Code Review & Technical Audit

An experienced, independent set of eyes on your codebase. We surface the security, performance, and maintainability risks before they become incidents or get found in diligence.

Code review and technical audit are the engagements we take on when the question is specifically about the code. How good is it? What risks live in it? What would an acquirer find? What would an attacker find first? The output is a written, evidence-backed report tailored to the audience: executive summary up front, detailed findings and remediation guidance behind.

This work runs as part of our broader practice. The full engagement page covers the four situations we're built for (inheriting a codebase, heading into funding or acquisition, acquirer-side technical due diligence, production rescue), what an audit covers in detail, and indicative pricing.

See the full engagement page: Codebase Audit, Rescue & Technical Due Diligence. Code review is the audit half of that practice, focused on the code itself rather than the wider engineering organisation.

A Note on Vendor Reviews

One distinction worth flagging: vendor reviews are something we take on, but only where the vendor is informed and cooperative. We don't do covert reviews. The exercise produces better information when the team that wrote the code is in the room, and it produces better outcomes for the client commissioning the work too.

Frequently Asked Questions

What is the difference between a code review and a technical audit?

A code review focuses on the code itself: quality, correctness, security, maintainability. A technical audit is broader, covering architecture, operations, security posture, vendor and dependency risk, and engineering process. Most engagements blend both, which is why we cover them together as part of our codebase audit and rescue practice.

Do you do covert reviews of vendor code?

No. Vendor reviews are something we take on, but only where the vendor is informed and cooperative. Covert reviews aren't a service we offer.

Do you do security-focused reviews?

We do, with the caveat that we are not a dedicated penetration-testing firm. Where the engagement requires a formal security assessment with controlled exploitation, we recommend partnering with a specialist firm and we're happy to scope and oversee that engagement.

Let's Talk

Tell us about the codebase, who's commissioning the review, and what's at stake. We'll get back to you within one business day.
