What I Stopped Outsourcing (and What I'll Never Build In-House)

The average DevOps engineer stays for 2.3 years. When they leave, they take months of institutional knowledge with them — the deployment scripts they wrote but didn't document, the monitoring thresholds they tuned by feel, the incident response muscle memory that doesn't transfer through a wiki page. Replacing them takes 3-6 months including recruiting and ramp-up. That gap is the real cost of building everything in-house.

After fourteen years of making this decision in both directions — sometimes right, sometimes expensively wrong — I've landed on a framework that has nothing to do with ideology and everything to do with where knowledge lives when someone leaves.

What I stopped outsourcing

Anything that touches our clients' data or our infrastructure stays in-house. Authentication, deployment pipelines, monitoring, and the operational tooling that connects them — these are the systems where institutional memory matters most and where the cost of context loss is highest.

This is the same principle behind the two-person studio model: when the people who built the system are the same people who operate it, there's no translation layer. No handoff documentation that's already outdated by the time it's written. No "let me check with the vendor" when something breaks at midnight.

The Deloitte Global Outsourcing Survey found that 70% of organizations outsource to reduce costs. But cost reduction as a primary driver leads to the most common outsourcing failure: optimizing for the cheapest provider rather than the most context-appropriate one. Self-hosting costs are dominated by operations — and the operations cost of a misaligned outsourcing relationship is higher than the operations cost of doing it yourself.

What I'll never build in-house

Payment processing. Auth providers for standard OAuth flows. CDN and DDoS mitigation. Email deliverability infrastructure. These are solved problems with regulatory, compliance, and scale requirements that no small team should absorb.

PCI DSS compliance alone for a self-managed payment flow would consume more engineering time than our entire client delivery operation. Stripe's 2.9% per transaction isn't a hosting cost — it's a compliance and liability cost. The same logic applies to Cloudflare's WAF, Auth0's OAuth implementation, and any service where the security surface area is larger than your team's capacity to monitor it.

This is the decision framework from when to automate and when to hire, applied to infrastructure: if the failure mode is "our business is exposed to regulatory liability," outsource it to someone whose entire business depends on preventing that failure.

DevOps talent commands $180,000 to $250,000 in 2026 salaries. The global outsourcing market exceeds $1.02 trillion. But those numbers are meaningless without the context of what you're outsourcing and why. Vendor consolidation matters more than vendor cost.

The hybrid model that actually works

The most effective approach isn't purely in-house or purely outsourced — it's deliberately hybrid. Core systems that define your competitive advantage stay internal. Commodity infrastructure gets outsourced to specialists. And the boundary between those two categories gets reviewed annually, because it moves.

Something I learned through the hiring mistakes I've made: the worst outsourcing decisions happen when you outsource before you understand the problem well enough to specify what you need. If you can't clearly define requirements upfront, vague projects paired with external vendors equal budget overruns. Keep it in-house until you can articulate exactly what success looks like.

AI-first outsourcing strategies in 2026 achieve measurably higher throughput and lower rework rates. But "AI-first" doesn't mean "no humans" — it means the vendor's processes are designed around AI-augmented workflows rather than pure labor arbitrage. If a provider's value proposition centers on "more people," the cost structure is already inefficient.

The knowledge test

When I'm deciding whether to build or buy, I ask one question: "If the person responsible for this leaves tomorrow, how long does it take us to recover?"

If the answer is "we can't" — it needs to be either deeply documented or outsourced to a provider with contractual SLAs and redundancy. If the answer is "a few days" — it can stay in-house with reasonable documentation. If the answer is "we wouldn't even know it was broken" — that's the most dangerous category, and it needs immediate attention regardless of where it lives.

Building systems before you need them is the operational discipline that makes the hybrid model work. The systems aren't just the code — they're the documentation, the runbooks, and the monitoring that makes knowledge transferable instead of personal.

Related reading

• The Two-Person Studio Model: Why We Don't Scale Headcount
• The Hire You Think You Need Is Usually a Tool You Haven't Built
• When to Automate and When to Hire
• Institutional Memory That Survives Turnover
• What I Got Wrong About Hiring

Frequently Asked Questions

What should a small team never outsource?

Anything where the loss of context would be catastrophic: core product logic, client data handling, deployment pipelines, and the monitoring that tells you when something is broken. These are the systems where institutional memory has the highest value and where the cost of a vendor misunderstanding your requirements is measured in client trust, not just dollars.

What should a small team always outsource?

Payment processing (PCI compliance alone justifies it), CDN and DDoS protection, standard OAuth/OIDC authentication, and email deliverability infrastructure. These are solved problems with security and compliance surfaces larger than a small team can responsibly monitor. The cost of the managed service is almost always less than the cost of maintaining it yourself.

How do you evaluate whether an outsourcing relationship is working?

Three signals: response time to issues (measured in hours, not days), quality of documentation they produce (not just deliverables), and whether your team's understanding of the outsourced system increases over time or decreases. If you know less about what they're doing for you after a year than you did after the first month, the relationship is creating dependency, not capability.

Is the build-vs-buy decision different in 2026 than it was five years ago?

Yes. AI-augmented development tools have reduced the cost of building in-house, but AI-first outsourcing providers have also improved the quality of external delivery. The net effect is that the decision is more context-dependent than ever. The question isn't "build or buy" — it's "where does knowledge need to live for this system to be resilient when someone leaves?"