Infrastructure Control

The Vendor Hostage Pattern: Why You Don't Actually Own Your Infrastructure

By Jeff Wray

*Examples in this article are based on real client engagements with identifying details modified for confidentiality.*

"We want to bring development in-house, but our vendor says it'll take 3-4 months and cost $75K to transition everything." The CEO was stunned. "We've paid them $400K over two years. Don't we own this?"

Turns out: No. They didn't own any of it.

The Pattern: How It Happens

You hire a development shop. They're professional, responsive, and deliver on time. The application works great. Everything seems fine. Then one day you need to make a change—hire a new developer, switch vendors, or bring things in-house—and you discover the trap.

What You Think You Own vs. What You Actually Control:

What's in the vendor's control:

  • ✗ AWS/Azure/GCP admin console
  • ✗ Production database
  • ✗ CI/CD pipeline
  • ✗ All API keys and secrets
  • ✗ Domain/SSL certificates
  • ✗ Monitoring and logs
  • ✗ Third-party service accounts

What you have access to:

  • ✓ Read-only GitHub access
  • ✓ Staging environment URL
  • ✓ ...that's it

The $75K Separation

When you finally decide to leave, here's what "transition" actually means:

  • 1.
    Create new infrastructure from scratch - Can't just transfer their AWS account to you. Have to rebuild everything in your account. (4-6 weeks)
  • 2.
    Migrate the database - Export, test, verify, switch over. Hope nothing breaks. (2-3 weeks)
  • 3.
    Recreate all API integrations - New keys, new webhooks, new service accounts. (1-2 weeks)
  • 4.
    Transfer the domain - Unlock, get auth codes, hope they cooperate. (1-2 weeks)
  • 5.
    Document everything they never documented - Figure out what they built and how it works. (Ongoing nightmare)

Timeline if they cooperate:

8-10 weeks, $50-75K in migration costs

Timeline if they don't cooperate:

3-4 months, $100K+, possible data loss, 2-4 weeks operational disruption

How This Should Have Been Set Up

Professional development shops set things up the right way from day one. Here's what that looks like:

1. Infrastructure in Your AWS/Azure/GCP Account

The dev shop gets IAM roles to deploy and manage. You keep ownership. You pay the cloud bills directly. No markup, full transparency.

Separation cost if this is done right: Remove their IAM access. Done. (5 minutes)

2. Repository in Your GitHub Organization

Add dev shop team members as collaborators. They can commit and deploy. You can see everything. No "code handoff" needed later—you already have it.

Separation cost if this is done right: Remove their collaborator access. Done. (2 minutes)

3. Third-Party Services in Your Name

Stripe account? Your business entity. SendGrid? Your account. Google Analytics? Your property. The dev shop helps set them up, but they're registered to you.

Separation cost if this is done right: Change who has admin access. Done. (30 minutes)

The Questions You Should Have Asked

Before you sign with a dev shop, ask:

  • "Will the application run in my cloud account or yours?"
    Good answer: "Yours." Bad answer: "Ours, for simplicity."
  • "Will I have admin access to everything from day one?"
    Good answer: "Yes, we'll set up your admin account first." Bad answer: "You don't need that."
  • "If we part ways, what's involved in me taking over?"
    Good answer: "Nothing, you already own it." Bad answer: "We'd need to migrate everything."

Why Dev Shops Do This

To be fair, it's not always malicious:

  • Habit: "This is just how we've always done it"
  • Convenience: Easier to use their existing accounts and infrastructure
  • Control: Prevents clients from accidentally breaking things
  • Revenue: Cloud markup and guaranteed ongoing engagement
  • Leverage: Makes it harder for you to leave

But regardless of intent, the result is the same: You're locked in.

If You're Already Locked In

Found yourself in this situation? Here's what to do:

Option 1: Negotiate a transition

Budget 8-10 weeks and $50-75K. Get it in writing. Expect it to take longer.

Option 2: Gradual migration

Set up new infrastructure alongside old. Migrate piece by piece. Slower but less risky.

Option 3: Accept the relationship

If they're good and prices are fair, sometimes the devil you know is better than the migration nightmare.

The Bottom Line

You can't manage what you don't control. You can't control what you don't own.

If your vendor relationship ended tomorrow—amicably or otherwise—could you:

  • • Deploy an update to your application?
  • • Access your production database?
  • • Renew your SSL certificate?
  • • View your application logs?
  • • Hire a new developer and give them access?

If the answer to any of these is "no" or "I think so, maybe?" you're in the hostage pattern.

Need Help Evaluating or Escaping Vendor Lock-In?

A fractional CTO can audit your current setup, identify dependencies, and plan your path to independence—before it becomes a crisis.

Schedule a Free Consultation