90 items. Each one a test case a vendor either passes, partially passes, or fails. Each one carries a requirement, detection method, actionability bar, automation level, evidence requirement, and enterprise expectation. Vendors design toward this. Customers cite it in RFPs. Evidence is judged against it.
Ingest billing + usage data from AWS, Azure, GCP, OCI into a single normalized data model.
All cost lines come paired with usage data sufficient to drive optimization recommendations.
Ingest SaaS subscription cost + usage from finance, SSO, and direct vendor integrations.
Per-namespace, per-workload, per-pod cost attribution inside K8s clusters across cloud and on-prem.
Datacenter, private cloud, and colo cost modeling unified with public cloud cost.
Sub-day cost telemetry rather than batch refresh.
User can see exactly when each cost line was last refreshed.
Match ingested cost to actual cloud invoices and surface deltas.
Drill from invoice down to individual resource (instance, bucket, function, pod).
Cost split by cloud service (EC2, S3, Lambda, BigQuery, etc.) with deep service taxonomy.
Multi-region, multi-account, multi-subscription views with org-aware hierarchy.
Roll up dev / staging / prod or business-unit views with consistent allocation.
Group cost by cloud-resource tags / labels.
K8s / cluster label allocation distinct from cloud tags.
Allocate by AWS account / Azure subscription / GCP project.
Distribute platform / network / shared cost across consumers using configurable rules.
Per-consumer allocation of K8s control-plane and network costs.
Distribute costs by configurable ratios.
Static dollar amounts assigned to consumers.
Surface and route untagged / unallocated cost.
Generate invoices to internal cost-centers in finance-grade format.
Log every change to allocation rules with attribution and effective dates.
Detect unattached storage, unused IPs, orphaned snapshots.
Distinguish "doing nothing" from "doing too little".
Tier storage by access pattern, identify cold-on-hot waste.
CPU / memory / network analysis driving instance recommendations.
Volume / tier recommendations.
Recommend newer-generation families for cost / perf gains.
Detect inefficient design patterns, not just resource sizing.
Recommend reserved capacity / savings plans / committed use discounts.
Track how much of spend is covered by commitments.
Classify workloads as spot-suitable.
Programmatically apply fixes (terminate, resize, retire).
Verify that recommended savings were actually realized.
Project future spend across horizons.
Project future consumption (vCPU-hours, GB-months, tokens).
Track and explain forecast accuracy over time.
Connect to FP&A budgets, enforce limits.
What-if cost simulations.
Tie cost forecasts to business drivers (orders, users, transactions).
Sync to NetSuite / SAP / Workday / Oracle ERP.
Project SaaS / commitment / license renewals.
Webhook / event-bus triggers for cost actions.
Jira / ServiceNow / Asana / Linear integrations.
Public REST / GraphQL covering all UI features.
Terraform / Pulumi / CloudFormation integration for cost gating.
Programmatic shutdown of idle / orphaned resources.
Automatic resizing under safety policies.
Codified rules that block / quarantine non-compliant cost.
Role-based access control with org-hierarchy support.
Multi-step approval flows for actions / budget overrides.
Immutable record of all user / system actions.
ML / heuristic detection of cost anomalies.
Mapping to SOC 2 / ISO 27001 / FedRAMP / HIPAA.
Per-call token-cost telemetry across LLM providers.
Cost attributed per model version / variant.
GPU memory / SM utilization with cost overlay.
Split training cost from inference cost cleanly.
Per-agent / per-task cost for autonomous AI workflows.
Tie model cost to business outcomes (deflection, retention, automation).
Range of sources / formats the SIEM ingests cleanly.
Out-of-the-box and custom detection rule library.
Detections mapped to MITRE ATT&CK techniques.
User / entity behavioral anomaly detection.
Correlate signals across multiple data sources.
Mean time to detect / respond reporting.
SOAR-style automated response playbooks.
Deep historical telemetry and replayable timelines.
Detect cloud misconfigurations against benchmarks.
Detect drift from approved baselines.
Single pane across AWS / Azure / GCP / OCI.
Pre-deploy scanning of Terraform / CloudFormation / Helm.
Pre-built mappings to common compliance frameworks (CIS / NIST / PCI / HIPAA / FedRAMP).
Surface findings by exploitability + asset criticality.
Number of integrated SaaS apps via SAML / OIDC / SCIM.
Policy-driven MFA enforcement at scale.
Vaulting, session recording, just-in-time elevation.
Detect identity-based attacks (token theft, OAuth abuse).
Live session telemetry for high-risk users / actions.
Breadth of asset types scanned (cloud, on-prem, OT, container).
Authenticated / agent-based scanning depth.
Track patch state and SLAs across the fleet.
EPSS / CVSS / asset-criticality combined.
Cost of each security tool surfaced to FinOps view.
Track seat / capacity utilization for security platforms.
Cost-per-alert / cost-per-true-positive metrics.
Coverage outcome divided by tool spend.
Detect overlapping capabilities across security tools.
Quantified return per security control / category.
Tools that demonstrably affect cyber-insurance premiums.