Three reasons audits get commissioned — converging on one report
03 / technical audits

Find what's actually wrong.

Five audit dimensions — source code, architecture, security, team practice, AI systems

What this is.

Independent assessment. Code, architecture, security posture, team practice. Scoped to a single product, a single service, or an entire engineering organization — whatever the operator on the other side of the table needs assessed.

The output is a written report with prioritized findings. Not a slide deck. Not a dashboard. A document the team can sit with.

Most audits are commissioned for one of three reasons: a new technical leader wants a baseline read before making changes; a board wants an independent view before an investment or acquisition; or a team has been shipping fast for two years and wants to know what it's now sitting on. All three are valid. All three benefit from the same approach.

Audit methodology — four phases across two-, four-, or six-week scopes

How it runs.

Two-to-six-week engagement depending on scope. Code is read directly — no inference from architecture diagrams. Interviews with the engineers and the product leaders. Security review where the engagement calls for it. AI-system audits are available as a scope option. They are not the default. Most audits are about everything else first.

Audit deliverables — findings, formats, optional walk-through

What you get.

A report meant to be acted on, not shelved. Prioritized findings, suggested sequence, clear ownership next to each item. Specific enough to assign on Monday.

An optional walk-through with the engineering team after delivery — half a day, decision-focused, recorded.

Scope.

In scope: source-code review, architecture assessment, security posture and threat-model review, third-party dependency audit, deployment and infrastructure review, technical-team practice and process assessment, AI-system audit (model selection, prompt design, evaluation discipline, cost discipline), optional post-delivery walk-through.

Out of scope: full penetration testing (referred out to a specialist firm), compliance certification work (SOC 2, ISO 27001 — also referred out), ongoing remediation work beyond the delivered report (that becomes a Service 01 or 02 engagement).

Engagement.

Two-week, four-week, or six-week engagements depending on scope.

Fixed-fee, scoped per engagement. Half up front to start, half on report delivery. Optional walk-through billed separately as a half-day.

Reports are delivered as PDF + markdown, both formats, both archivable.

Talk.