Articles

Cloud Readiness Assessment: What to Do Before You Modernize Anything

By Claus Villumsen
08 July, 2026
Share this article
A cloud readiness assessment is the structured process of evaluating your existing applications - their architecture, dependencies, data flows, and technical debt - before deciding how to modernize them. It tells you which workloads can migrate as-is, which need refactoring, and which should never go to the cloud at all. Without it, you are not making a modernization decision. You are making a guess.
Most companies skip this step. Or they do a version of it that amounts to a consultant walking through a spreadsheet and ticking boxes. Then the project starts, the surprises pile up, the budget doubles, and twelve months later someone in a board meeting is explaining why the cloud initiative "didn't deliver what we expected." The assessment wasn't wrong. It was just never real. A genuine cloud readiness assessment changes what you decide, not just what you know. That is the difference worth understanding - and the reason this post exists.
Think about the last time your organization committed to a cloud migration or modernization program. How much of that decision was based on a real analysis of your application portfolio - and how much was based on vendor slides, analyst pressure, and a general feeling that it was time?
What Does a Cloud Readiness Assessment Actually Measure?
A cloud readiness assessment measures four things: architectural fitness, technical debt load, dependency complexity, and operational risk. Each of those dimensions tells you something different. Architectural fitness tells you whether an application is structured in a way that cloud environments can exploit - or whether it is a monolith that will need to be broken apart before any cloud benefit is possible. Technical debt load tells you how much hidden work lives inside the codebase - the kind that only surfaces when someone tries to change something. Dependency complexity tells you how many other systems this application talks to, in what ways, and how fragile those connections are. And operational risk tells you what happens to the business if this application is unavailable for four hours during a migration weekend.
The honest truth is that most enterprise application portfolios, when assessed rigorously, contain roughly three categories: applications that are genuinely cloud-ready, applications that could become cloud-ready with targeted refactoring, and applications that are so deeply entangled with on-premise infrastructure or proprietary hardware that cloud migration would cost more than it saves. Industry research consistently shows that only around 20 percent of enterprise workloads fall into the first category. The rest require work - or a conscious decision to leave them where they are. A proper assessment tells you which is which. Skipping it means you find out the hard way, mid-project, at the worst possible time.
Good assessments combine static analysis - scanning the codebase for patterns, dependencies, and antipatterns - with dynamic analysis, which means observing how the application actually behaves under real load. Martin Fowler's work on decomposing monoliths is useful here. The patterns he describes for identifying service boundaries map almost directly onto what a cloud readiness assessment tries to reveal: where the seams are, where the coupling is, and what can be separated without breaking everything.
Why Do So Many Cloud Migrations Fail Before They Start?
They fail because the decision to migrate is made before the data exists to support it. A CTO reads an analyst report. A CEO comes back from a conference. A CFO sees that a competitor moved to AWS and wants to know why you haven't. None of these are bad inputs. But none of them are a readiness assessment. The gap between "we should modernize" and "we know what modernizing this specific portfolio will actually require" is where projects die.
The numbers from the field support this. Research cited on InfoQ and elsewhere consistently shows that cloud migration projects run 30 to 40 percent over budget on average, with a significant portion of that overrun traced back to underestimated application complexity that a proper assessment would have surfaced. The vFunction team, which has spent years working on this specific problem, frames it clearly: 81 percent of enterprise workloads are not cloud-native. You cannot lift and shift your way to cloud value. You need to understand what you have before you decide what to do with it.
The other reason migrations fail before they start is organizational. Assessments that are done by the team proposing the migration tend to be optimistic. The people running the assessment want the project to happen. They have an incentive to find things ready. Independent assessment - whether by an outside team or by a tool that has no political stake in the outcome - tends to surface more of the real picture. That is uncomfortable. It is also what you need.
What Are the Six Dimensions Every Assessment Should Cover?
A cloud readiness assessment that only looks at technology misses half the problem. The full picture requires six dimensions, each of which can surface blockers that no amount of cloud architecture will solve on its own.
The first is architecture. Is the application a monolith, a modular monolith, or already decomposed into services? Monoliths are not automatically disqualified from cloud migration, but they carry significant refactoring cost if you want to get real cloud-native benefits. The second is codebase health. How much of the code is tested? How old is it? How well documented? Undocumented code written by people who have since left the company is one of the most common sources of mid-project disaster. The third is data. Where does the application store its data, how much of it is there, how is it structured, and what would a migration to cloud-hosted data services actually require? Data migrations are frequently underestimated by a factor of three.
