The first FinOps engagement we ever ran found 31% in recoverable spend in two weeks. The team's reaction was suspicion, not delight: 'where was that money hiding?' This post is the answer.
The four places it always is
Across forty-some engagements, the recoverable spend has clustered in four categories, in roughly this order of magnitude:
- Rightsizing — instance types and storage classes provisioned for last quarter's peak, not this quarter's reality.
- Idle resources — load balancers, NAT gateways, EBS volumes attached to nothing, RDS replicas no one reads.
- Reserved capacity — Savings Plans and RIs that should exist and don't, or do exist and aren't being used.
- Storage tiering — S3 buckets full of objects that have been cold for two years, sitting on standard.
The split varies by industry. Healthcare estates lean heavy on rightsizing because regulatory data minimums make storage cleanup awkward. Fintech estates lean heavy on reserved capacity because deployment growth is predictable. SaaS estates are usually balanced across all four.
What 'audit' actually means
An audit is not a tool's dashboard. We start every engagement by writing two queries against billing data:
```sql
-- Top 20 service / team pairs by monthly spend
SELECT
    service,
    COALESCE(tags['team'], 'unallocated') AS team,
    SUM(unblended_cost) AS monthly_cost
FROM cost_and_usage
WHERE billing_period = DATE_TRUNC('month', CURRENT_DATE)
GROUP BY service, team
ORDER BY monthly_cost DESC
LIMIT 20;
```

The second query is the same thing aggregated by linked-account or project. The two together tell you which services are running where, who owns them, and what they cost. About 70% of FinOps work follows from looking at those two outputs honestly.
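One way the per-account view could look, as an added example rather than the query used in the engagements. It goes slightly beyond a plain aggregate by also reporting how much of each account's spend carries no team tag. The column name `linked_account_id` is an assumption; the table, the other columns and the dialect follow the query above.

```sql
-- Added example: top 20 linked accounts by monthly spend, with the
-- portion of each account's bill that no team tag claims.
-- Assumption: cost_and_usage exposes the account as linked_account_id;
-- substitute your export's account or project column.
WITH by_account AS (
    SELECT
        linked_account_id,
        SUM(unblended_cost) AS monthly_cost,
        -- Same "unallocated" rule as the service / team query
        SUM(CASE
                WHEN COALESCE(tags['team'], 'unallocated') = 'unallocated'
                THEN unblended_cost
                ELSE 0
            END) AS unallocated_cost
    FROM cost_and_usage
    WHERE billing_period = DATE_TRUNC('month', CURRENT_DATE)
    GROUP BY linked_account_id
)
SELECT
    linked_account_id,
    monthly_cost,
    unallocated_cost,
    -- NULLIF guards accounts whose net cost is zero (credits, refunds)
    ROUND(100.0 * unallocated_cost / NULLIF(monthly_cost, 0), 1) AS unallocated_pct,
    -- Share of the whole bill, computed before LIMIT trims the list
    ROUND(100.0 * monthly_cost / NULLIF(SUM(monthly_cost) OVER (), 0), 1) AS pct_of_total
FROM by_account
ORDER BY monthly_cost DESC
LIMIT 20;
```

Accounts with a high `unallocated_pct` are where the ownership question from the first query cannot yet be answered.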
The 20–40% range
Every engagement claim is calibrated. The 20–40% number isn't aspirational; it's the actual range of recovered spend across our last twenty engagements, measured at the three-month mark. The low end of the range happens when the estate is already mature; the high end happens when nobody's looked.
If you're below the 20% number, the engagement isn't FinOps anymore — it's architecture. If you're above the 40% number, you've likely got an organisational problem the bill is just symptomatic of. Both are interesting, neither is what the audit alone solves.