Key terms and concepts used throughout TurboFinOps and this documentation.
Action
A remediation workflow triggered by a user in response to a finding. Actions have a lifecycle: created → approved → executed → verified. Every action produces an audit log entry.
Action Mode
Per-scope setting that controls how TurboFinOps handles execution. Options: suggest (recommendations only), manual_approval (user must confirm before execution), safe (auto-executes low-risk actions), auto (fully automated). Default is manual_approval.
Audit Log
An immutable record of every state-changing operation in TurboFinOps, including who performed it, when, what was changed, and what evidence was produced.
BYOAI (Bring Your Own AI)
TurboFinOps's model for AI features: instead of operating a shared AI service, customers provide their own API key for an AI provider (OpenAI, Azure OpenAI, Anthropic). TurboFinOps uses that key to generate explanations and summaries.
Cloud Connection
A set of credentials (IAM role ARN, Azure App Registration, GCP service account key) that allows TurboFinOps to authenticate to a cloud provider. One connection can cover multiple scopes.
Commitment Optimizer
A feature that identifies resources eligible for Reserved Instances, Savings Plans, or committed use discounts based on observed utilization patterns.
Conflict Detection Guard
A safety check that runs before every action execution. It verifies that the target resource is not protected by an IaC ownership tag, is not within a freeze window, and is not flagged by a policy protection rule.
Detection
A logic unit that evaluates one condition against your cloud inventory. Each detection has a provider scope, severity, and optional remediation action.
Domain
TurboFinOps organizes findings into four domains: FinOps (cost waste), Security (exposure and access), Governance (policy and tagging), and Audit (evidence readiness).
Evidence Artifact
A generated document (JSON, CSV, or PDF summary) that captures the state of findings, resources, or actions at a specific point in time. Used for compliance reviews and audit readiness.
Finding
A detected issue in your cloud environment, generated from your current inventory. Each finding has a domain, severity, status, and estimated impact.
Finding Status
The lifecycle state of a finding: open (unresolved), in_progress (action underway), resolved (fixed), suppressed (acknowledged and accepted), or wont_fix (deprioritized).
Freeze Window
A configured time period during which TurboFinOps will not execute automated actions against a scope. Used to protect production deployments, release windows, or compliance periods.
Governance Policy
Organization-level configuration that defines required resource tags (owner, cost_center, environment, etc.), allowed regions, and other control requirements. Evaluated continuously against inventory.
IaC Ownership Tag
A tag applied to a cloud resource (e.g. managed-by: terraform) that signals the resource is managed by infrastructure-as-code. TurboFinOps's conflict guard checks for these tags before executing any action.
Inventory
The normalized record of all cloud resources discovered by TurboFinOps across all connected scopes. Resources are updated on each scan.
Organization
The top-level tenant in TurboFinOps. All connections, scopes, findings, users, and settings belong to an organization. Users can belong to one or more organizations.
Policy Pack
A pre-configured set of governance rules for a specific framework or use case (e.g. "AWS CIS Benchmark tags", "Cost Center compliance"). Built-in policy packs ship with TurboFinOps; custom packs are available on Professional and Enterprise plans.
Provider
A cloud service provider. TurboFinOps supports aws, azure, and gcp.
RBAC
Role-Based Access Control. TurboFinOps enforces five roles: Admin, FinOps, Security, Auditor, and Viewer. Each role has a defined set of permissions enforced server-side on every API request.
Rightsizing
The process of matching a resource's configuration (instance type, size) to its actual usage. TurboFinOps identifies rightsizing candidates and provides specific target recommendations based on observed utilization.
Scan Job
A background task that queries your cloud provider APIs for current resource state, applies all applicable rules, and generates or updates findings. Scan jobs are queued via Redis and run asynchronously. You can queue one scope, or every active scope on a provider at once (one metered job per scope). Scan type (Full, Delta, Targeted) selects which provider API groups run — it is not a diff-only incremental pass compared to your previous job.
Scope
A single discoverable unit: one AWS account, one Azure subscription, or one GCP project. Scopes are linked to a connection and define what TurboFinOps can see and act upon.
Score
A 0-100 metric per domain (FinOps, Security, Governance, Audit) that reflects the current posture of your cloud environment. Lower scores indicate more open findings with higher weighted severity.
Severity
The impact level of a finding: critical, high, medium, or low. Severity affects score weighting and finding prioritization.
Tenant Isolation
TurboFinOps is designed to keep each organization's data isolated from other tenants. Tenant-scoped queries are filtered by organizationId and enforced server-side, with monitoring and audit controls to detect regressions.
VM Scheduling
Automatic start/stop of virtual machines (EC2, Azure VMs, GCE) based on a configured business-hours schedule. Reduces cost by stopping VMs when they are not needed (nights, weekends).