The fourth dimension is integration. Every application talks to something. Some of those integrations are documented. Many are not. Hidden integrations - the batch job that runs at 3am, the API call that no one put in the architecture diagram - are the landmines of cloud migration. The fifth is compliance and security posture. Regulated industries have requirements that affect where data can live, who can access it, and how it must be encrypted. These are not blockers to cloud adoption, but they are requirements that the assessment must surface so they can be addressed in the migration design. The sixth is team capability. A cloud readiness assessment that ignores whether your team knows how to operate cloud infrastructure is not an assessment - it is a shopping list. Operational readiness matters as much as technical readiness.
Of those six dimensions - architecture, codebase health, data, integrations, compliance, and team capability - which one in your organization is most likely to be assessed honestly, and which one is most likely to be glossed over because the answer is uncomfortable?
How Do You Prioritize Which Applications to Assess First?
Not every application in your portfolio deserves the same depth of assessment. Applying the same level of scrutiny to a small internal reporting tool as you would to the core transaction processing system is a waste of time and budget. Prioritization is itself a skill, and doing it well is what separates a useful assessment from an academic exercise.
Start with business criticality. Which applications, if unavailable, would stop the business? These are not necessarily the ones you migrate first - in fact, they are often the ones you migrate last, after you have refined your approach on lower-risk workloads. But they are the ones where your assessment needs to be most thorough. A shallow assessment of a mission-critical system is more dangerous than no assessment at all, because it creates false confidence.
Next, look at cost. Which applications are the most expensive to run on-premise? These often have the clearest business case for cloud migration, and a rigorous assessment that confirms their readiness can anchor the ROI conversation in something concrete rather than projection. Then look at age. Applications that have not been significantly changed in five or more years are worth special attention. They may be stable - which sounds good - but stability in a legacy system often means "nobody wants to touch it," which is a very different thing. The most dangerous applications in any portfolio are the ones that run quietly, that everyone is afraid to change, and that nobody fully understands anymore. Those need assessment more than any others, even if migrating them is not on the near-term roadmap. Understanding the risk they carry is itself valuable.
The Thoughtworks Technology Radar has consistently highlighted the importance of treating application portfolio rationalization as a continuous discipline rather than a one-time project. That framing is right. An assessment done once and never revisited becomes stale within months as codebases evolve, integrations change, and team knowledge shifts.
Where Does AI Actually Help With Cloud Readiness Assessment - and Where Does It Fall Short?
AI-assisted tools have genuinely improved the speed and depth of cloud readiness assessments in specific areas. Static code analysis at scale is one of them. A large enterprise portfolio might contain millions of lines of code across dozens of applications. Manually reviewing that codebase to identify dependency patterns, technical debt hotspots, and architectural antipatterns would take months. AI-powered analysis can do a first pass in days, surfacing the areas that deserve human attention and ranking applications by complexity and risk. That is a real, practical benefit, and it is not trivial. It changes what is feasible for a team with limited bandwidth.
Dependency mapping is another area where AI adds genuine value. Modern codebases have integration patterns that are not always visible in architecture diagrams - API calls embedded in business logic, database connections that bypass the data layer, event triggers that no one documented. AI tools that combine static and dynamic analysis can surface these hidden connections far more reliably than manual review. The limit is that AI can tell you what the code does, but it cannot tell you why decisions were made, what the business rules mean, or what the organizational consequences of changing a system will be. Those answers live in people's heads. They require interviews, workshops, and the kind of institutional knowledge archaeology that no tool can replace.
There is also the question of what to do with the assessment output. AI can generate a prioritized list of applications and flag the ones with the highest technical debt or the most complex dependency graphs. But translating that list into a migration strategy requires judgment about business priorities, team capacity, risk tolerance, and organizational politics. A tool can inform that judgment. It cannot replace it. The organizations that get the most value from AI-assisted assessments are the ones that treat the tool output as a starting point for human analysis, not a finished answer. That combination - machine speed at scale, human judgment on the hard questions - is where the real results come from.
What Should Come Out of the Assessment - and What Happens Next?
A cloud readiness assessment should produce three things. First, a portfolio map: every application in scope, scored across the six dimensions described earlier, with a recommended migration approach for each. The standard framework here uses the "6 Rs" - retire, retain, rehost, replatform, refactor, and rearchitect - and a good assessment tells you which R applies to each application and why. Second, a risk register: the specific risks associated with the highest-priority migrations, the dependencies that need to be managed, and the compliance requirements that need to be addressed. Third, a sequencing recommendation: which applications to move first, in what order, and what needs to happen before each migration can begin.
