// Cloud Intelligence

Migration, optimization, and rationalization intelligence.

Built vendor-neutral. Delivered inside Barrier engagements.

Get in touch → Request a walkthrough →
Migration to cloud Cloud-to-cloud arbitrage In-cloud rationalization M&A diligence
// What it does

Three capabilities. One assessment workflow.

Multi-cloud TCO, dependency mapping, wave planning. Used in every Barrier engagement.

01 / TCO

Multi-cloud TCO

AWS, Azure, GCP, OCI, and on-prem comparison with itemized run-rate, migration cost, and decommission savings. Every dollar traceable to a formula.

02 / Graph

Visual dependency mapping

Interactive graph with business overlays (criticality, 6R, initiative band, cost), what-if migration simulation, AI narrative explanation, drift mode, and trust-boundary overlays.

03 / Waves

Wave planner

Topological dependency-ordered migration waves with capacity caps, cycle detection, and within-wave priority by criticality + effort + fan-out. Drag-and-drop adjustments preserved across re-runs.

// Scenarios

Four scenarios. One workspace.

Migration is the most common destination but not the only one. The same questionnaire, dependency graph, and cost engine answer four distinct engagement types.

01 / Migration

Migration to cloud

Move from on-prem (or co-lo, or hosted) to a public cloud. Multi-cloud cost modeling, dependency-ordered wave plan, 6R disposition per app.

02 / Arbitrage

Cloud-to-cloud arbitrage

Already in AWS or Azure? The same engine compares all four clouds. Includes egress and re-architecture costs.

03 / Rationalize

In-cloud rationalization

For orgs already cloud-native: which apps to keep, kill, modernize, or replace. Same 6R framework, no migration required. Most common follow-up to a cost overrun.

04 / M&A

M&A / carve-out diligence

IT portfolio diligence pre-deal, separation planning during integration, post-merger rationalization. Fortune 500 carve-out case study below.

Gartner classifies the underlying capability as Application Discovery and Dependency Mapping (ADDM), a $4B+ market. Barrier delivers it inside the Public Cloud IT Transformation Services engagement model.

// In engagements

What we deliver inside an engagement.

Mid-market and Fortune 500 organizations running migration, optimization, or rationalization engagements with Barrier. Engagements typically run four to eight weeks.

Fortune 50 retail

4 months → 4 weeks

Migration assessment for a Fortune 50 retailer's app portfolio. Replaced an 18-week external assessment with a 4-week structured run using the multi-cloud TCO module and the wave planner.

Fortune 500 carve-out

240 apps mapped in 9 days

Day-1 IT separation for a tech-heavy carve-out. The dependency graph plus AI narrative resolved 90% of the application disentanglement question set inside the first sprint.

Engagement summaries anonymized. Read the full case-study catalog →

// Built right

How your data is protected.

  • Each engagement is isolated at the database layer. Cross-engagement reads return zero rows by policy.
  • Access tokens are per-engagement, rotatable and revocable.
  • Nightly backups, weekly recovery test that restores into a scratch database.
  • Rate-limited logins and API endpoints.
  • Content-Security-Policy restricts the page to Barrier-served scripts only.
  • TLS 1.3 in flight. Storage-layer encryption at rest.
  • No third-party analytics, marketing pixels, or telemetry.
  • Every byte exportable as PDF, CSV, Excel, or REST API.
// FAQ

Common questions.

How does this differ from CloudHealth, Apptio, or Flexera?

Those are FinOps tools for ongoing cloud spend management once you are already in cloud. Cloud Intelligence is an assessment platform for migration, arbitrage, rationalization, and M&A diligence, the work that happens before workloads move (or before they get cut). Different buyer, different workflow, different output (a wave plan and a defensible TCO model, not a monthly chargeback report).

Do you replace AWS Transform or Azure Copilot Migration Agent, or sit alongside them?

We sit alongside, and we are explicitly neutral. AWS Transform shipped September 2025 and optimizes for AWS landing zones. Azure Copilot Migration Agent shipped the same month and optimizes for Azure. Both are useful inside their respective clouds. Neither will tell you to pick the other. Cloud Intelligence scores AWS, Azure, GCP, and OCI on the same matrix, weighted by your scenario, we have no landing-zone quota.

Can I import from ServiceNow, a CMDB, or another inventory tool?

CSV import works today and is the path most engagements use. ServiceNow and Device42 connectors are on the roadmap. The XLSX round-trip with the v5.1 Excel template covers the cases where your client gives you a spreadsheet and wants the answer back in the same format.

How is my data protected?

Each engagement runs in its own isolated workspace. The database itself refuses to return one client’s data to a different client’s session, this is enforced at the database layer, not just in the application code, so even a software bug cannot leak data across engagements.

Specifically:

  • In flight: All traffic uses TLS 1.3, the same encryption standard banks and payment networks use. The connection negotiates TLS 1.3 with modern ciphers; older protocols are refused.
  • At rest: The storage layer is encrypted by the cloud provider (Oracle Cloud Infrastructure block-volume encryption). A physically removed disk reveals nothing readable.
  • Authentication: Access is gated by per-engagement Bearer tokens. Tokens are stored as salted SHA-256 hashes, the database does not retain the raw token. Each token can be rotated or revoked instantly without affecting other engagements.
  • Authorization: Postgres Row-Level Security policies are FORCED on every table that holds engagement data (15 tables verified). A query without engagement context returns zero rows by policy; the database, not the app, is the boundary.
  • Brute-force protection: Login attempts and authenticated API calls are rate-limited per IP and per engagement. Repeated failed logins lock out the source within seconds.
  • Browser hardening: Strict Content-Security-Policy (CSP) blocks script injection. HSTS forces HTTPS. X-Frame-Options blocks click-jacking. Permissions-Policy disables camera, microphone, geolocation, and FLoC tracking.
  • Backups and recovery: A full database dump runs every night with 30-day retention. A weekly restore test actually restores the most recent dump into a scratch database and verifies row counts, if a backup is silently broken, the next weekly test catches it.
  • Tracking: No Google Analytics, no Facebook pixel, no HubSpot, no Segment, no Amplitude, no telemetry of any kind. Your engagement data is never sent to a third party. Only library code (Chart.js, Cytoscape, html2canvas) loads from public CDNs, and the CSP restricts even those origins.
  • Export rights: Every byte you put in is exportable at any time as branded PDF, CSV, Excel, or REST API. Your data is yours, irrevocably.

Need to hand this answer to your security team for review? Get the long-form security brief.

Can I export everything?

Yes. Branded PDF report, CSV of every table, XLSX round-trip with the v5.1 Excel template, and REST API. Your assessment outputs are yours; we never gate the export.

How does scope work?

Scope is set per engagement, not per tier. There is no hardcoded app or server cap. Whether the engagement covers 50 apps for a mid-market carve-out or 5,000 apps for a Fortune 500 multi-year migration, the tool runs at the size of the work. The shape of the engagement is something we agree before we start; talk to us about the assessment in front of you.

Used in Barrier Consulting engagements.

To see it run on your migration, arbitrage, rationalization, or M&A engagement, get in touch.

Get in touch → Request a walkthrough →