Services - ColdFusion development, maintenance & migration
We are one of the few UK agencies that still actively support and modernise ColdFusion applications — and we are proud of it. Adobe CF and Lucee, legacy CFML and modern script-based components, retainers and one-off projects.
Three things we do: keep your existing CF application running well, upgrade or harden it to a supported and secure version, or migrate it incrementally to a modern stack like Next.js or Node.js. Same team across all three — so the conversation can shift between them without restarting the relationship.
Legacy ColdFusion maintenance & support
You have a ColdFusion application that still runs the business — but the original developers have moved on, your in-house team is full-stack JavaScript now, and finding anyone who will touch CFML is getting harder every year. We will.
Monthly retainers from four hours upward, or one-off engagements for specific pieces of work — bug fixes, CFML refactors, query optimisation, scheduled task reliability, integration repairs, security patching, or simply being on call when something breaks.
We work on Adobe ColdFusion 8, 9, 10, 11, 2016, 2018, 2021, and 2023, and on Lucee 4 and 5. Tag-based legacy CFML, script-based modern components — we are fluent in both.
Typical maintenance work
- Bug fixes
- CFML refactors
- SQL & query tuning
- Scheduled task repair
- Integration fixes
- CVE patching
- On-call support
ColdFusion modernisation & migration
When the right answer is move off ColdFusion, we migrate it incrementally — never a big-bang rewrite. Your CF application keeps serving real traffic while we strangle it route by route with a modern stack, typically Next.js, Node.js, or Laravel depending on where your team is headed.
The pattern is well-trodden: a reverse proxy in front of CF, new routes routed to the new stack, old routes left untouched until they are replaced, and feature flags so you can roll back any individual route in seconds. You ship business value every sprint instead of waiting twelve months for a launch that may never come.
You can stop at any point. If half of your CF app turns out to be fine and only the customer-facing portal needed modernising, that is a successful migration too — not a failed rewrite.
Common migration targets
- Next.js
- Node.js / TypeScript
- Laravel / PHP
- AWS Lambda
- Postgres / MySQL
- API Gateway
CF upgrades, Lucee migration & security hardening
Sometimes you do not need to leave ColdFusion — you just need to get on to a supported version of it. We run time-boxed upgrade projects: Adobe CF 9/10/11 → CF 2023, or Adobe CF → Lucee when the licence economics no longer make sense.
Every upgrade ships with a hardening pass: patched runtime, locked-down CFIDE administrator, parameterised queries audited for SQL injection, session and cookie configuration brought up to current best practice, and a WAF (CloudFront, Cloudflare, or AWS WAF) in front. Most CF security incidents we see trace back to fixable basics.
If you are on a CF version with active CVEs and no upgrade path planned, this is the work to do first. Everything else can wait.
What an upgrade engagement includes
- Compatibility audit. Every CFML file scanned for deprecated tags, breaking changes between your current and target version, and Adobe-only features that need replacement if you are moving to Lucee.
- Side-by-side staging. Target version stood up in parallel with the live server so you can point QA at the new environment without touching production. Cutover is a DNS change you can reverse.
- Hardening pass. CFIDE locked down, admin URLs moved, session and cookie security set to current best practice, all queries audited for parameterisation, WAF rules configured.
CFML runtimes, frameworks & products we work with
- Adobe ColdFusion (8 → 2023)
- Lucee 4, 5, 6
- FW/1
- ColdBox
- CFWheels
- ContentBox
- Mura / Masa CMS
- CommandBox
- TestBox
- CFConcurrent
Why Maven for ColdFusion - The senior CFML resource you cannot find elsewhere
A small number of agencies in the UK will still take ColdFusion work seriously. Fewer still pair that with first-rate React, AWS, and modernisation expertise — which is exactly what you need if the conversation might one day turn into a migration.
- 22 years of CFML. Production ColdFusion experience back to Allaire CF in 2003, across every Macromedia, Adobe, and Lucee release since.
- Maintenance to migration on one team. Keep CF running today, modernise it tomorrow, ship the React replacement next year — same engineers throughout, no handoffs.
- Honest recommendations. We will tell you when staying on CF is the right call. Plenty of CF apps do not need to be rewritten and we will say so.
- Security-first. Every engagement starts with a CVE and configuration review. Unpatched CF servers are the single most common incident cause we see — we fix that first.
- Incremental migrations only. If you do want to leave CF, we use the strangler-fig pattern. No big-bang rewrites. Value ships every sprint, not at the end.
- Modern engineering practices. CI/CD, automated tests, infrastructure as code, observability — we bring 2026 engineering hygiene to your CF stack, not 2008 ops.
Get in touch
Got a ColdFusion application that needs an adult in the room?
Maintenance retainer, an upgrade you have been putting off, or the start of a migration — tell us what you are looking at and we will come back with an honest read within one working day.
Start a conversationFAQ - ColdFusion FAQs
The questions we get asked most often when CF teams reach out.
- Do people still use ColdFusion in 2026?
- Yes — far more than the internet suggests. Adobe ColdFusion 2023 is in active mainstream support and Lucee 6 is healthy. CF still powers a meaningful share of UK insurance, local government, higher education, and B2B SaaS systems built between 2002 and 2015. The visible community is small; the operational footprint is not.
- Can you maintain a legacy CF application without rewriting it?
- Yes. Many of our CF engagements are pure maintenance: bug fixes, security patching, CFML refactors, performance tuning, and bringing the application server (CF8, CF9, CF10, CF11) up to a currently-supported version. We work on monthly retainers from 4 hours per month upwards, or ad-hoc for one-off pieces of work.
- Should we upgrade Adobe ColdFusion or migrate to Lucee?
- Depends on your licensing budget and what your code uses. Lucee is open-source, free, and CFML-compatible — a strong fit when you want to drop Adobe licence fees and your codebase does not lean on Adobe-specific tags or PDF/Report Builder features. Adobe CF 2023 is the right answer when you need official vendor support, FIPS-compliant security, or the Adobe-only features. We benchmark both on your code before recommending.
- Can you migrate a ColdFusion application to a modern stack?
- Yes. The pattern that works is incremental: keep CF running, put a Next.js or Node.js frontend in front of it, migrate routes one at a time behind a reverse proxy, and retire CF modules as each is replaced. Big-bang CF rewrites fail. Strangler-fig migrations ship business value every sprint and let you stop at any point if the remaining CF code is genuinely fine.
- What CFML frameworks and products do you work with?
- Adobe ColdFusion (8 through 2023) and Lucee on the runtime side. FW/1, ColdBox, and CFWheels on the framework side. ContentBox and Mura/Masa CMS for content-managed sites. CommandBox for local dev and CI. We are equally happy in tag-based legacy CFML and modern script-based component code.
- Is ColdFusion secure enough for a production application in 2026?
- When patched and configured correctly, yes. Most CF security incidents trace back to unpatched servers running CVE-vulnerable versions, SQL injection in untyped queries, or exposed CFIDE administrators. We harden CF deployments to current best practice — patched runtime, locked-down admin endpoints, parameterised queries, secure session handling, and a WAF in front — as part of any engagement.