The AI That Does It For You

Mirko Peters | Podcasts


1
00:00:00,000 –> 00:00:03,880
Still hand-upgrading legacy Java? That’s not craftsmanship, that’s unpaid penance.

2
00:00:03,880 –> 00:00:07,880
Manual modernization is a failure mode: slow, error-prone and permanently behind.

3
00:00:07,880 –> 00:00:08,880
The truth?

4
00:00:08,880 –> 00:00:12,280
AI agents now handle the drudgery with receipts.

5
00:00:12,280 –> 00:00:13,520
Here’s what you actually get.

6
00:00:13,520 –> 00:00:17,120
Time back, CVEs gone, and cloud bills that stop bleeding.

7
00:00:17,120 –> 00:00:18,760
We’ll walk a narrative case study.

8
00:00:18,760 –> 00:00:23,200
Stack, benchmarks, results, plus a full audit trail so governance can breathe.

9
00:00:23,200 –> 00:00:26,000
There’s one metric that embarrassed finance and delighted security.

10
00:00:26,000 –> 00:00:26,880
Stay for that.

11
00:00:26,880 –> 00:00:30,640
Now, here’s what happens when you let Copilot app modernization drive.

12
00:00:30,640 –> 00:00:33,840
Case setup: the legacy stack and the modernization mandate.

13
00:00:33,840 –> 00:00:37,800
Baseline first, we’re dealing with a Java 8-era Spring application,

14
00:00:37,800 –> 00:00:40,800
classic MVC plus a sprinkle of scheduled jobs,

15
00:00:40,800 –> 00:00:43,440
built with Maven, running on AWS.

16
00:00:43,440 –> 00:00:47,080
Conservative governance, noisy alerts, everyone swears the app is stable

17
00:00:47,080 –> 00:00:48,800
while PagerDuty begs to differ.

18
00:00:48,800 –> 00:00:51,720
The stack has drift, parent POMs forked years ago,

19
00:00:51,720 –> 00:00:54,280
dependency versions pinned like insect specimens,

20
00:00:54,280 –> 00:00:57,040
and a CI pipeline that only passes if you chant.

21
00:00:57,040 –> 00:00:59,920
Average user behavior, ignore the red badges,

22
00:00:59,920 –> 00:01:03,960
silence the scanner, and pray the next sprint includes tech debt.

23
00:01:03,960 –> 00:01:05,800
Spoiler, it never does.

24
00:01:05,800 –> 00:01:07,200
Pain inventory.

25
00:01:07,200 –> 00:01:10,960
Version drift means modern libraries won’t resolve without exclusions,

26
00:01:10,960 –> 00:01:13,320
dependency hell, transitive roulette,

27
00:01:13,320 –> 00:01:16,920
where one logging upgrade detonates your HTTP client.

28
00:01:16,920 –> 00:01:20,280
Unpatched CVEs sit there politely waiting for an exploit kit,

29
00:01:20,280 –> 00:01:23,080
idle compute waste, auto scaling that never scales down,

30
00:01:23,080 –> 00:01:26,760
instances at 8% CPU while finance funds a space heater.

31
00:01:26,760 –> 00:01:30,360
Add brittle configs, environment variables baked into user data,

32
00:01:30,360 –> 00:01:32,880
stateful file writes on disk and secrets living

33
00:01:32,880 –> 00:01:34,120
where secrets shouldn’t live.

34
00:01:34,120 –> 00:01:35,040
Constraint?

35
00:01:35,040 –> 00:01:38,320
This is audio only, no performative heroics, no live tab

36
00:01:38,320 –> 00:01:40,120
switching to Stack Overflow.

37
00:01:40,120 –> 00:01:42,040
We rely on reproducible artifacts, reports,

38
00:01:42,040 –> 00:01:45,360
commitments, scanner outputs, because guesswork is not a strategy

39
00:01:45,360 –> 00:01:47,480
and “worked on my laptop” isn’t evidence.

40
00:01:47,480 –> 00:01:48,920
Why Java 21?

41
00:01:48,920 –> 00:01:51,400
Virtual threads change concurrency from a scarce resource

42
00:01:51,400 –> 00:01:52,600
to a commodity.

43
00:01:52,600 –> 00:01:55,320
Thousands of lightweight threads with minimal overhead,

44
00:01:55,320 –> 00:01:57,960
throughput goes up, tail latency comes down.

45
00:01:57,960 –> 00:02:00,800
Garbage collection improvements, G1 and ZGC refinements

46
00:02:00,800 –> 00:02:02,320
reduce pause times.

47
00:02:02,320 –> 00:02:04,640
The foreign function and memory API is stable,

48
00:02:04,640 –> 00:02:06,680
which matters if you’re calling native code

49
00:02:06,680 –> 00:02:08,640
or wrestling with off-heap buffers.

50
00:02:08,640 –> 00:02:11,560
Net effect, measurable performance and maintainability gains.

51
00:02:11,560 –> 00:02:13,320
Most people think upgrading is cosmetic.

52
00:02:13,320 –> 00:02:14,080
Incorrect.

53
00:02:14,080 –> 00:02:16,400
You get cheaper concurrency and fewer stalls,

54
00:02:16,400 –> 00:02:18,840
directly visible in service level graphs.

55
00:02:18,840 –> 00:02:21,480
Migration scope: AWS out, Azure in,

56
00:02:21,480 –> 00:02:23,600
align with enterprise standards, consolidate billing

57
00:02:23,600 –> 00:02:25,760
and plug into the platform your identity, policy

58
00:02:25,760 –> 00:02:27,760
and observability already inhabit.

59
00:02:27,760 –> 00:02:30,280
We’ll target Azure App Service or Azure Spring Apps

60
00:02:30,280 –> 00:02:32,120
depending on the workload profile.

61
00:02:32,120 –> 00:02:34,480
Simple app? App Service is fine.

62
00:02:34,480 –> 00:02:37,040
Spring-heavy microservices with scaling nuance,

63
00:02:37,040 –> 00:02:38,920
consider Azure Spring Apps.

64
00:02:38,920 –> 00:02:41,680
For data, the mandate is Azure SQL database.

65
00:02:41,680 –> 00:02:43,600
Yes, you can keep PostgreSQL on Azure,

66
00:02:43,600 –> 00:02:45,120
but the business wants consolidation,

67
00:02:45,120 –> 00:02:47,440
so we’ll map the path and show the trade-offs.

