Multi-Cloud Cost Intelligence — Self-Hosted
FinOps for AWS, Azure, and Google Cloud — running inside your own account. Read-only, customer-owned data, one prioritized ranking across all three clouds.
Refine is a self-hosted cost-intelligence platform that connects read-only to AWS, Azure, and GCP and ranks every cost-optimization opportunity across all three clouds in a single prioritized list — with dollar impact, executable CLI commands, and a Suggested → Accepted → Implemented → Verified audit trail.
It runs as a Docker container inside your own AWS account. Per-cloud collectors write summary data to buckets you own. No data ever leaves your environment.
One product, three clouds, every cost lever.
Compute (EC2, Azure VMs, GCE), databases (RDS, Azure SQL, Cloud SQL), containers (Fargate, AKS, GKE), serverless (Lambda, Functions), caching (ElastiCache, Redis), and the long tail of orphaned disks, idle NAT gateways, oversized log retention, and unused public IPs.
AWS Savings Plans + Reserved Instances, Azure Reservations + Savings Plan for Compute, and GCP Committed Use Discounts — with utilization tracking and guardrails that block recommendations that would put an active commitment underwater.
Conservative / Default / Aggressive presets per resource class, plus per-resource policy flags (Permanent, Size-Locked, Exclude-from-Commitments) so a contractual resource never produces an unwanted recommendation.
Tag-based and signal-based cleanup of stale resources across all three clouds, with ready-to-run aws, az, and gcloud scripts your administrators review and execute. Refine never touches your environment.
Runs inside your AWS account. Collectors write to your S3 / Blob / GCS buckets. Air-gap-deployable. Ed25519-signed offline license. No SaaS ingest, no telemetry, no Blacktip-side store.
LDAP / Active Directory / Entra ID SSO with ROOT / ADMIN / USER roles and per-account-group scoping. Every recommendation lifecycle event is logged with the user who took it.
Refine is a CloudFormation product on AWS Marketplace. One-click subscribe, launch the stack in your account, and Refine pulls itself from AWS Public ECR. We deliver your Ed25519-signed license to your CFN-provisioned S3 bucket; a license-watcher daemon installs it within 60 seconds and Refine boots.
Live link to the AWS Marketplace listing will be published here once AWS completes review. In the meantime, email corporate@blacktip-ops.com for an early-access conversation.
From subscribe to first dashboard in 10–30 minutes.
Accept the Standard Contract for Marketplace (SCMP). Subscription is free — your AWS bill only reflects the EC2/EBS resources the stack provisions in your own account.
One-click from the Marketplace listing. The stack provisions an EC2 host, an IAM role scoped to S3 + SSM, an S3 license-delivery bucket, and (optionally) an HTTPS Application Load Balancer with your ACM certificate.
On first boot the EC2 pulls public.ecr.aws/blacktip/refine:vX.Y.Z and starts in a waiting-for-license loop. No waiting on Blacktip.
Fill in our one-page license-request form with your CFN Outputs and the cloud accounts Refine will monitor. Blacktip emails you a ~500-byte Ed25519-signed license file within one business hour.
One aws s3 cp refine.license s3://<your-DeliveryBucketName>/ from any shell with access to your AWS account — Commercial or GovCloud, works the same since the upload runs from your environment. ~5 seconds.
A watcher daemon on the EC2 polls the bucket every 60 seconds, atomic-swaps the license in, and restarts the container. Refine validates the license offline against an Ed25519 public key baked into the image, and the UI is live ~30 seconds later.
AWS — one-click CloudFormation per account. Azure — one-line curl | bash in Cloud Shell. GCP — a Terraform module. First recommendations appear within minutes of the first sync.
Refine never requests or accepts write credentials. Per-cloud collector roles are strictly Describe / List / Get. The host stack creates only S3-read + SSM permissions.
Cost and inventory summaries land in S3 / Blob / GCS buckets you own. Refine reads from those buckets. There is no Blacktip-side store and no network path back to Blacktip.
License is a ~500-byte signed payload bound to your installation ID. Verified offline against a public key baked into the binary. No phone-home, no internet dependency.
Refine inherits the customer's account-level boundary — FedRAMP via GovCloud, HIPAA via AWS BAA, ISO 27001 / SOC 2 via AWS. Blacktip holds no standalone authorizations because there is no Blacktip-side data path to authorize.
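One way to check the "strictly Describe / List / Get" claim for a collector role before deploying it, shown as an added example rather than Refine's own code: the sketch below scans an AWS IAM policy document and reports every allowed action that is not provably a read verb. The policy shown is a constructed sample, and the function names are hypothetical.

```python
import json

READ_PREFIXES = ("describe", "list", "get")  # the three verb families the page names

# Constructed sample policy (not Refine's actual collector policy).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "rds:DescribeDBInstances",
                "s3:ListBucket", "ce:GetCostAndUsage"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:StopInstances", "s3:*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")


def as_list(value):
    """IAM allows a single object/string where a list is expected."""
    return value if isinstance(value, list) else [value]


def non_read_actions(policy):
    """Return Allow'd actions that are not provably Describe/List/Get."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction (allows all but listed actions)")
            continue
        for action in as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            # Action names are case-insensitive; a wildcard is acceptable only
            # after a full read prefix ("Get*" passes, "G*" and "*" do not).
            if not verb.lower().startswith(READ_PREFIXES):
                findings.append(action)
    return findings


if __name__ == "__main__":
    for finding in non_read_actions(SAMPLE_POLICY):
        print("not read-only:", finding)
```

The check is name-based: it confirms that no mutating verbs are granted, but Get actions such as s3:GetObject still read data, so the Resource scope of each statement deserves the same review.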
Want a pilot, a demo, or to discuss enterprise pricing? Email corporate@blacktip-ops.com — Annette and Blake reply directly.