Case Study · 005 · Multi-quarter engagement

From security liability to a foundation that scales.

Client: ARTi
Sector: Cleantech · Pyrolysis & biochar
Engagement: Security & infrastructure
Duration: Multi-quarter · ongoing
Mission: Convert organic waste into biochar
Why us: Harden without halting the business

Single → resilient: Server posture (consolidated → resilient)
MFA + access controls: Identity & access hardening
CI/CD: Release discipline established
vulns closed: Security vulnerabilities remediated (TBD)

01 Mission-driven cleantech, fragile foundation.

Software that grew organically — into the company's biggest technical risk.

Industry: Cleantech · Industrial · Sustainability
Product: Pyrolysis & biochar technology
IP profile: Proprietary R&D; high-value
Engagement type: Security + infrastructure + process
Stack inheritance: Laravel / Angular / single server

ARTi pioneers pyrolysis and biochar — converting organic waste into a sustainable carbon product that locks carbon into soil and replaces virgin material in industrial processes. The science is the moat. The software was supposed to support it.

Instead, the internal software had grown the way most early-stage software does: by accretion. Shared accounts. No multi-factor authentication. A single server with no backups and no disaster recovery. Outdated dependencies sitting under critical workflows. No Git workflow, no code reviews, no CI/CD.

For a cleantech company whose intellectual property is the entire business, that posture wasn't just inconvenient — it was a quiet, growing risk. ARTi needed a partner who could fortify the foundation without halting the operation it was supporting.

02 The Challenge

Four risks compounding on top of each other.

ARTi's exposure didn't come from any single failure. It came from layers: identity, infrastructure, process, and IP — each a problem on its own, and each amplifying the others. The order in which we addressed them mattered as much as the work itself.

01

Open doors around valuable IP.

Shared accounts, no MFA, insecure email practices, and unprotected communication channels. The very systems holding ARTi's IP were the least-defended part of the company. For a business whose value is its proprietary R&D, the exposure was structural, not incidental.

Security exposure
02

One server between ARTi and an outage.

A single server. No formal backups. No disaster-recovery plan. Outdated dependencies under live workflows. The infrastructure that the business actually ran on couldn't survive a bad afternoon — let alone scale to the next phase of the company.

Infrastructure fragility
03

Code shipped on trust, not on process.

No Git workflow with reviews. No CI/CD. No formal release process. Changes went to production through habit, not through a pipeline. Mistakes were easy to make and hard to trace — and the team had no shared discipline to lean on as they grew.

Engineering discipline
04

When the mission is the IP.

The IP that makes ARTi defensible — pyrolysis process knowledge, biochar formulation data, customer integrations — was held in the same fragile systems. A breach wasn't just an operational event; it was an existential one. The challenge wasn't only technical; it was about protecting the mission.

IP & mission risk
Streaver turned our biggest technical risk into a foundation we can build on — and pushed us harder than we'd have pushed ourselves.
Bernardo del Campo, Founder & CEO · ARTi

03 Selection

Why ARTi trusted us with the foundation.

Hardening a mission-driven company's software is delicate work. You're asking a team to change how they log in, how they ship, and how they trust each other — without taking down the operation those changes are meant to protect. Four reasons ARTi let us drive it.

Security hardening without disruption.

ARTi couldn't pause the business while the foundation was rebuilt. Streaver had a track record of hardening security and tightening access without forcing teams off the tools they rely on every day. The hardening landed in layers — visible to the people who needed to see it, invisible to everyone else.

Infrastructure modernization with zero downtime.

Moving off a single server is the kind of work that's easy to break in a hundred ways. Streaver's platform engineers had decoupled production estates before — staged the migration, kept backups warm, and rolled forward without a planned outage window.

Cultural transformation, not just tooling.

Process maturity isn't a deliverable; it's a habit. Streaver took ownership of bringing Git workflows, code reviews, CI/CD, and Agile cadence into the team in a way that stuck — not as a one-off training, but as the new default way of working.

A partnership for mission-driven orgs.

Mission-driven companies need partners who understand why the work matters, not just what the work is. Streaver invested in understanding ARTi's pyrolysis and biochar mission before recommending anything — so the technical choices stayed in service of the science, not the other way around.