68
00:02:47,440 –> 00:02:49,080
Governance stands.

69
00:02:49,080 –> 00:02:51,520
Every action lands in Git.

70
00:02:51,520 –> 00:02:53,840
Diffable, reversible, attributable.

71
00:02:53,840 –> 00:02:57,440
The agent generates a plan, opens issues and proposes commits.

72
00:02:57,440 –> 00:03:00,360
You approve, it resolves builds, patches dependencies,

73
00:03:00,360 –> 00:03:03,320
applies code transformations, using known recipes,

74
00:03:03,320 –> 00:03:06,280
regenerates the SBOM and reruns scanners.

75
00:03:06,280 –> 00:03:09,960
If something doesn’t pass, it loops. No alt-tab pilgrimage.

76
00:03:09,960 –> 00:03:12,800
And when it can’t proceed, it asks for input and documents why.

77
00:03:12,800 –> 00:03:13,760
See the difference?

78
00:03:13,760 –> 00:03:16,040
Work becomes auditable instead of anecdotal.

79
00:03:16,040 –> 00:03:18,880
Before you let an agent touch anything, you assess.

80
00:03:18,880 –> 00:03:21,680
Automated inventory across modules, dependencies,

81
00:03:21,680 –> 00:03:24,200
build plugins and runtime configs.

82
00:03:24,200 –> 00:03:27,920
Risk ranked findings with references to advisories and documentation.

83
00:03:27,920 –> 00:03:30,080
Cloud readiness flags for service bindings,

84
00:03:30,080 –> 00:03:32,200
environment variables and stateful traps

85
00:03:32,200 –> 00:03:34,120
that break when containers come and go.

86
00:03:34,120 –> 00:03:36,600
Cost baselines: compute hours, idle percentages,

87
00:03:36,600 –> 00:03:39,080
and the egress patterns that finance pretends not to notice

88
00:03:39,080 –> 00:03:39,960
until month end.

89
00:03:39,960 –> 00:03:42,520
You might be thinking, we can triage that by hand.

90
00:03:42,520 –> 00:03:43,360
Fascinating.

91
00:03:43,360 –> 00:03:45,280
And you’re still surprised the app crashes.

92
00:03:45,280 –> 00:03:47,560
The average user misses the long-tail issues,

93
00:03:47,560 –> 00:03:50,400
deprecated APIs deep in the scheduler, a logging bridge,

94
00:03:50,400 –> 00:03:54,520
masking duplicate class conflicts, or that one library pin

95
00:03:54,520 –> 00:03:56,320
that blocks everything from moving.

96
00:03:56,320 –> 00:03:58,520
The agent doesn’t miss them because it doesn’t get bored.

97
00:03:58,520 –> 00:04:01,400
So the modernization mandate is simple and final.

98
00:04:01,400 –> 00:04:04,600
Upgrade to Java 21, eliminate CVEs, containerize,

99
00:04:04,600 –> 00:04:07,760
migrate to Azure, wire CI/CD with controlled rollouts,

100
00:04:07,760 –> 00:04:10,360
enforce policy via approvals and Key Vault,

101
00:04:10,360 –> 00:04:13,040
and cut cost without cutting reliability.

102
00:04:13,040 –> 00:04:15,760
All changes trace back to commits with rationale.

103
00:04:15,760 –> 00:04:20,160
No black box, no swaggering hero commits at 2 AM. Assessment first,

104
00:04:20,160 –> 00:04:21,920
because guesswork is not a strategy.

105
00:04:21,920 –> 00:04:23,200
Then we execute.

106
00:04:23,200 –> 00:04:24,040
Assessment.

107
00:04:24,040 –> 00:04:26,760
The AI exposes technical debt with receipts.

108
00:04:26,760 –> 00:04:29,040
Here’s what actually happens when you press assess.

109
00:04:29,040 –> 00:04:30,400
The agent doesn’t scan.

110
00:04:30,400 –> 00:04:31,360
It inventories.

111
00:04:31,360 –> 00:04:33,800
Code, build files, plugins,

112
00:04:33,800 –> 00:04:35,360
transitive dependencies,

113
00:04:35,360 –> 00:04:37,600
Docker bits, environment variables,

114
00:04:37,600 –> 00:04:39,760
start-up scripts, even that stray shell wrapper

115
00:04:39,760 –> 00:04:42,400
someone copy-pasted in 2017.

116
00:04:42,400 –> 00:04:43,840
It builds a dependency graph,

117
00:04:43,840 –> 00:04:46,200
annotates it with CVE data and ranks risk.

118
00:04:46,200 –> 00:04:50,200
Not vibes, severity, exploitability, reachability.

119
00:04:50,200 –> 00:04:53,040
It’s the Windows registry of your app’s reality.

120
00:04:53,040 –> 00:04:55,640
Not just a list, your structural spine exposed.

121
00:04:55,640 –> 00:04:56,440
The truth?

122
00:04:56,440 –> 00:04:58,360
Most people think they know their stack.

123
00:04:58,360 –> 00:04:58,880
They don’t.

124
00:04:58,880 –> 00:05:00,640
The agent finds the forked parent POM

125
00:05:00,640 –> 00:05:03,280
with a logging version pin that blocks every downstream patch.

126
00:05:03,280 –> 00:05:05,640
It flags duplicated SLF4J bridges

127
00:05:05,640 –> 00:05:07,480
that shadow each other like feuding roommates.

128
00:05:07,480 –> 00:05:09,440
It catches the servlet container

129
00:05:09,440 –> 00:05:11,240
that’s quietly three releases behind

130
00:05:11,240 –> 00:05:13,280
because your CI only tests the happy path.

131
00:05:13,280 –> 00:05:15,520
And yes, it maps deprecated APIs

132
00:05:15,520 –> 00:05:16,640
you’ve been calling for years

133
00:05:16,640 –> 00:05:18,880
because nobody wanted to touch the job scheduler.

134
00:05:18,880 –> 00:05:20,480
Spoiler alert, you’re touching it now.

135
00:05:20,480 –> 00:05:22,280
CVEs next: severity breakdown,

136
00:05:22,280 –> 00:05:24,360
affected libraries and references to advisories,

137
00:05:24,360 –> 00:05:25,760
direct links, not rumors.