What happens next depends on what the assessment finds. Some organizations discover that their portfolio is in better shape than they expected, that several applications are genuinely lift-and-shift ready, and that a phased migration program can begin relatively quickly. Others discover that their most critical applications are so tightly coupled to on-premise infrastructure that a meaningful cloud migration is a two-to-three year program rather than a twelve-month project. Neither finding is failure. Both are useful. The worst outcome of a cloud readiness assessment is not bad news - it is inaccurate news, because inaccurate news leads to plans that fail in ways that could have been avoided.
One thing that often gets underestimated in the post-assessment phase is the conversation that needs to happen at the executive level. Assessment results sometimes challenge assumptions that have been baked into budget plans or board presentations. Surfacing those challenges early - before the migration is underway, before the contract is signed, before the team is assembled - is exactly what the assessment is for. It is not comfortable to take that conversation to leadership. But it is far less comfortable to take it to them six months into a migration that is running over budget and behind schedule.
If you commissioned a genuine cloud readiness assessment of your full application portfolio tomorrow - one with no political constraints, no predetermined conclusions, and no vendor interest in the outcome - what do you think it would tell you that you don't already know?
Frequently Asked Questions
What is a cloud readiness assessment?
A cloud readiness assessment is a structured evaluation of your application portfolio that determines which workloads are ready to migrate to the cloud, which need refactoring first, and which should remain on-premise. It covers architecture, technical debt, data complexity, integration dependencies, compliance requirements, and team capability. The output is a prioritized migration plan grounded in real data rather than assumptions.
How long does a cloud readiness assessment take?
For a portfolio of 20 to 50 applications, a thorough assessment typically takes four to eight weeks. Larger portfolios with hundreds of applications may take three to four months. AI-assisted tooling can compress the initial data-gathering phase significantly, but the analysis, validation, and stakeholder interviews needed to produce a reliable result still require meaningful time investment.
How is a cloud readiness assessment different from a cloud migration plan?
The assessment comes first and informs the plan. The assessment tells you what you have - the current state of your applications, their readiness, and their risks. The migration plan tells you what you will do - the sequence, the methods, the timelines, and the budget. Building a migration plan without a completed assessment is like drawing a route on a map before confirming your starting location.
What does a cloud readiness assessment cost?
Costs vary widely. A consultant-led assessment for a mid-sized portfolio might run from $50,000 to $250,000 depending on scope and depth. AI-assisted platforms can reduce that cost significantly by automating the analysis layer, though human expertise is still required for interpretation and strategy. The more relevant number is what an inadequate assessment costs - typically measured in migration overruns, failed deployments, and delayed business value.
What is the "6 Rs" framework and how does it apply to cloud readiness?
The 6 Rs - retire, retain, rehost, replatform, refactor, and rearchitect - is a classification framework for cloud migration decisions. A cloud readiness assessment produces a recommendation for each application in the portfolio. Retire means decommission the application. Retain means keep it on-premise for now. Rehost means lift and shift with minimal changes. Replatform means make targeted optimizations. Refactor means restructure the code for cloud-native patterns. Rearchitect means rebuild substantially.
Can AI tools replace manual cloud readiness assessment?
No. AI tools can dramatically accelerate the data-gathering and pattern-recognition phases of an assessment - scanning codebases, mapping dependencies, and scoring technical debt at a scale no manual process can match. But they cannot assess business context, organizational risk tolerance, team capability, or the strategic trade-offs involved in sequencing decisions. The best results come from combining AI-assisted analysis with experienced human judgment.
What percentage of enterprise applications are typically cloud-ready without refactoring?
Based on consistent findings across the industry, roughly 15 to 20 percent of enterprise workloads are genuinely ready for cloud migration without significant refactoring. The remaining 80 percent require some level of change - ranging from minor replatforming to full rearchitecting - before they can take meaningful advantage of cloud-native capabilities. This is precisely why assessment before migration is not optional.
What is the biggest risk of skipping a cloud readiness assessment?
The biggest risk is discovering mid-migration that a critical application has dependencies, compliance requirements, or architectural constraints that make the planned approach unworkable. At that point, you have already committed budget, reallocated teams, and potentially decommissioned on-premise infrastructure. Reversing course is expensive and disruptive. An assessment surfaces these blockers before they become crises, while you still have options.
Kodebaze combines AI-powered codebase analysis with expert-led assessment to give you a clear, prioritized picture of your application portfolio before a single line of code moves to the cloud. See how it works →
Related articles

AI

AI

AI
AI + Human
AI + Human software Solution
© 2026 Kodebaze. All Rights Reserved.
© 2026 Kodebaze. All Rights Reserved.