04 The Drop

From risk surface to hardened, in layers.

Each item on the left was a real, named exposure when we started. Each item on the right is now the company's default. The transition wasn't a single big-bang migration — it was a sequence of small, deliberate changes, each one earning the next.

The hardening landed as a sequence, not a switch — identity first, infrastructure second, process third. Each layer earned the next.

05 Decisions

Three calls that defined the sequence.

01

Security-first, before infrastructure-first.

Before touching infrastructure, we hardened identity, access, and channels. The reasoning was simple: if you modernize infra while the access layer is still open, you're just moving a vulnerability into a nicer building. MFA, password managers, secure domains, and removal of shared accounts came first — then everything else followed on top of a foundation we could trust.

Principle: The most expensive security incident is the one that happens during a modernization project, because no one can tell whether it was the infra change or the existing exposure.
02

Decouple the infrastructure. Earn resilience.

Decoupling the single server into resilient, backed-up, recoverable infrastructure was the structural fix. We staged the move — services first, environments second, data layer last — so each step could be validated before the next one started. No outage window was requested. None was needed.

Result: Single server → decoupled services + environments, with backups and a documented disaster-recovery posture. The path to AWS / AWS CDK is now open.
03

Process maturity, modeled from the inside.

Tooling alone doesn't change how a team works. We rolled out Git with required reviews, CI/CD pipelines, structured Agile, and traceable project tooling — and we did it as an embedded part of the team rather than as a consultant's deck. The change took longer than the technical work. It's also what makes the technical work last.

06 Honest

What we didn't measure. What took longer than the work.

Measurement · Day 0

We hardened without a baseline number.

We didn't quantify the security gap at the start of the engagement — no vulnerability count, no external audit baseline. The hardening was real and the exposure is materially lower, but we can't put a number on it after the fact. Future security engagements get a baseline scan on day one.

Velocity · TBD

We can describe the velocity gain, but not chart it.

Deploy frequency before vs. after CI/CD would be a powerful single-figure outcome. We didn't capture the 'before' rate, so the 'after' improvement is qualitative — the team ships safely now, and they didn't before. That's true. It's just not a chart.

Culture · ongoing

The culture change was the slowest part.

Security hardening took weeks. Infrastructure modernization took months. Engineering discipline took longer than either — because it's the part that lives in people, not in systems. We were honest with ARTi about that timeline, and they were honest with us about how hard it was to absorb.

07 Outcomes

The foundation ARTi can now build on.

Each outcome below is paired with the posture it replaced. The figures with TBD badges are the ones we'd like to measure properly with ARTi before quoting them publicly — the work is real; the numbers are honestly unfinished.

Shared accounts, no MFA, open channels → MFA + access controls + secure channels

Security posture

Identity, access, and communications hardened across the company. The gaps that exposed ARTi's IP closed, not as a project but as a new default posture.

Single server, no backups → Decoupled services + backups + DR plan

Infrastructure resilience

Infrastructure moved from a single point of failure to a resilient, recoverable footprint. The path to cloud-native (AWS / AWS CDK) is open and incremental.

No formal workflow → Git reviews + CI/CD + structured Agile

Development process maturity

Engineering discipline embedded into the team. Every change goes through review, every release goes through a pipeline, every sprint has a structure people trust.

Outdated deps, no error handling, no tests → Faster, accessible, SEO-clean

Performance & UX

Dependencies updated, error handling and security headers added, dead code removed, tests introduced. The platform feels different to the people who use it every day.

IP held in fragile, exposed systems → IP held in hardened, audit-ready systems

IP protection

Proprietary pyrolysis and biochar IP now lives behind the access controls, backups, and recovery posture that a cleantech company's IP requires.

Not audit-ready → Foundation in place for SOC-2 / ISO 27001

Audit-readiness foundation

The hardening, documentation, and process work created the groundwork for a formal certification path when ARTi chooses to pursue one.

TBD · engineer to verify
08 The Team

Four Streavers. One mission. A foundation that outlasts us.

Mission-driven companies deserve continuity. The same team that sequenced the hardening also documented it — so that the work, the decisions, and the new defaults are knowable to anyone ARTi hires tomorrow.

