How SaaS Companies Structure Their Engineering and IT Operations at Different Stages
The mistake most SaaS companies make with IT and engineering structure is building for where they want to be rather than where they are. Implementing enterprise-grade processes at 15 people adds overhead without adding value. Ignoring those processes at 150 people creates chaos.
The right structure is stage-appropriate. What works at seed stage is actively wrong at Series B. This guide covers what each stage actually looks like and the specific inflection points where the structure needs to change.
Stage 1: Seed to $1M ARR (5–20 people)
At this stage, the entire "IT department" is usually the founding technical team. Everyone does everything. The database goes down and whoever notices first fixes it.
What's appropriate here:
- Centralized everything — one person or a small shared team handles infrastructure, deployment, and internal tools
- Minimal process overhead — formal ticketing and change management slow you down more than they help
- Managed services over self-hosted — use Heroku, Render, Railway, or similar rather than managing your own servers. The operational cost savings are not worth the engineering time at this stage
- Basic observability — Datadog, New Relic, or Sentry with alerts for the things that will wake you up at 3am
What breaks as you approach $1M ARR:
- One person knowing everything means one vacation takes down your operations
- No deployment process means "it worked on my machine" is a regular problem
- No on-call rotation means someone burns out
The first hire worth making in IT operations: a DevOps/platform engineer who can build repeatable deployment and monitoring systems before the team grows further.
Stage 2: $1M–$10M ARR (20–80 people)
This is where structure starts mattering. You have enough people that ad-hoc coordination breaks down, but you're not large enough to afford dedicated teams for everything.
What should be in place:
CI/CD pipeline — Every code change goes through automated testing before it deploys. This is table stakes for reliability at this stage. Teams that don't have it spend disproportionate time on incidents caused by untested changes. GitHub Actions, CircleCI, or GitLab CI are the most common implementations.
Incident management process — A defined protocol for when things break: who gets paged, how they communicate during the incident, and what happens after (postmortem, action items). PagerDuty or OpsGenie handles the paging. The process documents exist separately.
Security baseline — MFA required for all systems, secrets in a secrets manager (not in code), access reviewed when people join and leave, basic vulnerability scanning on dependencies.
Organizational model: Most companies at this stage work in a hybrid structure — a small central platform/DevOps team that owns shared infrastructure and tooling, with product engineers embedded in feature teams who own their own services.
| Function | Who owns it |
|---|---|
| Shared infrastructure, CI/CD, monitoring | Platform/DevOps team |
| Service reliability for their area | Product engineering team |
| Security and compliance | Security lead (often shared with engineering) |
| Internal tools and IT support | Ops generalist |
What breaks as you approach $10M ARR:
- Platform team gets overwhelmed as the number of services grows
- Security and compliance become full-time concerns, especially if you're selling to enterprise
- Knowledge silos form — only one person knows how a critical system works
Stage 3: $10M–$50M ARR (80–300 people)
At this scale, IT and engineering operations are genuinely complex. Multiple product lines, enterprise customers with compliance requirements, a team large enough that communication overhead becomes a real cost.
What changes:
Organizational model shifts from hybrid to decentralized. Product teams own their services end-to-end — from development through production operations. The central platform team becomes an internal product team building tools that other teams use, rather than a team that does things for other teams.
This is the shift Slack made as they scaled. It's necessary because central IT as a service bottleneck doesn't scale past a certain team size. Decentralized ownership scales.
Compliance becomes a dedicated function. SOC 2 Type II certification is increasingly a purchase prerequisite for enterprise sales. GDPR compliance if you have EU users. HIPAA if you have healthcare customers. These require dedicated attention — either a Head of Security or a third-party security firm on retainer.
SRE (Site Reliability Engineering) practice. Defining and tracking Service Level Objectives (SLOs) for critical systems, running chaos engineering to find failure modes before customers do, and building reliability into the software development process rather than bolting it on afterward.
| Function | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|
| Infrastructure | Founders | Small DevOps team | Platform engineering team |
| Deployments | Manual / ad-hoc | CI/CD pipeline | Automated, feature flags |
| Incident response | Everyone | On-call rotation | SRE practice with SLOs |
| Security | Basic hygiene | Security lead | Dedicated team, compliance certifications |
| Org model | Centralized | Hybrid | Decentralized product ownership |
The tooling decisions that matter most
Tooling choices made early are hard to change later. The three with the highest long-term impact:
Cloud provider lock-in. Going all-in on AWS, Google Cloud, or Azure creates deep dependencies through managed services, proprietary databases, and deployment tooling. Multi-cloud is operationally complex. Most companies choose one provider and accept the lock-in. Make this choice deliberately and early.
Observability stack. Logs, metrics, and traces should be centralized and queryable from day one. Retrofitting observability into a system that was built without it is expensive and never complete. Datadog is the most common commercial choice. Grafana + Prometheus + Loki is the open-source alternative.
Identity and access management. As the team grows, managing who has access to what becomes operationally significant. Okta or Azure AD centralize this early and pay dividends when you need to offboard quickly or pass a security audit.
The thing that breaks most often as SaaS companies scale IT
Knowledge concentration. One engineer who understands how the billing system works. One DevOps person who knows why the Kubernetes configuration is structured the way it is. One database administrator who knows the schema.
This is not a documentation problem — it's a system design problem. If a system requires specialized knowledge to operate, that's a reliability risk. The fix is architecture that makes systems understandable to someone who didn't build them, not documentation that tries to transfer tacit knowledge in writing.
The Google SRE book (free online) is the most comprehensive resource on building reliable systems at scale. Worth reading before hiring your first dedicated SRE.
Engineering and IT structure is one of those areas where getting the stage-appropriate answer right saves significant money and prevents the expensive rebuilds that happen when you scale the wrong foundation.
If you're working through these questions at a growth stage, the conversation is worth having before you hire.
agency.pizza →
