Built for growth-stage platform teams who’ve outgrown ticket queues but can’t open the floodgates.
One Click.
Any Resource.
Anyone in Your Org.
Your platform team publishes the patterns. The org consumes them from the catalog. Governance, audit, and cost attribution run on every deploy — not as a tier you upgrade to.
Team Workspace
Composite shape - 4 resources
This will provision:
Wraps the infrastructure-as-code, containers, and scripts your team already uses
The bind every growing platform team gets caught in
Centralised — and the org waits weeks for tickets.
Decentralised — and nobody knows who provisioned what.
The middle is what every growing platform team is trying to find.
Symptoms of a platform that hasn’t found the middle
Stuck behind the ticket queue
Need a new cloud account? File a ticket. GitHub org? Another ticket. IAM groups? Three more tickets. Wait weeks.
The platform team is the bottleneck
Every resource request flows through the same swamped team. Projects stall while a handful of engineers fight a queue they can’t drain.
Shadow IT or Slow IT
Teams either wait for approved resources or go rogue with ungoverned workarounds. Neither is acceptable.
Five Consoles, One Task
Provisioning a team workspace means logging into AWS, GitHub, Artifactory, Okta, and more. Separately. Manually.
A self-service catalog your platform team controls
Your platform engineers curate what goes in — best-practice infrastructure-as-code or your own, distilled to the minimum set of options anyone needs to pick. The org self-serves the result. Governance and audit are part of the substrate, not bolted on top.
The org self-servesfrom a catalog of patterns your team has ratified. No tickets, no infrastructure-as-code knowledge, no five-console choreography — just a button, a form, and a deployment that lands governed.
Governance runs on every deploy by default.Approval policies, plan review, and audit are not a tier you upgrade to — they sit on the same path as every action and apply whether the change came from a developer, an automation, or an executive in a hurry.
Cost and adoption become structural. Every resource carries the shape and team it came from, so the cloud bill explains itself. Every shape carries adoption signal, so your team finally has evidence of what their work is worth.
It wraps the runtime you already trust.Terraform, OpenTofu, Bicep, Pulumi, containers, shell scripts — if you can script it, you can shape it. No Platform Shape-specific language; the executor stays yours.
One blueprint ships many platforms.A team workspace is never just an AWS account — it’s the AWS account, the GitHub team, the IAM role, the Slack channel. One composite shape ships them as one atomic unit, executed as a graph by the platform.
Where this fits in your stack
Catalog and execute. Internal developer portals catalog what’s available. Platform Shape publishes, governs, andexecutes — the catalog is the deployment surface, not just the inventory.
Built for the broader org.Most IDPs surface developer tooling for engineers. Platform Shape extends governed self-service to the rest of your org — team leads, PMs, ops — anyone who needs governed infrastructure without being an engineer.
Your platform team’s work becomes visible, consumable, and measurable— without becoming the bottleneck that delivers it.
Everything platform teams need to ship governed self-service
Grouped around the five outcomes a platform team actually has to deliver.
Self-service
The whole org browses a catalog of patterns your team has published, picks one, and clicks deploy — no tickets, no HCL, no five-console choreography.
Shape Marketplace
Browse production-ready shapes for team workspaces, dev environments, data pipelines. Azure Verified Modules wrapped and live today.
Delegated provisioning
Team leads and product owners provision the resources their teams need — without losing the guardrails the platform team encoded into the shape.
Minutes, not weeks
Resources land in minutes. No tickets, no queues, no waiting on the right engineer to be available.
Governance
Approval policies, automated plan review, and audit run on the same path as every deploy — by default, not by configuration.
Pre-approved shapes
Platform teams publish shapes that already meet organisational standards. Consumers deploy only what’s been vetted.
Smart approval routing
Every plan is reviewed before the gate; the obviously fine ones flow, the risky ones queue for a human. Approvals never escalate beyond what your policy already grants.
Approval Workflows
Require sign-off on sensitive deployments. Route to the right reviewers, keep an audit trail, and move on — no chasing approvals in Slack.
Role-Based Access
Control who can create shapes, who can deploy, and who can approve. Granular RBAC that scales with your org.
Accountability
Every cost accountable. Every shape measured. The cloud bill explains itself; your team finally has signal on which work matters.
Audit log
Every login, role change, shape publication, deployment, and approval captured per org — queryable by actor, action, or outcome.
Cost attribution by shape
Tagging conventions baked into the shape. Every resource carries the team and shape it came from, so cost attribution becomes structural.
Version-Controlled Shapes
Shapes are versioned. Track changes, roll back mistakes, see exactly which version provisioned which resource.
Per-team isolation
Each team gets its own scope — resources, permissions, and audit boundary — without the platform team running a ticket queue to keep them separate.
Interoperability
A shape is a contract — inputs, outputs, schema. What runs inside is whatever your team already trusts: Terraform, OpenTofu, Bicep, Pulumi, containers, bash. If you can script it, you can shape it.
Wraps Any Runtime
Terraform, OpenTofu, Bicep, Pulumi, kubectl, your own internal binaries. No Platform Shape-specific DSL; the runtime stays yours.