Engineering Lead · TBD
Engineering Lead

Owned the engagement end-to-end. Set the security-first sequencing and the cadence with ARTi leadership.

Platform Engineer · TBD
Senior Platform / DevOps

Led the infrastructure decoupling, the backup and DR work, and the CI/CD pipelines. Mapped the path to AWS / AWS CDK.

Full-stack Engineer · TBD
Senior Full-Stack (Laravel / Angular)

Carried the Laravel / Angular feature work alongside the hardening — keeping ARTi's roadmap moving while the foundation was rebuilt.

Security Engineer · TBD
Security-focused engineer

Drove the security workstream: MFA rollout, password managers, access controls, dependency updates, security headers, and header and test hygiene.

How the engagement is structured

Cadence

Weekly working session with ARTi leadership. Daily async updates inside the joint Slack. On-call ownership shared, with Streaver leading platform incidents and ARTi leading product context.

Communication

All comms moved off insecure channels onto a company domain with MFA. Documentation lives in a system ARTi owns, so the institutional knowledge survives any future vendor change.

Pricing

Milestone-based pricing tied to the hardening roadmap — security, infrastructure, process. Renewal anchored to capability handover, not headcount.

IP & transfer policy

ARTi owns every credential, every repository, every infrastructure account. Streaver operates the systems on ARTi's behalf and hands the keys back the moment ARTi chooses to take them.

The hardening, traced

WEEK 00 · Security audit complete: Cataloged every account, every server, every dependency, every channel. The first list of exposures was longer than the first list of features.
WEEK 04 · Identity & access hardened: MFA enforced across the company. Shared accounts removed. Password managers rolled out. Communications moved onto secure, company-owned domains.
WEEK 08 · Infrastructure decoupled: Single server decoupled into services and environments. Backups warm. Disaster-recovery posture documented. The first true rollback test passed.
WEEK 16 · CI/CD landed: Git workflow with required reviews live. CI/CD pipelines running on every change. Production stops being a place anyone can push to directly.
WEEK 24 · Process maturity: Structured Agile cadence inside the engineering team. Project tooling tied to the repo for traceability. Dependencies updated, security headers added, tests introduced.
WEEK 32 · Partnership renewed: Engagement renewed. ARTi shifts from hardening posture to a scaling posture — the foundation is now stable enough to build on, which was the whole point.

09 Stack

Familiar tools, hardened defaults.

We didn't replatform the stack. We hardened it. Laravel and Angular stayed; the way they're deployed, monitored, and protected is what changed. The cloud-native path through AWS / AWS CDK is now an option, not a forced migration.

Languages & Frameworks

  • TypeScript: strict, across newer surfaces
  • PHP: core backend surface
  • Laravel: primary backend framework

Frontend

  • Angular: primary client framework

Data & Infrastructure

  • AWS: target cloud (in flight)
  • AWS CDK: IaC for the cloud-native path
  • Docker: containerization across environments
  • MySQL: primary database
  • Grafana: observability & dashboards

10 What's Next

The next chapter is growth, not rescue.

With the foundation hardened, ARTi can pursue the certifications, the cloud-native optimizations, and the team scaling that the mission deserves. The rescue is done. The build-out is just starting.

SOC-2 / ISO 27001 certification.

With the foundation in place, the next phase is formalizing what's already true. SOC-2 / ISO 27001 readiness would let ARTi pursue enterprise partnerships and grant opportunities that today require a paper trail Streaver has been quietly producing all along.

Cloud-native optimization.

The path to AWS / AWS CDK is open. The next chapter is moving from decoupled services on owned infrastructure to cloud-native primitives — leaning on managed services where they free the team to focus on the science, not the systems.

Team scaling on hardened ground.

ARTi is hiring against the foundation we built. The reason that's possible is that the foundation is now boring — new engineers can land on a system with reviews, pipelines, and documentation rather than tribal knowledge.

Software grown into a security liability?

Let's turn the risk into a foundation.

Streaver hardens mission-driven companies' software without halting the operation it supports. Security first. Infrastructure second. Engineering discipline that stays after we're gone.
