Technology Health Scorecard
Executive Summary
Northwind's engineering organization is shipping at roughly half the velocity its headcount and roadmap would suggest. The cause is not effort and not talent. It is accumulated debt that compounds with each new feature, in three forms: dead code, fragile architecture, and uncontrolled cloud spend.
Three findings warrant your direct attention. Twenty-two live credentials are committed to source code, including a Stripe production key. Cloud spend is running approximately $190K per year above what the workload requires, recoverable in the first 60 days with no functional changes. And the checkout pipeline is a single point of failure for all revenue, with documented incident history your engineering team has been managing reactively.
None of these are unusual findings. What is unusual is having all three on the same page, sourced to the system itself, with a sequenced action list. The 30/60/90 below is what we would do if this were our company.
30/60/90 Action List
What we'd do, in this order, starting Monday.
| Priority | Action | Timeframe | Business Impact |
|---|---|---|---|
| 1 | Rotate the 22 committed credentials. Stand up secrets management. Notify your security insurer if required. | Week 1 | Eliminates active breach liability. Removes a likely blocker for next financing or strategic conversation. |
| 2 | Right-size cloud compute and storage against actual usage. Apply lifecycle policies to cold data. | Day 1–30 | Recovers ~$190K annualized. Pays for the engagement and the next quarter's modernization work. |
| 3 | Decouple checkout into an asynchronous pipeline with retry and dead-letter handling. | 30–90 Days | Eliminates revenue-impacting checkout outages. Removes the largest single business-continuity risk. |
| 4 | Begin systematic dead code removal. Set test coverage floor for new code. | 60–180 Days | Restores engineering velocity. Reduces new-hire ramp time from months to weeks. |
| 5 | Document architecture decisions and ownership map. Establish quarterly architecture review. | Ongoing | Compounds over time. Makes future hiring, M&A, and AI adoption materially easier. |
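A detection check for priority 1, added here as an illustration and not taken from the scorecard or Northwind's repositories: a scan of staged text for credential-shaped tokens, the kind of gate a pre-commit hook or CI job runs so that rotated secrets are not re-committed. The credential shapes (Stripe live secret keys begin with sk_live_, AWS access key IDs with AKIA) and the sample lines are assumptions constructed for the example.

```python
import re

# Credential shapes to flag (assumed formats, not taken from the scorecard):
# Stripe live secret keys start with sk_live_, AWS access key IDs with AKIA.
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"""(?i)(?:password|passwd|secret)\s*[:=]\s*["']([^"']{8,})["']"""),
}
# Values read from the environment or a template are not hardcoded secrets.
ALLOWLIST = (re.compile(r"os\.environ|getenv|\$\{"),)

# Constructed sample of staged lines; none of these values are real.
SAMPLE_DIFF = """\
STRIPE_SECRET_KEY = "sk_live_EXAMPLEKEY0000000000000000"
STRIPE_TEST_KEY = "sk_test_EXAMPLEKEY0000000000000000"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
db_password = "hunter2hunter2"
"""


def redact(token):
    """Keep enough of the value to locate it, never enough to use it."""
    return token[:8] + "..." + token[-2:] if len(token) > 12 else "***"


def scan_text(text, path="<constructed>"):
    """Return (path, line_no, kind, redacted) for every line holding a
    credential-shaped token that is not read from the environment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in ALLOWLIST):
            continue                      # env lookup, not a literal secret
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                token = m.group(1) if m.groups() else m.group(0)
                findings.append((path, line_no, kind, redact(token)))
    return findings
```

Test-mode keys (sk_test_) are deliberately not matched, so a gate built on this flags the production key the scorecard mentions without blocking developer fixtures.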
What's Slowing the Team
Three structural issues account for most of the velocity gap. Each is fixable.
Every change your team makes happens in the presence of code that no longer runs but still has to be read, understood, and worked around. New hires spend their first six weeks learning what not to touch.
The team has been compensating with experience and tribal knowledge, but that compensation does not scale and it walks out the door with attrition.
Payment processing, inventory decrement, email confirmation, and fraud checks all live in one synchronous chain. When any external service slows down, checkout slows down. When any external service fails, checkout fails.
There are documented incidents in the last twelve months consistent with this pattern.
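The decoupled checkout recommended in this scorecard, written out as an added example rather than Northwind's own code: the customer's request returns once payment is authorized (assumption: payment stays synchronous), while inventory, email and fraud run from a queue with bounded retries, and a job that exhausts its retries lands in a dead-letter list for operators instead of failing checkout. The `flaky` helper stands in for the external services and is constructed for the example.

```python
from collections import deque


class CheckoutPipeline:
    """Accept the order synchronously; run downstream steps from a queue."""

    def __init__(self, handlers, max_attempts=3):
        self.handlers = handlers        # step name -> callable(order_id)
        self.max_attempts = max_attempts
        self.queue = deque()            # pending jobs: [step, order_id, attempts]
        self.completed = []
        self.dead_letter = []           # jobs that exhausted their retries

    def place_order(self, order_id, authorize_payment):
        # Assumption: only payment authorization stays in the request path;
        # the other steps are enqueued and cannot fail checkout when down.
        authorize_payment(order_id)
        for step in self.handlers:
            self.queue.append([step, order_id, 0])
        return {"order_id": order_id, "status": "accepted"}

    def drain(self):
        """Worker loop: retry failed jobs, park exhausted ones for operators."""
        while self.queue:
            job = self.queue.popleft()
            job[2] += 1
            step, order_id, attempts = job
            try:
                self.handlers[step](order_id)
                self.completed.append((step, order_id))
            except Exception as exc:
                if attempts < self.max_attempts:
                    self.queue.append(job)               # retry later
                else:
                    self.dead_letter.append((step, order_id, str(exc)))


def flaky(fail_times):
    """Constructed external service that fails its first `fail_times` calls."""
    calls = [0]

    def handler(order_id):
        calls[0] += 1
        if calls[0] <= fail_times:
            raise RuntimeError(f"{order_id}: upstream timeout, call {calls[0]}")
    return handler


def run_demo():
    pipe = CheckoutPipeline({"inventory": flaky(0),   # healthy
                             "email": flaky(2),       # recovers after 2 retries
                             "fraud": flaky(99)})     # down all run -> dead letter
    result = pipe.place_order("ord-1001", authorize_payment=flaky(0))
    pipe.drain()
    return result, sorted(s for s, _ in pipe.completed), pipe.dead_letter
```

In the synchronous chain described above the same outage of the fraud service would have failed the order outright; here the order is accepted, and the dead-letter entry is what monitoring and on-call act on.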
Internal architecture documents describe a system that does not fully match the deployed code. Different engineers describe the same systems differently.
The result is meeting time spent re-establishing shared context and engineering decisions made on incomplete shared understanding.
Where the Money Goes
Northwind's annual cloud bill is approximately $560K. Approximately $190K of that is recoverable without any change to the product.
| Service | Current Annual | Optimized | Recovery | What This Looks Like |
|---|---|---|---|---|
| Compute (EC2) | $228K | $116K | $112K | Three production instances running below 4% CPU. Right-size and reserve. |
| Database (RDS) | $164K | $82K | $82K | Provisioned for ~3x actual workload. Downsize and add read replicas as needed. |
| Storage (S3) | $76K | $44K | $32K | No lifecycle policies. Move year-old data to lower-cost tier. |
| Search (Elasticsearch) | $52K | $40K | $12K | Sized for projected document volume that did not materialize. |
| Other | $40K | $36K | $4K | Minor cleanup. |
| Total | $560K/yr | $318K/yr | $190K/yr | 34% reduction. ~60-day implementation. |
What Northwind Actually Runs
A simplified view of what's actually deployed. The full architecture map and dependency graph live in the Technical Deep Dive.
Questions for Your CTO
These questions surface information that a codebase audit can't see. Bring them to your next 1:1. Most can be answered in one conversation.
- The 22 committed credentials have been in source code for some time. Who has had access to the affected repositories in the last 18 months, and is there an incident response process if exposure is confirmed?
- The checkout outages in the last year: how have they been characterized internally, and what is the current customer-facing impact estimate?
- AWS spend has grown faster than headcount and revenue. Is there a quarterly cloud cost review, and who owns it?
- Engineering velocity is below where this team's experience and headcount suggest it should be. What does the team report as the top three blockers, and how does that compare to the findings here?
- AI-assisted development tools (Cursor, Copilot, Claude Code): what is the current adoption posture, and is there a baseline before broader rollout?