PRODUCT ARCHITECTURE

Read-only Azure cost audits, to verified action.

Costframe connects to Azure read-only, normalizes daily cost data, detects cloud waste, prices each finding at your net rate, and tracks savings until they show up in the bill.

01 · PIPELINE ARCHITECTURE

How Costframe works

Seven steps from connection to realized savings. Each one leaves an audit trail your engineering and finance teams can check.

CONNECT · 01

Read-only access

Create a Service Principal with Reader and Cost Management Reader roles. You restrict the scope to specific subscriptions; Azure's security model enforces it.

$ az ad sp create-for-rbac --role "Reader" --scopes "/subscriptions/..."

NORMALIZE · 02

Unified ledger

Costframe ingests daily ActualCost records, resource inventory, and tags into one normalized ledger per organization. One queryable source of truth.

$ source: ActualCost · sync: daily · currency: USD · timezone: UTC

DETECT · 03

More than 20 detectors

More than 20 detectors evaluate utilization over time and resource state to catch idle and oversized compute, stopped-but-billing VMs, unattached disks, unused public IPs, and more.

$ rules_loaded: 23 · scope: compute, storage, network, sql

PRICE · 04

Actual negotiated net rates

Savings are quoted at your net rate. Costframe applies your organization discount and the weekly-synced Azure Retail Prices catalog, not generic retail estimates.

$ net_rate = list_rate * (1 - discount_pct) · catalog: weekly sync

VERIFY · 05

Evidence attached

Every finding carries the CPU utilization history and price references behind it. Engineers review with the same numbers Costframe used.

$ finding_id: fnd_ea_vm_982b · status: verified_evidence

ACT · 06

Resolve with confidence

Each finding states the recommended change and your team executes it. Costframe holds no write access, so every change stays in your hands.

$ action_type: resize_vm · target_sku: Standard_D2s_v5

REPORT · 07

Invoice reconciliation

Resolved findings are tracked against the daily cost sync, so realized savings reflect what Azure actually bills, not what a model predicted.

$ realized_savings: tracked against daily ActualCost sync

02 · THE WORKING SURFACE

Real-world audit evidence, styled like a ledger.

No black-box recommendations. Each finding reads like a verification sheet: the CPU baseline, the current and recommended SKU, and the catalog price reference behind the savings number.

Telemetry-verified baselines

Findings cite CPU utilization from Azure Monitor, so an oversized VM is proven by its own history, not guessed from its size.

Clear engineering owners

Findings carry their resource group and tags, so the owning team can pick them up without a hunt through the portal.

[Figure: audit evidence card with finding details and telemetry sparklines]

[Figure: Cost Explorer, illustrative savings model, "Net Discount vs. Retail List Reconciliation" (EA profiled). Azure Retail List: $12,480; Your EA Net Rate: $8,436; Saved gap: $4,044/mo. Series: Actual Invoiced Spend, List Retail Cost.]

03 · RECONCILIATION ENGINE

Net price aware optimization.

Generic optimization tools quote savings at Azure retail list prices. If you have an Enterprise Agreement or partner discount, those numbers are wrong for you.

Costframe applies your organization discount to quote each recommendation at the post-discount rate you are actually invoiced. The list price is shown alongside, never counted twice.

AI COST ADVISOR FAQ

Can't I just use ChatGPT, Gemini, or Copilot to find these savings?

You can get a rough one-off estimate that way, but not a number finance will sign off on. A general AI assistant prices against Azure list rates rather than your negotiated net rate, has no verified utilization data behind its claims, and would need ongoing access to your production tenant to stay current. Costframe attaches the resource ID, utilization history, and price math to every finding, prices at your net rate, and reconciles realized savings against the actual invoice.

Compare Costframe with general AI assistants →

service-principal · requested roles
# acceptable roles (read-only)
Reader
Cost Management Reader

# rejected roles (write-capable)
Owner, Contributor, or any role with write access

# cryptography standards
AES-256-GCM · stored encrypted at rest
Decrypted strictly inside isolated worker nodes

04 · TRUST BOUNDARIES

Read-only by design.

Costframe requests two roles: Reader and Cost Management Reader. The Azure clients contain no write paths, so no person or process on our platform can deploy, shut down, modify, or delete a resource in your tenant.
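
A tenant owner can check this boundary from their own side by auditing what the service principal was actually granted. The following is an added example, not Costframe's code: it reads JSON in the shape produced by `az role assignment list --assignee <appId> --all --output json` and flags any role outside the two named above, or any assignment scoped outside the subscriptions you intended. The function names, the sample data, and the subscription ID are constructed for illustration.

```python
import json

# Roles the page says Costframe requests; anything else is out of policy.
ALLOWED_ROLES = {"Reader", "Cost Management Reader"}

def scope_within(scope, allowed_subscriptions):
    """True if scope is one of the allowed subscriptions or a child of one."""
    s = scope.rstrip("/").lower()  # Azure resource IDs are case-insensitive
    for sub in allowed_subscriptions:
        root = f"/subscriptions/{sub}".lower()
        # Require an exact match or a "/" boundary so a longer ID cannot match.
        if s == root or s.startswith(root + "/"):
            return True
    return False

def audit_assignments(raw_json, allowed_subscriptions):
    """Return (kind, role, scope) findings for out-of-policy assignments."""
    findings = []
    seen = set()  # allowed roles found at an in-policy scope
    for a in json.loads(raw_json):
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in ALLOWED_ROLES:
            findings.append(("unexpected_role", role, scope))
        elif not scope_within(scope, allowed_subscriptions):
            findings.append(("scope_too_broad", role, scope))
        else:
            seen.add(role)
    # An expected role that never appears in scope means the grant is incomplete.
    for role in sorted(ALLOWED_ROLES - seen):
        findings.append(("missing_role", role, None))
    return findings

# Constructed sample input (hypothetical principal, placeholder subscription ID).
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Cost Management Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app"},
])

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, [SUB]):
        print(finding)
```

Run against a correctly configured principal, the function returns an empty list; a scheduled run that alerts on any non-empty result catches later role drift.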

Read the security architecture →

Turn cloud waste into a verified action list.

Grant Reader and Cost Management Reader, run the first audit, and review the findings with engineering and finance at the same table.