Tallence Cloud - SaaS Platform & Lead Magnet

Tallence AG, 2026

Team: 1 person (Product Owner, Architect & Full-Stack Engineer)

Stack: AWS Lambda, ECS Fargate, Amazon DynamoDB, Amazon S3, AWS Step Functions, Amazon API Gateway, Amazon Cognito, AWS Amplify Hosting, Amazon CloudFront, AWS WAFv2, AWS KMS, Amazon SES, Amazon EventBridge, CloudWatch RUM, AWS X-Ray, Amazon GuardDuty

Tallence Cloud platform homepage with headline 'Mit strategischem Weitblick sichern wir die Zukunft Ihrer Cloud-Infrastruktur.' ('With strategic foresight we secure the future of your cloud infrastructure.')

Overview

Tallence Cloud is the SaaS platform from Tallence AG that brings two jobs into a single codebase: a public consulting website for AWS services and a free AWS compliance tool. After cross-account onboarding, the platform scans customer AWS accounts against GDPR, ISO 27001, CIS, PCI-DSS, HIPAA, NIST 800-53, SOC 2 and the AWS Well-Architected Framework, then delivers prioritised findings, a risk score and a PDF report.

I built the platform from scratch as a one-person team between January and May 2026: architecture, frontend, 22 Python Lambdas, 17 Terraform modules, the ECS Fargate scan engine and the OIDC-based GitLab CI/CD pipeline. The platform runs in production at cloud.tallence.com.

Tallence Cloud landing page with free AWS Compliance Check, 8 frameworks, 572 checks per scan and a live risk score widget

Lead magnet entry: free AWS Compliance Check as a funnel into the consulting offerings

Challenge

Tallence needed a lead magnet that exposes real compliance gaps in mid-market AWS environments and pulls those leads into the consulting funnel. Enterprise CSPM platforms like Wiz or Orca are too expensive and too complex for the target audience, and the Prowler CLI is out of reach for non-technical buyers. Between DIY open source and six-figure licences there was no pragmatic entry point.

My personal hurdle was the role switch. For more than ten years I had orchestrated teams as a Product Owner and Architect and wrote production code only occasionally. On this project I wrote, reviewed and shipped everything myself. I had not used the modern Next.js stack in depth before kickoff. Terraform and Python Lambdas were familiar territory, Next.js, the Cognito SRP flow and Amplify Hosting were not.

On top sat a commercial constraint: the platform had to run serverless and cheap. Baseline cost had to stay well below market for comparable SaaS platforms so the free-tier strategy stays commercially viable.

Role

I was the entire team and held the following responsibilities in parallel:

  • Product Owner: backlog, roadmap, funnel logic (lead scoring, HubSpot sync, lifecycle qualifier)
  • System Architect: multi-tenant model with External ID, multi-region setup, cross-account security
  • Full-Stack Engineer: Next.js frontend, 22 Python Lambdas, 17 Terraform modules
  • DevOps Engineer: GitLab CI/CD with OIDC, KICS IaC scanning, secret detection, ShellCheck
  • QA Engineer: pytest, Vitest, Playwright with Axe accessibility

AWS Kiro acted as a code accelerator and sparring partner. Architecture decisions, security assumptions and refactorings stayed with me.

Process

I started with tenant isolation as the load-bearing architectural principle. Every user receives a randomly generated External ID in the Cognito post-confirmation trigger. The customer's cross-account role trusts the platform only under an sts:ExternalId condition that matches this value, and the platform presents it on every STS AssumeRole, so a request made on behalf of one tenant cannot be redirected into another tenant's account (the confused-deputy case External ID exists to prevent). DynamoDB items partition by user and account ID, S3 objects by user and scan prefix. The security baseline was in place before the first Lambda ran.

The compliance engine runs Prowler 5.x as an ECS Fargate task in a private subnet, with an AWS Distro for OpenTelemetry sidecar piping traces into X-Ray. A parser Lambda lifts raw findings from S3 into an internal schema. The report generator renders PDFs with ReportLab.

I learned the frontend stack while working through the delivery tickets rather than upfront: Next.js with static export, the Cognito SRP flow via the Amplify SDK, Tailwind for components. CloudFront is managed through Amplify Hosting, WAFv2 protects the API endpoints, and CloudWatch RUM measures real-user performance.

Infrastructure lives in two isolated accounts with separate Terraform states in GitLab's Terraform HTTP state backend. OIDC replaces static AWS credentials in the pipeline. All data at rest sits under customer-managed KMS keys. The primary region is eu-central-1, eu-north-1 serves as a fallback, and us-east-1 hosts only the resources that must live there (CloudFront certificates, Route 53 query logging).

Decisions

Serverless as the default, not an option. Lambda for every async workload, Fargate only where Prowler needs a long-running container. No EC2 instance anywhere. The choice pushed baseline cost down to around 100 USD per month at idle.

Static export over SSR. Next.js renders the entire marketing frontend at build time. The auth area calls Cognito and API Gateway client-side via the Amplify SDK. That removes a whole SSR Lambda layer, and the site caches fully on CloudFront.

Hand-rolled tenant isolation over a third-party identity layer. Cognito for identity, a platform-generated External ID per user, and a customer-side cross-account role whose trust policy requires that ID as a mandatory sts:ExternalId condition. No cross-account request leaves the platform without an explicit audit trail, and the scan engine receives strictly read-only access to the customer account.
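The External ID mechanism described in the Process section and in the decision above, as an added example that is not Tallence Cloud's code: it mints a per-user External ID, builds the trust policy the customer would attach to the cross-account role, builds the AssumeRole parameters the platform would pass to boto3, and models how STS evaluates the trust policy so the confused-deputy case (another tenant's ID, or no ID at all) is visibly denied. The platform account ID, the role name `TallenceCloudScanRole` and the `scan-<user>` session-name format are assumptions, not values from the page.

```python
"""Per-tenant External ID on cross-account AssumeRole (added example).

Assumed, not from the page: the platform account ID, the customer-side
role name and the session-name format. No AWS calls are made; the
evaluator below is a minimal model of the trust-policy check, not IAM.
"""
import re
import secrets
from typing import Any, Optional

PLATFORM_ACCOUNT_ID = "111111111111"          # hypothetical platform account
CUSTOMER_ROLE_NAME = "TallenceCloudScanRole"  # hypothetical customer-side role
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")  # STS RoleSessionName rule


def generate_external_id() -> str:
    """What the Cognito post-confirmation trigger would mint for a new user:
    32 random bytes, URL-safe, unique per user and never shared across tenants."""
    return secrets.token_urlsafe(32)


def customer_trust_policy(external_id: str) -> dict[str, Any]:
    """Trust policy the customer deploys on the scan role. The platform account
    may assume it only when it presents this user's External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_request(customer_account_id: str, user_id: str, external_id: str) -> dict[str, Any]:
    """Keyword arguments for boto3's sts.assume_role(**request).
    ExternalId is always set; the session name carries the tenant so the
    call is attributable in the customer's CloudTrail."""
    session_name = f"scan-{user_id}"[:64]
    if not _SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    return {
        "RoleArn": f"arn:aws:iam::{customer_account_id}:role/{CUSTOMER_ROLE_NAME}",
        "RoleSessionName": session_name,
        "ExternalId": external_id,
        "DurationSeconds": 3600,
    }


def trust_policy_allows(policy: dict[str, Any], caller_account_id: str,
                        presented_external_id: Optional[str]) -> bool:
    """Minimal model of STS evaluating the trust policy: the caller's account
    must match the principal, and if an sts:ExternalId condition exists the
    presented value must equal it. A policy without the condition allows any
    caller from the trusted account, which is the weak setting to avoid."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == presented_external_id:
            return True
    return False


if __name__ == "__main__":
    tenant_a, tenant_b = generate_external_id(), generate_external_id()
    policy_a = customer_trust_policy(tenant_a)
    print("own ID       ->", trust_policy_allows(policy_a, PLATFORM_ACCOUNT_ID, tenant_a))
    print("other tenant ->", trust_policy_allows(policy_a, PLATFORM_ACCOUNT_ID, tenant_b))
    print("no ID        ->", trust_policy_allows(policy_a, PLATFORM_ACCOUNT_ID, None))
    print(assume_role_request("333333333333", "8f1e0c2a-demo", tenant_a))
```

The point the model makes visible: the platform account alone is not the trust boundary. Tenant B's scan request, even though it originates from the same platform account, fails against tenant A's role because it carries tenant B's External ID, and a request that drops the ID entirely fails too.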

AI as code accelerator, not reviewer. AWS Kiro produced boilerplate, scaffolding and test stubs. Architecture decisions, security assumptions and refactorings stayed with me. Without that separation, the role switch from Product Owner back to Engineer would have collapsed into black-box programming.

Results

  • Full-stack MVP shipped in one month, from repo init to preprod-ready
  • 22 Python Lambdas, 17 Terraform modules and one Next.js app in a single monorepo
  • Baseline cost of around 100 USD per month in a productive multi-region setup (eu-central-1, eu-north-1, us-east-1)
  • Seven-stage GitLab pipeline with path-based change detection, Lambda build, KICS, secret detection, pytest, Vitest, Playwright and Axe accessibility
  • Security baseline by design: KMS CMKs everywhere, OIDC instead of static keys, WAFv2 in front of APIs, VPC with flow logs and an RDP-deny network ACL
  • The funnel encoded in code: free scan → Security & Risk Assessment → Cloud Governance Accelerator → Tallence Cloud Foundation or Container Operations
  • Three productised consulting offers listed in the AWS Marketplace and linked directly from the platform

The most important personal lesson: switching back into implementation took more energy than expected, but it sharpened the architectural intuition that flattens in a pure Product Owner role. Building a system yourself makes you cut the next one cleaner.

Learn more about my background, certifications, and how I work on the About page.
