Managed edge guide
Managed Edge vs DIY: TCO, Staffing and Operational Risk
Compare the operating model, not just the platform invoice: who owns edge changes, incident coordination, evidence, and recovery when the customer journey is at risk?
On this page
The useful comparison is not a managed-service fee against a CDN subscription. Both models retain platform spend and customer accountability. The decision is whether the organisation can sustainably operate the chosen scope: cache and routing policy, WAF tuning, DNS changes, vendor escalation, evidence, and recovery.
Overview
Outcome
Build a three-year, buyer-specific decision record for a critical web estate. It separates platform usage from operating capacity, transition work, and scenario-based incident exposure instead of claiming a universal saving.
Define the operating scope before comparing prices
DIY means the customer selects platforms and owns implementation, review, monitoring, change control, incident command, and supplier escalation. A managed model can operate an agreed CDN, DNS, WAF, bot, routing, and observability scope, but the customer still owns its application, data, business decisions, and risk acceptance.
- Business journeys
Define browse, login, checkout, APIs, and their failure tolerance.
- Platform controls
CDN, DNS, WAF, routing, logs, and origin access are selected.
- Operating ownership
Name change, on-call, review, escalation, and evidence owners.
- Tested recovery
Exercise cache, policy, provider, and origin failure paths.
A platform is one dependency. The operating model determines who turns its controls into a dependable customer journey.
Model total cost of ownership honestly
Use actual contracts, loaded internal role costs, traffic history, and incident records. Do not turn avoided engineering hours or hypothetical outages into savings until a budget or capacity decision actually changes.
DIY TCO = platform usage + migration + internal edge/security time
+ on-call, tooling, tests, supplier management
+ contingency + scenario-based incident exposure
Managed TCO = platform usage + onboarding + operating fee
+ retained customer ownership + excluded tools
+ contingency + residual incident exposure| Dimension | Lean DIY when | Lean managed when |
|---|---|---|
| Expertise | Dedicated operators have demonstrated edge and security ownership | Expertise is thin, concentrated, or displaces product work |
| Change and cover | Changes are automated, reviewed, and supported by sustainable on-call | Campaigns, launches, or incidents depend on ad hoc availability |
| Complexity | One stable, documented platform is enough | Multiple providers, regions, brands, or regulatory constraints must agree |
| Evidence | Logs, configuration history, runbooks, and exercises are routine | Evidence or escalation paths are fragmented or untested |
Score operational risk, not team confidence
Ask who can make and reverse a cache-key, DNS, routing, or WAF change; which actions are covered outside business hours; how provider tickets are escalated; and whether recovery has been tested against a real user journey. Infrastructure as code improves review and repeatability, but it does not decide cache correctness, approve risky changes, or command an incident.
NIST and ENISA procurement guidance support evaluating supplier dependencies according to business criticality, contract evidence, monitoring, and exit planning. A high platform uptime figure does not answer whether a customer-specific configuration error, direct-origin bypass, or unsupported integration can be diagnosed and recovered safely.
Make a decision that can be revisited
Score each model from 0 to 5 for specialist coverage, automation, observability, incident readiness, provider concentration, data requirements, and exit readiness. A low DIY score is not an argument to outsource blindly; it is a funded capability gap that needs either a managed scope or an internal operating plan.
Troubleshooting
Decision failures to avoid
- Comparing a managed fee with platform usage while omitting internal operating time.
- Buying a platform and assuming its shared-responsibility model owns customer policy decisions.
- Treating a named escalation contact as tested incident capability.
- Calling a design provider-neutral without proving configuration export and migration support.
Related guides
Authoritative references
- NIST SP 800-161r1-upd1: Cybersecurity Supply Chain Risk Management
- ENISA: Security Guide for ICT Procurement
- CISA: Understanding and Responding to DDoS Attacks
- AWS: Shared responsibility for resiliency
Compare operating models using your own evidence
Optimi can assess the ownership, supplier, observability, and recovery work behind your edge stack without assuming one provider is always the answer.
Assess your edge model