We run Java platforms in production every day, and that experience is the bench behind every managed plan we offer. When your team needs a specific problem solved, you get senior engineers directly: no procurement maze, no junior hand-offs. 25+ years of Java, from people who still operate it daily.
Java & Quarkus development
We build Java platforms as well as run them. Our own control plane, Barista, is a Quarkus application, so we know the framework from the inside: Dev Services, native images, the build pipeline, and the sharp edges that only show up in production.
What this looks like in practice
Diagnosing a JDK 25 AOT cache crash. A Quarkus service started dying with SIGILL on startup. We traced it through the hs_err dump to an AOT cache trained on an AVX-512 CPU and loaded on hardware that lacked it: a portability trap JEP 483's own docs don't warn you about. The full post-mortem is here.
Quarkus development and modernization. Building new services and bringing older Java applications onto Quarkus, with Dev Services for tests, native images where they earn their keep, and Maven and Gradle releases flowing through GitOps pipelines.
Migrations & platform modernization
From monolith to microservices, physical servers to containers, or legacy application servers to modern stacks. We handle the analysis, plan the transition, and guide execution so your team navigates the migration smoothly without disrupting production. We explain what we changed and why, so your team can maintain it going forward.
What this looks like in practice
Keycloak production hardening. Deployed Keycloak with WebAuthn 2FA, brute-force protection, and OIDC/SAML federation across infrastructure tooling. Two-realm architecture separating internal admin from customer access. Experience running Keycloak both on Kubernetes and standalone, choosing the right deployment model per situation.
Java 21 to 25 LTS migration. Updated compiler targets, container base images, test frameworks, and connection pool sizing across a Quarkus application. Zero production issues.
Docker Compose to Kubernetes. Migrated legacy Docker Compose stacks to Kubernetes, including fixing API version compatibility breakage and container restart policy gotchas.
Performance analysis & troubleshooting
Slow response times, memory issues, or unexplained crashes? We dig into the stack, analyze JVM metrics, query patterns, databases, and infrastructure, then deliver concrete fixes with measurements that prove they work.
What this looks like in practice
PostgreSQL tuning for monitoring platform. Stock defaults on a server with plenty of memory. Tuned memory allocation, checkpoint settings, and maintenance parameters to match actual workload. Diagnosed and fixed bulk-delete freeze spikes, reclaimed gigabytes from bloated tables. Result: zero freeze spikes.
Observability noise reduction. Debug logs consuming 95% of log volume: 2.4 million lines per hour cluster-wide. Added path exclusions and drop stages. Result: 97.6% reduction to 51K lines per hour.
Database optimization. Heavy queries on large datasets without proper indexing. Analyzed query planner behavior, recommended the right index strategy and query timeouts.
Security & architecture reviews
Sometimes you need someone to look at your setup with fresh eyes. We review your architecture, identify risks, and harden your platform, from identity management to intrusion detection. We fix the problem and write down why, so your team can maintain it afterwards. No 60-page report, just the changes and the reasoning.
What this looks like in practice
Multi-site identity & secrets architecture. Designed and deployed OpenBao (Raft cluster across 3 datacenters) and Keycloak SSO with WebAuthn across admin tooling. Chose the right deployment model for each component based on dependency chains and operational requirements.
CrowdSec IDS/IPS/WAF. Centralized intrusion detection with syslog aggregation from network equipment. OWASP CRS rules on HAProxy, path-based scanner blocking, automated IP blocking via community and local threat intelligence.
Kubernetes disaster recovery. Encryption keys for sealed secrets lost after infrastructure change. Recovered from etcd backup, restored all secrets. Cluster operational same day.
Vulnerability management pipeline. Trivy scanning across every host with a custom dashboard for change detection: new findings, resolved findings, severity shifts. ISO 27001-aligned workflow with suppression rules and expiry tracking.
This is the engineering depth that backs every managed platform, available directly when your team needs it. Tell us what you're facing and you'll get an honest take on whether we can help.
Start with an email
Email support@coffeesprout.com with a short description of your challenge and timelines. We respond within one business day with honest next steps.