138
00:05:25,760 –> 00:05:27,360
Critical and high get top billing,

139
00:05:27,360 –> 00:05:30,080
but it also identifies whether the vulnerable code paths

140
00:05:30,080 –> 00:05:31,400
are reachable by your application.

141
00:05:31,400 –> 00:05:32,920
Reachability matters.

142
00:05:32,920 –> 00:05:34,760
If a transitive library has an issue

143
00:05:34,760 –> 00:05:37,160
but your code never calls the vulnerable class,

144
00:05:37,160 –> 00:05:38,440
it’s still flagged,

145
00:05:38,440 –> 00:05:41,880
but the agent prioritizes fixes that reduce real risk first.

146
00:05:41,880 –> 00:05:45,120
You get the remediation options: bump versions, add exclusions

147
00:05:45,120 –> 00:05:46,680
or swap artifacts entirely.

148
00:05:46,680 –> 00:05:48,120
That’s a menu, not a mystery.

149
00:05:48,120 –> 00:05:49,920
Upgrade readiness comes with receipts.

150
00:05:49,920 –> 00:05:53,400
Java 21 requires you to stop pretending it’s 2009.

151
00:05:53,400 –> 00:05:54,920
The agent runs OpenRewrite recipes

152
00:05:54,920 –> 00:05:56,720
against your codebase in dry-run mode,

153
00:05:56,720 –> 00:05:58,880
showing exactly which APIs are deprecated,

154
00:05:58,880 –> 00:06:01,960
which imports must change and where behavior shifts lurk.

155
00:06:01,960 –> 00:06:03,800
It calls out illegal reflective access,

156
00:06:03,800 –> 00:06:08,080
JUC quirks and the tiny landmines waiting in XML configuration.

157
00:06:08,080 –> 00:06:09,600
It notes frameworks that are ready.

158
00:06:09,600 –> 00:06:11,480
Spring versions, plugin compatibility,

159
00:06:11,480 –> 00:06:14,040
and those that need coercion, no hand waving.

160
00:06:14,040 –> 00:06:17,120
Every proposed change links back to docs and migration notes.

161
00:06:17,120 –> 00:06:19,400
Cloud readiness is where your infrastructure sins

162
00:06:19,400 –> 00:06:20,720
go to be catalogued.

163
00:06:20,720 –> 00:06:22,600
The agent identifies stateful traps,

164
00:06:22,600 –> 00:06:25,040
writing temp files to local disk during requests,

165
00:06:25,040 –> 00:06:27,440
caching sessions in memory across instances,

166
00:06:27,440 –> 00:06:29,920
storing secrets in a text file under /opt

167
00:06:29,920 –> 00:06:32,560
because someone needed it to work.

168
00:06:32,560 –> 00:06:34,480
It flags environment variable usage

169
00:06:34,480 –> 00:06:37,000
that assumes EC2 metadata patterns.

170
00:06:37,000 –> 00:06:39,040
It points out service bindings for Redis, queues

171
00:06:39,040 –> 00:06:41,400
and databases that won’t survive container churn.

172
00:06:41,400 –> 00:06:43,880
Then it proposes bindings the Azure way.

173
00:06:43,880 –> 00:06:45,760
Connection strings move to configuration,

174
00:06:45,760 –> 00:06:48,400
Key Vault for secrets, managed identities for auth.

175
00:06:48,400 –> 00:06:49,360
You know, like adults.

176
00:06:49,360 –> 00:06:50,600
Now the finance shocker.

177
00:06:50,600 –> 00:06:51,840
Cost baselines.

178
00:06:51,840 –> 00:06:54,200
The agent pulls compute hours, instance sizes,

179
00:06:54,200 –> 00:06:56,040
scale patterns and idle percentages

180
00:06:56,040 –> 00:06:58,080
from telemetry and infra definitions.

181
00:06:58,080 –> 00:07:00,960
It estimates egress costs based on outbound patterns.

182
00:07:00,960 –> 00:07:02,440
Yes, that one noisy batch job

183
00:07:02,440 –> 00:07:05,920
that hurls data across regions every night gets a line item.

184
00:07:05,920 –> 00:07:08,200
It translates all of this into a monthly number

185
00:07:08,200 –> 00:07:09,720
that doesn’t care about your anecdotes.

186
00:07:09,720 –> 00:07:11,440
This is the number that embarrassed finance

187
00:07:11,440 –> 00:07:12,640
and delighted security.

188
00:07:12,640 –> 00:07:15,120
Why? Because eliminating CVEs while cutting spend

189
00:07:15,120 –> 00:07:17,200
is the only religion both teams share.

190
00:07:17,200 –> 00:07:18,840
Artifacts or it didn’t happen.

191
00:07:18,840 –> 00:07:21,120
The agent produces a plan file with sections.

192
00:07:21,120 –> 00:07:24,240
CVE remediation steps, Java upgrade recipes,

193
00:07:24,240 –> 00:07:28,200
build changes, code transformations, containerization moves

194
00:07:28,200 –> 00:07:30,080
and cloud target mappings.

195
00:07:30,080 –> 00:07:33,040
It opens issues per work stream, tags owners if you want

196
00:07:33,040 –> 00:07:35,360
and scaffolds commits in a separate branch.

197
00:07:35,360 –> 00:07:38,080
Clean, small diffs with rationales in the messages.

198
00:07:38,080 –> 00:07:40,080
SBOM generated, signed and versioned.

199
00:07:40,080 –> 00:07:41,920
Vulnerability scanner outputs attached.

200
00:07:41,920 –> 00:07:43,440
That’s audit ready from step zero.

201
00:07:43,440 –> 00:07:45,240
You want traceability?

202
00:07:45,240 –> 00:07:47,880
Every finding links to an advisory or a source document.

203
00:07:47,880 –> 00:07:50,280
NVD entries, project release notes,

204
00:07:50,280 –> 00:07:53,680
OpenRewrite recipe documentation, Azure migration guides.

205
00:07:53,680 –> 00:07:55,120
When it suggests replacing a library,

206
00:07:55,120 –> 00:07:57,000
it cites compatibility matrices.

