About The Author: James Whitfield

Most enterprises know they need better DevOps practices. Few can articulate where they stand or what the next concrete step is. A maturity model provides the framework: it defines the stages, identifies your current position, and maps the path forward.

This model uses five levels. Each level builds on the previous one. Skipping levels creates fragile practices that collapse under pressure.

Level 1: Manual

Deployments are manual. Someone logs into a server, copies files, runs scripts, and hopes. Build processes require specific knowledge held by one or two people. Testing is manual and inconsistent. The deployment process is documented (optimistically) in a wiki page that was last updated 18 months ago.

Organisations at Level 1 experience long deployment cycles (weekly or monthly), high change failure rates, extended outages during deployments, and key person dependencies that create single points of failure.

  • The step to Level 2: automate your build process. If you cannot produce a deployable artifact with a single command, nothing else matters.

Level 2: Automated Build, Manual Deploy

A CI server (Jenkins, GitLab CI, GitHub Actions) automatically builds the application when code is committed. Automated tests run during the build. Deployments are still manual, but they use the artifacts produced by the CI pipeline rather than ad hoc file copies.

This level eliminates “it works on my machine” problems and catches compilation errors and basic test failures before deployment. The manual deployment step remains a bottleneck and a risk.

  • The step to Level 3: automate your deployment pipeline. Deploy the same way to every environment using the same scripts.

Level 3: Continuous Delivery

The entire path from code commit to production deployment is automated. Code moves through build, test, staging, and production stages in a pipeline that requires no manual steps except a final approval gate before production.

Environments are provisioned using infrastructure as code (Terraform, Pulumi, CloudFormation). Configuration is managed through environment variables or secret management tools, not manual edits. Deployments are repeatable, reversible, and consistent.

  • The step to Level 4: invest in observability and feedback loops.

Level 4: Continuous Deployment with Observability

The approval gate before production is removed. Code that passes all automated checks deploys to production automatically. This requires high confidence in your test suite and robust monitoring that detects problems immediately after deployment.

Observability goes beyond basic monitoring. It includes distributed tracing (tracking a request across services), structured logging (searchable, queryable logs), custom metrics (business-level indicators alongside technical metrics), and alerting based on anomaly detection rather than static thresholds.

Feature flags control the rollout of new functionality. A deployment puts code into production. A feature flag controls whether users see it. This separates the deployment risk from the feature risk.

  • The step to Level 5: shift left on security and compliance.

Level 5: Fully Integrated DevSecOps

Security scanning, compliance checks, and policy enforcement are integrated into the pipeline. Dependency vulnerability scanning runs on every build. Container image scanning checks for known vulnerabilities before deployment. Infrastructure as code undergoes policy validation (Open Policy Agent, Sentinel) that enforces security and compliance rules.

Audit trails are generated automatically by the pipeline. Compliance teams can verify that every production change passed through the required gates without reviewing individual deployments.
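As an added illustration (not code from this post or from any particular pipeline product), the check a compliance team could run over such an audit trail might look like the sketch below. The event format, the gate names and the sample log are all assumptions constructed for the example.

```python
import json

# Gate names are assumptions that mirror the checks this level describes.
REQUIRED_GATES = frozenset({"tests", "dependency_scan", "image_scan", "iac_policy"})

# Constructed sample audit trail (one JSON event per line), not real pipeline output.
SAMPLE_LOG = """
{"event": "gate", "artifact": "sha256:aaa", "gate": "tests", "result": "pass"}
{"event": "gate", "artifact": "sha256:aaa", "gate": "dependency_scan", "result": "pass"}
{"event": "gate", "artifact": "sha256:aaa", "gate": "image_scan", "result": "pass"}
{"event": "gate", "artifact": "sha256:aaa", "gate": "iac_policy", "result": "pass"}
{"event": "deploy", "env": "production", "change": "CHG-1", "artifact": "sha256:aaa"}
{"event": "gate", "artifact": "sha256:bbb", "gate": "tests", "result": "pass"}
{"event": "gate", "artifact": "sha256:bbb", "gate": "dependency_scan", "result": "fail"}
{"event": "gate", "artifact": "sha256:bbb", "gate": "image_scan", "result": "pass"}
{"event": "gate", "artifact": "sha256:bbb", "gate": "iac_policy", "result": "pass"}
{"event": "deploy", "env": "production", "change": "CHG-2", "artifact": "sha256:bbb"}
{"event": "deploy", "env": "staging", "change": "CHG-3", "artifact": "sha256:ccc"}
{"event": "deploy", "env": "production", "change": "CHG-4", "artifact": "sha256:ccc"}
"""


def verify_audit_trail(log_text, required=REQUIRED_GATES):
    """Map each production change id to the sorted gates it lacks (empty = compliant)."""
    latest = {}    # (artifact digest, gate) -> most recent result seen so far
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] == "gate":
            latest[(rec["artifact"], rec["gate"])] = rec["result"]
        elif rec["event"] == "deploy" and rec["env"] == "production":
            # Only gates recorded before the deploy, for the exact digest deployed, count.
            missing = [g for g in required if latest.get((rec["artifact"], g)) != "pass"]
            findings[rec["change"]] = sorted(missing)
    return findings


if __name__ == "__main__":
    for change, missing in verify_audit_trail(SAMPLE_LOG).items():
        print(change, "OK" if not missing else "MISSING/FAILED: " + ", ".join(missing))
```

Keying the gate results on the artifact digest is what catches CHG-4: an artifact that reached production without any recorded gate results for that exact build.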

Organisations at Level 5 deploy frequently (multiple times per day), detect issues in minutes, recover in minutes, and maintain continuous compliance without manual audit preparation.

Assessing Your Level

Be honest about where you are. Most enterprises are between Level 2 and Level 3. The organisations that claim Level 5 but deploy monthly are measuring aspiration, not practice.

The value of the model is not the label. It is the clarity about what to work on next. Each level up delivers measurable improvements in deployment speed, reliability, and security.

What This Means for Your Business

DevOps maturity directly affects how fast you can deliver software, how reliably it runs, and how securely it operates. Each maturity level reduces risk and increases velocity.

FortySeven’s DevOps practice helps enterprises assess their current maturity level and implement the specific practices, tools, and cultural changes required to advance.