Shared posts

02 Jun 06:45

California Legislators Shriek: 'Stop Nick Shirley!'

by Tyler Durden

Authored by Mike McDaniel via AmericanThinker.com,

Without the second Trump Administration, we would surely not have discovered, and most importantly, acted upon, the fraud being committed around the country, most notably in blue states like Minnesota and California. So much has been discovered so rapidly that President Trump appointed Vice President Vance to head an anti-fraud task force, and the DOJ hired additional prosecutors to handle the dramatically increasing number of cases. Federal officials are suggesting the sheer amount of fraud, discovered and yet to be discovered, is so staggering that clawing back that money could balance the federal budget.

Instrumental in exposing enough fraud that it could no longer be ignored by local or state officials is independent journalist Nick Shirley, who exposed the infamous "Quality Learning Center" day care fraud in Minneapolis, as well as many less well-known fraudulent day cares. So effective was Shirley, and so quickly did his work anger local fraudsters and state officials, that he received so many death threats he apparently decided to give California a try. This was the immediate result: 

Graphic: X Post

Independent journalist Nick Shirley has released a devastating 40-minute investigative video that exposes what appears to be massive waste and potential fraud in California’s hospice, Medi-Cal, and daycare programs. His report, now viewed more than 7.7 million times on X, uncovers over $170 million in questionable billings tied to ghost hospice and daycare operations that show virtually no signs of actually caring for patients or children.

Shirley found that focusing mostly on Victory Blvd. in Van Nuys:

Graphic: X Post

In Minnesota and California, honest public employees tried for years to expose fraud, but their superiors and the state Attorney General’s Office ignored them. But with Shirley’s discovery of incredible levels of fraud, the California Legislature was prodded into action: they’re criminalizing exposing fraud:  

Independent journalist Nick Shirley accused California lawmakers of trying to shield taxpayer-funded organizations from scrutiny after the state Assembly advanced AB 2624, dubbed the "Stop Nick Shirley Act," a bill the author says is intended to protect immigration service providers from harassment and threats.

"I obviously hit a nerve," Shirley said during an appearance Wednesday night on "Fox News @ Night" with Trace Gallagher.

"What's interesting about this, this bill is it's protecting NGOs and nonprofits," Shirley said. "These are organizations and groups that receive our tax dollars, yet they want to make it so we can't find out what they're doing with our tax dollars."

Shirley argued the proposal would discourage investigations into organizations receiving public funds.

And that’s obviously the point of the legislation. But why would legislators, people sworn to protect the public, presumably at least in part by catching criminals defrauding taxpayers of billions, want to protect those criminals? It’s a puzzler, unless, perhaps, those NGOs and nonprofits are primary funding sources of the Democrat Party and Democrat politicians? But surely that can’t be happening in a single-party state like California, where corruption is all but nonexistent? Shirley explained:

"The Somalis in Minnesota, they stole hundreds of millions, billions of dollars, and then the hospice fraud that took place inside California," Shirley said.

"Everyone was saying that was bogus. And then her husband actually tried to take credit for exposing the hospice fraud after I had gone and exposed the hospice fraud."

Shirley was referring to Assemblymember Mia Bonta's husband, California Attorney General Rob Bonta, who has not responded to Fox News Digital's request for comment.

"The fraud has been going on for so long. These fraudsters thought they could get away with it for so long that so many people started committing this fraud."

Graphic: X Post

What’s really amazing, though utterly unsurprising, is Shirley is only talking about hospice fraud. That’s only the shrink-wrap packaging on the box of a 100-story-tall fraud package.

To paraphrase Shakespeare, something is rotten in the bluer than blue state of California.

Tyler Durden Mon, 06/01/2026 - 17:40
02 Jun 06:38

The figures Noboa doesn't mention: migration as Ecuador's invisible subsidy

by Silvia Albuja Hernández
While the neoliberal Ecuadorian president celebrates macroeconomic stability, he hides the fact that remittances are what sustain families day to day. At 7.729 billion dollars in 2025, remittances from the Ecuadorian diaspora around the world now exceed oil exports.

Main topic: Ecuador

02 Jun 06:31

How do we prepare our inner terrains as The Great Simplification unfolds?

by Nate Hagens
01 Jun 22:30

Iran warns Israelis: leave the northern areas if you don't want to be harmed

by Beltenebros

The Iranian Armed Forces have warned Israel over the continuation of Israeli attacks against Lebanon, advising Israeli settlers to leave the northern areas if they do not want to suffer harm.

tags: iran, lebanon, israel, settlers, occupation

» original story (www.hispantv.com)

01 Jun 22:30

For years we thought solar panels were wrecking the countryside: it turns out birds and insects live much better underneath them

by josde

For years we have been hearing that the expansion of solar farms threatens the countryside. The mental image we usually have is of hectare after hectare of black panels under a relentless sun, flattening the landscape, without a single bird for kilometres around. But the data is starting to tell a radically different story. There is more life inside than outside. To understand this phenomenon, we only have to look at the most recent data from Spain. According to a report by the Spanish Photovoltaic Union (UNEF), endorsed by the environmental consultancy

tags: solar panels, good, birds, insects, live, underneath

» original story (www.xataka.com)

01 Jun 22:29

Dutch courts enforce the seizure of the Instituto Cervantes headquarters and begin its sale at auction to settle the renewables non-payments

by duckcurve

The creditors affected by the non-payment of the arbitral awards arising from the 2013 retroactive cut to renewable energy subsidies have certified effective possession of the building housing the Instituto Cervantes headquarters in Utrecht (Netherlands), in enforcement of the rulings issued by the Dutch courts. The creditors appeared at the building to formalize the procedures associated with the enforcement ordered by the Dutch courts. Related: menea.me/2hfoh

tags: netherlands, seizure, instituto cervantes, renewables, cuts

» original story (elperiodicodelaenergia.com)

01 Jun 22:29

The satellite images showing that Iran's attacks on US military installations are far more extensive than acknowledged

by Elnuberu

Satellite images and videos analyzed by BBC Verify show that Iran has damaged 20 US military installations since the start of the war, suggesting the attacks are more extensive than has been publicly acknowledged. Since late February, Iran has struck key installations in eight Middle Eastern countries, causing millions of dollars in damage to state-of-the-art air defense systems, refueling aircraft and radars. Tehran has attacked US bases and installations.

tags: usa, iran, war

» original story (www.bbc.com)

01 Jun 22:28

Who is La Garza Negra? The Murcia superhero who patrols the city at night and has gone viral on TikTok

by Raistlin

He hides his identity, says he is ready to help anyone who needs it, and his first videos have already unleashed a wave of questions

tags: superhero, la garza negra, murcia, tiktok

» original story (www.laopiniondemurcia.es)

01 Jun 22:27

Nadal, to the limit and beyond

by Celso Varela
My passion for Rafa was always like his way of playing: volcanic, unbridled, all-out. I have never been interested in any athlete other than him.
01 Jun 22:20

What would you do if someone like this hit your dog?

by Fino
01 Jun 22:03

THESE JOBS WILL DISAPPEAR FIRST!

by The Diary Of A CEO

Mo Gawdat believes up to 30% of jobs in certain sectors could disappear by 2028.

That stopped me in my tracks.

Mo was one of the first people to come on this podcast and warn me about AI, long before most of the world was talking about it.

At the time, it felt early.

Now, it feels like the world is catching up to what he was seeing.

I’m still trying to understand what AI actually means for our lives.

Not just whether it can write emails, create images or make us more productive. I mean what it does to jobs. What it does to power. What it does to education. What it does to human connection…

That’s why I wanted to have this discussion with Mo again.

What makes Mo worth listening to is that he saw these systems inside Google years before most of us had even heard the term AI. His book *Scary Smart* now feels like it was written for this exact moment.

Let me explain why this discussion matters.

Mo believes we’re not just entering an AI revolution. We’re entering a period where AI, robotics, economics, surveillance, digital currencies and global instability are all colliding at the same time.

That’s a lot for any of us to process.

We spoke about:

- The jobs Mo believes are most at risk from AI.
- Why he believes that AI is actually underhyped!
- The mistake almost everyone is making with ChatGPT.
- The prediction that changed even his own view of the future.

The part that stayed with me was this idea that human connection may become the real currency.

Because if AI can produce the information, write the report, analyse the data, then what is left?

I don’t think this conversation gives neat answers. That’s probably why it’s worth watching.

It helped me think more honestly about what’s coming.
01 Jun 22:00

FINDING FREEDOM IN KIDNAPPING

by Aladetres
01 Jun 21:53

The impact nobody expected

by El Canal del Coronel

Ambassador José Antonio Zorrilla analyzes the latest and most worrying news, which affects us all, with his unique style and the utmost rigor and knowledge, pulling no punches.
What we like and need to hear.
01 Jun 21:52

I SAY GOODBYE to SOCIAL MEDIA FOR WHEN WE DISAPPEAR BECAUSE OF THIS...

by Rubén Gisbert

I'M SAYING GOODBYE BECAUSE THEY ARE GOING TO CENSOR US; I'M NOT LEAVING, I'M PREPARING for MORE BATTLE IN THE WAR for FREEDOM and TRUTH THAT WE ARE GOING TO HAVE TO FIGHT. In this video I share my farewell to social media, a decision motivated by the recent events that justify it. I address the latest news and current political affairs, including an analysis of how certain events in international politics are generating intense news commentary. Don't miss this in-depth analysis of the world events and trending news that affect us all.

RIDATTO's SONG "La Verdad No se Rinde": https://open.spotify.com/intl-es/album/3LKklqP1DVEmKabUVEnMpu?si=uFA6xCiVQsK05Lp4ijdgrw

AFTER THE PREVIOUS ONE WAS CENSORED, FOLLOW ME on MY NEW INSTAGRAM to STAY INFORMED BY THE MINUTE: https://www.instagram.com/gisbertruben/
AND ABOVE ALL on the TELEGRAM CHANNEL: https://t.me/s/rubengisbertoficial
https://rubengisbert.com.es
SECONDARY CHANNEL for LIVESTREAMS: https://www.youtube.com/channel/UCN85XS0O8AKzyYu5OqVaLIw
FOLLOW ME ON MY OTHER NETWORKS:
►Instagram: https://www.instagram.com/gisbertruben/
►Facebook: https://www.facebook.com/gisbertruben
►Twitter: https://twitter.com/gisbert_ruben
►Twitch: https://www.twitch.tv/rubengisbert
►TikTok: https://www.tiktok.com/@rubengisbert

TO COLLABORATE AND HELP KEEP CREATING CONTENT:
►Patreon: https://www.patreon.com/laguaridadelzorro
►PayPal donations: https://www.paypal.com/donate/?cmd=_s-xclick&hosted_button_id=6YHX8UT3AR786&source=url

Become a member of this channel:
https://www.youtube.com/channel/UCkHR9m-tscD3ojD7_viIfTA/join
01 Jun 21:50

Meta forces the author of the book Zuckerberg doesn't want you to read to stay silent at the Hay Festival

by María Ramírez


Sarah Wynn-Williams, author of 'Los irresponsables' (the Spanish edition of Careless People), did not say a word at an event scheduled with her at the Welsh literary festival, which cancelled sales of her book critical of Facebook after a complaint from the company

We wanted to interview this former Facebook executive. Mark Zuckerberg has not allowed it

Sarah Wynn-Williams, a lawyer and former head of global public policy at Facebook, took the stage this Sunday at the Hay Festival, the annual literary gathering in a Welsh village. She sat between Tim Wu, a professor at Columbia University, and the journalist Carole Cadwalladr. Wynn-Williams remained silent throughout the event to avoid a penalty from Meta, the owner of Facebook, Instagram and WhatsApp.

It was one of the most anticipated talks of the festival, billed as a conversation with Wynn-Williams and Wu, who has just published The Age of Extraction, an essay on how the big platforms have become a source of instability and inequality. Two decades ago, Wu coined the term net neutrality as a principle under which Internet providers must treat data traffic without discriminating or prioritizing content, so as to guarantee an open network where operators do not favor their own services or charge others extra. Cadwalladr is the reporter who in 2018 revealed in the Observer the Cambridge Analytica scandal, a consultancy that used the personal data of millions of Facebook users without consent for Donald Trump's 2016 campaign.

Wynn-Williams is the author of Los irresponsables, a chronicle of her seven years at Facebook (the company is now called Meta) that denounces the disdain of egocentric and superficial leaders for the network's negative impact on politics and health, complicity with authoritarian regimes, and an atmosphere of alleged workplace and sexual abuse that reached the very top, including Sheryl Sandberg, the former chief operating officer. The portrait of Mark Zuckerberg is that of a capricious leader, eager for attention from politicians and for the constant adulation of his employees. The original English title, Careless People, comes from a quote in The Great Gatsby, the novel by F. Scott Fitzgerald: "They were careless people. Tom and Daisy smashed up things and creatures and then retreated into their money or their vast carelessness, or whatever it was that kept them together, and let other people clean up the mess they had made."

Meta says Wynn-Williams's book contains "false and defamatory" information, though it does not go into detail.

The Hay Festival event promised to be an "open and candid conversation" about "the inner workings of social media's unprecedented influence, the hidden forces shaping our online lives and the urgent questions about democracy, privacy and accountability in the digital age". Instead, the former Facebook employee could not say a word.

Sarah Wynn-Williams, author of 'Los irresponsables' and former Facebook employee, at the Hay Festival this Sunday in Hay-on-Wye, Wales.

Silence

Wynn-Williams is used to silence around her book, which was published in English in March 2025. At that point Meta went to the arbitration system that handles commercial disputes in the United States and argued that its former employee should not be allowed to speak about the book because of the contract she signed to receive severance pay in 2017.

A few hours after the book reached bookstores in the United States, Meta obtained a legal order preventing Wynn-Williams from promoting it. The arbitrator's decision did not affect the publisher or the publication of the book, which has sold more than 150,000 copies and which the publisher Península released in Spanish last July. But Wynn-Williams could not in any way "amplify" any content of her book that could be considered "critical or disparaging comments" about her former employer. 

The author did not give the usual promotional interviews for her book at the time and did not appear at public events to talk about it for almost a year. In March of this year, Wynn-Williams, who is a New Zealand diplomat and now lives in the United Kingdom, ventured to take part in some public talks on technology, democracy and artificial intelligence, now her field of expertise, but without mentioning Meta or what her book recounts. 

At one of the few events she did in early March, in a small room at Blackwell's bookshop in Oxford, with no streaming and hardly any coverage (given the poor local infrastructure), Wynn-Williams sat in silence, with an impassive air, while the moderator read passages from Los irresponsables. Even those paragraphs were carefully chosen to avoid the most controversial or Facebook-critical parts. 

But events like the one in Oxford annoyed Meta, which again asked the arbitrator for emergency intervention to prevent Wynn-Williams from taking part in public forums where her book was mentioned or sold. After Meta's renewed efforts, Wynn-Williams's lawyer advised her to say nothing at all at the event already scheduled in Wales. The festival, rather than cancelling the talk or removing the author from the panel, chose to stage the legally mandated silence. 

Tim Wu, Sarah Wynn-Williams and Carole Cadwalladr at the Hay Festival this Sunday in Hay-on-Wye, Wales.

The festival's programming director, Helen Bagnell, announced to the audience that, on legal advice, the author could not speak but was accompanying the speakers on stage, and that the audience was thus witnessing "an important act of solidarity with the silenced". 

Wu, the Columbia University law professor, criticized what was happening: "This is a living example of censorship. We have to call it by its name. This is the era of private censorship. It is an imposition of power," he said. "It shows that some of the worst abuses of our time are not limited to kings, emperors or governments, but are committed by a kind of company that has assumed sovereignty and seeks to impose its power in the same way despotic states do."

"Blink twice"

The author sat in silence and did not dare even to nod or shake her head. "This could be a first for Hay, we have an author in a hostage situation," said Cadwalladr, the journalist. "Blink once if you can hear us, Sarah; twice if Zuckerberg is an idiot." 

The author barely moved. She already has practice in not blinking or gesturing when there are references to Meta or her book. At the end of the event, the audience gave her an ovation so intense it brought her to tears. 

The path Meta has taken may set a precedent for freedom of expression, especially in Silicon Valley, where contracts like Wynn-Williams's, designed to prevent criticism of company practices, are common. 

The company has described the book as "a mix of outdated and previously reported claims" about the company and "false accusations" about its executives, and says it fired her for "poor performance" and that her harassment complaints were unfounded. But the company has chosen to pursue her not over the book's content but over the contract she signed on leaving, which forbids her from saying a disparaging word about her former employer or anyone who works there. There is an ongoing court case about the legitimacy of this practice and whether that contract remains in force forever. Meanwhile, Meta keeps trying to ensure the lawyer and her book get as little exposure as possible. 

During the Hay Festival event, Cadwalladr read the letter from Wynn-Williams's lawyer detailing Meta's latest complaints to the tribunal. In March, just as the author spoke in Oxford and the English paperback edition was published, Meta went to the arbitrator appointed in her case in the United States to request a financial penalty against Wynn-Williams for allegedly violating the preliminary order under her contract.

According to the explanation given in the lawyer's letter, Meta maintains that the author violates the order "every time she appears in public in a place where she should know her book is on sale and her presence could draw attention to it", for example, a bookshop. Meta preemptively identified her participation in the Hay Festival "as conduct that must be formally sanctioned".

The lawyer in charge of the arbitration refused to lift the temporary order that has hung over the author for more than a year and warned that she must not speak at any event "where her presence would likely encourage sales" of her book.

A minister in the British government stated during a debate on labour rights in the House of Commons that each violation could cost the author 50,000 dollars (more than 43,000 euros). As a precaution, the Welsh festival withdrew the book from sale. 

Meta said this Monday in a statement shared with elDiario.es and other outlets that "this is an arbitrator's ruling, not a decision by Meta to silence anyone". "We have the right to ask that the terms of that ruling be complied with," the company says, insisting on the provisional arbitration ruling that Wynn-Williams accepted and which "explicitly prohibits the promotion of her book". It also notes that the text is public.

The threat of AI

At the events that annoyed Meta in March, the author focused on a broader discussion more tied to the current moment, in particular artificial intelligence and the data centres the United Kingdom is trying to attract. 

The author questioned the enthusiasm of the British prime minister, Keir Starmer, for attracting these centres as a supposed generator of jobs.

"Have you ever been in a data centre? There is nobody there. I wonder whether in his head it is like an Amazon warehouse and he pictures gigantic warehouses full of people working," Wynn-Williams explained at the Oxford bookshop. "After spending a lot of time in freezing conditions trying to negotiate all sorts of things related to data centres, what strikes you most about these places is their silence. They are so quiet and so empty... And the lack of jobs is so obvious that I wonder: is it naivety? On my darkest days, I think about the fact that the former prime minister [Rishi Sunak] is now an adviser to Anthropic and Microsoft, and that a former chancellor [George Osborne] now works at OpenAI... If it isn't naivety, could it be complicity?"

One of her main messages in 2026 is that the experience of social media, and how it has altered our world, should now serve as a lesson for regulating artificial intelligence companies. "Many of the problems that arose with social media, and the difficulty of regulating it and balancing it against free speech and against companies that are transnational or have global reach and are not necessarily subject to local laws, come from the fact that politicians did not come from that environment and were therefore slow to understand the implications," said the lawyer and diplomat. "And that seems to be doubly true for AI."

In the discussion after the Oxford conversation, Sarah Wynn-Williams told elDiario.es that the greatest threat AI now poses lies in its military uses: "The idea of abdicating human decision-making around lethal autonomous weapons is enormous, and it fundamentally changes geopolitics," she said. She then encouraged citizens to get more involved, because the problems AI raises "are existential in a way that social media was not".

Does she have Facebook?

Asked by this newspaper whether she still uses social media, Wynn-Williams answered with another question: "Is anyone in this room because they saw something on my social media tonight?" No, the writer shares nothing on social networks. But she also said that, beyond the fact that she has abandoned them, she is very cautious about disparaging them, and gave the example of parents who organize in social media groups to campaign for limits on minors' use of social networks or phones. 

What encourages her is a reaction she did not see before against the misuse of technology, because there are many people "who are thinking seriously about their own use of these technologies", for example with the backlash against Elon Musk's X. It is, in her view, a matter of personal decisions and also of regulation: "We need things to happen at every level of society," she said.

Citizen pressure on public representatives sometimes begins with conversations among friends and colleagues about personal use of technology. "All these processes are complicated. So you don't know which is the last little crack in the windscreen that brings everything down," she said. "But the more you do, the more you talk about it, the more likely it is that change happens fast."

01 Jun 20:29

The Best CI/CD Tools for 2026

Author: Angelo Saraceno

Standard SEO-flavored title, one caveat up front.

The phrase "CI/CD tools" suggests a category of products that exist independently of the platforms they deploy to. In 2026, for most teams reading this, that is no longer the right way to think about it.

The ranking will reward both readers: the ones who want a standalone CI/CD product, and the ones who should be re-evaluating whether they need one at all.

House rule: every claim in this post is sourced, no handwaving.

CI/CD as a separate category exists mostly because deploy was historically painful enough that you had to build your own pipeline on top of platforms that didn't handle it. The modern PaaS providers handle build, test, deploy, preview environments per pull request, environment promotion, secrets, and rollbacks natively. If you are on one of those platforms, you probably do not need a standalone CI/CD product. If you are not, you do. This list treats both cases honestly.

What CI/CD does

A CI/CD pipeline, when fully built out, handles seven things.

Build. Compile, bundle, containerize. Cache the result.

Test. Run unit, integration, end-to-end. Block the deploy on failure.

Deploy. Push the artifact to the target environment, run database migrations if any, swap traffic, verify health.

Preview environments. Spin up an ephemeral copy of the app for every pull request so reviewers can poke at it.

Promote. Move artifacts from staging to production with the same artifact bytes, not a rebuild.

Rollback. If production breaks, return to the last known good deploy in seconds, not minutes.

Secrets and configuration. Surface the right secrets to the right environment without leaking them into logs.

When teams ask "what CI/CD tool should I pick," what they're often asking is "who is going to do these seven things for me?" The answer depends on whether your deploy platform already handles them.

The ten platforms, ranked

At a glance:

Comparison of six CI/CD platforms by best use case, delivery model, and starting price

1. Railway

Best for teams who don't want CI/CD as a separate concern.

The whole pitch of this post is that you don't have to think about CI/CD as a separate problem in 2026, and Railway is the platform that has bet the hardest on that being true. Push to your repo, Railway builds the artifact, deploys to a preview environment per pull request, and promotes to production on merge. Secrets are per-environment. Rollbacks are one click. The build cache is on us.

What makes Railway agent-native: every step of that pipeline is also reachable from Claude Code, Cursor, or Codex over MCP. You can prompt the agent to spin up a new environment for a feature branch, run a test suite, redeploy a service, or roll a config change, and the platform handles it. The Stripe Projects CLI extends this to provisioning entire stacks via an agent, end to end.

For overworked dev teams who do not have an engineer to dedicate to maintaining a Jenkinsfile, this matters. Internal tools and production deploys live on the same platform, with the same primitives, on the same bill. You stop thinking about CI/CD because the deploy platform handles it; you stop thinking about internal-tool hosting because the same platform serves it.

Features: native preview environments per PR, branch-deploy automation, build cache, one-click rollback, secrets and config per environment, MCP server for agent-driven CI/CD, Stripe Projects CLI for end-to-end agent provisioning, private networking between deploy environments.

Pricing: $5 Hobby with included usage credit, Pro at $20/seat. CI/CD is included in the platform; you don't pay extra for it.

Best for full-stack teams that don't want a separate CI/CD tool, teams whose engineers' time is the constraint, teams who want the agent to drive deploys, teams running internal tools and production deploys on the same surface.

Honest trade-offs: if your CI/CD needs sit outside of "build, test, deploy this repo," such as complex pipeline orchestration across many systems, regulated compliance pipelines, or build farms doing release engineering for non-Railway-hosted artifacts, you still want a dedicated CI/CD tool. Railway is not trying to be Jenkins for the JPL.

Compare: Railway vs Fly, Railway vs Render, Railway vs Vercel.

2. GitHub Actions

Best for standalone CI/CD on a GitHub repo.

GitHub Actions is the default CI/CD for anything on GitHub. Free for public repos, generous limits for private ones, an enormous marketplace of third-party actions, and runners that can be self-hosted or GitHub-managed. If you have decided you want a separate CI/CD tool, Actions is almost certainly the right answer for any team starting fresh in 2026.

Features: native GitHub integration, matrix builds across runtime versions, self-hosted runners, third-party action marketplace, secrets at repo / org / environment levels, environments with deploy gates.

Pricing: free for public repos; 2,000 minutes/month free for private on the free GitHub plan; per-minute pricing thereafter, with self-hosted runners free.

Best for teams on GitHub who want a real, programmable CI/CD pipeline alongside their repo.

Honest trade-offs: pipeline performance is good but not best-in-class, since CircleCI and Buildkite often beat it on heavier matrices. YAML configuration grows hair on it past a certain size; large monorepos end up with reusable workflows that are a mini DSL of their own. If you are not on GitHub, none of this applies.
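One way the seven stages listed under "What CI/CD does" map onto a standalone GitHub Actions pipeline, as an added example that is not from the original post, from Railway or from GitHub. It assumes a Node app with `npm test` and a Dockerfile at the repo root, a hypothetical `scripts/deploy.sh` that takes an immutable image reference, GitHub environments named `staging` and `production` (with required reviewers configured on `production`), and a lowercase repository name, which GHCR requires. Preview environments are left out; on Actions they would be a fourth job keyed on `pull_request` that deploys the same digest to a per-PR target.

```yaml
# Added example, not code from the original post, Railway or GitHub.
# Assumes: a Node app with "npm test" and a Dockerfile at the repo root,
# a hypothetical scripts/deploy.sh that takes an immutable image reference,
# GitHub environments "staging" and "production" (with required reviewers
# on production), and a lowercase repository name (GHCR requires it).
name: ci-cd

on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:            # manual trigger used for rollback
    inputs:
      rollback_digest:
        description: "sha256:... digest of a previously deployed image"
        required: true

# Start from no permissions; each job asks only for what it needs.
permissions: {}

env:
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-test:
    if: github.event_name != 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write           # needed only to push the image
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4        # in production pin every action to a full commit SHA, not a tag
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci && npm test          # Test: a failure here fails the job, so nothing downstream deploys
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push                         # Build: one immutable artifact, identified by its digest
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  deploy-staging:
    needs: build-test
    if: github.event_name == 'push'      # PRs only build and test; main deploys
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh "${IMAGE}@${DIGEST}"   # Deploy: by digest, never by mutable tag
        env:
          DIGEST: ${{ needs.build-test.outputs.digest }}
          DEPLOY_TOKEN: ${{ secrets.STAGING_DEPLOY_TOKEN }}   # environment-scoped secret

  deploy-production:
    needs: [build-test, deploy-staging]
    runs-on: ubuntu-latest
    environment: production              # deploy gate: required reviewers live on the environment
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh "${IMAGE}@${DIGEST}"   # Promote: the same bytes staging ran, no rebuild
        env:
          DIGEST: ${{ needs.build-test.outputs.digest }}
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}

  rollback:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: production              # the same gate applies to rollbacks
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh "${IMAGE}@${DIGEST}"   # Rollback: redeploy a known-good digest, no rebuild
        env:
          DIGEST: ${{ inputs.rollback_digest }}
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
```

Two caveats the "secrets without leaking them into logs" item glosses over. Actions masks the value of any `secrets.*` reference in job logs, but not values derived from it (a base64 copy, a URL that embeds it); a step that prints such a derived value has to mask it itself with `::add-mask::`. And a `pull_request` event from a fork runs with a read-only `GITHUB_TOKEN` and no access to environment secrets, which is why the workflow keeps untrusted PRs on the build-and-test path and only deploys from `main`.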

3. Vercel

Best for frontend CI/CD inside the Vercel ecosystem.

Vercel is the integrated CI/CD for Next.js and frontend-shaped applications. Preview environments are automatic for every pull request. The build pipeline is optimized for the frameworks Vercel supports.

Features: automatic preview deployments per PR, native Next.js integration, Edge Functions, Fluid Compute with Active CPU pricing (the 2025 update that solved the streaming-workload cost problem), Vercel Postgres (Neon-backed), Vercel KV, image optimization, deploy hooks.

Pricing: Hobby free; Pro $20/seat with included credit, plus usage-based add-ons. Bandwidth and per-seat costs are the more legitimate 2026 critique.

Best for frontend-heavy teams, Next.js shops, static and ISR-heavy sites.

Honest trade-offs: the CI/CD is tightly coupled to Vercel's runtime model. For anything past the frontend, you are pairing Vercel with a real backend platform and your CI/CD spans two surfaces.

Compare: Railway vs Vercel.

4. CircleCI

Best for standalone CI/CD with serious test orchestration needs.

CircleCI is the standalone CI/CD product that has aged the best. Strong test parallelization, an Orbs ecosystem for reusable pipeline components, and a UI that handles large matrices better than most peers. If you are running a CI workload that's heavy on parallel test execution, CircleCI's parallelism model is often faster than GitHub Actions.

Features: parallel test execution, Orbs reusable config, self-hosted runner option, Docker-layer caching, insights and test analytics.

Pricing: free tier with 6,000 build-minutes/month; paid tiers from $15/mo for more credits and concurrency.

Best for teams with expensive test suites where parallelism pays for itself. Teams that have outgrown GitHub Actions on matrix performance.

Honest trade-offs: it is the second product in a category where GitHub Actions is the default. If you don't have a specific reason to use CircleCI, GitHub Actions is the cheaper-friction choice.

5. Render

Best for predictable-bill CI/CD inside a PaaS.

Render handles CI/CD natively for the apps it hosts. Preview environments per PR, native build pipeline, autoscaling, rollback. The same shape as Railway's CI/CD story but with a fixed-price billing model instead of usage-based.

Features: native preview environments, git-deploy, Docker support, managed Postgres and Key Value, cron jobs, private networking.

Pricing: instance-based tiers starting at $7/month. CI/CD is included.

Best for small to mid-size teams that want a fixed monthly bill and the PaaS-bundled CI/CD experience.

Honest trade-offs: free tier services sleep aggressively (15-minute idle timeout). Multi-region is effectively one region per service.

Compare: Railway vs Render.

6. GitLab CI

Best for GitLab-shop CI/CD.

GitLab CI is GitLab's repo-integrated CI/CD product. The same shape as GitHub Actions, but for GitLab. Strong if your team already uses GitLab, not relevant otherwise.

Features: native GitLab integration, parent-child pipelines, dynamic environments, Auto DevOps, container registry built in.

Pricing: free tier for public projects and small teams; paid tiers for self-hosted runners at scale.

Best for teams on GitLab. Teams running self-hosted GitLab who want everything (repo, CI, registry) on one server.

Honest trade-offs: it lives inside the GitLab ecosystem; if you're on GitHub or Bitbucket, this isn't your tool.

7. Buildkite

Best for hybrid self-hosted CI/CD at serious scale.

Buildkite is the CI/CD product that serious infrastructure teams pick when they have outgrown the hosted-runners model. You run the agents on your own infrastructure (your AWS, your data center); Buildkite orchestrates the pipeline. Used at Shopify, Pinterest, Airbnb scale.

Features: self-hosted agents, parallel pipeline orchestration, dynamic pipelines, fan-out builds, plugin ecosystem.

Pricing: free for open source; paid tiers from $15/user/mo. You pay for orchestration; you pay for your own compute.

Best for teams big enough that hosted runner costs dominate the CI bill, teams that need to run builds inside their own VPC, teams that have a platform engineer to operate Buildkite agents.

Honest trade-offs: not the right answer for most teams under 50 engineers; the operational cost of running agents only pays off at scale.

8. Argo CD

Best for Kubernetes-native continuous deployment.

Argo CD is the GitOps tool of choice for Kubernetes shops. Declarative: you commit Kubernetes manifests, Argo reconciles cluster state to match. It is not a CI tool; it is a CD tool. Pair it with GitHub Actions, Jenkins, or anything that produces images.

Features: GitOps declarative model, multi-cluster sync, app-of-apps pattern, drift detection, automated rollback on health-check failure.

Pricing: open source, free. Hosted versions available from Akuity and Codefresh.

Best for teams running Kubernetes who want their cluster state to track git.

Honest trade-offs: only useful if you're already on Kubernetes. The mental model is "your cluster is a function of your repo," which is great if you live in that world and noise if you don't.

9. Jenkins

Best for legacy, regulated, or self-hosted CI/CD at scale.

Jenkins is the historical anchor of CI/CD, like Heroku for PaaS. Open source, self-hosted, infinitely pluggable, and old enough to have outlived several generations of competitors. In 2026 Jenkins is still the dominant CI tool in large enterprise environments and regulated industries; in greenfield environments, it is almost never the right choice anymore.

Features: open-source self-hosted, massive plugin ecosystem, declarative or scripted pipelines, distributed build agents, fits any compliance posture because you control everything.

Pricing: free. Your cost is the engineer-hours operating it.

Best for regulated industries (financial services, defense, healthcare) where pipeline auditability and self-hosting are non-negotiable. Teams with existing Jenkins investment too big to migrate.

Honest trade-offs: you operate Jenkins. The plugin ecosystem is also where most of the security exposure lives. If you are not already on Jenkins, you are almost certainly better served by GitHub Actions or a hosted competitor.

10. Bitbucket Pipelines

Best for Bitbucket-shop CI/CD.

Bitbucket Pipelines is Atlassian's repo-integrated CI/CD, for teams on Bitbucket. The same shape as GitHub Actions and GitLab CI, with the Atlassian-flavored UX.

Features: native Bitbucket integration, Docker-based pipelines, deploy environments, integration with Jira and the rest of Atlassian's stack.

Pricing: free tier with 50 build minutes/month; paid tiers from $3/user/mo.

Best for teams on Bitbucket, teams already in the Atlassian ecosystem.

Honest trade-offs: it lives inside Atlassian's universe. If you are not there already, you would pick GitHub Actions instead.

The agent-native bet

CI/CD as a category was about codifying the deploy pipeline so humans didn't have to remember it. The next category is about making the pipeline reachable to agents, so humans don't have to write it either. Railway's bet is that the right architecture for this is an MCP server that exposes deploy primitives directly to the agent (branch operations, environment provisioning, secret rotation, deploy rollback) without a YAML file in the middle.

This matters for overworked dev teams because most of the CI/CD complexity that gets blamed on the tool is pipeline boilerplate. A team of three engineers shouldn't be writing a 400-line YAML pipeline to deploy a Node app. The agent should be writing and running those for them, on a platform that exposes the right primitives. That is the contract we have built toward.

The second-order point: when CI/CD lives inside the deploy platform, internal tooling and production workloads end up on the same surface. The same primitives (build, deploy, secrets, rollback) serve the staging cluster, the internal dashboards, the analytics jobs, and the production API. You stop reaching for a separate "internal tools platform" too.

A closing note

If your team is already on a modern PaaS, you have CI/CD; you just stopped thinking about it as a separate problem. That is the correct outcome, not a gap. Pick the deploy platform that handles the seven things above, set up the agent integration if you have one, and don't go shopping for a CI/CD tool you don't need.

If your team is not on a modern PaaS, because of compliance, scale, or stack constraints that justify it, the standalone tools on this list are real and the ranking is honest. The gravity is mostly toward GitHub Actions for greenfield, Jenkins for legacy, and Buildkite for serious scale.

If your current "CI/CD" is a 400-line shell script someone wrote in 2019 that nobody fully understands anymore, the right move is to give yourself the quarter back.

Happy shipping.

Angelo


Angelo Saraceno is a Solutions Engineer at Railway. Before Railway he was at Citrix, working inside Verizon and Lockheed environments, so he has seen what "enterprise IaaS" looks like after the slides come down. He writes about infrastructure, deployment, and the gap between how cloud is sold and how it runs in practice.


01 Jun 20:29

The Best Serverless Platforms in 2026

Author: Angelo Saraceno

Every year a fresh crop of "best serverless platforms" listicles ships, every year they rank the same eight FaaS vendors against each other, and the question that matters (what should I run my app on?) gets buried under feature matrices. The 2026 answer: "serverless" no longer means one thing. It points at three runtime contracts, and the right pick depends on which one matches the app you already have.

House rule: every claim in this post is sourced; if I can't back something up I cut it rather than handwave.

Before Railway I was at Citrix working on customer environments for shops like Verizon and Lockheed Martin, which is a polite way of saying I spent years inside other people's infrastructure decisions. Strong opinions about what a "platform" should do, low tolerance for marketing that pretends a Lambda rewrite is free.

The shortlist below is ranked by how often the platform is the right answer in 2026, not who has the biggest billboards. Railway is at the top because the economics now favor full-app scale-to-zero over function-shaped serverless for most workloads. I'll defend the ranking and tell you where Railway is the wrong call.

"Serverless" in 2026, defined

The word got stretched across three things and never recovered. Before ranking, agree on vocabulary.

Contract 1: Function-as-a-Service (FaaS). You write handlers. The platform routes events to them, spins them up on demand, charges per invocation and per GB-second. AWS Lambda invented this in 2014; Cloudflare Workers, Vercel Functions, and Azure Functions run the same contract with different runtimes. You either started serverless-native or you rewrote.

Contract 2: Container-as-a-Service with scale-to-zero. You hand the platform a container. It runs on demand, scales to zero when traffic dies, bills per request and per CPU-second. Google Cloud Run is the canonical example; AWS Fargate plays the same game.

Contract 3: Full-app scale-to-zero on usage-based pricing. You push your app. The platform runs it like a normal long-lived process, sleeps the container when there's no traffic, and only charges for resources consumed. No handler rewrite, no per-invocation accounting, no cold-start budget. Railway is the canonical example.

Once you have these three buckets in your head, the rest of this post is a sort.

The 10 platforms, ranked

At a glance:

Comparison of six serverless platforms by runtime contract, best use case, and scale-to-zero support

1. Railway

Best for full-app serverless with usage-based pricing and no rewrite.

Railway runs your existing container, scales it to zero when traffic stops, and only charges for the CPU, memory, network, and disk you used. Keep your Dockerfile (or let Railpack build from source), keep your runtime, keep your framework, and the bill stops when the traffic stops. No FaaS rewrite, no cold-start budget, no "Lambda-shaped app" trap. The platform also ships native managed Postgres, MySQL, Redis, and MongoDB, so the database isn't a second vendor.

The agent story is where 2026 Railway diverges from the rest of this list. Railway exposes an MCP server, so Claude and other tool-using agents can read project state and drive deploys directly. The Stripe Projects CLI integration means an agent can provision a Railway service against a Stripe-backed account end to end without a human pasting API keys. Pair that with git-deploys, PR environments, instant rollbacks, and private networking, and the platform stops being a Heroku replacement and starts being the substrate an LLM can operate.

Features: scale-to-zero on full containers, usage-based pricing, git-deploy, Railpack, Dockerfile support, native Postgres / MySQL / Redis / MongoDB, MCP server, Stripe Projects CLI agentic provisioning, private networking, PR environments, config-as-code, multi-region, volumes.

Pricing: Hobby at $5/month with included usage credit, Pro at $20/seat. Usage-based on CPU, memory, network, and storage on top.

Best for product teams shipping web apps, API backends, full-stack frameworks, internal tools, agent-driven deploys, anyone on Heroku or Render who wants serverless economics without the rewrite.

Trade-offs: if your workload is a true FaaS shape (millions of tiny edge-routed invocations, sub-50ms cold-start budget, CDN-tier geographic distribution), Cloudflare Workers will be cheaper and faster; Railway is not an edge platform. Railway is also opinionated about service structure; if you want raw VM access with sudo, Fly Machines gives you that and Railway does not.

Compare: Railway vs Fly, Railway vs Render, Railway vs Vercel.

2. AWS Lambda

Best for event-driven glue inside an existing AWS estate.

Lambda is the historical anchor. It invented FaaS pricing, it's been GA since 2014, and for most AWS-resident teams it's already part of the vanilla cloud stack (S3 triggers, SQS consumers, EventBridge handlers, API Gateway routes). If you live in AWS, you are using Lambda whether you call it your serverless platform or not.

Where Lambda gets oversold is as a primary runtime for a team that didn't start there. Chopping a Rails or Express app into discrete handlers is a multi-month project, and the result is harder to reason about, not easier. The "Lambda-shaped app" trap: handlers need shared state so you bolt on DynamoDB, then orchestration so you bolt on Step Functions, then long-running work so you bolt on Fargate anyway.

Features: per-event invocation, 15-minute max execution, provisioned concurrency, SnapStart for Java, Node / Python / Ruby / Java / Go / .NET runtimes, VPC integration, layers, response streaming.

Pricing: per-invocation plus per-GB-second. Free tier of 1M requests/month and 400k GB-seconds.

Best for AWS-native teams, event-driven glue, scheduled jobs, anyone whose architecture is already serverless-shaped.

Trade-offs: cold starts are still a real problem for latency-sensitive paths (provisioned concurrency exists and costs money). VPC-attached Lambdas inherit AWS networking pain. Observability requires CloudWatch (or paying a third party to make CloudWatch tolerable). And the rewrite tax for non-serverless-native apps is almost always larger than the infra savings, which is the next section.

3. Cloudflare Workers

Best for edge-shaped workloads.

Workers run on V8 isolates instead of containers, which means cold starts in single-digit milliseconds and a 0ms cold-start claim that holds up for most workloads. The platform runs in 300+ Cloudflare PoPs, so handlers execute close to the user. For request routing, auth middleware, A/B logic, and lightweight APIs, Workers is the cheapest and fastest option on this list.

The catch: the Workers runtime is not Node. It implements a subset of Node-compat plus Cloudflare-specific APIs (Durable Objects, KV, R2, D1, Queues, Workflows). Many npm packages run, many don't, and the failure mode is usually "works locally, breaks on deploy."

Features: V8 isolates, sub-millisecond cold starts, 300+ PoPs, Durable Objects, KV, R2, D1 SQLite, Queues, Workflows, Cron Triggers, Workers AI, Hyperdrive, Smart Placement.

Pricing: free up to 100k requests/day, paid plan at $5/month for 10M requests included, then $0.30 per additional million.

Best for edge APIs, middleware, auth and routing layers, low-latency global apps.

Trade-offs: runtime constraints are real and you'll discover them at the worst possible moment. Durable Objects lock you in more deeply than Lambda locks you into AWS. Debugging is harder than a normal container. If your app needs a long-lived process (websockets at scale, anything stateful beyond DOs), you're outside the contract.

4. Google Cloud Run

Best for container scale-to-zero with first-class GPU support.

Cloud Run is the cleanest implementation of Contract 2. Give it an image, get a URL, scale from zero to many based on request volume. The June 2025 GA of GPU support (NVIDIA L4) made it credible for AI inference, which used to be a Modal-only story.

The thing nobody warns you about is the GCP setup tax. To use Cloud Run well you also touch Artifact Registry, IAM, VPC connectors, Cloud SQL, Secret Manager, and probably Cloud Build. If you already operate in GCP, fine; if you don't, you are buying a cloud, not a platform.

Features: container scale-to-zero, scale-to-many, request-based and CPU-based pricing, GPU support (NVIDIA L4), VPC connectors, Cloud SQL, IAM-bound services, traffic splitting, revisions, jobs (batch).

Pricing: per-request and per-CPU-second, with a generous free tier (2M requests, 360k vCPU-seconds, 180k GiB-seconds per month). GPU pricing on top.

Best for GCP-native teams, AI inference, containerized backends with a Dockerfile, batch jobs.

Trade-offs: GCP onboarding is real work. Cold starts on GPU instances are non-trivial (model load time dominates). Per-region only; multi-region requires you to wire it up.

5. Vercel Functions (with Fluid Compute)

Best for Next.js-shaped frontends with serverless backends behind them.

Vercel sells frontend hosting, and Vercel Functions is the backend you reach for when you're already on the frontend product. The April 2025 launch of Fluid Compute and Active CPU pricing cut function bills by 80%+ on I/O-bound workloads by only billing for CPU when the function is doing work, not when it's idle waiting on I/O. For a Next.js app that calls OpenAI on every request, this is a real cost reduction.

If you aren't on Next.js, Vercel Functions is harder to justify. The value proposition gets thinner the further you drift from that center.

Features: Fluid Compute, Active CPU pricing, edge functions, Node and Python runtimes, ISR, image optimization, preview deploys, Vercel KV / Blob / Postgres, AI Gateway.

Pricing: Hobby free, Pro at $20/seat/month, then usage-based on function execution, bandwidth, and storage.

Best for Next.js teams, frontend-heavy apps with light backends, Jamstack-shaped projects.

Trade-offs: pricing is famously hard to predict at scale, and bandwidth overages on viral content have produced a steady drip of public horror stories. Lock-in to Vercel-specific abstractions makes leaving expensive.

Compare: Railway vs Vercel.

6. Modal

Best for Python-native AI workloads and GPU batch jobs.

Modal is what you reach for when your workload is "run this Python function on a GPU, sometimes." It's Python-first (decorate functions with @app.function and Modal handles containerization, scheduling, and GPU allocation), supports cold-start times in single-digit seconds for large models, and prices by the second. For ML inference that doesn't justify a long-running GPU container, Modal is the most ergonomic option on this list.

It is not a general-purpose application platform and doesn't try to be. No managed Postgres, no service mesh, no preview environments. A serverless GPU runtime with a beautiful Python SDK.

Features: Python-native function deploys, GPU support (A10G, A100, H100, H200, B200), per-second billing, web endpoints, scheduled functions, batch jobs, volumes, secrets, queues.

Pricing: per-second compute plus per-GPU-second rates. Free tier for hobbyists, then usage-based.

Best for ML inference, batch GPU jobs, Python data pipelines, fine-tuning workloads.

Trade-offs: Python only. Not a place to run your main web app. Pricing is great if your workload is bursty, terrible if steady-state (a dedicated GPU is cheaper for 24/7 inference).

7. Azure Functions

Best for .NET shops in the Microsoft ecosystem.

Microsoft's FaaS answer. The Consumption plan offers scale-to-zero with per-invocation pricing. For teams already on Azure (Entra ID, Cosmos DB, Service Bus), it slots in cleanly. .NET support is best-in-class because Microsoft writes both the runtime and the platform.

Outside that context the case is weaker. Developer ergonomics lag Lambda's, and documentation is famously dense.

Features: Consumption plan with scale-to-zero, Premium plan with pre-warmed instances, Durable Functions, .NET / Node / Python / Java / PowerShell, Application Insights integration.

Pricing: per-execution plus per-GB-second on Consumption. Free grant of 1M executions and 400k GB-seconds per month.

Best for .NET teams, Microsoft-shop estates, orgs with an Enterprise Agreement that already includes Azure spend.

Trade-offs: outside the Microsoft ecosystem, hard to justify. Cold starts on Consumption are slower than Lambda's for most runtimes. Tooling sprawl is its own learning curve.

8. AWS Fargate and ECS Express Mode

Best for container serverless on AWS without the Lambda rewrite.

Fargate is AWS's answer to "I want Lambda economics but I have a real container." Hand it an image, it runs on ECS or EKS without you provisioning EC2 capacity. ECS Express Mode is the App Runner successor; App Runner moves to maintenance mode (announced March 31, 2026; stops accepting new customers April 30, 2026; existing customers continue). If you're starting fresh on AWS container serverless, Express Mode is the path.

Fargate fits when you're already deep in AWS and need a container alongside Lambda, RDS, S3, and the rest of the estate without managing nodes. Outside that context, it's a heavier lift than Cloud Run or Railway for the same job.

Features: container scale-to-many (scale-to-zero via Express Mode), ECS and EKS launch types, VPC-native, IAM-bound tasks, ALB/NLB integration, CloudWatch logging, Spot pricing, Graviton support.

Pricing: per-vCPU-second and per-GB-second of memory. No included free tier; Express Mode adds request-based billing on top.

Best for AWS-resident teams, container workloads alongside an AWS estate, anyone migrating off App Runner.

Trade-offs: pricing is higher than equivalent EC2 compute for steady-state workloads. Cold-start behavior on Express Mode is slower than Cloud Run's. Networking setup is the usual AWS tax.

9. Fly Machines

Best for VM-based serverless with multi-region as a first-class concept.

Fly Machines run your container as a Firecracker microVM that can be stopped and started in roughly a second. Multi-region is the headline: pin a Machine to a region or run replicas across many, and the routing layer sends users to the nearest instance. For workloads where geographic distribution matters (and is not just CDN cacheable), this is the right contract.

Reliability is where I have to be careful. The October 2024 fleet-wide outage shook customer confidence, and there have been further regional and platform incidents through 2025 and into 2026. If your workload is mission-critical and single-region, the trade is not obviously worth it.

Features: Firecracker microVMs, auto-stop / auto-start, multi-region anycast routing, Fly Postgres, persistent volumes, GPU support, WireGuard private networking, Machines API.

Pricing: per-second compute when Machines are running, storage and bandwidth on top.

Best for multi-region apps, latency-sensitive global workloads, teams who need VM-level control with serverless billing.

Trade-offs: reliability is the thing to dig into before you commit. Fly Postgres has its own history of incidents. Support is community-flavored; if you need an enterprise SLA, look elsewhere.

Compare: Railway vs Fly.

10. Render (with scale-to-zero)

Best for predictable-bill PaaS with a scale-to-zero option on the cheap tiers.

Render is the predictable-bill alternative: pick an instance size and pay a flat monthly fee; scale-to-zero is available on the free tier, with a 15-minute idle timeout. If your workload is steady and you want to know the bill before the month starts, Render's pricing is friendlier than Railway's metered model.

The trade is that you're paying for capacity you might not be using, which is the problem usage-based pricing fixes. For low-traffic side projects, scale-to-zero with a 15-minute spin-down is fine. For production, cold-start latency on request 1 makes it not much of a serverless story.

Features: scale-to-zero on free tier, instance-based pricing on paid tiers, native Postgres and Redis, preview environments, autoscaling, private services, cron jobs, blueprints (config-as-code).

Pricing: free tier with 15-minute idle timeout, paid instances from $7/month, database from $7/month.

Best for predictable-bill shops, side projects on the free tier, teams who explicitly want flat pricing.

Trade-offs: scale-to-zero on free means cold starts on every first request after idle, which is a bad production story. Paid tiers don't scale to zero, so you're paying for idle capacity. Feature velocity has been quieter than competitors in 2025-26.

Compare: Railway vs Render.

The rewrite tax

This is the part the listicles skip. FaaS pricing looks fantastic on the calculator: a million invocations for pocket change, no idle cost, infinite scale. The calculator doesn't include the engineer-months to chop your existing app into handlers.

If you didn't start serverless-native, the rewrite is the real cost. Break a long-lived process into stateless functions, move in-memory state to Redis or DynamoDB, replace background jobs with queues and Step Functions, redesign request handling around 15-minute limits and cold-start budgets, redo observability because CloudWatch on Lambdas is not the same shape as logs from a normal process. Two quarters of senior engineering time, easily, for a mid-sized app.

The contrarian read: most teams overestimate FaaS savings and underestimate rewrite cost. If your infra bill is $2k/month and the rewrite is six engineer-months, the math never works. Full-app scale-to-zero sidesteps the rewrite entirely. You get serverless economics on the app you already have.

When serverless is the wrong call

If any of these describe your workload, none of the platforms above are the right answer and you should run a long-lived container or VM.

Long-running jobs. Anything past Lambda's 15-minute limit, anything that holds state across hours, anything that's really a batch pipeline. Use a container on Railway or Fargate, or Modal for GPU batches.

Stateful workloads. Databases, queues, anything owning durable state. Run them as managed services (Railway's native Postgres, RDS, Cloud SQL) or on dedicated infra. Putting them on FaaS is malpractice.

Persistent connections. Websockets at scale, gRPC streams, long-polling, SSE. FaaS platforms have hacky support; container platforms with scale-to-many (Railway, Cloud Run, Fly) handle this naturally.

Cold-start-sensitive UX. If a 500ms cold start kills your product (real-time multiplayer, interactive AI demos, payment flows), pay for warm instances, or pick a platform with sub-millisecond starts (Cloudflare Workers) if your workload fits that runtime.

Serverless is a billing model wearing a runtime model's clothes. Match the billing to traffic shape, match the runtime to the app shape, and don't let a marketing word make you pick the wrong one.

Closing

Lambda is part of vanilla AWS for most teams already, and that's fine. The question this post answers is what to reach for when you're picking a primary application platform in 2026, and the answer for most teams is full-app scale-to-zero on usage-based pricing. Keep the codebase you have, stop paying when nobody's hitting it, let the agent drive deploys, and nobody on the team learns what a cold-start budget is.

Give yourself the quarter back. Don't rewrite into handlers because a calculator told you to.

Happy shipping.

Angelo


Angelo Saraceno is a Solutions Engineer at Railway. Before Railway he was at Citrix, working inside Verizon and Lockheed environments, so he has seen what "enterprise IaaS" looks like after the slides come down. He writes about infrastructure, deployment, and the gap between how cloud is sold and how it runs in practice.


01 Jun 20:28

The Best Cloud Observability and Logging Tools in 2026

Author: Angelo Saraceno

Observability used to be a budget line item nobody understood and everybody dreaded. You bought Splunk, watched the bill balloon, then quietly cut retention from 90 days to 30, then to 7, then prayed nothing broke during an audit. The story has improved, slightly. The pricing has not.

What changed is that observability fragmented into three pillars: logs, metrics, traces. Then it tried to unify itself through OpenTelemetry. Then a generation of platforms launched promising to be cheaper than Datadog. Some delivered. Most repackaged the same problem.

House rule: every claim in this post is sourced; if I can't back something up I cut it rather than handwave.

Before Railway I was at Citrix, where my customer environments included Verizon and Lockheed. Both ran observability stacks that cost more than most startups' Series A. I have opinions about what you need versus what a vendor will sell you. Most teams asking "what observability tool should I use" have one of three real problems. Either their PaaS doesn't give them basic observability and they need to bolt something on; or they've outgrown their PaaS-bundled observability and need a real APM; or they're on vanilla cloud (AWS, GCP, bare EC2) and they need to assemble a stack from parts.

This post helps you figure out which bucket you're in, then ranks the ten platforms worth considering in 2026. I'll be direct about which ones I would pick and which ones are coasting on enterprise inertia.

The three pillars (and why unifying them matters)

Observability is a fancy word for "can you tell what your system is doing without SSH'ing into a box at 2am." It traditionally splits into three pillars.

Logs are timestamped text events. Your app says "user logged in," "request failed," "cache miss." Logs are the oldest and most universal signal. They are also the most expensive to store at scale because text is bulky and high-cardinality.

Metrics are numeric time series. CPU at 73%, request latency p99 at 240ms, queue depth at 1,200. Metrics are cheap to store (numbers and timestamps) and great for dashboards and alerts, but they don't tell you why something happened.

Traces are the path a single request took through your system. Service A called Service B which called the database, and here's how long each hop took. Traces are how you debug distributed systems. They are also the hardest to set up correctly because they require instrumentation in every service.

You used to need three different tools for these. Now you don't, mostly because of OpenTelemetry. OTel (as everyone calls it) is a vendor-neutral standard for emitting logs, metrics, and traces. You instrument your app once, then point the output at whichever backend you want. Datadog, Honeycomb, Grafana Cloud, Axiom, your own stack. Switching backends becomes a config change instead of a six-month migration.

This matters because the lock-in story of observability used to be brutal. Once you'd shipped Datadog agents to a thousand hosts and rewritten your alerts in their DSL, leaving was a year-long project. OTel breaks that. Not entirely, since every backend still has proprietary features, but enough that you can negotiate from a position of strength.

The unification angle also matters for correlation. If your error logs, latency metrics, and request traces all share a trace ID, you can pivot between them. That is what "modern observability" means. Not three tools that exist in the same UI, but three signals that reference each other.
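Here is what that pivot looks like when the three signals actually share an ID. This is an added example, not code from the post or from any of the platforms it reviews: a toy in-process backend with OTel-shaped trace and span IDs, a latency metric derived from spans, and JSON log records that carry the IDs of the span they were emitted in. The workload (100 checkout requests, one of which misses cache) is constructed; the route name and field names are hypothetical.

```python
import json
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# OTel-shaped identifiers: 16-byte trace id, 8-byte span id, hex-encoded.
def new_trace_id() -> str:
    return secrets.token_hex(16)


def new_span_id() -> str:
    return secrets.token_hex(8)


@dataclass
class Span:
    trace_id: str
    span_id: str
    parent_id: Optional[str]
    name: str
    duration_ms: float


@dataclass
class Telemetry:
    """Toy backend holding all three pillars. Real platforms keep these in
    separate engines; what matters is that every record carries trace_id."""
    spans: List[Span] = field(default_factory=list)
    logs: List[str] = field(default_factory=list)                  # JSON lines
    metrics: Dict[str, List[float]] = field(default_factory=dict)  # name -> samples

    def span(self, trace_id: str, name: str, duration_ms: float,
             parent_id: Optional[str] = None) -> Span:
        s = Span(trace_id, new_span_id(), parent_id, name, duration_ms)
        self.spans.append(s)
        # Derive the latency metric from the span so the two cannot disagree.
        self.metrics.setdefault(f"{name}.duration_ms", []).append(duration_ms)
        return s

    def log(self, span: Span, level: str, msg: str, **fields) -> None:
        # Structured record that carries the ids of the span it was emitted in.
        record = {"level": level, "msg": msg, "trace_id": span.trace_id,
                  "span_id": span.span_id, **fields}
        self.logs.append(json.dumps(record))

    def percentile(self, metric: str, pct: float) -> float:
        samples = sorted(self.metrics[metric])
        idx = round(pct / 100 * (len(samples) - 1))  # nearest rank, no interpolation
        return samples[idx]

    def traces_slower_than(self, name: str, threshold_ms: float) -> List[str]:
        return [s.trace_id for s in self.spans
                if s.name == name and s.duration_ms > threshold_ms]

    def logs_for_trace(self, trace_id: str) -> List[dict]:
        # The pivot: metric outlier -> trace -> every log line from that request,
        # including lines emitted inside child spans.
        return [r for r in map(json.loads, self.logs) if r["trace_id"] == trace_id]


def demo():
    """Constructed workload: 100 requests, one of which misses cache and hits the DB."""
    rng = random.Random(7)
    tel = Telemetry()
    for i in range(100):
        tid = new_trace_id()
        if i == 42:
            root = tel.span(tid, "GET /checkout", 900.0)
            db = tel.span(tid, "db.query", 850.0, parent_id=root.span_id)
            tel.log(db, "warn", "cache miss", table="carts")
        else:
            root = tel.span(tid, "GET /checkout", rng.uniform(20, 40))
        tel.log(root, "info", "request complete", status=200)
    p99 = tel.percentile("GET /checkout.duration_ms", 99)
    outliers = tel.traces_slower_than("GET /checkout", p99)
    return tel, p99, outliers


if __name__ == "__main__":
    tel, p99, outliers = demo()
    print(f"p99={p99:.1f}ms, {len(outliers)} trace(s) above it")
    for tid in outliers:
        for rec in tel.logs_for_trace(tid):
            print(rec)
```

The point is the last loop: starting from a number on a dashboard you land on the one warn line that explains it, including a line written by a child span, without grepping by timestamp. If your logger does not inject the current trace and span IDs into every record, none of this works, no matter which backend you buy.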

What you need before you buy a tool

Before you compare vendors, write down what observability has to do for your team. There are seven jobs.

Capture. Something has to receive the signals. Agents, SDKs, sidecars, OTel collectors. Capture is usually the messy part because it touches every service.

Store. Logs and traces are bulky. Metrics are not. Storage cost dominates total cost, especially for logs.

Query. Can you find things? Splunk's SPL, Datadog's query language, Honeycomb's query builder (with BubbleUp on top of it), Grafana's LogQL. Each has a learning curve.

Alert. When something is wrong, someone needs to know. PagerDuty integration, on-call routing, alert fatigue management.

Correlate. Can you jump from a slow request (trace) to its error logs to its host metrics in one click? This is the modern bar.

Retain. How long do you keep data? Compliance often dictates 90 days or a year. Storage cost scales linearly.

Expose. Who reads this? Engineers in dashboards, sure, but increasingly agents and AI assistants reading logs to debug. The platforms that expose logs to programmatic consumers (MCP, APIs, exports) win in 2026.

Score your needs against those seven jobs before you start a vendor demo. Most teams over-buy because they evaluate on features they will never use.

The 10 platforms, ranked

At a glance:

Comparison of the top 6 observability platforms by best-use, starting price, and tracing support

1. Railway

Best for built-in observability for PaaS workloads.

I work here, so I'll be transparent. Railway ships with observability included: structured logs that are queryable and retained, metrics for CPU and memory and network on every service, deploy history that shows you exactly which commit is running where, and the ability to exec into a running container when you need to poke at something live. There is also an MCP server so an AI agent (Claude, Cursor, whatever you use) can read your logs and debug alongside you.

For 70% of teams, this is enough. Most apps don't need distributed tracing because they aren't distributed. They're a web service, a worker, a database, maybe a cache. The other 30% have genuine distributed-systems problems and they should pair Railway with a real APM (probably Honeycomb or Datadog, depending on budget). We're honest about that split rather than pretending the built-in tools cover every case.

Features: structured logs with full-text and attribute filters, log retention by plan, CPU/memory/network metrics per service, deploy history, exec-into-container, MCP server for agent-driven debugging, webhook integrations, OpenTelemetry-compatible log ingestion.

Pricing: included in the platform. Hobby is $5/month, Pro is $20/seat/month, with usage-based compute on top.

Best for product teams running web apps, APIs, workers, databases on a PaaS who want to spend zero time on observability infrastructure.

Honest trade-offs: no built-in distributed tracing, no APM-grade flamegraphs, no profiling. If you need those (most teams don't), you bolt on Honeycomb or Datadog via OTel.

2. Datadog

Enterprise standard, all three pillars plus 600+ integrations.

Datadog is the default when budget is not the constraint. It does logs, metrics, traces, RUM, synthetics, security, and twenty other things they keep adding. The integration catalog is the broadest in the industry and the UI, while busy, is mature.

The famous problem is pricing. Datadog charges per host, per million custom metrics, per ingested GB of logs, per APM host, per RUM session. A mid-sized team can land at $50k to $200k per year. At Citrix-scale enterprises I watched bills cross seven figures.

Features: APM, log management, infrastructure monitoring, network performance monitoring, RUM, synthetics, CI visibility, database monitoring, cloud security posture, 600+ integrations.

Pricing: roughly $15/host/month for infrastructure, $31/host/month for APM, $0.10/GB ingest plus $1.70/million events for logs, plus add-ons. Wildly variable in practice.

Best for engineering orgs above 100 engineers where the cost of context-switching between tools exceeds the cost of Datadog.

Honest trade-offs: expensive, and the bill compounds as you adopt more products. Cost surprises are routine. The query language is powerful but not portable.

3. Grafana Cloud

Open-source-friendly, modular, the most flexible serious option.

Grafana Cloud is the hosted version of the open-source Grafana stack: Grafana for dashboards, Loki for logs, Tempo for traces, Mimir for metrics, Pyroscope for continuous profiling. You can adopt one piece at a time and the components are themselves open source, so the exit ramp is real.

The free tier is generous (10k series, 50GB logs, 50GB traces) and the paid tiers scale linearly. If you already know Grafana from self-hosting, the hosted version removes the operational burden without locking you in.

Features: Grafana dashboards, Loki logs, Tempo traces, Mimir metrics, Pyroscope profiling, OnCall (incident management), Synthetic Monitoring, k6 load testing.

Pricing: free tier with caps; Pro starts at $8/month plus usage ($0.50 per million log lines, $8/1000 metrics series, similar for traces).

Best for teams who want serious observability without enterprise pricing, and who like the open-source ethos.

Honest trade-offs: more pieces to learn than a single-vendor stack. LogQL is powerful but quirky. The UI is improving but still feels like five products in a trench coat.

4. Honeycomb

Observability for serious distributed systems.

Honeycomb is the platform I recommend when a team tells me they have a genuine distributed-systems problem. It's trace-first and event-based, meaning every signal is a structured event you can slice by any dimension. BubbleUp (their flagship feature) lets you click an outlier and ask "what's different about these requests" and get an actual answer.

It's the tool engineers reach for when "p99 went up" isn't enough and you need to understand which 0.1% of users are affected and why. It's used heavily by Slack and Vanguard, among others, and its design is shaped by the internal tooling the Honeycomb founders used at their previous employers.

Features: high-cardinality event store, BubbleUp anomaly detection, SLOs, trigger-based alerts, Refinery (tail-based trace sampling), Query Assistant.

Pricing: free tier (20M events/month), Pro at $130/month for 100M events, Enterprise on quote.

Best for teams who already know their problem is "distributed systems debugging" and not "I need a dashboard."

Honest trade-offs: not a logs product in the traditional sense. If you want grep-style log search across unstructured text, Honeycomb is awkward. You have to think in events.

5. New Relic

APM heritage, full platform, unusual per-user pricing.

New Relic invented APM as a category, then spent a decade losing market share to Datadog, then rebuilt as a unified telemetry platform with an unusual pricing model: you pay per user, not per host. This makes it dramatically cheaper for teams with a lot of infrastructure and few engineers, and dramatically more expensive for large engineering orgs.

The platform itself covers everything (APM, infra, logs, browser, mobile, synthetics) and the data model is unified under NRQL, their query language.

Features: APM, infrastructure monitoring, log management, browser/mobile/synthetic monitoring, AIOps, alerts, dashboards, NRQL query language.

Pricing: free tier (100GB ingest, 1 full user); Standard Full User at $99/month, Pro at $349/month, plus $0.35/GB ingest beyond the free 100GB.

Best for infra-heavy teams with a small number of engineers (the per-user model rewards this).

Honest trade-offs: the per-user pricing penalizes large teams. The UI has improved but still carries APM-era patterns. NRQL is fine but yet another language to learn.

6. Sentry

Error tracking plus APM, strong SaaS pedigree.

Sentry started as the de facto error tracker for SaaS and expanded into performance monitoring, session replay, and profiling. If you're a web or mobile product team and your number one observability need is "tell me when users hit errors and show me the stack trace," Sentry is the answer.

It's not trying to be Datadog. It's trying to be the tool product engineers open every morning. Session Replay (DOM-level recording of what the user did) is excellent for reproducing bugs. Treat the replay store as sensitive data: check what it masks before you enable it on pages that handle credentials or payment details, or the replay archive becomes a leak of its own.

Features: error monitoring, performance monitoring (APM), session replay, profiling, releases tracking, cron monitoring, code coverage, 100+ integrations.

Pricing: free tier; Team at $26/month, Business at $80/month, plus event-based usage.

Best for product engineering teams shipping web and mobile apps where user-facing errors are the primary observability concern.

Honest trade-offs: infrastructure monitoring is not its strength. If you need host metrics, network monitoring, or deep backend tracing, you'll pair it with something else.

7. Better Stack (formerly Logtail + Better Uptime)

Modern, designed-for-developers, much cheaper than Datadog.

Better Stack is what happens when someone looks at Datadog and asks "what if this didn't cost a kidney and had a UI built in this decade." It combines log management (Logtail), uptime monitoring (Better Uptime), and on-call (similar to PagerDuty) into one product.

It's not as deep as Datadog. It also costs roughly a tenth as much. For a startup or mid-size team that wants logs, uptime, and on-call from one vendor, it's an obvious choice.

Features: log management with ClickHouse-backed search, uptime monitoring, incident management and on-call, status pages, heartbeat monitoring, SQL-compatible log queries.

Pricing: free tier; Logs starts at $25/month for 30GB, Uptime starts at $25/month, bundled plans available.

Best for small-to-mid teams who want a consolidated, modern stack and don't need APM.

Honest trade-offs: no distributed tracing, no infrastructure metrics in the Datadog sense. The integration catalog is smaller. Newer product, fewer enterprise references.

8. Axiom

Cheap log storage with serverless architecture.

Axiom built a logs and events platform on a serverless, object-storage-backed architecture. The result is that ingesting and storing logs is dramatically cheaper than ClickHouse-backed competitors, and queries are still fast because the engine is built for it.

If your problem is "I have terabytes of logs per day and Datadog is going to bankrupt me," Axiom is worth a serious look. Their pitch is essentially "pay 10x less for the same logs experience."

Features: log management, events ingestion (treats everything as structured events), APL query language, dashboards, alerts, OpenTelemetry support, S3 / Cloudflare R2 backed storage.

Pricing: free tier (0.5TB/month ingest, 30 day retention); Personal at $25/month, Team at $99/month, plus usage-based pricing that stays cheap at high volumes.

Best for teams with high log volumes (TB/day range) on tight budgets.

Honest trade-offs: it's primarily a logs/events product. No APM, no infrastructure metrics. APL (their query language) is yet another DSL to learn.

9. Splunk

Legacy enterprise, security-flavored, now owned by Cisco.

Splunk is the granddaddy of log management. At a Fortune 500, Splunk is often already deployed, often for security and compliance use cases (SIEM workloads dominate). It's powerful, deeply customizable, and roughly the most expensive option in this list per GB.

Cisco acquired Splunk in 2024 for $28 billion, which signals where it sits in the market: a strategic platform play, not a tool you adopt fresh in 2026 unless you're a regulated enterprise.

Features: log management, SIEM, observability cloud (APM, infrastructure, RUM), SOAR, ITSI, hundreds of apps and integrations.

Pricing: workload-based or ingest-based, opaque, and effectively enterprise-only. Multi-six-figure deals are normal.

Best for regulated enterprises (finance, defense, healthcare) where Splunk is already the standard and SIEM workloads dominate.

Honest trade-offs: expensive, complex, slow to adopt. Not the right starting point for greenfield projects. SPL (their search language) is powerful but archaic.

10. OpenTelemetry + Self-Hosted Grafana Stack

Open-source path, free in licensing, expensive in operations.

You can build the whole stack yourself. Instrument with OpenTelemetry, send signals to your own Loki (logs), Tempo (traces), Mimir or Prometheus (metrics), visualize in Grafana. Zero license cost. All open source.

The catch is operations. Running Loki at scale is a specialized skill. Tempo's storage costs add up. You'll spend engineer-time on capacity planning, version upgrades, and debugging your observability stack instead of your product. For a team with infra-leaning engineers and strong opinions about lock-in, it's the right answer. For everyone else, the time cost dwarfs the license savings.

Features: OpenTelemetry SDKs and collector, Loki for logs, Tempo for traces, Prometheus/Mimir for metrics, Grafana for dashboards, Alertmanager for alerts.

Pricing: free in licensing; pay for infrastructure (object storage, compute) plus engineer time.

Best for infrastructure-heavy teams who want full control and are allergic to vendor lock-in.

Honest trade-offs: you are now an observability platform team in addition to whatever your actual job is. Upgrades, sharding, retention tuning, query performance, all of it lives with you.

Six observability-shaped decision questions

Run these before you commit:

  1. Do you have a distributed-systems problem? If your architecture is web + worker + database, you probably don't. Save the tracing investment.
  2. What is your log volume per day? Below 10GB, anything works. Above 100GB, pricing models start to dominate.
  3. Do your engineers know LogQL, NRQL, SPL, APL, or none of the above? Onboarding cost is real.
  4. How long do you need to retain data? Compliance can force 90 days or a year. Cost scales linearly.
  5. Will AI agents be reading these logs? If yes, prefer platforms with MCP, programmatic exports, or clean APIs.
  6. What is your exit cost? OTel-compatible backends are easier to leave than proprietary agents.

If you answer those honestly you'll find the bucket you're in faster than any vendor demo.

Closing

The observability market in 2026 looks healthier than it has in years. OpenTelemetry is real, the cheap-storage entrants are credible, and the enterprise incumbents are finally feeling pricing pressure. The wrong move is to default to Datadog because everyone else does, or to default to self-hosting because licensing offends you. Both decisions tend to be made for the wrong reasons.

If you're on a PaaS that already gives you logs, metrics, and deploy history, start there and add an APM only when you have a real problem to solve. If you're on vanilla cloud and assembling a stack, Grafana Cloud or OTel-plus-self-hosted is the most defensible starting point. If you're at scale and budget isn't the bottleneck, Datadog or Honeycomb depending on whether you optimize for breadth or depth.

Happy shipping.

Angelo


Angelo Saraceno is a Solutions Engineer at Railway. Before Railway he was at Citrix, working inside Verizon and Lockheed environments, so he has seen what "enterprise IaaS" looks like after the slides come down. He writes about infrastructure, deployment, and the gap between how cloud is sold and how it runs in practice.


01 Jun 20:28

The Best Secrets Management Platforms for Cloud Apps in 2026

Author: Angelo Saraceno

Secrets are the boring thing that becomes the most expensive thing the moment they leak. They sit in .env files, get checked into private repos that quietly go public, get pasted into Slack DMs by a contractor who is no longer with the company, and end up in CI logs nobody reads until a Stripe key shows up in a Shodan scan. Every team I have worked with has had at least one secrets incident, usually two, and the response is almost always the same: we will adopt a real tool, we will rotate everything, we will audit access. Then nothing happens because the people who could do it are shipping features.

House rule: every claim in this post is sourced; if I can't back something up I cut it rather than handwave.

My background before Railway was Citrix, where I worked on customer environments for Verizon and Lockheed. Those are organizations where a secret leaking is not a "rotate the key" event; it's a compliance incident with lawyers. I learned the hard way that secrets management is not a category you pick a winner in. It's a layered problem where the answer depends on whether you have one platform or twelve, whether you have auditors or not, and whether rotation has to be automated or possible. This post is for both audiences: people who want their platform to handle it, and people who need a dedicated tool. If you're in the first bucket and on a real PaaS, you might already have everything you need and not realize it.

What secrets management has to do

Strip away the marketing and a secrets manager has seven jobs. Most products do four or five of them well and pretend the rest don't matter. When you evaluate any tool below, score it against this list:

  • Store: encrypted at rest, with key management that isn't the same key you're trying to protect. In practice that means envelope encryption: data keys wrap the secrets, and a master key held elsewhere (a KMS or HSM) wraps the data keys, so the key that unlocks the vault is not sitting beside the vault.
  • Scope: per-environment (prod, staging, dev), per-service, per-user. The blast radius of a leak should be one environment, not your whole infra.
  • Reference: services need to share secrets without you copy-pasting the same DATABASE_URL into eight places. Variable references between services are the single highest-leverage feature in this whole category.
  • Rotate: programmatically replace a secret without downtime. Bonus points if your platform can trigger rotation on a schedule or via API.
  • Audit: who read which secret, when, from where. Auditors will ask. Eventually you will too, when you're trying to figure out why an old key was used at 3am.
  • Distribute: get the secret into the running process. Could be env vars, could be a fetched-at-runtime call, could be a mounted file. Each has tradeoffs.
  • Expire: short-lived credentials beat long-lived ones in nearly every case. Most teams don't do this because their tools make it hard.

If a product can't articulate how it does all seven, you're going to end up gluing something else to it.

The 10 platforms, ranked

At a glance:

Comparison of Railway, Doppler, Infisical, Vault, AWS Secrets Manager, and Akeyless by best-for use case, self-hosting support, and dynamic secrets

1. Railway

Best for the platform-handles-it-for-me answer.

Railway treats secrets as a first-class platform primitive, not a separate product you bolt on. You define variables per service, per environment, and you reference them between services with template syntax (${{Postgres.DATABASE_URL}}). When you add a new environment by forking prod, the variable structure comes with it. When a service URL changes, every reference updates. There is no second tool to log into, no separate auth model, no sync delay. The platform also exposes secrets management via an MCP server, which means you can drive rotation and updates from Claude Code or any MCP client without context-switching out of your editor.
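To make the "Reference" job from the checklist concrete, here is a small resolver for the ${{Service.VAR}} style of cross-service reference described above, plus an environment fork and a pre-deploy lint. This is an added example, not Railway's implementation or any part of its API: the grammar is modelled on the syntax mentioned in the post, the service names, hostnames and values are constructed, and the cycle and unresolved-reference handling is my own design.

```python
import copy
import re
from typing import Dict, List, Tuple

# Grammar modelled on ${{Service.VAR}}; whitespace inside the braces is tolerated.
REF = re.compile(r"\$\{\{\s*([A-Za-z0-9_-]+)\.([A-Za-z0-9_]+)\s*\}\}")

Env = Dict[str, Dict[str, str]]  # service -> variable -> raw (unresolved) value


class UnresolvedReference(Exception):
    pass


class ReferenceCycle(Exception):
    pass


def resolve(env: Env, service: str, var: str,
            _stack: Tuple[Tuple[str, str], ...] = ()) -> str:
    """Expand every ${{S.V}} inside env[service][var], recursively."""
    key = (service, var)
    if key in _stack:
        chain = " -> ".join(f"{s}.{v}" for s, v in _stack + (key,))
        raise ReferenceCycle(chain)
    try:
        raw = env[service][var]
    except KeyError:
        raise UnresolvedReference(f"{service}.{var}") from None

    def expand(m: "re.Match") -> str:
        return resolve(env, m.group(1), m.group(2), _stack + (key,))

    return REF.sub(expand, raw)


def resolve_service(env: Env, service: str) -> Dict[str, str]:
    """What the service process would actually see in its environment."""
    return {v: resolve(env, service, v) for v in env[service]}


def fork_environment(env: Env, overrides: Env) -> Env:
    """Copy an environment (prod -> staging) keeping the reference graph and
    replacing only the values that differ. A leaked staging value then has a
    blast radius of one environment."""
    forked = copy.deepcopy(env)
    for service, variables in overrides.items():
        forked.setdefault(service, {}).update(variables)
    return forked


def check(env: Env) -> List[str]:
    """Pre-deploy lint: every variable in every service must resolve."""
    problems = []
    for service, variables in env.items():
        for var in variables:
            try:
                resolve(env, service, var)
            except (UnresolvedReference, ReferenceCycle) as e:
                problems.append(f"{service}.{var}: {type(e).__name__} {e}")
    return problems


# Constructed sample: one Postgres service, an API and a worker that share it.
PROD: Env = {
    "Postgres": {
        "PGHOST": "postgres.internal",
        "PGPASSWORD": "pr0d-only-secret",
        "DATABASE_URL": "postgres://app:${{Postgres.PGPASSWORD}}@${{Postgres.PGHOST}}:5432/app",
    },
    "api": {"DATABASE_URL": "${{Postgres.DATABASE_URL}}", "PORT": "8080"},
    "worker": {"DATABASE_URL": "${{Postgres.DATABASE_URL}}",
               "API_URL": "http://api.internal:${{api.PORT}}"},
}

STAGING = fork_environment(PROD, {"Postgres": {"PGHOST": "postgres-stg.internal",
                                               "PGPASSWORD": "stg-only-secret"}})

if __name__ == "__main__":
    print(resolve_service(PROD, "worker"))
    print(resolve_service(STAGING, "worker"))
    print(check({"a": {"X": "${{b.Y}}"}, "b": {"Y": "${{a.X}}"}}))
```

Two things worth copying from this even if your platform does the resolution for you: only the Postgres service holds the actual password, every consumer holds a pointer, so rotating it is a one-place change; and the lint runs before anything deploys, so a dangling or circular reference fails in CI rather than at process start.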

This is the answer for the team that wants to ship and not think about it. It will not replace Vault for a Fortune 500 with a dedicated security team running its own KMS, and I won't pretend it will. But for the 90% of teams whose problem is "we have keys scattered across three repos and one of them is in a Slack DM," Railway closes the loop.

Features: per-environment variables, shared variable references between services, environment forking (variables included), MCP server for programmatic access, sealed variables (write-only), variable groups, GitHub-style PR environments with isolated variables, audit log of variable changes per workspace.

Pricing: Hobby tier free with usage credits; Pro at $20/user/month; Enterprise custom. Secrets are included in the platform, not metered separately.

Best for startups, mid-market engineering teams, anyone running their whole stack on Railway, teams that want a single platform answer.

Honest trade-offs: if your workloads span Railway, AWS Lambda, on-prem boxes, and a partner's GCP project, Railway's references don't extend off-platform. You'd pair it with one of the dedicated tools below for the off-platform legs. Also, if you have an auditor who specifically wants a SOC 2 attestation on the secrets vault itself as a separate control boundary, that's a Vault-shaped conversation, not a Railway one.

2. Doppler

Best for serious teams that span multiple platforms.

Doppler is the strongest pure-play secrets SaaS in 2026. They've built sync integrations to almost every cloud and PaaS that matters: AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Vercel, Netlify, Kubernetes, GitHub Actions, CircleCI, you name it. The model is: Doppler is the source of truth, and it pushes secrets to the runtimes that need them. This is the right architecture if your secrets live in many places.

Features: multi-environment configs, branch configs for ephemeral environments, integrations with 50+ platforms, secret versioning, access logs, RBAC, service tokens with TTL, webhook notifications on changes, CLI for local dev.

Pricing: free for individuals; Team at $7/user/month; Enterprise custom (typically lands around $18-25/user/month with SSO and audit features).

Best for multi-cloud teams, companies with hybrid Railway + AWS + Vercel deploys, teams needing one source of truth across many runtimes.

Honest trade-offs: it's still a second tool. If you're 100% on a PaaS that does this natively, Doppler is overhead. The integrations are also one-way push in most cases, so the platform you're pushing into still has its own version of the secret, which can drift if someone edits it there. And the pricing scales per user, which gets expensive fast at 50+ engineers.

3. Infisical

Best for teams that want Doppler but open-source.

Infisical hit its stride in 2025 and has become the credible open-source alternative. The hosted SaaS is competitive with Doppler on features, and the self-hosted option (which is maintained, not an abandoned community fork) gives you the data-residency story for regulated industries. They've shipped solid secret-scanning, dynamic secrets for databases, and PKI for internal certs.

Features: self-hostable, dynamic secrets (databases, cloud creds), secret scanning in git repos, point-in-time recovery, native Kubernetes operator, SSO, audit logs, CLI, browser-based secret detection, approval workflows for prod changes.

Pricing: free self-hosted; Pro hosted at $18/identity/month; Enterprise custom. The pricing model recently shifted to per-identity (humans + machines) which trips some teams up.

Best for teams with a self-host requirement, regulated industries that need data residency control, anyone who got priced out of Doppler.

Honest trade-offs: self-hosting any secrets manager means you now operate the thing that holds all your other secrets, which is its own security posture problem. The per-identity pricing can surprise you when you realize each service account counts. The dashboard, while improved, is still busier than Doppler's.

4. HashiCorp Vault

Best for enterprises that have already made the operational investment.

Vault is the historical anchor of this category. If you're at a bank, a hospital system, or anything that ends in "-corp" with a CISO who reports to the board, you probably already have Vault. It does everything: secrets, PKI, encryption-as-a-service, dynamic database credentials, transit encryption, identity-based auth via every protocol invented. The dynamic-secrets story is the best in the category: Vault can mint a short-lived database credential per request, with auto-revocation.

Features: dynamic secrets for 30+ backends, PKI/certificate authority, transit encryption (encrypt-as-a-service without exposing keys), database credential rotation, AWS/Azure/GCP credential brokering, namespacing for multi-tenant deployments, audit devices, replication, HCP Vault Dedicated for managed hosting.

Pricing: open-source free; Enterprise licensing starts in the high five figures annually; HCP Vault Dedicated starts around $1.58/hour for small clusters and scales to thousands per month.

Best for regulated enterprises, large organizations with dedicated platform/security teams, anyone with a hard "no SaaS" rule who has the headcount to operate it.

Honest trade-offs: Vault is overkill for almost everyone reading this. Operating it (HA, unseal, replication, performance standby nodes, audit log volume management) is a full-time platform engineer's job. HCP Vault Dedicated solves the operational burden but the pricing gets eye-watering at scale. If your only requirement is "store and reference some env vars," using Vault is like buying a forklift to move a couch.

5. AWS Secrets Manager

Best for teams whose workloads live entirely in AWS.

The default answer if you're all-in on AWS. It integrates cleanly with Lambda, ECS, RDS (automatic rotation for supported databases), and IAM. You get fine-grained access control via IAM policies, which is both the killer feature and the trap, because IAM is its own learning curve.

Features: native rotation for RDS/Aurora/Redshift/DocumentDB, IAM-based access control, cross-region replication, integration with CloudTrail for audit, Lambda-based custom rotation, VPC endpoints for private access.

Pricing: $0.40 per secret per month, plus $0.05 per 10,000 API calls. Sounds cheap until you realize a busy app calls GetSecretValue thousands of times per hour if you don't cache.

Best for AWS-resident workloads, teams already deep in IAM, anyone whose database is RDS and wants free rotation.

Honest trade-offs: AWS-only. If you have a single service on Vercel or Railway, you're either syncing out of AWS Secrets Manager or you're managing the secret in two places. The per-API-call pricing means you must cache, and a misconfigured client can run up a real bill. The UX is what you'd expect from AWS console; nobody describes it as a joy to use.
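The caching point applies to every per-call-priced secrets API, not just AWS, and the subtle part is what happens when a secret is rotated while your cached copy is still inside its TTL. The following is an added example, not AWS code or any SDK's API: a process-local TTL cache in front of an injected fetch function, a fake backend and clock so it runs offline, and a retry wrapper that drops the cached value exactly once when the backend rejects it. The secret name and values are constructed.

```python
import time
from typing import Callable, Dict, Tuple


class SecretCache:
    """Process-local TTL cache in front of a get-secret call (GetSecretValue or
    any equivalent). One fetch per secret per TTL instead of one per request."""

    def __init__(self, fetch: Callable[[str], str], ttl_s: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_s
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # name -> (value, expires_at)
        self.fetch_count = 0  # what the provider would bill you for

    def get(self, name: str) -> str:
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]
        value = self._fetch(name)
        self.fetch_count += 1
        self._entries[name] = (value, now + self._ttl)
        return value

    def invalidate(self, name: str) -> None:
        self._entries.pop(name, None)


def with_rotation_retry(cache: SecretCache, name: str, use: Callable[[str], object]):
    """Use a cached secret; if the backend rejects it because it was rotated
    while our copy was still inside its TTL, drop the copy and retry once."""
    try:
        return use(cache.get(name))
    except PermissionError:
        cache.invalidate(name)
        return use(cache.get(name))  # a second failure propagates to the caller


class FakeClock:
    """Injectable clock so the TTL can be advanced without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[int, int, int, str]:
    backend = {"prod/db-password": "v1"}  # stands in for the secrets service
    clock = FakeClock()
    cache = SecretCache(backend.__getitem__, ttl_s=300, clock=clock)

    for _ in range(10_000):  # a busy app's worth of reads
        cache.get("prod/db-password")
    after_burst = cache.fetch_count  # 1 billed call, not 10,000

    clock.now += 301  # TTL elapsed
    cache.get("prod/db-password")
    after_expiry = cache.fetch_count  # 2

    backend["prod/db-password"] = "v2"  # rotation happens mid-TTL

    def connect(password: str) -> str:
        if password != backend["prod/db-password"]:
            raise PermissionError("authentication failed")
        return "connected with " + password

    result = with_rotation_retry(cache, "prod/db-password", connect)
    return after_burst, after_expiry, cache.fetch_count, result


if __name__ == "__main__":
    print(demo())
```

Without the retry wrapper a rotation forces you to choose between a short TTL (more billed calls) and a window of failed connections; with it the TTL can be long and a rotation costs exactly one extra fetch. AWS publishes client-side caching libraries for several languages that implement the same pattern; the lesson is to use one of those or this shape, never a bare GetSecretValue in the request path.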

6. Google Secret Manager

Best for teams whose workloads live entirely in GCP.

The GCP equivalent of AWS Secrets Manager, cleaner UX, narrower integration story. If you're on GKE, Cloud Run, or App Engine, it's a sensible default.

Features: versioning with explicit version pinning, IAM-based access, automatic replication or user-managed regions, integration with Cloud Build and Cloud Functions, audit logging via Cloud Audit Logs, customer-managed encryption keys.

Pricing: $0.06 per active secret version per month, $0.03 per 10,000 access operations. Cheaper per-secret than AWS, but you pay per version and versions accumulate if you don't prune.

Best for GKE shops, Cloud Run users, teams whose entire stack is Google.

Honest trade-offs: no built-in rotation logic. Rotation schedules only publish a Pub/Sub notification; the code that actually rotates the credential is yours to write (typically a Cloud Function), which is real work. GCP-only, same off-platform sync problem as AWS. The version-based pricing means a lazy "create a new version on every deploy" workflow can balloon costs.

7. Azure Key Vault

Best for teams in the Microsoft ecosystem.

Azure Key Vault is the broadest of the three cloud-native options: it does secrets, keys (for encryption), and certificates in one product. The HSM-backed Premium tier is the answer when your auditor asks about FIPS 140-2 Level 2.

Features: HSM-backed key storage (Premium), certificate lifecycle management, integration with Microsoft Entra ID (formerly Azure Active Directory), managed identities for passwordless access from Azure services, soft-delete and purge protection, RBAC and access policies.

Pricing: Standard tier around $0.03 per 10,000 operations; Premium (HSM) starts at $1 per key per month plus operations. Certificate operations have their own pricing.

Best for Azure-native teams, .NET shops, organizations with Microsoft licensing in place, anyone needing HSM-backed keys.

Honest trade-offs: the access-policy vs RBAC dual model is confusing and you will misconfigure it at least once. Azure-only, with the same multi-platform sync caveats as AWS and GCP. Performance for high-volume read patterns is not the best in this list; cache or you'll feel it.

8. 1Password Secrets Automation

Best for teams already standardized on 1Password for human passwords.

1Password took their consumer/business password manager and bolted on a developer-facing secrets API. If your company already has 1Password for human credentials, extending it to service secrets means one auth model, one vendor invoice, one place to audit access. The CLI (op) is nice.

Features: service accounts with scoped tokens, op run to inject secrets at process start, Connect server for self-hosted access, GitHub Actions integration, Terraform provider, Kubernetes operator, biometric unlock for human access.

Pricing: bundled into 1Password Business at $7.99/user/month, or 1Password Enterprise pricing. Service-account API calls are metered.

Best for security-conscious teams already using 1Password, smaller orgs who want one tool for human and machine secrets, teams that value polish.

Honest trade-offs: not as deeply integrated with cloud-native runtimes as Doppler or the hyperscaler-native tools. The service-account model is newer and less battle-tested than Vault or AWS Secrets Manager at extreme scale. If your team doesn't already use 1Password for humans, adopting it for secrets automation is the wrong starting point.

9. Bitwarden Secrets Manager

Best for self-hosters who want the 1Password model without the SaaS.

Bitwarden's secrets product is the open-source mirror of 1Password Secrets Automation. You can self-host the whole stack (including the secrets manager) or use their cloud. It's newer than Bitwarden's flagship password manager but maturing quickly.

Features: service account access tokens, CLI with bws command, self-hostable on Docker, REST API, project-based organization, integration with GitHub Actions and Ansible, role-based access.

Pricing: free tier for small teams; Teams at $6/user/month (includes both password manager and secrets); self-hosted free with optional Enterprise license.

Best for open-source-first teams, self-hosters, small companies who want the password-manager-plus-secrets combo.

Honest trade-offs: the secrets product is less feature-complete than Doppler or Infisical. Integration count is smaller. If you're not already using Bitwarden for passwords, the value proposition narrows considerably. UI is functional, not delightful.

10. Akeyless

Best for enterprises evaluating Vault alternatives without the operational burden.

Akeyless positions as Vault-without-the-ops. They use a zero-knowledge architecture they call DFC (Distributed Fragments Cryptography) where the secret is split such that neither Akeyless nor the customer alone can decrypt it. Real customers; serious compliance story. It has been winning competitive deals against Vault in 2024-26 by offering a similar capability surface delivered as managed SaaS.

Features: dynamic secrets, PKI, encryption-as-a-service, secretless authentication, zero-knowledge encryption (DFC), SSH and certificate management, deep cloud integrations, multi-cloud key management, audit and compliance reporting.

Pricing: free tier for small usage; paid tiers start mid-five-figures annually and scale based on operations and identities. They quote per-deal.

Best for enterprises evaluating Vault but wanting SaaS, teams with strong compliance requirements, organizations that want dynamic secrets without operating Vault.

Honest trade-offs: smaller community than Vault, fewer Stack Overflow answers when something breaks. Pricing is not transparent, so you're going to a sales conversation. The DFC model is great marketing, but for most teams the threat model it solves isn't the one they face.

Six secrets-shaped decision questions

Before you pick anything, answer these honestly:

  1. How many platforms do your secrets live on? One: your PaaS handles it. Two or three: a dedicated SaaS like Doppler. Four or more, or one of them is a regulated on-prem environment: Vault or Akeyless territory.
  2. Do you have an auditor asking about your secrets management? If yes, you need named controls, an audit log you can export, and ideally SOC 2 on the vendor. This eliminates some self-hosted options unless you do the attestation work yourself.
  3. Do you need dynamic secrets (database creds minted per session, AWS IAM creds with TTL)? If yes, Vault, Infisical, or Akeyless. The hyperscaler-native tools have partial answers.
  4. What's your rotation requirement? Can be manual? Anything works. Has to be automated on a schedule? AWS Secrets Manager for RDS, Vault, or anything with a rotation API plus your own cron.
  5. Who's going to operate this? If the answer is "we don't have a platform team," cross off everything that requires self-hosting.
  6. How does the secret get into the process? Env vars at boot are simplest. Fetched-at-runtime needs SDK work. Mounted as files works for Kubernetes. Pick before you pick the vendor.

When you need a dedicated tool

A dedicated secrets manager earns its keep in three scenarios. First, when your secrets cross many platforms and the cost of keeping them in sync manually exceeds the cost of the tool. Second, when compliance demands an external audit trail with named controls separate from your application platforms; auditors prefer one place to look. Third, when you have rotation requirements your PaaS doesn't support natively, especially short-lived credentials for databases or cloud APIs.

If none of those apply, the dedicated tool is overhead you're paying for in case you grow into needing it. That's a fine bet to make, but call it what it is.

Closing

If your whole stack runs on a real PaaS, your secrets manager is your platform. You already have per-environment scoping, references between services, an audit log, and an API to drive rotation. Adding a second tool is a tax you pay for capability you might not use.

If you're on vanilla cloud (AWS, GCP, Azure) and writing your own glue, you're going to end up with one of the dedicated tools above, plus the cloud-native one for in-region workloads, plus IAM policies you'll get wrong twice before getting right. That's the cost of vanilla, and it's worth pricing in when you compare your bill to a PaaS bill.

The "we'll fix our secrets management this quarter" project has cost more engineering hours across the industry than almost any other piece of platform work. Give yourself the quarter back. Pick the answer that matches where your workloads live and stop letting .env files be the source of truth.

Happy shipping.

Angelo


Angelo Saraceno is a Solutions Engineer at Railway. Before Railway he was at Citrix, working inside Verizon and Lockheed environments, so he has seen what "enterprise IaaS" looks like after the slides come down. He writes about infrastructure, deployment, and the gap between how cloud is sold and how it runs in practice.


01 Jun 20:27

The Best GitOps Deployment Platforms in 2026

Author: Angelo Saraceno

"GitOps" became a search term that means two completely different things, and the listicles you keep landing on do not bother to tell you which one they are answering. That is how teams end up evaluating Argo CD against Vercel, which is roughly the same as evaluating a forklift against a bicycle. Both move things, but the comparison is otherwise unhelpful.

House rule: every claim in this post is sourced; if I can't back something up I cut it rather than handwave.

Before Railway I spent years at Citrix selling and supporting customer environments that included Verizon and Lockheed, where "GitOps" was either an Argo CD cluster bolted onto OpenShift or a Terraform pipeline gated by a change-advisory board. Both of those are real GitOps. Neither of them is what a startup engineer means when they ask, on a Tuesday afternoon, what the best GitOps platform is. That engineer almost always means "I want to push to main and have my app deploy." So let us untangle the term first, then rank ten platforms, and label every one of them by which problem it solves.

GitOps, two definitions

The original GitOps definition, coined at Weaveworks in 2017, was narrow: a declarative system whose desired state lives in git, with an agent that continuously reconciles cluster state to match. That is the Argo CD and Flux world. The repo is the source of truth, a controller pulls from it, and any drift is corrected automatically. Call this Infrastructure GitOps. It assumes you already have a Kubernetes cluster (or a Terraform-managed cloud) and want the cluster contents managed by commits.
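The reconcile loop described above, as an added example (not code from Argo CD, Flux or the author): git is the desired state, the "cluster" is compared against it, hand-made drift is reverted and orphaned resources are pruned. The repo and cluster contents are constructed in-memory dicts; a real controller would read a checkout and call the Kubernetes API.

```python
"""Minimal pull-based reconciler in the Weaveworks / Argo CD sense (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# A resource is identified by (kind, name); its spec is what gets reconciled.
Key = tuple[str, str]


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    spec: dict

    @property
    def key(self) -> Key:
        return (self.kind, self.name)


@dataclass
class Plan:
    """What the controller would change so live state matches git."""
    create: list[Resource] = field(default_factory=list)
    update: list[Resource] = field(default_factory=list)   # drift
    prune: list[Resource] = field(default_factory=list)    # not in git any more

    def empty(self) -> bool:
        return not (self.create or self.update or self.prune)


def diff(desired: list[Resource], live: dict[Key, Resource], prune_orphans: bool) -> Plan:
    """Git is the source of truth; anything in the cluster that differs is drift."""
    plan = Plan()
    for r in desired:
        if r.key not in live:
            plan.create.append(r)
        elif live[r.key].spec != r.spec:
            plan.update.append(r)   # e.g. someone ran kubectl scale by hand
    if prune_orphans:
        wanted = {r.key for r in desired}
        plan.prune.extend(r for k, r in live.items() if k not in wanted)
    return plan


def apply(plan: Plan, live: dict[Key, Resource]) -> dict[Key, Resource]:
    """Return the live state after the plan is applied (no in-place mutation)."""
    new = dict(live)
    for r in plan.create + plan.update:
        new[r.key] = r
    for r in plan.prune:
        del new[r.key]
    return new


def reconcile(desired, live, *, prune_orphans=True, self_heal=True):
    """One loop iteration. Returns (new_live, plan, status)."""
    plan = diff(desired, live, prune_orphans)
    if plan.empty():
        return live, plan, "Synced"
    if not self_heal:
        return live, plan, "OutOfSync"   # surfaced in the UI; a human clicks sync
    return apply(plan, live), plan, "Synced"


# Constructed sample: git says 3 replicas, the cluster was scaled to 5 by hand,
# and a Deployment that was deleted from the repo is still running.
GIT_DESIRED = [
    Resource("Deployment", "api", {"image": "api:1.4.2", "replicas": 3}),
    Resource("Service", "api", {"port": 8080}),
]
LIVE_CLUSTER = {
    ("Deployment", "api"): Resource("Deployment", "api", {"image": "api:1.4.2", "replicas": 5}),
    ("Service", "api"): Resource("Service", "api", {"port": 8080}),
    ("Deployment", "legacy-worker"): Resource("Deployment", "legacy-worker", {"image": "w:0.9", "replicas": 1}),
}


def demo():
    """Run one self-healing pass over the constructed sample."""
    return reconcile(GIT_DESIRED, LIVE_CLUSTER)


if __name__ == "__main__":
    live, plan, status = demo()
    print(status, "updated:", [r.name for r in plan.update], "pruned:", [r.name for r in plan.prune])
```

Because every change flows through git, the commit log doubles as the audit trail the regulated-environment entries below lean on.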

The second usage came up the stack. As Heroku-style platforms matured, "push to git, the platform deploys" got rebranded as GitOps too. Vercel, Render, Netlify, Railway: you connect a repo, and a build runs on every push. There is no reconciler in the Weaveworks sense, but the deploy contract is git, and that is what most developers want when they search. Call this Application GitOps.

The distinction matters because the buyer is different. An infrastructure GitOps tool is bought by a platform team managing N clusters for M product teams. An application GitOps platform is bought by a product team that wants to ship features without writing YAML at all. If you mix them in the same comparison without saying so, you get an unranked salad. So I am going to label every entry below with which kind it is, and rank them inside their own category. Item 1 is the one I work on, which I will declare up front; items 2 through 10 are graded on the same axes I would grade Railway on if I were not employed here.

The 10 platforms, ranked

At a glance:

Comparison of six GitOps deployment platforms by type, pricing, and best use

1. Railway

Best for teams that want git to be the deploy contract, not a Kubernetes side quest. (Application GitOps)

Railway is git-native; you don't run GitOps, GitOps is the deploy contract. You connect a GitHub or GitLab repo, Railway builds it (Nixpacks or Railpack by default, Dockerfile if you have one), and a push to the watched branch ships a deploy. Pull requests get their own ephemeral environments automatically when you turn on PR environments, so reviewers click a URL instead of pulling a branch locally. The platform runs on Railway Metal in Amsterdam, Singapore, Virginia and California, with bursts into GCP and AWS for elasticity.

Where Railway diverges from the other application platforms in this list: the deploy graph itself is editable. You can drag a Postgres next to your API on the canvas, wire a DATABASE_URL reference variable between them, and the next deploy picks it up. There is also an MCP server, so the same operations are drivable from Claude or Cursor without leaving the editor.

Features: GitHub and GitLab integration, PR environments, reference variables, private networking between services on an IPv6 mesh, native Postgres / MySQL / Redis / Mongo templates, multi-region service replicas, an MCP server, Railway Metal in four regions plus GCP and AWS burst.

Pricing: Hobby $5/mo (includes $5 usage credit), Pro $20/mo per seat (includes $20 usage credit), Enterprise custom. Usage is billed per-second on actual CPU and memory.

Best for full-stack teams, side projects, startups under fifty engineers, teams who want infra without a platform team.

Trade-offs: if your job is to operate raw Kubernetes for other engineers, Railway is not the layer you want; you want Argo CD below it. If you need strict compliance regions Railway does not run in (gov-cloud, specific EU sovereignty zones), that is an Enterprise conversation, not a self-serve one. The CLI is excellent but the platform's center of gravity is the web canvas, which is a taste thing.

Compare: Railway vs Vercel, Railway vs Render, Railway vs Fly.io.

2. Argo CD

Best for platform teams running Kubernetes who want declarative cluster state. (Infrastructure GitOps)

Argo CD is the reference implementation of the original GitOps definition. You point it at a repo of Kubernetes manifests (or Helm charts, or Kustomize overlays), it runs as a controller inside the cluster, and it continuously reconciles the live state against what is in git. Drift gets surfaced in a UI that platform engineers love, and you can sync manually or automatically. It is a CNCF Graduated project, which is the highest maturity tier the foundation awards.

Argo CD is the answer when your real question is "how do I manage N clusters across M teams without humans running kubectl apply by hand." It is not the answer if your real question is "how do I get my Node.js app online."

Features: pull-based reconciliation, multi-cluster support, RBAC, SSO, Helm, Kustomize and Jsonnet support, ApplicationSets for fan-out, a web UI with diff views, Argo Rollouts for progressive delivery.

Pricing: open source (Apache 2.0). Commercial support available from Akuity (founded by the original Argo creators) and Codefresh.

Best for platform engineering teams, multi-cluster shops, regulated environments where the audit trail matters.

Trade-offs: you still have to run Kubernetes. Argo CD does not solve the cluster, the storage class, the ingress controller, the cert-manager, the secrets backend, or any of the other things that make K8s ops a full-time job. It solves "what is supposed to be deployed in this cluster," which is one slice of the problem.

3. Vercel

Best for frontend-heavy workloads, especially Next.js. (Application GitOps)

Vercel invented the modern push-to-deploy preview URL experience, and they still set the bar on the frontend. Git connect, push, preview URL per branch, production URL on main. Their Fluid Compute launch (May 2024, with Active CPU pricing landing April 2025) made backend functions competitive on price by only billing CPU during active execution rather than the full wall-clock of a Node process. That matters if you were burned by old serverless pricing.

Features: Git-driven deploys, preview URLs per commit, Edge Functions, Fluid Compute with Active CPU pricing, Image Optimization, KV / Postgres / Blob storage, deep Next.js integration.

Pricing: Hobby free, Pro $20/seat/mo, Enterprise custom. Active CPU billed at $0.128/hour on Pro for the GB-class compute.

Best for Next.js teams, marketing sites with serverless backends, JAMstack shops.

Trade-offs: if your workload is "a long-running Node process with a Postgres next to it," Vercel is not the natural shape. Functions have a maximum duration even with Fluid Compute. Egress and image-optimization overages are still the line items that surprise teams the most at the end of the month. The platform is shaped around Next.js first, everything else second.

Compare: Railway vs Vercel.

4. Render

Best for predictable instance-priced web services. (Application GitOps)

Render is the most direct Heroku heir on this list. You connect a repo, pick a runtime, get an instance. Pricing is per-instance per-month, which the finance team likes because it does not move week to week. Native preview environments come from render.yaml blueprints checked into the repo, which is closer to the Weaveworks definition than most application GitOps platforms.

Features: GitHub / GitLab / Bitbucket deploys, native preview envs via render.yaml, managed Postgres and Redis, private services, cron jobs, autoscaling on Pro plans, DDoS protection.

Pricing: free tier (with cold starts), Starter instances from $7/mo, Standard $25/mo, Pro $85/mo and up. Postgres from $6/mo.

Best for teams who want fixed monthly cost per service, small SaaS, Heroku migrators.

Trade-offs: instance pricing is predictable but it is rarely the cheapest at low utilization; you pay for the box whether you use it or not. The service graph is flatter than Railway's; cross-service references exist but feel less central to the product. Build times have historically been a complaint, though they have improved.

Compare: Railway vs Render.

5. Flux CD

Best for teams who want Argo CD's job done by a CLI-first controller. (Infrastructure GitOps)

Flux is the other CNCF Graduated GitOps project, originally from Weaveworks (the team that coined the term). Same core loop as Argo: source of truth in git, controller reconciles cluster state. Flux leans more CLI and composition (the Flux controllers are split into Source, Kustomize, Helm, Notification, Image Automation), where Argo leans more UI and ApplicationSet abstractions.

Features: pull-based reconciliation, Helm and Kustomize support, image automation (auto-bump tags via PR), multi-tenancy, OCI artifact sources, native progressive delivery via Flagger.

Pricing: open source (Apache 2.0). Commercial support from Weaveworks alumni and various K8s vendors.

Best for teams who prefer composable controllers over a monolithic UI, infrastructure-as-code purists, GitLab-heavy shops (Flux has had good GitLab integration historically).

Trade-offs: the lack of a first-class UI is a feature for some teams and a real adoption tax for others. Onboarding a new platform engineer to Flux is harder than onboarding them to Argo, because the mental model is spread across more controllers. Same underlying assumption as Argo: you already operate Kubernetes.

6. Spacelift

Best for multi-IaC teams managing Terraform, OpenTofu, Pulumi, and Kubernetes from one place. (Infrastructure GitOps)

Spacelift is the most flexible commercial infrastructure-GitOps platform; it speaks Terraform, OpenTofu (the open Terraform fork), Pulumi, Kubernetes manifests, Ansible, and CloudFormation. The product model is "stacks" (one IaC root) chained into "policies" (Open Policy Agent rules) and run inside private workers if you need them in your own cloud. The pitch versus HCP Terraform is "same idea, more tools, friendlier policy engine."

Features: multi-IaC support (Terraform, OpenTofu, Pulumi, K8s, Ansible, CloudFormation), OPA-based policies, private worker pools, drift detection, stack dependencies, VCS integration with all the usual suspects.

Pricing: Free tier (up to two users, three private workers), Starter $240/mo, Business custom, Enterprise custom.

Best for platform teams with mixed IaC estates, OpenTofu adopters who left Terraform after the BSL license change.

Trade-offs: the configuration surface is large because the product covers a lot of ground; small teams will feel like they are buying a fleet license to drive one car. OPA policies are powerful but writing Rego is its own skill.

7. HCP Terraform

Best for shops standardized on Terraform who want HashiCorp's hosted version. (Infrastructure GitOps)

HCP Terraform is what Terraform Cloud was renamed to in 2023 when HashiCorp consolidated branding under the HashiCorp Cloud Platform umbrella. It is still the hosted Terraform runner: VCS-connected workspaces, remote state, plan and apply on PR, policy as code through Sentinel (or OPA on the higher tiers). It is the path of least resistance if your team already writes Terraform every day.

Features: remote state, VCS-driven runs, private module registry, Sentinel and OPA policy enforcement, Run Tasks (pre-apply hooks), drift detection, no-code provisioning workflows on higher tiers.

Pricing: Free up to 500 managed resources, Standard $0.00014/resource-hour, Plus custom (adds drift detection and policy enforcement). HashiCorp moved away from per-user pricing in 2023.

Best for Terraform-native teams who already pay HashiCorp for something else, enterprises that want Sentinel.

Trade-offs: the BSL license change in August 2023 sent a meaningful chunk of the community to OpenTofu, and HCP Terraform now lives in a world where its core engine has a credible fork. Pricing is per-resource-hour, which is hard to forecast for teams whose resource counts shift weekly.

8. Pulumi

Best for teams who want infrastructure as real code, not DSL. (Infrastructure GitOps)

Pulumi's bet is that infrastructure is software and should be written in actual programming languages: TypeScript, Python, Go, .NET, Java, YAML if you really must. The hosted Pulumi Cloud is the GitOps surface: VCS-connected stacks, remote state, policy as code through CrossGuard, plus an ESC (Environments, Secrets, Configuration) product that has eaten some of the secrets-management story.

Features: SDKs in TypeScript / Python / Go / .NET / Java, Pulumi Cloud for state and collaboration, CrossGuard policies, Pulumi ESC for secrets and config, automation API for embedding Pulumi in apps, Copilot AI assistant.

Pricing: Individual free, Team $0.37/resource-hour up to a cap, Enterprise and Business Critical custom.

Best for software-engineering-heavy infra teams, polyglot orgs, teams who hated HCL.

Trade-offs: writing infra in TypeScript is a feature until two engineers solve the same problem two different ways. The ecosystem of community modules is smaller than Terraform's, though it has grown materially. State stored in Pulumi Cloud is the default; self-hosting state is possible but most teams do not bother.

9. Northflank

Best for teams who want application GitOps but with Kubernetes primitives exposed underneath. (Application GitOps with K8s)

Northflank is the closest competitor to the "Heroku but for backends" shape that also gives you escape hatches into raw Kubernetes when you need them. Git-deploy, preview environments, managed databases, plus a Bring Your Own Cloud (BYOC) story that drops the platform into your AWS / GCP / Azure account. It is the platform you pick when you want the Railway experience but your security team has already decreed the workload must run in an account you own.

Features: GitHub / GitLab / Bitbucket integration, preview environments, managed Postgres / Redis / MySQL / MongoDB, jobs and cron, BYOC into AWS / GCP / Azure / Oracle, GPU support, K8s-native networking primitives.

Pricing: Developer free (with limits), pay-as-you-go usage-based pricing for compute and databases on top.

Best for ML and AI workloads needing GPUs, regulated teams who need BYOC, teams who want Kubernetes available but not mandatory.

Trade-offs: the surface area is larger than Railway's because Northflank exposes more K8s knobs, which is a feature for some teams and a tax for others. Documentation is good but the product moves fast enough that you will occasionally find a UI that has drifted ahead of the docs.

10. Atlantis

Best for Terraform teams who want pull-request automation without paying for a SaaS. (Infrastructure GitOps, self-hosted)

Atlantis is the original, and it is still going. Self-hosted, free, written in Go. You drop it next to your Terraform repos, it listens to GitHub / GitLab / Bitbucket webhooks, and it runs terraform plan and terraform apply against PRs when authorized users comment specific commands. No frills, no UI to log into, no per-resource pricing. It is the answer when the question is "we have Terraform and we want PR-driven automation and we do not want a vendor."

Features: PR-driven Terraform automation, custom workflows, policy checks via conftest, server-side repo locking, multi-VCS support, runs anywhere you can run a Go binary.

Pricing: open source (Apache 2.0). You pay for the host you run it on.

Best for cost-conscious infra teams, teams with strong in-house ops, anyone who finds HCP Terraform pricing painful.

Trade-offs: it is self-hosted, so you own the upgrades, the HA story, and the auth integration. The UI is minimal because there is not one; everything happens in PR comments. No native multi-IaC support; this is a Terraform / OpenTofu tool.

Six GitOps-shaped decision questions

  1. What does "deploy" mean for your team this quarter? "Push to main and ship" is application GitOps. "Reconcile cluster state to match a manifest repo" is infrastructure GitOps. Almost everyone asking the question means the first one.
  2. Do you have a Kubernetes cluster you are committed to operating? If no, do not adopt Argo CD or Flux out of FOMO. If yes, do not skip them.
  3. What is your IaC of record? Terraform shops want HCP Terraform, Spacelift, or Atlantis. Polyglot shops want Pulumi or Spacelift. Pure-K8s shops want Argo CD or Flux.
  4. Do preview environments matter? Railway, Render, Vercel, and Northflank do them natively. Argo and Flux do not (they are a layer below).
  5. Who owns this in two years? A platform team owns Argo or Flux. A product team owns Railway, Vercel, or Render. Mismatching the owner to the tool is the failure mode I see most.
  6. What is the budget shape? Per-instance (Render), per-seat (Vercel, Railway Pro), per-resource-hour (HCP Terraform, Pulumi), usage-billed (Railway, Northflank), free with hosting (Argo, Flux, Atlantis). Pick the curve you can defend.

Closing

The reason "best GitOps platform" returns ten different answers is that the term covers two different jobs. If you spend an afternoon being honest about which job you are hiring for, the shortlist collapses to two or three real candidates and you can stop reading listicles (including this one).

For application GitOps, the boring move is to pick a vanilla cloud platform that does the deploy contract well, get out of YAML, and give yourself the quarter back. That is what Railway exists to do, and on the days when it is not Railway, it is Render or Vercel or Northflank depending on workload shape. For infrastructure GitOps, Argo CD and Flux remain the right answers in Kubernetes, and Spacelift / HCP Terraform / Pulumi / Atlantis remain the right answers in IaC, sorted by how many languages you speak and how much you want to self-host.

Happy shipping.

Angelo



01 Jun 20:26

The Best Continuous Deployment Tools in 2026

Author: Angelo Saraceno

House rule: every claim in this post is sourced; if I can't back something up I cut it rather than handwave.

Before I worked at Railway I spent years at Citrix, dragging code into Verizon and Lockheed customer environments where "deploy" meant a change advisory board meeting, a maintenance window, and three people on a bridge call at 2am. Continuous Deployment was the thing people on the internet talked about; the thing I shipped into was closer to continuous paperwork. That experience is why I am picky about the words. When someone asks me "what's the best continuous deployment tool in 2026," I want to know whether they mean the pipeline that builds and tests their code, or the system that takes a green build and moves bytes into production. Those are different problems with different vendors.

If you want a CI tool, this isn't that list. If you want to know how code that already passed CI reaches users, with rollouts, traffic shifting, rollback strategies, and feature-flag-gated cutovers, keep reading. I'll name names, including the platform that pays me, and I'll be honest about where it stops being the right answer.

Continuous Deployment is not CI/CD

Most listicles in this category conflate CI/CD into a single acronym and then rank ten tools that do completely different jobs. It's lazy. The split matters because the buying decision is different.

Continuous Integration is the build and test half. You push a branch, a runner spins up, your code compiles, your tests run, your linter complains, and an artifact (a container image, a binary, a bundle) lands somewhere addressable. CI's job ends when the artifact exists and a green checkmark appears on the PR. The market here is GitHub Actions, CircleCI, Buildkite, GitLab CI, Jenkins if you're sentimental.

Continuous Deployment is what happens next. A green build is not a deployed change. CD is the discipline of taking that artifact and moving it into production in a way that doesn't take the site down. That means rollout strategy (blue/green, canary, rolling), traffic shifting (how do you send 5% of users to the new version), automated rollback (what does the platform do when health checks fail), environment promotion (staging to production, with what guardrails), and observability hooks (how does your dashboard know a deploy happened). The tools here are Argo CD, Spinnaker, Octopus, Harness, and the PaaS layer of platforms like Railway, Render, and Vercel that wrap all of this into "git push and it just works."

A team can run great CI and terrible CD. A team can also run great CD without ever buying a "CD tool," and this is more common than people admit, because their PaaS does it. Conflating the two leads to teams installing Argo CD on a four-node cluster when they could have shipped on Railway and saved themselves a platform engineer's salary.

What real Continuous Deployment requires

If you're evaluating CD tools in 2026, here is the capability checklist I would use. These are the seven things that distinguish a CD platform from a glorified kubectl apply script.

  1. Automated deploys on merge to main. Merging to the deployment branch should trigger a production deploy without a human in the loop. If you need someone to click "deploy," it's not continuous.
  2. Rollout strategies. At minimum: rolling updates. Better: blue/green and canary. Best: gradual percentage-based traffic shifting with configurable bake times.
  3. Traffic shifting. The ability to send N% of requests to the new version while the remaining (100 - N)% goes to the old, and to adjust that ratio without redeploying. This is where service mesh, load balancer, and platform integration matter.
  4. Automated rollback on health-check failure. If the new version starts failing readiness probes, the platform should revert without a page going out to oncall.
  5. Feature flag integration. Code-level rollout decoupled from deploy-level rollout. LaunchDarkly, Statsig, Unleash, or platform-native flags.
  6. Environment promotion. Same artifact, different environments, with controlled gates between them. Staging passes? Promote to prod. No rebuild.
  7. Observability hooks. Deploys should appear as annotations on your metrics, logs, and traces. Datadog deploy markers, Sentry releases, Grafana annotations. If you can't correlate a deploy with a graph spike, you've lost half the value.

Anything calling itself a CD tool that misses three or more of these is selling you a script runner.
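Items 2, 3, 4 and 7 of the checklist in one place, as an added example that is not the code of Railway, Argo Rollouts or any other tool named here: a canary rollout that shifts traffic in configurable steps with bake times, rolls back automatically when the health probe fails, and emits deploy markers. The router, the health probe (a constructed per-version error-rate table) and the clock are simulated in memory; in practice they map to a load-balancer or mesh weight, a readiness or error-rate query, and wall-clock bake time.

```python
"""Canary rollout with gradual traffic shifting and health-gated rollback (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Router:
    """Weighted split between stable and canary; adjustable without redeploying."""
    stable: str
    canary: Optional[str] = None
    canary_percent: int = 0

    def split(self) -> dict[str, int]:
        if self.canary is None:
            return {self.stable: 100}
        return {self.stable: 100 - self.canary_percent, self.canary: self.canary_percent}

    def shift(self, version: str, percent: int) -> None:
        self.canary, self.canary_percent = version, percent

    def promote(self) -> None:
        self.stable, self.canary, self.canary_percent = self.canary, None, 0

    def rollback(self) -> None:
        self.canary, self.canary_percent = None, 0


@dataclass(frozen=True)
class Step:
    percent: int        # share of requests sent to the canary at this step
    bake_seconds: int   # how long to watch before moving to the next step


@dataclass
class Rollout:
    router: Router
    healthy: Callable[[str], bool]                 # probe: is this version passing?
    sleep: Callable[[int], None] = lambda s: None  # swapped for time.sleep in real use
    events: list[str] = field(default_factory=list)  # deploy markers for metrics/logs

    def run(self, version: str, steps: list[Step]) -> str:
        """Walk the steps; bake at each; revert on the first failed probe."""
        self.events.append(f"deploy.start {version}")
        for step in steps:
            self.router.shift(version, step.percent)
            self.events.append(f"deploy.shift {version} {step.percent}%")
            self.sleep(step.bake_seconds)
            if not self.healthy(version):
                self.router.rollback()   # no page to on-call: traffic is already back on stable
                self.events.append(f"deploy.rollback {version} at {step.percent}%")
                return "rolled_back"
        self.router.promote()
        self.events.append(f"deploy.promote {version}")
        return "promoted"


# The "1% for an hour, then 5%, then 25%" shape from the trade-offs section.
DEFAULT_STEPS = [Step(1, 3600), Step(5, 1800), Step(25, 1800), Step(100, 0)]

# Constructed sample: 5xx rate observed per version while it takes traffic.
ERROR_RATE = {"api:1.4.2": 0.002, "api:1.5.0": 0.031, "api:1.5.1": 0.004}
SLO_ERROR_RATE = 0.01   # anything above 1% errors fails the probe


def probe(version: str) -> bool:
    """Unknown versions count as unhealthy, so a typo in a tag cannot be promoted."""
    return ERROR_RATE.get(version, 1.0) <= SLO_ERROR_RATE


def demo():
    router = Router(stable="api:1.4.2")
    rollout = Rollout(router, healthy=probe)
    first = rollout.run("api:1.5.0", DEFAULT_STEPS)    # bad build: rolled back at 1%
    second = rollout.run("api:1.5.1", DEFAULT_STEPS)   # fixed build: promoted
    return first, second, router, rollout.events


if __name__ == "__main__":
    first, second, router, events = demo()
    print(first, second, router.split())
    print("\n".join(events))
```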

The 10 platforms, ranked

At a glance:

Comparison table of six continuous deployment tools (Railway, Argo CD, Spinnaker, Vercel, Harness, Render) by best-for, model, and canary support

1. Railway

Best for teams who want continuous deployment without admitting they want a platform.

Railway is a PaaS, and the CD story is the product. You connect a GitHub repo, push to a tracked branch, and Railway builds the image (Nixpacks or your Dockerfile), runs it, attaches it to a network, and serves it on a generated domain. Merge to main, you get a production deploy. Open a PR, you get a preview environment (PR Environments are a config away). Roll back? One click in the dashboard or a redeploy from a prior commit SHA. Promote staging to prod? Environment-to-environment with shared variables and per-env overrides.

The point I keep returning to: if you're on a real PaaS, you have continuous deployment; you just stopped calling it that. Most teams shopping for a "CD tool" are shopping for the thing Railway, Render, Heroku, and Vercel have done for years.

Features: Git-tracked deploys, PR preview environments, environment promotion, one-click rollback, deploy logs and build logs split, healthcheck-gated rollouts, region selection, private networking via WireGuard mesh, integrated metrics, configurable replicas, volume mounts that survive deploys.

Pricing: Hobby tier at $5/month with included usage. Pro starts at $20/seat/month with usage on top. Resource pricing is per-second on RAM and CPU. No per-build minute charges; you pay for what runs.

Best for: Startups, product teams, anyone whose primary workload is a webapp plus a few workers and a database. Teams who would rather ship than tune.

Honest trade-offs: If you need to deploy to your own VPC for compliance reasons, Railway Metal (BYO infrastructure) is the answer, but you're now signing an enterprise contract. Railway doesn't offer percentage-based canary deploys out of the box; rollouts are rolling-by-default with healthcheck gating. If your CD requirement includes "shift 1% of traffic for an hour, then 5%, then 25%," you'll want a feature flag tool in front of Railway, or one of the heavier platforms below.

2. Argo CD

Best for GitOps on Kubernetes.

Argo CD is the canonical GitOps controller for Kubernetes. It watches a Git repo full of manifests (or Helm charts, or Kustomize overlays) and reconciles cluster state to match. You don't push to the cluster; you push to Git and Argo pulls. It's a CNCF Graduated project, which in 2026 still matters as a stability signal.

Features: Declarative GitOps, pull-based reconciliation, multi-cluster support, RBAC, web UI with sync status, Helm and Kustomize native support, application of applications pattern, automated sync with self-heal, drift detection.

Pricing: Open source and free. Self-hosted. Akuity and Codefresh sell managed Argo CD if you don't want to run it yourself; pricing is per-application and varies.

Best for: Teams running Kubernetes who have already committed to it. Platform engineering orgs. Anyone who needs the audit trail of "production state lives in Git."

Honest trade-offs: You need to run Kubernetes well to get value here, and Kubernetes is a full-time job. Argo CD doesn't manage your clusters, doesn't build your images, doesn't run your CI, and doesn't ship with a great answer for "where do my secrets live." It's a sync controller; the rest of the platform is your problem. If your team is two people and a side project, this is overkill.

3. Spinnaker

Best for multi-cloud deploys with serious rollout discipline.

Spinnaker was built at Netflix and open-sourced in 2015. It's the original opinionated CD platform and still the reference implementation for canary analysis and multi-cloud orchestration. Maintained by the community now; Netflix has moved on internally but the project continues.

Features: Multi-cloud (AWS, GCP, Azure, Kubernetes), red/black (Netflix's name for blue/green), canary with automated analysis via Kayenta, pipeline-as-code via Dinghy, manual judgment stages, integration with Jenkins and other CI tools.

Pricing: Open source. Armory sells a commercial distribution with enterprise support; pricing is contact-sales.

Best for: Mid-to-large engineering orgs deploying across multiple clouds. Anyone who cared about the Netflix tech blog circa 2017.

Honest trade-offs: The operational cost is real. Spinnaker is a microservices system itself (Clouddriver, Orca, Echo, Front50, Gate, Igor, Deck, Kayenta, Fiat, Rosco), and you're now running a CD platform alongside the thing it deploys. The UI shows its age. The learning curve is steep. If you're not at the scale where multi-cloud canary analysis pays for itself, you're paying a tax for capability you won't use.

4. Vercel

Best for frontend continuous deployment.

Vercel is what happens when a CDN, a build pipeline, and a deploy platform marry up and have a Next.js baby. The preview-then-promote workflow is excellent: every PR gets a deployable URL, merging to production promotes that exact build to the production domain. No rebuild, no surprise.

Features: Git-integrated deploys, preview deployments per branch, edge functions, Fluid Compute with Active CPU pricing (you pay for CPU time during streaming responses, not wall-clock), instant rollback, deploy protection, image optimization, analytics.

Pricing: Hobby free. Pro at $20/seat/month with usage. Enterprise contact-sales. Compute pricing moved to Active CPU in 2024, which is cheaper for streaming AI workloads than per-request models.

Best for: Next.js apps. React frontends. Anyone shipping a marketing site or a frontend-heavy product.

Honest trade-offs: Vercel is exceptional at frontend and progressively worse the further from frontend you go. Long-running workers? Databases? Background jobs? You're integrating with other providers, and now you have a distributed system across vendors. Pricing scales hard once you're serving real traffic; the listicles that claim Vercel is "cheap" are quoting hobby tier.

5. Flux CD

Best for GitOps teams who want less UI and more CLI.

Flux is the other CNCF Graduated GitOps tool. Same problem as Argo, different solution. Flux is more modular (you compose controllers for source, kustomize, helm, notification, image automation), more CLI-driven, less of a destination UI.

Features: GitOps reconciliation, Helm and Kustomize support, image automation (auto-update manifests when a new image lands), multi-tenancy, notification controllers for Slack and webhooks, OCI artifact support.

Pricing: Open source and free. Weaveworks (the original Flux company) wound down in 2024, but the project is healthy under CNCF stewardship.

Best for: Platform teams who prefer composing controllers to clicking through a UI. Anyone who finds Argo's monolithic feel uncomfortable.

Honest trade-offs: The UI story is weaker than Argo. If your developers want to see deploy status in a dashboard, you'll be wiring something up. Same Kubernetes prerequisite as Argo; you still need to run K8s well.

6. Octopus Deploy

Best for enterprise CD with manual approvals and on-prem requirements.

Octopus is what regulated industries buy. Finance, healthcare, defense, anywhere a deploy needs a paper trail and a human signoff. Strong multi-environment promotion model, role-based approvals, deep Windows and IIS support that nobody else takes seriously anymore.

Features: Environment promotion with gated approvals, runbook automation, tenant-aware deploys for multi-customer SaaS, deep integration with TeamCity and Azure DevOps, on-prem and self-hosted options, audit logs that satisfy compliance reviewers.

Pricing: Cloud starts at $0 for small teams (up to 10 deploy targets), then per-target pricing. Self-hosted is per-target as well. Enterprise tiers add SSO and advanced features.

Best for: Companies with change management boards. Anyone deploying to mixed Windows and Linux fleets. Government contractors.

Honest trade-offs: This is not where you start a greenfield SaaS. The product is built for environments where deploys are events, not background hum. If your team deploys 40 times a day to a single cloud, Octopus will feel heavy.

7. Harness

Best for enterprise CD with AI-driven verification.

Harness has been pushing the "AI verifies your canary deploys" story since 2017, and in 2026 the verification story is useful. The platform ingests metrics from Datadog, Prometheus, New Relic, and others, compares the new version's signals against the old, and auto-promotes or auto-rolls back based on statistical analysis. They also own Drone CI (acquired 2020), so the CI half is in-house.

Features: Continuous Verification (AI-driven canary analysis), GitOps support, feature flags (native), pipeline-as-code, multi-cloud, Drone CI integration, security scanning, cost insights.

Pricing: Free tier for small teams. Team and Enterprise tiers are quote-based, generally per-service-per-month.

Best for: Mid-to-large companies who want a single vendor for CI plus CD plus feature flags plus the dashboard. Teams who'd rather buy than build.

Honest trade-offs: It's a lot of platform. The pricing per-service adds up fast when you have a microservices estate. The "AI" branding sometimes feels heavier than the underlying statistical analysis warrants; the canary verification is real, but it's not magic.

8. Render

Best for PaaS-bundled CD with predictable pricing.

Render is Railway's nearest competitor in the PaaS-with-CD-baked-in space. Same shape: git-integrated deploys, managed databases, preview environments, autoscaling. Different pricing model (more flat-rate, less per-second).

Features: Git-integrated deploys, preview environments per PR, autoscaling, managed Postgres and Redis, private networking, background workers and cron jobs, zero-downtime deploys.

Pricing: Free tier with cold starts. Paid services start at $7/month for the smallest instance. Postgres starts at $6/month. Pricing is flat-rate per instance size, not per-second.

Best for: Teams who want a Heroku-shaped experience with modern infrastructure underneath.

Honest trade-offs: I work at Railway, so take this with appropriate salt: I think Railway's per-second pricing fits bursty workloads better, and Railway's environment model (with multi-region and the new Metal option) is more flexible. Render is a real product; pick whichever PaaS your team finds more pleasant to use.

9. Heroku Pipelines

Best for legacy estates that already run on Heroku.

Heroku invented the modern PaaS-with-CD experience. Pipelines (review apps, staging, production with promotion between them) was the template every other platform copied. In February 2026, Salesforce reportedly moved Heroku into a sustaining-mode posture: existing customers continue, but investment is minimal and the roadmap is narrow.

Features: Pipelines with review apps, staging, and production. Promotion between environments. Add-on marketplace. Buildpacks.

Pricing: Eco at $5/month for hobby. Basic at $7/dyno. Standard and Performance dynos scale up. Add-ons are extra.

Best for: Teams already on Heroku who haven't decided to migrate yet.

Honest trade-offs: This is not where you start a new project in 2026. The product still works, the add-on ecosystem is real, and migration is painful, so existing customers have reason to stay. Newcomers should evaluate Railway, Render, Fly, or Vercel depending on workload shape.

10. GitHub Actions (with deploy workflows)

Best for teams who want to wire it themselves.

This is the DIY continuous deployment path. Use Actions for CI, write deploy steps that ssh to a server, push to a container registry, run kubectl apply, or call a cloud API. It's not a CD platform; it's a runner you've conscripted into being one.

Features: GitHub-native, marketplace of pre-built actions, matrix builds, self-hosted runners, OIDC for cloud auth, environment protection rules with required reviewers.

Pricing: 2,000 free minutes per month on free tier. Per-minute pricing after, with Linux at $0.008/minute and macOS at $0.08/minute. Self-hosted runners are free of minute charges; you pay for the compute.

Best for: Small teams who already live in GitHub. Open source projects. Anyone whose deploy is simple.

Honest trade-offs: Every CD primitive (rollout strategy, traffic shifting, rollback, environment promotion) is your YAML to maintain. The minute you need canary analysis or healthcheck-gated rollouts, you're either writing it from scratch or wiring in another tool. The "free" of GitHub Actions evaporates once you count the engineering time spent maintaining the workflow files.

Six CD-shaped decision questions

When you're choosing, answer these in order. The answers narrow the field fast.

  1. Are you on Kubernetes already, with a platform team running it? If yes, Argo CD or Flux. If no, skip both.
  2. Do you need percentage-based traffic shifting with automated analysis? If yes, Spinnaker or Harness. If no, you don't need a heavy CD platform.
  3. Does your industry require manual approval gates and audit trails? If yes, Octopus. If no, skip it.
  4. Is your workload primarily frontend or Next.js? If yes, Vercel. If no, keep looking.
  5. Are you a startup or product team without a platform engineer? If yes, Railway or Render. Pick the one whose pricing model fits your usage pattern.
  6. Do you already deploy to Heroku? If yes, stay until you're forced to move; start the migration plan now.

If you answered "no" to one through four and "yes" to five, you don't need a CD tool. You need a PaaS, and the PaaS is your CD platform.

Closing

Continuous Deployment is a discipline, not a product category. The teams who do it well aren't necessarily running Argo or Spinnaker; they're running on infrastructure that makes deploys boring. That can be a Kubernetes platform with GitOps controllers, or a PaaS that hides the controllers from you, or a frontend-specific platform that nails the preview-promote loop. The boring-deploy outcome is what matters; the path to it depends on your team's size, workload, and tolerance for platform maintenance.

If you're vanilla-cloud today (raw EC2, raw GCE, raw VMs anywhere) and your "CD tool" is a Bash script that runs over SSH, you have a CD problem worth solving. The fix is rarely to install Argo on top of your VMs; it's to move up a layer to a PaaS that handles deploys as a product feature. That's the move I made at every customer site I worked with at Citrix that had the runway for it, and it's why I work at Railway now.

Happy shipping.

Angelo


Angelo Saraceno is a Solutions Engineer at Railway. Before Railway he was at Citrix, working inside Verizon and Lockheed environments, so he has seen what "enterprise IaaS" looks like after the slides come down. He writes about infrastructure, deployment, and the gap between how cloud is sold and how it runs in practice.


01 Jun 20:23

Soto Ivars: THE POLICE ARE DEFENDED BY CRITICIZING THEIR BRUTES

by Juan Soto Ivars

Is it possible to concede (at least in part) that Podemos and Sarah Santaolalla are right? Well, given what happened with this police officer and his brutal treatment of a teacher at the demonstration, the answer is yes. That is, if you have any affection for the Police in general. If not, you can do as UFP and Macarena Olona...


The teachers' protest in Valencia ended up marked by an image that is hard to dispute: a National Police officer shoves a retired teacher from behind during a teachers' demonstration and the woman falls face-first onto the ground. The protester, aged 68, suffered injuries including a broken nasal septum and a cut on her chin, filed a complaint, and the National Police opened disciplinary proceedings against the riot officer involved.

The Government Delegation in the Valencian Community, headed by Pilar Bernabé, announced an investigation and described the action as "unacceptable". The incident occurred during the indefinite strike by non-university teachers, with unions such as STEPV, CCOO and UGT demanding improvements and denouncing the deadlock in negotiations with the Conselleria de Educación.

The core of the video is not whether the protesters were allowed to block the street. They were not. It is proportionality: a woman with her back turned, arms crossed, a shove with the baton from behind and a fall with no time to protect herself. Without doubt a brutal action that can be reported and criticized without turning it into a blanket indictment of the National Police, the Guardia Civil or the security forces.

The political reaction was immediate. Gabriel Rufián, Irene Montero, Sarah Santaolalla and a good part of the left denounced police brutality, fascism and repression. The other trench responded with the opposite reflex: relativize the image, talk about context, defend the officer and attack the political exploitation. The problem is that this time the image was too eloquent to take refuge in the usual argument that the video was edited or taken out of context.

The statement from the Unión Federal de Policía made the crisis worse: support for the colleague, defense of his conduct and a rebuke to Pilar Bernabé for announcing an investigation. That line of defense does more damage to the police's reputation than condemning the excess would. The most effective way to protect an institution is not to shield every action, but to quickly remove whoever compromises its authority and its legitimacy in the eyes of citizens.

Macarena Olona also weighed in on the case with the framing of "if you don't obey, don't cry afterwards", insisting that police interventions are not judged from an edited video. The underlying answer is simple: that argument works many times, but not always. When the image shows an unnecessary shove, from behind and against an unsuspecting person, defending it does not protect the Police; it hands ammunition to those who want to present the whole institution as abusive.
01 Jun 20:18

Pedraz indicts the leadership of the UDEF during the PP government for alleged spying on Podemos.

by Fino

The National Court judge has indicted former commissioner José Manuel García Catalán, at the request of Pablo Iglesias, and has summoned him to testify next Thursday, June 25. Catalán, together with another police officer who is cited by badge number in the filing to which RTVE has had access, will have to clarify whether between 2015 and 2016, while Jorge Fernández Díaz was Minister of the Interior in Mariano Rajoy's government, the Economic and Fiscal Crime Unit carried out irregular investigations against Podemos. @rtve

01 Jun 20:17

Introducing the GKE standby buffer: Improve node startup times without blowing your budget

by Eyal Yablonka

Application owners and platform engineers have long faced a difficult choice: spend excessively by over-provisioning to guarantee quick startups, or minimize costs but endure slow cold starts.

We are excited to announce a solution to this compromise: Google Kubernetes Engine standby buffers. This builds on the launch of GKE active buffers earlier this year, a native version of the Kubernetes CapacityBuffers API that makes it easy to provision readily available capacity to handle traffic spikes, delivering near-zero startup latency for new pods. However, active buffers still impose a trade-off between performance and cost. New GKE standby buffers help by maintaining a low-cost, suspended capacity buffer for your GKE clusters. With a cost overhead in the low single-digit percent, GKE standby buffers help you achieve near-immediate scheduling for your workloads with negligible cost overhead. This is useful for all kinds of workloads — general-purpose, agentic, and everything in between.


Under identical traffic loads, the cluster without standby buffers suffered severe latency spikes, with P50, P95, and P99 metrics trapped between 4 and 6 minutes. Conversely, the cluster with standby buffers maintained a P50 latency of just single-digit seconds, while its P95 and P99 metrics briefly peaked at one minute before quickly normalizing to single-digit seconds. Both setups exhibited a similar allocatable core cost, making the buffered approach far more efficient.

The problem: High costs and latency

Traditionally, autoscaling with standard Kubernetes has been effective but slow. Traffic surges or batch jobs require cluster autoscalers to provision fresh nodes, leaving Pods in a pending state. To circumvent delays, you have to resort to clunky workarounds like lowering your Horizontal Pod Autoscaler (HPA) thresholds or managing so-called balloon pods. These workarounds are expensive: 

  • Managing balloon pods is operationally complex, requiring manual configuration and ongoing maintenance of priority classes and resource requests to ensure they function correctly.

  • Lowering the HPA threshold adds empty (wasted) space that linearly scales with the size of the node pool.

Both GKE active and standby buffers allow capacity to be defined declaratively, removing the need for clunky and operationally heavy workarounds.

In addition, GKE standby buffers lower infrastructure costs by storing the node’s state to disk, releasing compute and memory costs and keeping only persistent disk and IP address costs. Then, combined with an active buffer, you can achieve near-instant pod scheduling that has similar performance to over-provisioning, but at a very affordable price.

Active and standby buffers working together

All GKE capacity buffers operate on a principle similar to video streaming on platforms like YouTube. By proactively provisioning and managing available capacity ahead of impending demand (much like pre-downloading video content), GKE helps to ensure that resources are readily available when they’re needed.

With today’s launch, the two types of capacity buffers can work in harmony:

  • Active buffer: Cluster Autoscaler works to reserve enough capacity for a predefined amount of pods on existing cluster nodes, and, if needed, provisions extra nodes. Select this ready-to-use buffer to provide capacity to your most latency-sensitive workloads. 

  • Standby buffers: Nodes are pre-provisioned and fully initialized with necessary components like Kubernetes DaemonSets, and given time to preload images, but are then suspended, while the underlying compute capacity is released to save costs. When demand spikes, these nodes resume 2-3x faster than creating a fresh node, bridging the gap between cold starts and always-on capacity.

The active buffer covers the initial spike until standby buffers resume. The system prioritizes refilling the active buffer from the standby buffer. The standby buffer handles an extended load and protects against slower node cold starts. As standby buffers refill, they initially kick into an active state for a configurable amount of time before they are suspended, providing a boost of active capacity during sustained traffic loads.

Early benchmarks

In our tests, using standby buffers enabled us to deliver sub-second Agent Sandbox scheduling latency for up to 90% lower cost compared to complete overprovisioning.

Figure 2: GKE Buffers Cloud Metrics

Optimized for business needs

Businesses are under constant pressure to optimize resource consumption while streamlining operations. Recognizing that organizations need smarter tools to manage sporadic and spiky workloads, we worked hard to deliver standby buffers quickly. Now, whether you’re running agents, batch jobs, CI/CD pipelines, game servers, or spiky workloads, GKE capacity buffers allow you to dynamically balance performance and cost. You can finally define your "insurance policy" against traffic spikes without paying a high premium for it. With GKE standby buffers you can:

  1. Circumvent cold starts: Nodes suspended by standby buffers resume 2-3x faster than provisioning fresh nodes, reducing pod scheduling latency during traffic spikes and sustained traffic load.

  2. Enjoy lower costs: A standby buffer incurs a fraction of the cost of active capacity because the underlying VM is suspended. You pay for storage and an IP address, rather than for full compute-hours.

  3. Gain declarative control: Replace complex balloon pod workarounds with the simple, native declarative CapacityBuffers API, explicitly stating how much headroom you need, and letting GKE handle the rest.


“Using GKE standby capacity buffers has lowered our time-to-ready from several minutes to 30 seconds at a very affordable price.”
- Pedro Spagiari, Chief Architect at Unico

Get started

Ready to improve your performance and save on costs?

  • Start by defining a CapacityBuffer resource in your cluster to specify your target buffer size.

  • Try balancing between standby buffers to reduce pod scheduling latency for sustained loads, and active buffers to address immediate unpredictable capacity needs.

Let’s look at an example of how to configure buffers for a Deployment while also using custom ComputeClasses.

Basic setup

Beginning with some basic setup, create a namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace

Then, create a custom ComputeClass (optional):

apiVersion: cloud.google.com/v1
kind: ComputeClass
metadata:
  name: my-ccc
  namespace: my-namespace
spec:
  # Buffers will also be created according to these priorities
  priorities:
  - machineFamily: n4
  - machineFamily: n4d
  - machineFamily: c4
  - machineFamily: c4d
  nodePoolAutoCreation:
    enabled: true

Define the buffer unit size

You can use a PodTemplate as the reference for the buffer unit size. You can also create a buffer for a specific Deployment, or for any object that exposes the scale subresource.

# Defines the resource requirements for one unit of buffer.
apiVersion: v1
kind: PodTemplate
metadata:
  name: my-buffer-unit-template
  namespace: my-namespace
template:
  spec:
    terminationGracePeriodSeconds: 0
    tolerations:
    # Optional: Ensures buffer pods can land on any node.
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
    containers:
    - name: buffer-container
      image: registry.k8s.io/pause:3.9
      resources:
        requests:
          cpu: "1"
          memory: "1Gi"
        limits:
          cpu: "1"
          memory: "1Gi"
    # Optional: Using buffers with a custom ComputeClass /
    # controls the properties of the nodes GKE provisions.
    nodeSelector:
      cloud.google.com/compute-class: my-ccc

Create buffers

Lastly, create a CapacityBuffer object by referring to our PodTemplate. Here, you create a standby buffer of 50 CPUs and 50 GB of RAM:

apiVersion: autoscaling.x-k8s.io/v1beta1
kind: CapacityBuffer
metadata:
  name: my-standby-buffer-resource-limits
  namespace: my-namespace
  annotations:
    # Optional: Time after which buffer nodes are suspended.
    # Default is 5 minutes.
    buffer.gke.io/standby-capacity-init-time: "5m"
    # Optional: Time after which standby buffers are recreated.
    # Default is 1 day, "never" avoids refreshing.
    buffer.gke.io/standby-capacity-refresh-frequency: "1d"
spec:
  podTemplateRef:
    name: my-buffer-unit-template
  # With the 1 CPU / 1Gi template above, these limits yield 50 standby buffer units.
  # When a standby buffer gets used, a new one gets created.
  limits:
    cpu: "50"
    memory: "50Gi"
  provisioningStrategy: "buffer.gke.io/standby-capacity"

And an active buffer of 5 CPUs and 5 GB of RAM (optional):

apiVersion: autoscaling.x-k8s.io/v1beta1
kind: CapacityBuffer
metadata:
  name: my-active-buffer-resource-limits
  namespace: my-namespace
spec:
  podTemplateRef:
    name: my-buffer-unit-template
  # With the 1 CPU / 1Gi template above, these limits yield 5 active buffer units.
  # When an active buffer gets used, a new one gets created.
  limits:
    cpu: "5"
    memory: "5Gi"
  provisioningStrategy: "buffer.x-k8s.io/active-capacity"

Finally, apply the above objects to your cluster. That’s it!

Now, any existing and future deployments that can schedule on the space reserved by the buffers will benefit from faster pod scheduling latencies.

Test the buffers

You can check on the status of your buffers. In Kubernetes, suspended nodes can be identified by the node condition Suspended.

kubectl get nodes -o custom-columns='NAME:.metadata.name,SUSPENDED:.status.conditions[?(@.type=="Suspended")].status'

Expect the following kind of output, and wait for the standby buffers to get suspended.

NAME                                              SUSPENDED
gke-my-cluster-nap-n4-standard-8-k960-...-ffbx    False    # Node has been resumed.
gke-my-cluster-nap-n4-standard-4-k960-...-h2x4    <none>   # Node was never suspended.
gke-my-cluster-nap-n4d-standard-8-1cip-...-74jf   True     # Node is suspended.

To test the buffers, create a deployment and scale it.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deployment
  template:
    metadata:
      labels:
        app: my-deployment
    spec:
      containers:
      - name: busybox
        image: busybox
        command: ["sleep", "inf"]
        resources:
          requests:
            cpu: "500m"
            memory: "500Mi"
      # Optional: Using buffers with a custom ComputeClass /
      # controls the properties of the nodes GKE provisions.
      nodeSelector:
        cloud.google.com/compute-class: my-ccc

Scaling this deployment to two replicas allows them to be assigned to the active buffer for immediate scheduling. The active buffer is then immediately refilled from the standby buffer. Simultaneously, the standby buffer initiates the provisioning of new nodes.

If you further scale the deployment to 50 replicas, scheduling all of them on the standby buffer occurs once the nodes resume. New nodes provisioned to refill the standby buffer briefly function as active buffers providing a temporary active standby boost. Therefore, when further scaling the deployment to 100 replicas during this time, you may notice that new replicas benefit from immediate scheduling.

GKE standby buffer best practices

When working with GKE standby buffers, here are a few things to consider:

  1. Define standby buffers that are sufficient to cover the extended load you expect to encounter, so that buffers can refill in the background from a cold start. A sufficiently sized standby buffer can drop your max pod scheduling latency to the time it takes to resume a node — around 30 seconds.

  2. When the buffer starts to get used and is refilled, new buffer nodes initially swing into an active state prior to suspending. This helps to boost active capacity during a prolonged load.

  3. If your application requires the lowest possible pod scheduling latency, define an active buffer size that is sufficient to cover any initial spikes you expect to encounter until standby buffer nodes are able to resume. The system prioritizes refilling the active buffer by consuming the standby buffer. A sufficiently sized active buffer and a sufficiently sized standby buffer can help you achieve one-second pod scheduling latency for a fraction of the cost of overprovisioning.

  4. Experiment with different buffer sizes to get the best result for your workload.

To help with sizing the buffers to meet your performance targets, we created a simulator, available at https://github.com/gke-labs/buffers-simulator.

Try it yourself!

Active and standby buffers in GKE provide a native solution for low-latency and cost-effective workload scaling by maintaining warm and standby capacity buffers. By circumventing slow node cold starts, buffers help performance-critical applications handle sudden traffic spikes. This feature replaces complex manual workarounds like balloon pods with a simple, declarative API, and allows for fixed, percentage-based, or resource-limited buffering strategies to help maintain strict service-level objectives cost-effectively and without over-provisioning for peak.

Standby buffers are available for GKE clusters running version 1.36.0-gke.2253000 or later. To get started with buffers, check out the documentation.

01 Jun 20:16

U.S. names with the oldest population

by Nathan Yau

Erin Davis calculated the average age of people with a given name to find the oldest name in the United States:

In short, the U.S. government produces estimates of the share of people born in year X who will still be alive in year Y. It also produces data on how many babies with a given name are born in each year.

By combining these two datasets, we can estimate how many babies with a specific name born in year X are still alive in 2025. Then, we can use those numbers to find a weighted average age for that name. (One big flaw: this doesn’t account for immigration, but I haven’t found a way around that.)

Myrtle wins for oldest average age. Davis provides an interactive version to search for your name.

Tags: age, Erin Davis, names

01 Jun 20:16

You’ve been trying to get around Amazon – but it’s not that easy

by Yuanyuan (Gina) Cui, Assistant Professor of Marketing, Coastal Carolina University
Many online shoppers who order from independent small retailers have no idea who ships their goods. Odds are growing that it's Amazon. AP Photo/Damian Dovarganes

You did the right thing this morning.

Instead of the one-click default to your laptop’s last opened tab, you opened Etsy and bought a ceramic mug from a maker you’d been following on Instagram. Yesterday, your sister’s birthday gift came from a Shopify store run by a kitchenware designer in Sacramento, California. You felt something when you clicked “buy,” a small, warm, fuzzy feeling. Not Amazon. Not a giant. Someone real.

The package will arrive on time, in unmarked brown cardboard, in two days.

It will arrive that way because Amazon delivered it.

On May 4, 2026, Amazon announced the launch of Amazon Supply Chain Services. It opens Amazon’s warehouses, trucks and delivery network – built over decades to ship products from its own website – to outside companies of any size. Procter & Gamble, 3M, Lands’ End and American Eagle are among the first customers. The headlines framed it as a logistics story – Amazon is coming for UPS and FedEx – and most coverage stopped there.

Amazon’s announcement that it would open its logistics network to other companies has major implications for consumers trying to ‘shop small.’

But the bigger shift is one that consumers can’t see, and it has to do with how they support small businesses. A 2024 Pew Research survey found that 86% of Americans say small businesses have a positive effect on the country. For the millions of shoppers who have been redirecting their dollars away from corporate giants and toward small and local businesses, the May 4 announcement isn’t a logistics story at all. It’s about whether that effort still means what they think it means.

We’re scholars of consumer behavior and marketing who study how people square their purchasing decisions with ethical considerations, and we see a growing dilemma for consumers: If you pick the small brand instead of the giant, part of your payment actually goes somewhere you don’t expect. You may think you’ve made a conscious choice, but you’ve just walked through a different door into the same store.

And it’s getting harder and harder to escape.

Invisible but growing

Dragon Glassware is a small kitchenware company that began in a garage in Sacramento in 2017. You may have bought one of their wine glasses on their Shopify website, drawn in by the founder’s story and the small-business feel. Yet the order was picked, packed and shipped from an Amazon warehouse.

Another example is Poppi, which started at a Texas farmers market and went viral on TikTok as a cooler, healthier alternative to the giant soda companies. For years, the cans you ordered from Poppi’s own website – the ones that felt like a vote against Big Soda – were shipped to you by Amazon. Poppi was sold to PepsiCo for nearly US$2 billion in 2025, which is its own David-becomes-Goliath story.

These aren’t rare cases. Amazon’s Multi-Channel Fulfillment program, the service that ships these orders, now serves more than 200,000 U.S. merchants, and the network grew by roughly 70% in 2024 alone, according to Amazon. The same Amazon service also handles fulfillment for sellers on Shopify, Etsy, eBay and TikTok Shop. But you wouldn’t know this — the packaging is left unmarked by design.

What changed on May 4 is that Amazon opened this service up for all businesses – not just the small brands that have been there all along, but every kind of company at every size, from American Eagle retail orders to Procter & Gamble raw-material shipments between factories.

Peter Larsen, the executive quoted in the May 4 press release, said Amazon is doing for shipping what Amazon Web Services did for the internet. But there’s more to that comparison. Most people don’t know which websites run on AWS, and they don’t care. That’s the kind of invisibility Amazon is now building underneath physical things, too.

[Photo illustration: an Amazon Supply Chain Services airplane. Caption: Amazon Supply Chain Services announced on May 4, 2026, that it’s opening up its shipping and logistics services to all companies, a sign of its growing reach. Business Wire photo illustration]

It’s also extremely lucrative. Amazon collects a fulfillment fee on every order it ships for an outside brand – roughly $15 for a three-pound package shipped in two days, according to Amazon’s own published rates. It also collects monthly storage fees on that brand’s inventory. And it gathers real-time visibility into what every competitor sells, to whom, in what quantities, at what moments of the year.

Amazon CEO Andy Jassy publicly described Supply Chain Services as a “major growth opportunity.” When Amazon says growth opportunity, it means the same thing it said about AWS – a business that could one day rival its retail arm.

Why the small brands are using Amazon

It’s tempting to think the small brands are selling out. They’re not. They’re doing the math.

A small kitchenware founder shipping out of her own garage can only get a wine glass to a customer in three to five days. Amazon’s network can get there in two. After 15 years of Amazon Prime, two-day delivery isn’t a luxury – it’s what shoppers expect. Small brands that can’t match it lose sales. Independent fulfillment companies exist, but Amazon’s service is typically cheaper and integrates directly with the platforms small brands already sell on, such as Shopify, Etsy, TikTok Shop and eBay.

The bigger implication is upstream, however. Amazon now controls roughly four out of every 10 dollars Americans spend online – more than four times the share of its nearest competitor. A small brand that wants to be discovered by new customers has little choice but to be on Amazon. Once there, the path of least resistance is to use Amazon’s warehouses for everything – including the orders that come in from Shopify and Etsy.

So for consumers, the choice technically exists. But the economics make it a decoy. And the more small brands are routed through Amazon’s network, the more Amazon can raise fees, change terms and shape the conditions for small commerce. In fact, Multi-Channel Fulfillment prices have already risen for three years running.

If even Procter & Gamble has decided to route part of its logistics through Amazon, what can a kitchenware founder in Sacramento realistically do?

For years, you’ve been telling yourself something every time you supported a small business – that your dollars meant something, that you weren’t pouring every dollar into the same handful of giants. But what does shopping your values even mean when the system underneath is invisible?

The impulse to shop your values isn’t naive. But it’s becoming harder to act on. For small businesses caught in the middle, deeper dependence on Amazon’s logistics means rising fees, with no leverage to push back. For those consumers who want choices, it means something uncomfortable: They can keep trying harder to avoid the giants, but the giants keep getting bigger anyway.

The mug will arrive Tuesday. It will be beautiful, made by hand, wrapped in brown paper tied with twine. The truck pulling up outside won’t have a logo on it. None of that is an accident. All of it is by design.

The Conversation

The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.

01 Jun 18:34

An Israeli chemical company that sold military white phosphorus leaves 45 million tonnes of polluting salt in Catalonia

by UNOMAS83

The salt mountain of the company ICL Ibérica has polluted the Llobregat river and its surroundings, according to the documentary 'Sal a la ferida' and several court rulings

tags: pollution, white phosphorus, israel

» original story (www.eldiario.es)

01 Jun 18:33

Changes to flexible retirement

by Ripio

A decree has been published that improves some aspects of flexible retirement for workers. It is similar to partial retirement, but involves going back to work after retiring while continuing to draw the pension at a reduced rate, so that one can earn more in total than by collecting the pension alone. The Government will not admit it, but we can confirm that the main real difficulty with flexible retirement is finding employers willing to hire retirees, and on a part-time basis at that.

tags: changes, flexible retirement, work

» original story (laboro-spain.blogspot.com)

01 Jun 18:33

Façades and entrances of tourist flats vandalised in Asturias in protest against the touristification of neighbourhoods

by Dakaira

The graffiti carries the slogan 'Your business, our ruin. 6J XIXÓN', which will head the demonstration called by the Sindicatu Vivienda d'Asturies and the Sindicato de inquilinas e inquilinos de Asturias for next Saturday, 6 June, in Gijón against real-estate speculation.

tags: touristification, asturias, 6j xixón

» original story (www.eldiario.es)

01 Jun 18:33

Martín Varsavsky, after the PSG riots: "Europe needs a Milei and a Bukele"

by Oghaio

Varsavsky's statements reflect a growing trend among certain political and business sectors: admiration for Javier Milei's economic austerity policies in Argentina and the security strategy implemented by Nayib Bukele in El Salvador.

tags: martín varsavsky, riots, psg, milei, bukele

» original story (eleconomista.com.ar)