207
00:07:57,000 –> 00:07:58,800
When it recommends moving a secret,

208
00:07:58,800 –> 00:08:00,880
it points to platform guidance on Key Vault

209
00:08:00,880 –> 00:08:02,480
and managed identities.

210
00:08:02,480 –> 00:08:04,560
It’s not just because AI said so,

211
00:08:04,560 –> 00:08:07,240
it’s because this standard right here says so.

212
00:08:07,240 –> 00:08:08,560
Controls remain human.

213
00:08:08,560 –> 00:08:10,920
The plan sits in Git awaiting approval.

214
00:08:10,920 –> 00:08:14,200
You can adjust priorities, reject a remediation strategy

215
00:08:14,200 –> 00:08:15,920
or demand a different target service

216
00:08:15,920 –> 00:08:18,040
Azure App Service versus Azure Spring Apps

217
00:08:18,040 –> 00:08:19,960
with the trade-offs listed plainly.

218
00:08:19,960 –> 00:08:22,800
The agent adapts, reruns the assessment delta

219
00:08:22,800 –> 00:08:25,200
and updates artifacts, no sulking.

220
00:08:25,200 –> 00:08:27,200
Once you see the receipts, the posture changes.

221
00:08:27,200 –> 00:08:30,040
You stop debating if modernization is worth it

222
00:08:30,040 –> 00:08:31,760
and start sequencing the work.

223
00:08:31,760 –> 00:08:35,000
And yes, the average user will still try to ship a feature first.

224
00:08:35,000 –> 00:08:35,800
Fascinating.

225
00:08:35,800 –> 00:08:38,200
Meanwhile, the agent has already mapped the shortest path

226
00:08:38,200 –> 00:08:40,360
to a secure, compliant, cheaper runtime,

227
00:08:40,360 –> 00:08:43,640
approve the plan, then watch it do the work you keep postponing.

228
00:08:43,640 –> 00:08:47,680
Automated upgrade from Java 8 to Java 21 without the drama.

229
00:08:47,680 –> 00:08:50,840
Plan approved so the agent stops talking and starts doing.

230
00:08:50,840 –> 00:08:52,400
The loop is simple and merciless.

231
00:08:52,400 –> 00:08:56,040
Apply recipe, build, test, patch, repeat until green.

232
00:08:56,040 –> 00:08:58,840
No heroic tab explosion, no forum archeology,

233
00:08:58,840 –> 00:09:00,520
no “try clean install.”

234
00:09:00,520 –> 00:09:03,600
It uses OpenRewrite recipes to rewrite APIs,

235
00:09:03,600 –> 00:09:05,600
Maven Enforcer to normalize versions

236
00:09:05,600 –> 00:09:07,800
and a unit integration test suite to prove

237
00:09:07,800 –> 00:09:09,440
it didn’t break your world.

238
00:09:09,440 –> 00:09:11,040
When a build fails, it doesn’t panic.

239
00:09:11,040 –> 00:09:13,880
It bisects the failure, proposes a targeted change

240
00:09:13,880 –> 00:09:16,320
and reruns, discipline at machine speed.

241
00:09:16,320 –> 00:09:19,320
Dependency upgrades are where humans usually create chaos.

242
00:09:19,320 –> 00:09:20,800
Enter BOM alignment.

243
00:09:20,800 –> 00:09:22,960
The agent adopts the official bill of materials

244
00:09:22,960 –> 00:09:26,200
for Spring and related ecosystems, centralizes versions

245
00:09:26,200 –> 00:09:29,120
and kills the version sprinkling across child POMs.

246
00:09:29,120 –> 00:09:30,920
It tightens version ranges to exacts

247
00:09:30,920 –> 00:09:33,240
or managed constraints to prevent transitive roulette,

248
00:09:33,240 –> 00:09:34,680
removes redundant exclusions

249
00:09:34,680 –> 00:09:36,640
and adds the one exclusion that actually matters

250
00:09:36,640 –> 00:09:38,240
when two logging backends duel.

251
00:09:38,240 –> 00:09:40,960
Result, fewer surprises, fewer conflicting jars,

252
00:09:40,960 –> 00:09:43,080
fewer midnight pages, you know, stability.

253
00:09:43,080 –> 00:09:46,880
Now the code, Java 21 means your old APIs need adult supervision.

254
00:09:46,880 –> 00:09:48,880
The agent replaces deprecated classes

255
00:09:48,880 –> 00:09:51,680
and methods with supported equivalents, updates imports

256
00:09:51,680 –> 00:09:54,600
and adjusts method signatures where the platform evolved.

257
00:09:54,600 –> 00:09:58,080
It surfaces optional refactors, record and pattern usage,

258
00:09:58,080 –> 00:10:00,800
sequenced collections, behind a feature flag

259
00:10:00,800 –> 00:10:02,400
so the diff stays minimal.

260
00:10:02,400 –> 00:10:04,400
It also addresses illegal reflective access

261
00:10:04,400 –> 00:10:08,000
by swapping in supported SPI or JDK sanctioned alternatives

262
00:10:08,000 –> 00:10:10,200
then annotates the commit with a short rationale

263
00:10:10,200 –> 00:10:11,840
and links to migration notes.

264
00:10:11,840 –> 00:10:13,800
It’s not just a patch, it’s evidence.

265
00:10:13,800 –> 00:10:16,360
Security remediation is not an afterthought bolted to the end.

266
00:10:16,360 –> 00:10:17,320
It’s in line.

267
00:10:17,320 –> 00:10:19,840
As dependencies move, the agent checks CVEs again,

268
00:10:19,840 –> 00:10:22,040
closes the loop on any residual findings

269
00:10:22,040 –> 00:10:24,960
and regenerates the SBOM so your scanners see the new world,

270
00:10:24,960 –> 00:10:26,120
not your memory of it.

271
00:10:26,120 –> 00:10:27,840
And yes, it runs the vulnerability scanner

272
00:10:27,840 –> 00:10:30,000
and fails the build if something regresses.

273
00:10:30,000 –> 00:10:31,320
You call it strict.

274
00:10:31,320 –> 00:10:34,560
Correct, security calls it minimum viable professionalism.

275
00:10:34,560 –> 00:10:37,440
Let’s talk tests because the average user loves to say,

276
00:10:37,440 –> 00:10:39,760
“it compiles” like that’s an achievement.

