This is the second post in our four-part series: Assess, Mobilize, Migrate, Modernize.
The first covers how DuploCloud approaches Assess and why people and processes matter as much as technology.
You can find that post here.
In this post, we’ll discuss Mobilize. It is here that assessment insights turn into enforced infrastructure. This is where we begin to set the patterns for migration success.
This guide is specifically for teams ready to move forward. It may also serve those who need a reset in order to get migrations back on track.
What Mobilize Looks Like in Practice
Here’s what we’re looking at in this phase:
Your assessment is complete.
You know what you’re running, what you want to migrate, and which modernization opportunities matter most.
The question your team is facing next is: how do you translate those findings into a production-ready AWS foundation? And how do you do it without losing months to infrastructure plumbing, security rework, and decision gridlock?
This is where the Mobilize phase comes in. At DuploCloud, Mobilize is where you build core capabilities across your team and AWS environment. It’s where you’re validating security and automation in a scalable landing zone.
We structure Mobilize around eight workstreams delivered across eight two-week sprints. And we do this so that migration can proceed as a repeatable blueprint rather than a sequence of one-off projects.
Why Mobilize is Where Most Migrations Quietly Fail
Most organizations underestimate what Mobilize demands. The root causes of stalled migrations consistently trace back to foundational gaps that should have been closed during Mobilize.
You’re looking at:
- Inconsistent environments
- Security controls bolted on after the fact
- Compliance requirements discovered mid-migration
- Teams that lack the operational patterns to manage what they have built
For teams already on AWS, Mobilize often means rationalizing years of organic growth. This means:
- Multiple account structures with inconsistent security configurations
- Teams deploying through different toolchains
- Compliance controls that exist as policy documents but are not enforced as guardrails
The assessment surfaced these patterns. Mobilize is where you fix them before scaling.
For teams migrating from on-premises, the stakes are higher. Mobilize is more than a configuration; it’s a translation. Network perimeter security models don’t map directly to IAM and security groups. Change management processes designed for physical infrastructure don’t translate to infrastructure as code. The operational knowledge concentrated in individuals needs to be encoded into:
- Automation
- Runbooks
- Self-service tooling
And this encoding needs to be done before migration begins.
For teams whose migrations have stalled, Mobilize is a structured reset, not a delay. Rebuild the wave plan using dependency data and the seven Rs. Establish benefit tracking and KPIs. Close the landing zone, security baseline, and operations gaps that are creating rework in every wave.
If bandwidth or expertise is the constraint, you can count on Partner expertise and tailored training to be accelerators. Use them to increase decision speed and delivery capacity, yes. But be sure to keep ownership of governance and security requirements inside your organization.
What Mobilize Must Accomplish: The Eight Workstreams
DuploCloud defines eight Mobilize workstreams, aligned to the AWS Migration Acceleration Program. Note that if even one is missing, your migration waves inherit the same gaps your assessment identified.
Most migrations stall because one or more of these workstreams were treated as optional or deferred to the Migrate phase.
- Business case and value alignment. Mobilize is not just building the platform. This workstream tracks planned versus actual benefits through KPIs, so you can keep security and platform choices aligned to leadership’s expectations.
- Stakeholder alignment and governance. Mobilize is where teams align on decision rights and accountability before migration begins.
- Skills, training, and a Cloud Center of Excellence. DuploCloud prioritizes skills gap assessment and training plans. It also prioritizes acquiring the bandwidth to operate workloads while migrating in parallel. A Cloud Center of Excellence standardizes governance and best practices across waves.
- Landing zone and organizational setup. DuploCloud defines a landing zone as an orchestration framework for your foundational AWS environment. You’re dealing with multi-account architecture, identity and access management, governance, network design, data security, and logging. Control Tower and custom landing zones are the two main implementation approaches.
- Governance and change management. DuploCloud treats governance and change management as first-class Mobilize deliverables. Change and release management must be adapted for cloud operating models. Operational drift happens when governance is implicit. Mobilize is where you make it explicit and lightweight.
- Security and compliance baselines. DuploCloud structures the security and compliance workstream around five capability areas:
  - Identity
  - Detective controls
  - Infrastructure security
  - Data protection
  - Incident response
  These are validated continuously with monitoring and evidence collection.
- Cost management and FinOps. DuploCloud ties Mobilize cost management to four disciplines:
  - Refining the business case
  - Addressing readiness gaps
  - Building the landing zone
  - Controlling cloud spend during the transition period
- Wave planning and pilot migration. Mobilize is where wave planning becomes dependency-driven rather than gut-driven. It’s also where a wave 0 pilot validates landing zone, security playbooks, and operational runbooks before scaling.
Building the Landing Zone: Your First Production-Grade Decision
The landing zone is the single most consequential Mobilize deliverable. It defines your account structure, network topology, security boundaries, logging architecture, and governance model.
Every workload you migrate or modernize will inherit the patterns you establish here.
A well-architected landing zone includes a multi-account structure with organizational units for production, staging, and development workloads; centralized logging through CloudTrail and AWS Config; network segmentation with properly scoped VPCs and subnets; IAM boundaries enforced through service control policies; and encryption defaults applied at the account level.
Control Tower is the recommended starting point for most customers. Custom landing zones are reserved for organizations with specific requirements that Control Tower cannot satisfy.
The common failure pattern treats the landing zone as a one-time setup task rather than a governed, reproducible system. Teams manually configure accounts through the AWS Console and establish security groups through ad-hoc requests. They then create environments that cannot be audited, reproduced, or scaled.
When migration waves begin, each new environment introduces drift from the original baseline.
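To make the drift problem concrete, the sketch below audits per-account snapshots against the baseline controls listed above (logging, SCPs, encryption defaults, scoped VPC ranges). It is an added example, not DuploCloud code; the snapshot format, account names, SCP names and address plan are all assumptions constructed for illustration.

```python
"""Added example: audit account snapshots for drift from a landing-zone baseline.

The snapshot format, account names, SCP names and address plan are all
constructed for illustration; a real audit would fill the snapshots from
AWS Organizations, CloudTrail and AWS Config.
"""
import ipaddress

# Controls named in the landing-zone description above.
BASELINE = {
    "cloudtrail_enabled": True,
    "config_recorder_enabled": True,
    "encryption_by_default": True,
}
REQUIRED_SCPS = {"deny-disable-logging", "deny-leave-organization"}  # hypothetical
OU_SUPERNETS = {  # hypothetical address plan, one range per organizational unit
    "production": ipaddress.ip_network("10.0.0.0/12"),
    "staging": ipaddress.ip_network("10.16.0.0/12"),
    "development": ipaddress.ip_network("10.32.0.0/12"),
}


def snapshot(account, ou, vpc_cidrs, scps=REQUIRED_SCPS, **overrides):
    """Build a constructed snapshot that matches the baseline unless overridden."""
    return {"account": account, "ou": ou, "vpc_cidrs": vpc_cidrs,
            "scps": set(scps), **BASELINE, **overrides}


def audit_account(snap):
    """Return the list of deviations of one account from the baseline."""
    findings = []
    for control, expected in BASELINE.items():
        actual = snap.get(control)  # a missing value counts as drift
        if actual != expected:
            findings.append(f"{control}: expected {expected}, found {actual}")
    for name in sorted(REQUIRED_SCPS - set(snap.get("scps", ()))):
        findings.append(f"scp missing: {name}")
    supernet = OU_SUPERNETS.get(snap.get("ou"))
    if supernet is None:
        findings.append(f"ou not in baseline: {snap.get('ou')}")
    for cidr in snap.get("vpc_cidrs", ()):
        if supernet is not None and not ipaddress.ip_network(cidr).subnet_of(supernet):
            findings.append(f"vpc {cidr} outside {snap['ou']} range {supernet}")
    return findings


def audit_fleet(snapshots):
    """Audit every account and add cross-account VPC overlap findings."""
    report = {s["account"]: audit_account(s) for s in snapshots}
    seen = []  # (network, account) pairs from accounts already visited
    for s in snapshots:
        for cidr in s.get("vpc_cidrs", ()):
            net = ipaddress.ip_network(cidr)
            for other_net, other in seen:
                if other != s["account"] and net.overlaps(other_net):
                    report[s["account"]].append(
                        f"vpc {cidr} overlaps {other_net} in {other}")
            seen.append((net, s["account"]))
    return {account: f for account, f in report.items() if f}


# Constructed sample: two blueprint-built accounts and one configured by hand.
SNAPSHOTS = [
    snapshot("prod-payments", "production", ["10.1.0.0/16"]),
    snapshot("stg-web", "staging", ["10.16.4.0/22"]),
    snapshot("dev-sandbox", "development", ["10.1.0.0/16"],
             scps={"deny-leave-organization"}, config_recorder_enabled=False),
]

if __name__ == "__main__":
    for account, findings in audit_fleet(SNAPSHOTS).items():
        for finding in findings:
            print(f"{account}: {finding}")
```

Only the hand-configured account is reported: it has lost its Config recorder and a logging SCP, and its VPC range both sits outside its OU's allocation and collides with production.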
At DuploCloud, we approach landing zones as golden blueprints. These are version-controlled, compliance-embedded infrastructure templates that encode your security posture, network topology, and governance model into reusable code.
You author those blueprints in the IaC toolchain your team already uses, whether that’s Terraform, CloudFormation, or a combination. And every environment provisioned from that blueprint inherits the same auditable baseline.
For teams that want to accelerate further, DuploCloud ships a library of pre-built agents available directly in the platform for you to use.
These agents are trained on AWS best practices and DuploCloud constructs. This means they understand how to provision infrastructure correctly from the start. And they come with compliance requirements and deployment patterns already baked in.
Rather than building automation from scratch, your team starts from a foundation that reflects both AWS architectural guidance and your organization’s defined standards.
The blueprint enforces the standard; the agents remove the friction of instantiating it.
Each workload is then placed into a Workspace, which in DuploCloud is defined as an isolation boundary. This is a logically segmented environment with its own IAM scope, network perimeter, and resource inventory, so your applications never share blast radius, even within the same AWS account.
In under 10 minutes, a new environment is fully provisioned. You get VPC, subnets across availability zones, NAT gateways, route tables, security groups, encryption defaults, and other AWS resources as required.
Security Baselines That Are Enforced, Not Just Documented
The Assess phase drew a distinction between security intent and security posture: what your policies say versus what is actually configured. Mobilize is where you close that gap permanently.
DuploCloud organizes foundational security controls into five capability areas:
- Identity and access management
- Detective controls
- Infrastructure security
- Data protection
- Incident response
A defensible security baseline implements controls across all five. It also validates them continuously with monitoring and evidence collection. Finally, it should embed remediation into provisioning workflows rather than treating it as a separate audit cycle.
DuploCloud has codified the NIST 800-53 control set directly in the platform. Every other compliance framework organizations commonly need, including SOC 2, HIPAA, PCI DSS, HITRUST, and FedRAMP, is a subset of NIST 800-53 in the infrastructure context.
That means controls implemented through DuploCloud generate evidence that maps across frameworks. And they don’t require separate remediation tracks for each one. Certification under any framework still depends on scope definition, evidence completeness, and audit outcomes.
The platform accelerates the work, but it doesn’t replace the process.
Post-provisioning, the platform layers continuous monitoring through integrated SIEM capabilities, vulnerability scanning, file integrity monitoring, and malware detection.
Security agents are installed automatically on every virtual machine. Drift detection identifies when configurations deviate from the established baseline and generates real-time alerts.
CI/CD Foundations and Team Enablement as Mobilize Deliverables
Landing zones and security baselines get the most attention during Mobilize. But two other deliverables are equally critical:
- CI/CD pipeline foundations
- Team enablement
Your assessment likely identified inconsistent deployment processes. Maybe you’ve got one team using Terraform. You’ve got another using CloudFormation. And you have a third deploying manually through the console.
Mobilize is where you establish the deployment patterns that every migration wave will follow:
- Standardized infrastructure-as-code toolchain
- Automated build and deploy pipelines
- Testing frameworks
- Defined workflows that move changes from development through staging to production
DuploCloud’s forward-deployed engineers work directly alongside your team to establish these foundations. They go beyond simply handing you documentation and stepping back. They configure the CI/CD pipelines, wire up the deployment toolchain, and validate the end-to-end workflow within your environment.
The goal is to leave your team with a fully operational deployment system, not just a blueprint for building one.
DuploCloud supports authoring environments in Terraform or CloudFormation. This reduces code volume by up to 10x compared to writing against native AWS resources directly.
A complete environment with EKS, networking, and security controls can be defined in fewer than ten lines of HCL. And you’ll get compliance defaults and security baselines embedded automatically.
Once the foundations are in place, DuploCloud provides two resources your team can use directly in the platform.
The first is a native MCP (Model Context Protocol) server. This allows engineering teams to integrate DuploCloud into their existing AI-assisted workflows and toolchains.
The second is a library of pre-built agents trained on AWS best practices and DuploCloud constructs.
These agents can provision infrastructure, create Workspaces, deploy services, and query compliance posture. This reduces toil during migration waves and lets engineers focus on architectural decisions that require human judgment.
For teams already on AWS, DuploCloud meets infrastructure engineers where they are. We support the IaC toolchain they already use with dramatically reduced complexity.
For teams migrating from on-premises, where infrastructure-as-code adoption may be minimal, DuploCloud’s pre-built agents provide a path to self-service provisioning. And the agents won’t require a months-long upskilling effort before migration can begin.
The Workspace model reinforces this enablement pattern.
A Workspace is an isolation boundary. It’s a logically segmented environment with its own IAM scope, network boundary, and compliance posture.
When a developer creates one, it inherits those controls automatically. They can deploy containers, provision databases, and configure services. And they don’t have to wait for a platform team to manually configure each resource. This is because the boundaries are enforced by the platform, not by human review.
So platform engineering is transformed from a bottleneck into a self-service capability. This is the operating model shift that sustainable migration requires.
Managing Cloud Costs During Mobilize
Cost issues often surface before migration velocity does. Overlap costs (running on-premises infrastructure alongside new AWS environments) and experimentation costs rise early in Mobilize. Sometimes, teams that expected immediate savings are surprised.
This is normal, but it requires active management.
DuploCloud ties Mobilize cost management to four disciplines:
- Refining the business case so that planned versus actual costs can be tracked
- Closing readiness gaps before they generate rework charges downstream
- Building a landing zone that prevents environment sprawl
- Developing the cloud skills that reduce operational inefficiency
A Cloud Center of Excellence is the recommended mechanism for enforcing these disciplines consistently across teams.
DuploCloud contributes to cost control during Mobilize by standardizing how environments are created and decommissioned.
When every environment is provisioned through the same automation, sprawl is visible and controllable. Environments that exist outside the platform cannot be provisioned in the first place. This eliminates a common source of shadow spend during migration programs.
Migration Wave Planning Starts in Mobilize, Not Migrate
A common mistake is treating migration wave planning as a Migrate-phase activity.
The sequencing, dependency mapping, and prioritization of application groups need to be established during Mobilize, so that the Migrate phase can execute against a defined plan rather than discovering dependencies in real time.
DuploCloud recommends using the seven Rs: retire, retain, rehost, relocate, repurchase, replatform, and refactor.
These categories help clearly define applications. You can then blend those categories with dependency and complexity information to iteratively mature the plan. We recommend maintaining a planning horizon of four to five waves in advance. Make sure to keep initial waves intentionally small to validate the approach before scaling.
Refactor is complex to execute at scale during migration. So rehost, relocate, or replatform first, and then modernize after workloads are stable.
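The sketch below turns that guidance into a dependency-driven wave plan: retire and retain are excluded, an application moves only after the migrating applications it depends on, early waves are capped small, and refactor candidates are scheduled last among those ready. It is an added example, not a DuploCloud algorithm; the inventory, the wave size caps and the tie-breaking order are assumptions made for illustration.

```python
"""Added example: derive migration waves from dependency data and the seven Rs.

The application inventory is constructed. Sorting refactor candidates last
and the wave size caps are this sketch's reading of the guidance above,
not a DuploCloud algorithm.
"""
STAYS_PUT = {"retire", "retain"}  # dispositions that never enter a wave


def plan_waves(apps, wave_caps=(2, 3), default_cap=5):
    """Return (waves, hybrid_links).

    apps maps name -> {"r": disposition, "complexity": int, "deps": [names]}.
    An app enters a wave only after every migrating dependency has moved.
    hybrid_links lists dependencies on apps that stay behind, which need
    cross-environment connectivity and access rules reviewed.
    """
    moving = {n for n, a in apps.items() if a["r"] not in STAYS_PUT}
    pending = {n: {d for d in apps[n]["deps"] if d in moving} for n in moving}
    hybrid_links = sorted((n, d) for n in moving
                          for d in apps[n]["deps"] if d not in moving)
    waves, done, remaining = [], set(), set(moving)
    while remaining:
        ready = sorted(
            (n for n in remaining if pending[n] <= done),
            key=lambda n: (apps[n]["r"] == "refactor", apps[n]["complexity"], n),
        )
        if not ready:
            # Only a dependency cycle leaves nothing ready; those apps must
            # be grouped and moved together.
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        cap = wave_caps[len(waves)] if len(waves) < len(wave_caps) else default_cap
        wave = ready[:cap]
        waves.append(wave)
        done.update(wave)
        remaining.difference_update(wave)
    return waves, hybrid_links


# Constructed inventory, as an assessment might produce it.
APPS = {
    "static-site":      {"r": "rehost",     "complexity": 1, "deps": []},
    "auth":             {"r": "rehost",     "complexity": 2, "deps": []},
    "orders-db":        {"r": "replatform", "complexity": 3, "deps": []},
    "orders-api":       {"r": "rehost",     "complexity": 3, "deps": ["orders-db", "auth"]},
    "reports":          {"r": "refactor",   "complexity": 2, "deps": ["orders-db"]},
    "web":              {"r": "rehost",     "complexity": 2,
                         "deps": ["orders-api", "auth", "static-site"]},
    "billing":          {"r": "replatform", "complexity": 4,
                         "deps": ["mainframe-ledger", "orders-api"]},
    "mainframe-ledger": {"r": "retain",     "complexity": 5, "deps": []},
    "legacy-fax":       {"r": "retire",     "complexity": 1, "deps": []},
}

if __name__ == "__main__":
    waves, links = plan_waves(APPS)
    for number, wave in enumerate(waves):
        print(f"wave {number}: {', '.join(wave)}")
    for app, dep in links:
        print(f"hybrid link to review: {app} -> {dep}")
```

The hybrid links are the part worth a security review before the wave runs: each one is a migrated workload that still needs a path back to a system that stays behind.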
The DuploCloud assessment delivers a prioritized roadmap that connects technical findings to business outcomes:
- Deployment frequency
- Mean time to recovery
- Time to compliance certification
- Infrastructure cost per environment
These KPIs are tracked through observability dashboards established during the Assess phase. They then become the success metrics for each migration wave.
Wave 0: Validate Before You Scale
But Mobilize isn’t complete just because the platform is ready. DuploCloud defines Mobilize completion as building operational capability with hands-on migration experience. This means a wave 0 or pilot migration that validates the landing zone, security playbooks, and operational runbooks before scaling.
Wave 0 should be a small, representative application group with enough complexity to exercise the foundation, but with low enough business criticality that it does not create unacceptable risk.
The goal is to surface gaps in the runbooks, the CI/CD patterns, the security baseline, and the operational model while the cost of fixing them is still low. Teams that skip wave 0 and proceed directly to migration at scale consistently discover the same gaps later. And at that point, fixing them requires pausing migration waves and reengineering the foundation.
DuploCloud typically supports wave 0 as a structured proof of concept that exercises:
- Infrastructure provisioning
- Workspace creation
- CI/CD pipeline integration
- Compliance evidence generation
The outcome is a validated, repeatable deployment pattern that serves as the template for every subsequent wave.
What a DuploCloud-Accelerated Mobilize Phase Looks Like in Practice
The pattern we see across successful Mobilize engagements is consistent regardless of industry or scale. The teams that complete migration on schedule are the ones that invested in automation, governance, and repeatable patterns during Mobilize.
Rather than describe a single outcome, the examples below represent the types of results DuploCloud customers have achieved during Mobilize-phase engagements.
Customer-approved case studies are linked in the appendix as they become available.
In each engagement, the consistent accelerators are the same:
- Automated landing zones remove weeks of manual configuration
- Security baselines are enforced at provisioning time rather than validated after the fact
- Self-service deployment patterns free engineering teams to focus on application-level migration decisions rather than infrastructure plumbing
Getting Started: Two Entry Points
Starting your Mobilize from a completed assessment
If you’ve completed the Assess phase, whether with DuploCloud or independently, you have a picture of where your deployment consistency, security posture, operational ownership, and compliance readiness stand today.
The next step is to map your assessment findings to the eight Mobilize workstreams. You’ll want to assign owners, define KPIs tied to the business case, and plan a wave 0 pilot that validates foundations before scaling.
DuploCloud accelerates this by collapsing what traditionally requires months of manual infrastructure work into automated, repeatable, compliance-embedded platform capabilities.
A new landing zone with VPC, subnets, security groups, and EKS is provisioned in under 10 minutes. Security baselines are enforced at provisioning time. Teams are enabled through self-service tooling that does not require deep DevOps specialization.
Every environment, from the first development Workspace to the hundredth production workload, inherits the same governance, security, and compliance posture.
Resetting a stalled migration
If your migration has stalled, Mobilize is a structured reset. The most common reset sequence is:
- Audit the landing zone for drift and remediate before continuing
- Rebuild the wave plan using dependency data and the seven Rs rather than application-owner estimates
- Establish KPI tracking so that progress is measurable
- Run a wave 0 pilot against the remediated foundation before resuming migration waves
If bandwidth is the constraint, DuploCloud can increase delivery capacity for infrastructure and compliance work, so your team can focus on the application-level decisions that require organizational context.
Teams can engage DuploCloud in two ways:
- Schedule a conversation with a Solutions Architect to map your assessment findings to the eight Mobilize workstreams and build a delivery plan
- Start with a guided proof of concept. Here, DuploCloud provisions a representative environment, wires up a CI/CD pipeline, and generates compliance evidence. That way, your team can evaluate the platform against your actual workloads before committing to a full-scale engagement.
Frequently Asked Questions
Why is the Mobilize phase separate from the Migrate phase?
Mobilize establishes the foundational capabilities. This includes landing zones, security baselines, deployment automation, governance models, and a validated wave 0. Every migration wave depends on each of these. Organizations that skip or compress Mobilize typically discover these gaps mid-migration. But by that point, fixing them requires pausing waves and reengineering the foundation. The investment in Mobilize pays compound returns as each subsequent wave executes faster than the last.
How does DuploCloud handle compliance during the Mobilize phase?
DuploCloud has codified the NIST 800-53 control set directly in the platform. Every other framework organizations commonly need, including SOC 2, HIPAA, PCI DSS, HITRUST, and FedRAMP, is a subset of NIST 800-53 in the infrastructure context. Controls implemented through DuploCloud generate evidence that maps across frameworks without requiring separate remediation tracks for each one. Certification still depends on scope definition, evidence completeness, and audit outcomes. The platform accelerates the work, but it won’t replace the process.
Can teams use their existing IaC toolchains with DuploCloud?
Yes. DuploCloud supports Terraform and CloudFormation. We produce identical, auditable infrastructure regardless of which toolchain the team uses. You’ll reduce your code volume by up to 10x compared to writing against native AWS resources directly. And your compliance defaults and security baselines are embedded automatically.
What is wave 0, and why does it matter?
Wave 0 is a pilot migration. It’s a small, representative application group that validates the landing zone, security playbooks, and operational runbooks before scaling. DuploCloud treats Mobilize as incomplete until a hands-on migration experience has tested the foundation. Teams that skip wave 0 consistently surface the same gaps later, at higher cost. Wave 0 is the exit criteria for Mobilize, not the starting point for Migrate.
DuploCloud is an AWS Premier Tier Services Partner with competencies in DevOps, Migrations, and Security. Learn more about DuploCloud’s AWS Modernization approach on AWS Marketplace or request an assessment to start your modernization journey.