Written by Christian Simard · Last updated 2026-06-04 · 9 min read
Key takeaways
- The cloud bill is the small cost; engineering labour dominates 5-year TCO.
- Building means owning identity, OTA, RBAC, multi-tenancy, audit and SOC 2 forever.
- Hidden costs (maintenance, on-call, key-person risk) dominate years 2–5.
- Build only if the platform is your differentiator and you can own it long term.
- A managed platform still interfaces with AWS/Azure when needed — buying isn’t lock-in.
The estimate that gets it wrong
Build-vs-buy decisions usually start from the wrong number: the monthly cloud bill. That comparison makes “build” look obviously cheaper. But the cloud bill is not the cost of a platform — the cost of a platform is the people who build, run and secure it. Reframe the comparison around five-year total cost of ownership and the picture inverts.
What “build” actually includes
| Cost | Build on hyperscaler | Buy a managed platform |
|---|---|---|
| Time to first product feature | 12–24 months of platform work first | Day one |
| Device identity, OTA, RBAC, multi-tenancy | You design and own all of it | Included |
| Audit trail & SOC 2 evidence | Your responsibility to build & certify | Within the platform’s perimeter |
| Maintenance, security patching, on-call | Forever, your team | Vendor |
| Key-person risk | High when platform authors leave | Low |
| Cloud fees | Yours | Bundled / passthrough |
The hidden costs that dominate years 2–5
First-year estimates almost always omit the costs that actually pile up: ongoing maintenance, continuous security patching, on-call rotations, the work of producing and renewing compliance evidence (a SOC 2 report doesn’t happen by itself), and the key-person risk when the engineers who built the platform move on. Add the opportunity cost — those senior engineers are not working on your product — and the build path’s TCO climbs well past the buy path for most teams.
When building is the right call
Build when the platform itself is your product, or a core and defensible differentiator, and you have a team committed to owning it for the long term. If your customers buy you because of your platform, own it. If they buy your device and your application, the platform underneath is plumbing — and undifferentiated plumbing is cheaper bought than built.
Buying isn’t lock-in
A common objection is that buying a platform cuts you off from the hyperscalers. It doesn’t have to. A managed platform like Fundamentum gives you the control plane — device identity, governed OTA, RBAC, SOC 2 Type II audit trail — on day one, and still interfaces with AWS, Azure or Google Cloud where your architecture requires it. You buy the plumbing and keep building your differentiator.
Where Fundamentum fits
Fundamentum is the ‘buy’ option in this analysis: a Canadian IoT platform that hands you device identity, governed OTA, role-based access and a SOC 2 Type II audit trail on day one — and still interfaces with AWS, Azure or Google Cloud if your architecture requires it. You skip the 12–24 month platform build and put your engineering where it differentiates the product.
Frequently asked questions
Isn’t building on AWS/Azure cheaper than paying for a platform?
Only if you ignore engineering cost. The hyperscaler bill is the small part; the expensive part is the 12–24 months of senior engineers building identity, OTA, RBAC, multi-tenancy, audit and residency — then maintaining and securing it for years. Over five years, build TCO is usually dominated by labour, not cloud fees.
What hidden costs does the build path carry?
Ongoing maintenance, security patching, on-call, compliance evidence (SOC 2 doesn’t happen by itself), key-person risk when the platform’s authors leave, and the opportunity cost of engineers not working on your product. These rarely appear in the first estimate and dominate years 2–5.
When does building your own platform make sense?
When the platform itself is your product or a core, defensible differentiator, and you have the team to own it for the long term. For most companies whose product is the device and the application, the platform is undifferentiated plumbing — better bought.
Does buying a platform lock me out of AWS or Azure?
No. Fundamentum can interface with AWS, Azure or Google Cloud where your architecture requires it, while keeping a governed, residency-aware control plane over the devices. You get the managed control plane without giving up cloud interoperability.