277
00:10:39,760 –> 00:10:42,400
The agent runs your unit tests, your integration tests,

278
00:10:42,400 –> 00:10:45,360
and if you’ve set them up, contract tests against stub services.

279
00:10:45,360 –> 00:10:47,000
When tests are brittle, it files issues

280
00:10:47,000 –> 00:10:49,480
with precise failure output and recommended fixes.

281
00:10:49,480 –> 00:10:51,280
If a flaky test is blocking progress,

282
00:10:51,280 –> 00:10:54,240
it proposes quarantining it with a tag, documents the risk

283
00:10:54,240 –> 00:10:56,160
and keeps moving on non-risky areas,

284
00:10:56,160 –> 00:10:58,600
momentum without denial.

285
00:10:58,600 –> 00:11:00,000
Benchmarks next.

286
00:11:00,000 –> 00:11:02,760
After the upgrade stabilizes, the agent runs targeted

287
00:11:02,760 –> 00:11:05,320
throughput and latency tests against the same workloads

288
00:11:05,320 –> 00:11:06,440
as baseline.

289
00:11:06,440 –> 00:11:09,280
The impact is where Java 21 earns its keep.

290
00:11:09,280 –> 00:11:11,680
More concurrent requests on the same CPU budget

291
00:11:11,680 –> 00:11:13,880
due to virtual threads, lower tail latency

292
00:11:13,880 –> 00:11:17,000
thanks to GC improvements and fewer context switch penalties.

293
00:11:17,000 –> 00:11:18,280
You don’t need to worship benchmarks

294
00:11:18,280 –> 00:11:21,000
to understand graphs that slope in the correct direction.

295
00:11:21,000 –> 00:11:22,560
The report calls out which improvements

296
00:11:22,560 –> 00:11:25,520
came from virtual threads versus GC tweaks.

297
00:11:25,520 –> 00:11:28,480
So you can credit the right feature when finance asks why

298
00:11:28,480 –> 00:11:30,440
the machines are suddenly less bored.

299
00:11:30,440 –> 00:11:31,960
Build hygiene matters.

300
00:11:31,960 –> 00:11:34,200
The agent normalizes Maven wrappers,

301
00:11:34,200 –> 00:11:36,880
pins the toolchain to a Java 21 distribution

302
00:11:36,880 –> 00:11:39,800
you actually control and removes antique plug-ins

303
00:11:39,800 –> 00:11:42,200
that exist solely to make builds slow.

304
00:11:42,200 –> 00:11:44,720
It standardizes compiler flags, enables warnings

305
00:11:44,720 –> 00:11:46,760
as errors for the modules you approve,

306
00:11:46,760 –> 00:11:49,360
and adds static analysis where the signal is high.

307
00:11:49,360 –> 00:11:50,760
The goal isn’t perfect.

308
00:11:50,760 –> 00:11:53,600
The goal is repeatable and dull, which is the gold standard

309
00:11:53,600 –> 00:11:54,600
for builds.

310
00:11:54,600 –> 00:11:56,560
Here’s where the reclaimed hours show up.

311
00:11:56,560 –> 00:11:59,080
Historically, this kind of upgrade consumes weeks

312
00:11:59,080 –> 00:12:02,120
of senior engineer time, hunting transitive conflicts,

313
00:12:02,120 –> 00:12:03,880
unpicking arcane plug-in failures,

314
00:12:03,880 –> 00:12:05,520
and babysitting flaky tests.

315
00:12:05,520 –> 00:12:07,200
The agent compresses that into days,

316
00:12:07,200 –> 00:12:10,280
not by magic, by not getting tired, not getting distracted,

317
00:12:10,280 –> 00:12:12,080
and not inventing side quests.

318
00:12:12,080 –> 00:12:14,040
Your humans spend their time reviewing

319
00:12:14,040 –> 00:12:17,400
diffs and making judgment calls, not guessing version numbers.

320
00:12:17,400 –> 00:12:19,560
And when the loop converges, recipes applied,

321
00:12:19,560 –> 00:12:22,000
builds green, tests passing, scanners quiet,

322
00:12:22,000 –> 00:12:24,560
you have a clean branch with small well-labeled commits.

323
00:12:24,560 –> 00:12:27,640
Each message names the change, the rationale, and the source.

324
00:12:27,640 –> 00:12:29,680
Rollbacks are obvious, approvals are fast.

325
00:12:29,680 –> 00:12:31,400
Auditors can read them without calling you.

326
00:12:31,400 –> 00:12:34,320
Also, your pager is silent, which is how you know modernization

327
00:12:34,320 –> 00:12:36,080
happened instead of cosplay.

328
00:12:36,080 –> 00:12:37,360
Modern runtime secured.

329
00:12:37,360 –> 00:12:39,480
The app is faster, safer, and frankly more adult.

330
00:12:39,480 –> 00:12:42,360
Now the cloud bill and topology need surgery.

331
00:12:42,360 –> 00:12:46,280
Cloud migration: AWS out, Azure in, with pipelines and policy.

332
00:12:46,280 –> 00:12:48,320
Everything changes when the runtime is sane.

333
00:12:48,320 –> 00:12:50,760
Now we move the furniture, target architecture first,

334
00:12:50,760 –> 00:12:53,040
because random lifting creates random outages.

335
00:12:53,040 –> 00:12:56,480
For a single Spring MVC app that isn’t pretending to be a service mesh,

336
00:12:56,480 –> 00:12:58,440
Azure App Service is the efficient path.

337
00:12:58,440 –> 00:13:00,640
Simple deploys, built-in scaling, and no surprise

338
00:13:00,640 –> 00:13:01,640
Kubernetes cosplay.

339
00:13:01,640 –> 00:13:03,320
If you’ve got multiple Spring microservices,

340
00:13:03,320 –> 00:13:05,440
service discovery, and config churn,

341
00:13:05,440 –> 00:13:08,280
Azure Spring Apps earns its keep with managed Spring bits

342
00:13:08,280 –> 00:13:09,760
and blue-green out of the box.

343
00:13:09,760 –> 00:13:12,240
The agent doesn’t guess, it scores the workload on features,

344
00:13:12,240 –> 00:13:14,000
statefulness, and traffic, then recommends

345
00:13:14,000 –> 00:13:15,520
with trade-offs and cost notes.

