
Maturity Model (Cost Optimization)

The Cost Optimization maturity model enables a structured self-assessment and defines a clear development path from reactive cost visibility to strategic cost governance.

The Five-Level Model

| Level | Label | Characteristics |
|---|---|---|
| Level 1 | Reactive / Undocumented | No systematic tagging strategy. Budgets are missing or set in the console UI. Costs are only discovered after the month in the bill. No ownership defined. Resources run continuously without utilization review. No lifecycle policies. |
| Level 2 | Documented & Defined | Tagging taxonomy exists and is documented, but not technically enforced. Budgets are set (even manually). First ownership assignments present. Monthly ad-hoc reviews take place. Some lifecycle policies exist. No structured FinOps process. No ADR cost sections. |
| Level 3 | Enforced & Monitored | Mandatory tagging enforced in CI gate. All budget resources in IaC. Automated alerts at 80% and 100% budget consumption. Monthly FinOps reviews with action item tracker. Lifecycle policies for all storage and log resources in IaC. Rightsizing tags are mandatory on compute resources. Cost impact assessment section in ADR template present and used. Cost debt register exists (even if not yet complete). |
| Level 4 | Measured & Automated | Automated rightsizing recommendations are incorporated into reviews and implemented. Cost debt register actively maintained with owner and paydown plans. FinOps reviews are mandatory (not optional). Quarterly architecture board review including cost debt sign-off. Full TCO tracking for all production workloads. RI/SP coverage optimization based on utilization data. Observability costs controlled through tiering. Anomaly detection for costs configured (AWS Cost Anomaly Detection or similar). |
| Level 5 | Optimized & Predictive | Predictive cost modeling: costs are modeled for new features before launch. Auto-remediation of waste (idle shutdown, oversized flagging). Continuous cost debt paydown: backlog always contains active paydown tasks. FinOps as a strategic competitive advantage: cost efficiency as a product feature. ML-supported commitment optimization. Open source vs. proprietary decisions fully TCO-documented. Cost efficiency flows into engineering performance metrics. |

Maturity per Control

| Control | L1 | L2 | L3 | L4 | L5 |
|---|---|---|---|---|---|
| WAF-COST-010 Cost Allocation Tagging | No tagging standard | Taxonomy documented | CI gate enforces tags | Automatic remediation | Full chargeback automation |
| WAF-COST-020 Budgets & Alerting | No budget | Budget set manually | Budget as IaC, alerts configured | Forecasting alerts, anomaly detection | Predictive budget management |
| WAF-COST-030 Rightsizing | No oversight | Manual ad-hoc reviews | Rightsizing tags mandatory, review cycle | Automated recommendations integrated | Auto-rightsizing with guardrails |
| WAF-COST-040 Retention Lifecycle | No lifecycle policies | Some retention settings | All resources with lifecycle in IaC | Tiered storage automated | Value-based intelligent tiering |
| WAF-COST-050 Cost Impact in ADRs | No cost in ADRs | Informal cost notes | Structured cost assessment in ADRs | TCO model with actuals comparison | Automated cost impact from IaC plan |
| WAF-COST-060 FinOps Review Cadence | Ad-hoc reviews | Monthly reviews (informal) | Structured review cycle with owners | Anomaly-triggered reviews | Continuous FinOps with real-time dashboard |
| WAF-COST-070 Observability Cost Tiers | All logs unlimited | Some retention values set | Tiered retention in IaC | Log value analysis | Automated intelligent tiering |
| WAF-COST-080 Reserved Capacity | Everything on-demand | First reservations present | Baseline fully reserved | Savings plans optimized | ML-supported commitment optimization |
| WAF-COST-090 Egress Cost Management | Uncontrolled egress | Egress budget set | VPC endpoints deployed, CDN configured | Egress anomaly detection | Data gravity optimization automated |
| WAF-COST-100 Cost Debt Register | No register | Informal list | Structured register in repository | Register linked to ADRs and actuals | Automated cost debt detection |

Assessing Current Maturity

The following questions are recommended for self-assessment:

Level 2 Checklist

  • Is a tagging taxonomy with mandatory tags documented (cost-center, owner, environment, workload)?

  • Are budget limits set for all cloud accounts/subscriptions?

  • Is a team assigned as owner for every production workload?

  • Do monthly cost reviews take place (even if still informal)?

  • Are lifecycle policies configured at least for the largest cost drivers?

Level 3 Checklist

  • Does the CI pipeline gate check tagging compliance on every pull request?

  • Are all budget resources managed as Terraform code?

  • Are budget alerts automatically routed to team owners?

  • Do all CloudWatch log groups / Azure Log Analytics workspaces have a retention_in_days setting?

  • Do all S3 buckets / Azure storage accounts have a lifecycle policy?

  • Are rightsizing tags (rightsizing-reviewed with date) mandatory on all compute resources?

  • Does the ADR template contain a cost impact section?

  • Does a cost debt register exist (even if still incomplete)?
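One way to implement the Level 3 checks on mandatory tags, rightsizing tags and log retention as a CI gate over the JSON produced by `terraform show -json` (an added example, not part of the WAF++ material). The resource-type sets, the ISO date format for `rightsizing-reviewed` and the sample plan are assumptions.

```python
import re

MANDATORY_TAGS = {"cost-center", "owner", "environment", "workload"}  # from the Level 2 checklist
COMPUTE_TYPES = {"aws_instance"}           # assumption: types treated as compute
LOG_TYPES = {"aws_cloudwatch_log_group"}   # assumption: types treated as log resources
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumption: date format of rightsizing-reviewed


def check_plan(plan):
    """Return one finding per violation in a `terraform show -json` plan document."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed, nothing to enforce
            continue
        addr, rtype = rc["address"], rc["type"]
        if "tags" in after:  # only taggable resources expose a tags attribute
            # tags_all also carries provider-level default tags when present
            tags = {**(after.get("tags") or {}), **(after.get("tags_all") or {})}
            missing = sorted(MANDATORY_TAGS - set(tags))
            if missing:
                findings.append(f"{addr}: missing tags {', '.join(missing)}")
            reviewed = str(tags.get("rightsizing-reviewed", ""))
            if rtype in COMPUTE_TYPES and not ISO_DATE.match(reviewed):
                findings.append(f"{addr}: rightsizing-reviewed missing or not a date")
        # retention_in_days of null or 0 means the log group never expires
        if rtype in LOG_TYPES and not after.get("retention_in_days"):
            findings.append(f"{addr}: retention_in_days not set")
    return findings


# Constructed sample plan (not real output), trimmed to the fields the check reads.
FULL = {"cost-center": "cc-42", "owner": "team-a", "environment": "prod", "workload": "shop"}
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"tags": dict(FULL)}}},
    {"address": "aws_instance.api", "type": "aws_instance",
     "change": {"actions": ["create"],
                "after": {"tags": {**FULL, "rightsizing-reviewed": "2024-05-01"}}}},
    {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
     "change": {"actions": ["create"],
                "after": {"tags": {"owner": "team-a"}, "retention_in_days": None}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    results = check_plan(SAMPLE_PLAN)
    print("\n".join(results))
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```

Tags whose values are only known after apply do not appear in the plan's `after` object, so such resources are reported as missing tags and need a follow-up check against the applied state.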

Level 4 Checklist

  • Are automated rightsizing recommendations (AWS Compute Optimizer, Azure Advisor, GCP Recommender) incorporated into reviews monthly?

  • Are all production workloads documented with a current TCO model (< 12 months)?

  • Does the cost debt register have an owner and status (paydown/monitoring/accepted) for all entries?

  • Does a quarterly architecture board review of the cost debt register take place?

  • Is RI/SP coverage >= 70% for baseline workloads?

  • Are observability costs kept below 20% of the total budget through log level policies and retention tiering?

  • Is AWS Cost Anomaly Detection / Azure Cost Alerts / GCP Budget Alerts configured?

Recommended Entry Path

For organizations not yet at level 3, we recommend the following prioritization:

| Priority | Measure | Controls |
|---|---|---|
| Immediate (Level 1→2) | Document tagging taxonomy and name all mandatory tags | WAF-COST-010 |
| Immediate (Level 1→2) | Set budget limits for all accounts as IaC; configure 80% alert | WAF-COST-020 |
| Short-term (Level 2→3) | Set up CI gate for tagging compliance (no merge without mandatory tags) | WAF-COST-010 |
| Short-term (Level 2→3) | Lifecycle policies for S3/log groups/Azure storage as IaC: all buckets/log groups with retention | WAF-COST-040 |
| Short-term (Level 2→3) | Extend ADR template with cost impact section; make mandatory for next ADRs | WAF-COST-050 |
| Medium-term (Level 3→4) | Create cost debt register; identify and enter top 5 cost debts | WAF-COST-100 |
| Medium-term (Level 3→4) | Formalize monthly FinOps reviews; set up action item tracker | WAF-COST-060 |
| Long-term (Level 4→5) | Introduce predictive cost modeling; auto-remediation for idle resources | WAF-COST-030 |