500 + mid-market SaaS, since 2024.)

### What we ship

- **01 · Prompts · Role-scoped system prompts** — A library of system prompts scoped per role — infra, support, legal, sales engineering — with output budgets, refusal policy, and tool affordances tuned to actual workflow. Replaces the "be a helpful assistant" sprawl that's eating your token bill. _(YAML · Git-versioned · CI-tested)_
- **02 · Tool configs · Scoped MCP & tool catalogs** — Most Claude deployments expose every tool to every agent. We scope tools by role and by task, slashing the system-prompt overhead Claude pays to ignore irrelevant tools. Typical savings: 35–50% on input tokens. _(MCP-native · audit-logged)_
- **03 · Policy · Governance policy & reporting** — Token budgets per team, escalation paths, refusal taxonomy, and a monthly governance review aligned to your AI Risk Committee. Maps cleanly onto SOC 2 and ISO 42001 evidence. _(SOC 2 · ISO 42001 evidence)_

### Customer evidence

> "Our Anthropic bill was growing faster than our customer count. BlueArch rewrote our system prompts, scoped our MCP catalog by team, and gave us an ISO-friendly governance review. Token spend dropped 51% in the first quarter and we passed our AI audit."
> — R. Bhattacharya, Head of AI Platform · Fortune 500 retail

_Quarter-1 outcome:_ Token spend: ↓ 51% · Tools in catalog: 248 → 41 scoped · Audit findings: 0 · Time-to-deploy: 3 weeks

### FAQ

**Do you replace our Claude setup?**

No. We harden and standardize what your teams already use.

**Is this only prompt work?**

No. It includes tool configuration, workflow policy, and operating guidance.

**Can this connect to AWS governance?**

Yes. The strongest use cases connect Claude behavior to AWS operations and BlueArch governance data.

## About BlueArch (https://www.bluearch.io/about)

> BlueArch (formerly Blueprint Architectures) is FinOps Best Practices as a Service for AWS. Self-hosted, open-standard, engineer-native. Founded 2021, AWS Advanced Tier Partner, SOC 2 Type II in flight.

### Principles

- **Self-hosted by default** — runs in your VPC under your IAM. No SaaS in the loop, no data egress.
- **Open standards, open data** — misconfiguration catalog is public, tag schema is human-readable YAML, LLM context format is documented.
- **Engineer-native, exec-legible** — CLI for SREs, control plane FP&A can quote in a board deck.
- **Infrastructure isn't a cost center** — every dollar of AWS spend should map to a product, customer cohort, or revenue line.

### Investors

- Bob Crimmins — https://www.linkedin.com/in/bobcrimmins/
- Right Side Capital Management — https://www.linkedin.com/company/right-side-capital-management/
- Rick Crabbe — https://www.linkedin.com/in/rick-crabbe-7b1413/
- Kris Naidu — https://www.linkedin.com/in/kris-naidu-1874b0166/

---

_Generated 2026-05-21T19:57:57.243Z from src/data/siteData.js_