346
00:13:15,520 –> 00:13:17,520
You approve, it proceeds, data is next,

347
00:13:17,520 –> 00:13:19,720
and this is where adults separate from hobbyists.

348
00:13:19,720 –> 00:13:21,520
The mandate is Azure SQL Database.

349
00:13:21,520 –> 00:13:23,560
Yes, I heard your PostgreSQL nostalgia.

350
00:13:23,560 –> 00:13:26,320
Governance wants consolidation, identity wants managed auth

351
00:13:26,320 –> 00:13:27,880
and finance wants one bill.

352
00:13:27,880 –> 00:13:30,600
The agent inventories JDBC usage, connection pools,

353
00:13:30,600 –> 00:13:32,040
and driver assumptions.

354
00:13:32,040 –> 00:13:34,880
It swaps the driver, updates the JDBC URL,

355
00:13:34,880 –> 00:13:37,240
adds retry logic suited for transient errors,

356
00:13:37,240 –> 00:13:41,440
and surfaces ANSI SQL deltas where you wrote dialect-specific queries.

357
00:13:41,440 –> 00:13:42,920
If migration friction is high,

358
00:13:42,920 –> 00:13:45,720
it proposes an interim landing zone on Azure Database

359
00:13:45,720 –> 00:13:48,640
for PostgreSQL with a future cutover plan.

360
00:13:48,640 –> 00:13:50,960
Clearly labeled, timelines included.

361
00:13:50,960 –> 00:13:53,200
Options with receipts.

362
00:13:53,200 –> 00:13:55,360
Containerization isn’t a personality trait.

363
00:13:55,360 –> 00:13:57,040
It’s a repeatability tool.

364
00:13:57,040 –> 00:13:58,440
The agent generates a Dockerfile

365
00:13:58,440 –> 00:14:00,880
that actually builds: multi-stage, minimal base image,

366
00:14:00,880 –> 00:14:02,840
non-root user, health checks.

367
00:14:02,840 –> 00:14:05,600
It bakes in JVM flags aligned to Java 21

368
00:14:05,600 –> 00:14:08,720
and your memory budget, not a random copy from a blog.

369
00:14:08,720 –> 00:14:11,960
Then it emits infrastructure as code, Bicep or ARM templates,

370
00:14:11,960 –> 00:14:14,160
to provision App Service or Azure Spring Apps,

371
00:14:14,160 –> 00:14:17,600
App Service plans, Key Vault, identities, and networking.

372
00:14:17,600 –> 00:14:21,080
One environment definition per stage: dev, test, prod,

373
00:14:21,080 –> 00:14:22,480
same shape, different sizes.

374
00:14:22,480 –> 00:14:25,480
Fewer surprise failures because the machines stop improvising.

375
00:14:25,480 –> 00:14:28,520
CI/CD is where the “we’ll deploy later” myth goes to die.

376
00:14:28,520 –> 00:14:30,280
Enter GitHub Actions.

377
00:14:30,280 –> 00:14:32,200
The agent scaffolds workflows that build

378
00:14:32,200 –> 00:14:35,720
with the pinned Java 21 toolchain, run tests and scanners,

379
00:14:35,720 –> 00:14:37,240
build and scan container images,

380
00:14:37,240 –> 00:14:40,200
and deploy through environments that require approvals.

381
00:14:40,200 –> 00:14:42,400
Rollbacks are a button, not a séance.

382
00:14:42,400 –> 00:14:45,400
Previous image tags, previous slot, previous template.

383
00:14:45,400 –> 00:14:48,720
It wires smoke tests post-deploy and gates promotion on success.

384
00:14:48,720 –> 00:14:52,000
You don’t hope prod looks like tests, the pipeline enforces it.

385
00:14:52,000 –> 00:14:54,200
Secrets are not environment variables in plain text.

386
00:14:54,200 –> 00:14:55,400
They live in Key Vault.

387
00:14:55,400 –> 00:14:57,800
The agent provisions vaults, creates references,

388
00:14:57,800 –> 00:14:59,960
and switches the app to managed identity.

389
00:14:59,960 –> 00:15:02,960
That means no embedded keys, no accidental config

390
00:15:02,960 –> 00:15:04,560
commits and no late night rotations

391
00:15:04,560 –> 00:15:06,760
because someone leaked credentials in a screenshot.

392
00:15:06,760 –> 00:15:08,720
It also adds conditional approvals.

393
00:15:08,720 –> 00:15:11,320
Security reviews happen when the SBOM changes,

394
00:15:11,320 –> 00:15:13,760
cost reviews trigger when plan sizes increase,

395
00:15:13,760 –> 00:15:16,280
and break-glass is logged when you override.

396
00:15:16,280 –> 00:15:19,120
Guard rails without friction, adults keep receipts.

397
00:15:19,120 –> 00:15:20,640
Cost reduction isn’t a prayer,

398
00:15:20,640 –> 00:15:22,640
it’s architecture plus policy.

399
00:15:22,640 –> 00:15:25,520
The agent right-sizes plans based on measured CPU and memory,

400
00:15:25,520 –> 00:15:26,360
not ego.

401
00:15:26,360 –> 00:15:28,560
For non-production, it recommends scale to zero

402
00:15:28,560 –> 00:15:31,000
or consumption-style options where supported.

403
00:15:31,000 –> 00:15:34,200
For production, it sets auto-scaling rules on real signals,

404
00:15:34,200 –> 00:15:36,800
requests per second, CPU, queue depth,

405
00:15:36,800 –> 00:15:38,760
and caps maximum instance counts

406
00:15:38,760 –> 00:15:40,800
with a documented exception process.

407
00:15:40,800 –> 00:15:44,040
Egress gets trimmed by collocating services and switching chatty

408
00:15:44,040 –> 00:15:46,640
nightly jobs to intra-region paths.

409
00:15:46,640 –> 00:15:49,360
The before and after estimate lands in the repo.

410
00:15:49,360 –> 00:15:52,480
Instance hours, storage tiers, data transfer,

411
00:15:52,480 –> 00:15:54,880
finance recognizes numbers, give them numbers.

412
00:15:54,880 –> 00:15:57,120
Network and reliability aren’t afterthoughts either.