Trigger From Anywhere
Kick off deployments from ServiceNow, CI pipelines, or ticketing tools with a secure per-shape webhook. Approvals and guardrails still apply.
Scoped API Tokens
Issue per-user or org-wide access tokens with the exact scopes they need. Built-in rate limits and full audit trail keep automation safe by default.
Composability
A team workspace is never just an AWS account. It's an AWS account and a GitHub team and an IAM role and a Slack channel. One composite shape ships them as one atomic unit.
Composite Shapes
Provision AWS accounts, GitHub orgs, Artifactory repos, and IAM groups as one versioned blueprint, executed as a DAG by the platform.
Failure-resilient composites
Mark any shape in a composite to always run last — regardless of upstream failures. Clean-up, notifications, and reporting steps execute every time.
Auto-wired composites
Compose multiple shapes into one blueprint and let the platform propose how they wire together. Review, accept or discard as a batch — authoring stays fast and you stay in control.
One-Click Onboarding
Onboarding stops being five-systems-and-a-runbook. One published blueprint, one catalog entry, one executed graph across every executor.
From your team’s catalog to the org’s self-service
Platform engineers wrap and publish what the org consumes. Every step traceable, every action attributable.
Author
Wrap your existing IaC, scripts, or containers
Platform engineers wrap Terraform, OpenTofu, Bicep, Pulumi modules, scripts, or container images as shape contracts — inputs, outputs, and an executor reference. No Platform Shape-specific DSL; your runtime stays yours.
name: postgres-cluster
version: 1.2.0
inputs:
- name: environment
type: select
options: [dev, staging, prod]
- name: instance_size
type: select
options: [Small, Medium, Large]
executor:
type: docker
image: hashicorp/terraform:latestPublish
Ratify into the catalog with approval policy attached
Attach the approval policy, set the audit scope, tag for cost attribution. The shape becomes a catalog entry — the org self-serves only what your team has vetted, only where it's been allowed.
Publish: PostgreSQL Cluster v1.2
Consume
Anyone in the org self-serves from the catalog
The org browses the catalog, picks a shape, fills the form, and clicks deploy. No tickets, no infrastructure-as-code knowledge, no five-console choreography. Just the patterns your team trusts.
Deploy PostgreSQL Cluster
Audit
Every action attributable, queryable, traceable
Every publish, approval, deploy, and configuration change captured per organisation. When the auditor asks who provisioned this, it's one query — not a Slack archaeology dig.
Audit log · acme-engineering
See self-service provisioning in action
Platform engineers publish shapes the org consumes from the catalog — no tickets, no YAML for the consumer, no waiting.
Marketplace
From a publishing system to a publishing network
Microsoft’s Azure Verified Modules— the curated, peer-reviewed catalogue of well-architected Azure patterns — are wrapped as Platform Shape shapes and live in the marketplace right now. Hundreds of patterns, governed and executable from day one.
A sample of what’s live
Bring your own
Wrap any Terraform, OpenTofu, Bicep, Pulumi module, container, or script in a shape contract. Publish it to your org’s catalog the same day.
The network compounds
Every published shape compounds the next. Orgs consume curated, well-architected patterns instead of reinventing them — and your team focuses on the work that’s actually unique to you.
Same features, different limits
Security shouldn't be a premium feature. Every plan includes encryption, SSO, RBAC, and audit — you pay for capacity, not for the controls.
Included in every plan
Starter
Spin up one team, prove the value, then scale
Usage limits
- 1 organization
- 5 users with OIDC
- 10 active services
- 1 concurrent agent
- 100 deployments/month
- 7-day log retention
- Community support
Pro
Lock in launch pricing as one of our first paying teams
Usage limits
- 3 organizations
- 25 users with OIDC
- 100 active services
- 5 concurrent agents
- 1,000 deployments/month
- 90-day log retention
- Email support (24hr response)
Enterprise
For organizations that need scale, compliance, and dedicated support
Usage limits
- Unlimited organizations
- Unlimited users with OIDC
- Unlimited services
- Unlimited agents
- Unlimited deployments
- 1-year log retention
- Dedicated support (4hr SLA)
- Custom integrations
- Compliance roadmap: SOC 2, ISO 27001, GDPR DPA
Have questions? Contact us
Velocity, governance, and audit posture — in the same product
The three things every platform leader gets asked about — answered in the product, not on a roadmap.
Approvals that flow at the speed of self-service
The risky changes still queue for a human. The boring ones don’t. Every plan is reviewed before the gate; only the changes that warrant attention reach a reviewer. Your team stops drowning in low-risk approvals and starts spending time on the ones that matter.
Your data stays inside your boundary
Every organisation gets its own encryption key, isolated state, and no shared keys across tenants. Service-to-service traffic is identity-verified and encrypted end-to-end. No noisy neighbours, no read-across, no exceptions.
Audit-ready without the audit drill
Every login, role change, shape publication, deployment, and approval is captured per organisation and queryable by actor, action, and outcome. When the auditor asks “who provisioned this?”, it’s one query — not a Slack archaeology dig.
Bring one pathfinder
use case.
A “if we could provision this in one click, the whole org would use it”candidate. We’ll model it as a shape together, publish it, and show you what self-service for it looks like the following week.