Operating systems
Managed Ubuntu — patched, hardened, audited.
The boring discipline that keeps Ubuntu fleets out of headlines. Unattended-upgrades policy you can defend in an audit, kernel live-patching via Livepatch, CIS Ubuntu benchmark applied and drift-detected, auditd configured properly.
What we manage
Patching cadence
Unattended-upgrades policy tuned to your risk profile, security patches automatic, kernel patches via Livepatch, scheduled reboot windows.
Hardening
CIS Ubuntu benchmark applied, AppArmor profiles, sysctl hardening, unnecessary packages removed, SSH hardened (key-only, no root, MFA via Duo or YubiKey).
Network policy
ufw / nftables policy as code, port surface review, fail2ban, rate-limited SSH, network segmentation where workload demands it.
Audit & compliance
auditd rules for SOC 2 / ISO 27001 evidence collection, login records, file-integrity monitoring, encryption at rest where applicable (LUKS).
Fleet management
Ansible / Salt / Puppet inventory, image baking via Packer, predictable AMI lifecycle, dead-instance pruning.
Observability
Node exporter / Prometheus metrics, journald / structured logs shipped centrally, OS-level SLO monitoring (CPU steal, IO wait, swap).
Compatible across every cloud we manage
Same playbook on AWS, Google Cloud, Microsoft Azure and DigitalOcean — pick the cloud, we'll run the stack.
How we engage
1. Assess
Two-week audit of your current cloud setup against the provider's Well-Architected / Architecture Framework. Concrete findings, no fluff.
2. Stabilise
We close the top security, reliability and cost gaps before going into steady-state operations.
3. Operate
24/7 monitoring, on-call, change management, monthly reviews and a roadmap for the next quarter.
DIY guides & field notes
Build it yourself — or have us do it for you
Short articles, runbooks and field notes from our engineers. Each one starts here as a snippet and continues on Medium.
May 16, 2026, 1 min read
Ubuntu Server 24.04 fresh-install hardening checklist
The exact steps we run on every new Ubuntu 24.04 host before any workload arrives — SSH, UFW, fail2ban, AppArmor, auditd, and the small details that actually matter.
May 15, 2026, 1 min read
Applying the CIS Ubuntu benchmark — the controls that matter and the ones we skip
A pragmatic walk through CIS Ubuntu 22.04 and 24.04 Level 1 and Level 2: which controls move attacker economics, which produce yellow ticks for auditors, and how to audit at scale.
May 14, 2026, 1 min read
Canonical Livepatch in production — patching kernel CVEs without rebooting
How Livepatch actually works, what it can and can't patch, the Pro subscription economics, and the alternatives if you can't or won't use it.
May 13, 2026, 1 min read
Configuring unattended-upgrades on Ubuntu the way production actually needs it
Which security patches you want auto-applied, which ones you don't, and how we handle reboots across a fleet of thousands of servers.
Ready to take the operational load off your team?
Book a 30-minute discovery call. We will audit your current cloud setup and show you exactly where we add value.