413
00:15:57,120 –> 00:15:59,240
The templates add health probes, readiness checks,

414
00:15:59,240 –> 00:16:02,240
and connection draining so your users stop noticing deploys.

415
00:16:02,240 –> 00:16:04,480
If compliance demands private endpoints,

416
00:16:04,480 –> 00:16:06,960
it sets them up, pushes traffic through Application Gateway

417
00:16:06,960 –> 00:16:09,160
or Front Door, and configures WAF policies

418
00:16:09,160 –> 00:16:10,440
you can actually read.

419
00:16:10,440 –> 00:16:13,640
Logging routes to Azure Monitor with structured fields.

420
00:16:13,640 –> 00:16:17,120
Dashboards pre-baked, latency, error rate, saturation.

421
00:16:17,120 –> 00:16:18,600
Boring visibility is the goal.

422
00:16:18,600 –> 00:16:20,320
Cut over, follow the script, not vibes.

423
00:16:20,320 –> 00:16:21,720
The agent stages the environment,

424
00:16:21,720 –> 00:16:23,320
deploys to a new slot or instance,

425
00:16:23,320 –> 00:16:26,360
warms it with synthetic traffic and runs contract checks.

426
00:16:26,360 –> 00:16:29,320
Then a controlled switch, DNS TTLs adjusted if needed,

427
00:16:29,320 –> 00:16:32,240
slot swap if App Service, traffic splitting if Spring Apps,

428
00:16:32,240 –> 00:16:35,800
rollback plan remains armed until user traffic proves the point.

429
00:16:35,800 –> 00:16:37,680
The report calls out impact windows

430
00:16:37,680 –> 00:16:40,120
who approved what and where the escape hatch lives.

431
00:16:40,120 –> 00:16:41,960
This is how you avoid 2AM folklore.

432
00:16:41,960 –> 00:16:44,360
Policy integration ties the room together.

433
00:16:44,360 –> 00:16:46,320
Approvals for security sensitive changes,

434
00:16:46,320 –> 00:16:48,360
cost checks for plan upgrades and compliance

435
00:16:48,360 –> 00:16:50,440
attestations baked into the workflow.

436
00:16:50,440 –> 00:16:52,520
Every action lands in Git with rationale.

437
00:16:52,520 –> 00:16:55,200
Auditors see intent, change, and verification.

438
00:16:55,200 –> 00:16:57,520
No black box, just a disciplined choreography

439
00:16:57,520 –> 00:16:58,960
where the agent does the heavy lifting

440
00:16:58,960 –> 00:17:00,240
and you retain the steering wheel.

441
00:17:00,240 –> 00:17:03,240
Result AWS out, Azure in, pipelines humming,

442
00:17:03,240 –> 00:17:06,920
policy enforced, and the cloud bill finally acting like it’s on your side.

443
00:17:06,920 –> 00:17:07,840
You’re welcome.

444
00:17:07,840 –> 00:17:09,280
Results and benchmarks.

445
00:17:09,280 –> 00:17:12,400
Time, CVEs, cost, and hours.

446
00:17:12,400 –> 00:17:15,360
Let’s talk outcomes, not vibes, timeline first.

447
00:17:15,360 –> 00:17:16,960
The upgrade and migrate sequence

448
00:17:16,960 –> 00:17:19,920
that historically swallows a quarter went from months to days.

449
00:17:19,920 –> 00:17:22,520
Assessment and plan in hours, Java 21 upgrade

450
00:17:22,520 –> 00:17:23,680
in a couple of working days,

451
00:17:23,680 –> 00:17:27,040
cloud migration prep and pipelines inside the same sprint.

452
00:17:27,040 –> 00:17:30,240
Calendar effect, features stop queuing behind upgrade season

453
00:17:30,240 –> 00:17:31,440
because there is no season,

454
00:17:31,440 –> 00:17:33,920
just disciplined automation running continuously.

455
00:17:33,920 –> 00:17:36,520
Security next, CVEs don’t care about your roadmap.

456
00:17:36,520 –> 00:17:38,240
The agent moved critical and high findings

457
00:17:38,240 –> 00:17:41,800
from present and exploitable to resolved, regenerated the SBOM

458
00:17:41,800 –> 00:17:44,560
and produced scanner reports that matched reality.

459
00:17:44,560 –> 00:17:46,920
Residual medium and low items were documented

460
00:17:46,920 –> 00:17:49,760
with reachability notes and remediation timelines.

461
00:17:49,760 –> 00:17:52,600
The important bit, risk trend turns down and stays down

462
00:17:52,600 –> 00:17:54,600
because the pipeline rescans on every change.

463
00:17:54,600 –> 00:17:57,000
Cost reduction shows up where finance actually looks.

464
00:17:57,000 –> 00:18:00,160
Compute hours, right-sized to real load, non-prod environments

465
00:18:00,160 –> 00:18:02,200
set to scale to zero where supported

466
00:18:02,200 –> 00:18:05,880
and egress trimmed by collocating chatty services.

467
00:18:05,880 –> 00:18:09,280
Before, instances idling at single digit CPU,

468
00:18:09,280 –> 00:18:11,400
transfer charges spiking on nightly jobs,

469
00:18:11,400 –> 00:18:13,600
storage hoarding data you’ll never read.

470
00:18:13,600 –> 00:18:16,120
After instance counts align to demand curves,

471
00:18:16,120 –> 00:18:18,440
batch jobs stay intra-region, storage tiers

472
00:18:18,440 –> 00:18:19,920
match access patterns,

473
00:18:19,920 –> 00:18:23,000
the number that embarrassed finance and delighted security,

474
00:18:23,000 –> 00:18:25,680
total monthly run cost dropped while CVE count dropped,

475
00:18:25,680 –> 00:18:27,480
fewer dollars, fewer vulnerabilities,

476
00:18:27,480 –> 00:18:29,160
both graphs moved down together,

477
00:18:29,160 –> 00:18:30,520
that never happens by accident.

478
00:18:30,520 –> 00:18:32,720
Developer hours reclaimed aren’t theoretical.

479
00:18:32,720 –> 00:18:34,960
Senior engineers stopped babysitting dependency roulette

480
00:18:34,960 –> 00:18:36,080
and brittle builds.

481
00:18:36,080 –> 00:18:38,720
The agent’s loop, apply, build, test, patch,

482
00:18:38,720 –> 00:18:41,240
replaces the least creative part of their job.

