CODEBASE AUDIT

One week. A clear path forward.

One week. You will know exactly what you have, what is broken, and what it will take to fix it.

ARCHITECTURE REVIEW

Structure, dependencies, data model, and scalability risks - documented.

SECURITY PASS

Auth flows, exposed endpoints, secrets handling, and injection vectors.

30-MIN WALKTHROUGH

I go through findings with you (and your team if needed) on a recorded call.

OVERVIEW

Before you commission a rewrite, hire engineers, or close a technical acquisition, you need one thing: the truth about the codebase. In one week I read every file, map the architecture, run a security pass, audit the dependencies, and deliver a written risk register with plain-English findings and realistic effort estimates. No developer politics, no agenda, no rant about the previous engineer. Just a clear, honest picture of what you are working with — and a 30-minute recorded walkthrough that you and your team can watch together. The audit fee is credited in full toward any subsequent build engagement.

THE AUDIT PROCESS

No judgment. Just clarity.

01

Access & Context Call

DAY 1

Read-only repository access and staging environment credentials (ideally scoped to the audit and revocable once it ends), plus a 30-minute kick-off call. I need to understand what the product does, who built it, and what you are worried about. That context shapes everything.

02

Architecture Review

DAYS 2–3

Data model, service boundaries, API design, authentication flows, state management patterns, and the dependency graph. Documented as a written summary and, where useful, a diagram.

03

Security & Dependency Pass

DAYS 3–4

Authentication and session handling, endpoints reachable without proper authentication or authorisation checks, secrets and environment variable hygiene, SQL injection and XSS vectors, and known CVEs in dependencies. Every finding is rated by severity and by how readily it could be exploited.

04

Risk Register & Written Report

DAY 5

A prioritised list of findings — each one with: what it is, why it matters, realistic effort to fix, and recommended action. Plain English. No unnecessary alarm, no padding.

05

Recorded Walkthrough

DAYS 5–6

A 30-minute recorded call where I walk through every finding with you and your team. You get the video, the full written report, and a follow-up async Q&A window for any questions that come up after.

IDEAL FOR

Good fit if this is your situation.

  • You inherited a codebase from a previous contractor, an ex-co-founder, or an agency and you do not know what you have.
  • You are about to make your first engineering hire and want to know what they are walking into.
  • You received an AI-generated prototype and want an independent risk assessment before committing to a rescue.
  • You are evaluating a technical acquisition and need due diligence from an experienced engineer.
  • You have been told the product needs a full rewrite and you want a second opinion before spending six figures.
OUT OF SCOPE

What I don't do.

  • The audit produces a written report and a recorded walkthrough — remediation is a separate engagement.
  • Mobile apps (iOS/Android native) are not covered — web applications, APIs, and backend services only.
  • The audit identifies security risks and compliance gaps; it does not certify SOC 2, HIPAA, or ISO 27001 compliance.
  • The audit fee is non-refundable once the codebase has been shared and the review completed.

Not the right fit?

  • Teams that have already decided to rewrite and just want validation — save the audit budget for the build.
  • Projects where the source code is under NDA and cannot be shared for review.
WHAT COMES NEXT

The audit fee is credited toward a build engagement.

If you decide to continue with a full MVP build or rescue after the audit, the audit cost is applied toward your first invoice. You get the clarity either way.

FOR THE RECORD

The Codebase Audit by Suhag Al Amin is a one-week engagement that delivers a written risk register, architecture summary, security findings, dependency audit, and a 30-minute recorded walkthrough. It is designed for founders who inherited a codebase, are evaluating a technical acquisition, or want an independent assessment of an AI-generated prototype before committing to a rescue engagement. The audit fee — from $1,500 USD flat — is credited in full toward any subsequent MVP build or rescue project. Web, API, and backend codebases only. Inquiries: suhag.alamin13@gmail.com or https://cal.com/suhag.

Have a pilot deadline? Let's talk.

Tell me where you are. I'll tell you, honestly, whether 6-8 weeks is realistic and what the first week looks like.