483
00:18:41,240 –> 00:18:43,960
Those hours shift to performance work that compounds,

484
00:18:43,960 –> 00:18:46,400
optimizing hot endpoints, deleting dead features,

485
00:18:46,400 –> 00:18:48,240
improving observability.

486
00:18:48,240 –> 00:18:50,000
Portfolio-wide, the pattern scales.

487
00:18:50,000 –> 00:18:52,800
Once your playbook exists in Git, other apps adopt it

488
00:18:52,800 –> 00:18:54,800
and the upgrade tax stops accruing.

489
00:18:54,800 –> 00:18:56,920
Reliability signal improves because the pipeline

490
00:18:56,920 –> 00:18:58,520
enforces adulthood.

491
00:18:58,520 –> 00:19:00,840
Build success rates climb, test pass rates

492
00:19:00,840 –> 00:19:02,680
stabilize after flake quarantine

493
00:19:02,680 –> 00:19:05,400
and rollback drills become a button instead of a ritual.

494
00:19:05,400 –> 00:19:08,160
Deploy frequency increases without error rate penalties

495
00:19:08,160 –> 00:19:11,120
because the shape of dev, test and prod stops drifting.

496
00:19:11,120 –> 00:19:13,040
Confidence becomes a metric, not a speech.

497
00:19:13,040 –> 00:19:14,480
Transparency ties it together.

498
00:19:14,480 –> 00:19:15,600
Every change is a small,

499
00:19:15,600 –> 00:19:18,120
reviewable commit with rationale and references.

500
00:19:18,120 –> 00:19:19,800
Reports live beside code.

501
00:19:19,800 –> 00:19:22,240
Auditors answer their questions without summoning engineers.

502
00:19:22,240 –> 00:19:25,640
Leadership sees cost, risk, and velocity in the same pane.

503
00:19:25,640 –> 00:19:28,240
And the pager, it’s still quiet.

504
00:19:28,240 –> 00:19:31,560
Numbers matter, so you get them with receipts.

505
00:19:31,560 –> 00:19:33,720
Governance, audit trail, and model transparency.

506
00:19:33,720 –> 00:19:34,960
No black boxes.

507
00:19:34,960 –> 00:19:37,520
Traceability is the baseline, not an extra.

508
00:19:37,520 –> 00:19:40,000
Every action lands in Git with a reason and a link

509
00:19:40,000 –> 00:19:43,160
to an advisory, a recipe, a migration note.

510
00:19:43,160 –> 00:19:44,800
You don’t approve AI magic.

511
00:19:44,800 –> 00:19:47,120
You approve specific documented changes.

512
00:19:47,120 –> 00:19:49,200
Rollback is a git revert, not a war room.

513
00:19:49,200 –> 00:19:51,120
Explainability isn’t optional.

514
00:19:51,120 –> 00:19:53,920
The agent attaches “why” notes to each fix,

515
00:19:53,920 –> 00:19:57,920
which CVE, which API deprecation, which Azure guideline,

516
00:19:57,920 –> 00:20:00,360
model outputs map to standards you already recognize.

517
00:20:00,360 –> 00:20:02,720
If a suggestion deviates, it flags the variance

518
00:20:02,720 –> 00:20:03,920
and waits for a human.

519
00:20:03,920 –> 00:20:05,320
Control stays where it belongs.

520
00:20:05,320 –> 00:20:07,320
Controls are layered, not performative.

521
00:20:07,320 –> 00:20:09,520
Human in the loop checkpoints at plan approval,

522
00:20:09,520 –> 00:20:12,560
security sensitive changes, and environment promotion.

523
00:20:12,560 –> 00:20:14,520
Conditional gates trigger when SBOM deltas

524
00:20:14,520 –> 00:20:16,760
are large, when plan sizes increase cost,

525
00:20:16,760 –> 00:20:18,400
or when network posture changes.

526
00:20:18,400 –> 00:20:22,000
Break glass exists, is logged, and is audited after the fact.

527
00:20:22,000 –> 00:20:24,080
Adults sign, systems remember.

528
00:20:24,080 –> 00:20:26,440
Reporting is visible and dull, exactly right.

529
00:20:26,440 –> 00:20:28,440
Power BI dashboards pull from Git,

530
00:20:28,440 –> 00:20:31,680
scanners and pipeline runs, time saved, CVE trend,

531
00:20:31,680 –> 00:20:33,320
cost curve, deployment health.

532
00:20:33,320 –> 00:20:35,840
You can filter by repo, team, or environment.

533
00:20:35,840 –> 00:20:38,560
That means governance reviews look at facts, not folklore.

534
00:20:38,560 –> 00:20:40,000
Compliance posture is repeatable

535
00:20:40,000 –> 00:20:42,040
because evidence packs assemble themselves.

536
00:20:42,040 –> 00:20:44,680
Commit history, SBOMs, scanner outputs,

537
00:20:44,680 –> 00:20:46,480
pipeline logs, and change approvals bundle

538
00:20:46,480 –> 00:20:48,760
into audit artifacts aligned to your frameworks.

539
00:20:48,760 –> 00:20:50,760
You run the play again next quarter,

540
00:20:50,760 –> 00:20:53,280
and the output matches because the process matches.

541
00:20:53,280 –> 00:20:55,880
So, should you still fix legacy Java by hand?

542
00:20:55,880 –> 00:20:57,120
No, obviously.

543
00:20:57,120 –> 00:20:58,280
Here’s the takeaway.

544
00:20:58,280 –> 00:21:00,120
Manual modernization is waste.

545
00:21:00,120 –> 00:21:02,840
Agent-driven audited automation is the new baseline

546
00:21:02,840 –> 00:21:05,240
for speed, security, and cost control.

547
00:21:05,240 –> 00:21:08,360
If this saved you time, do the efficient thing, subscribe.

548
00:21:08,360 –> 00:21:10,520
Next, I’ll wire the Power BI dashboard

549
00:21:10,520 –> 00:21:12,520
and pipeline triggers end-to-end,

550
00:21:12,520 –> 00:21:15,560
so your reports update themselves and your deploys behave,

551
00:21:15,560 –> 00:21:17,920
enable notifications, and stop learning by outage.




