Guides

How to Choose a Code Audit Provider

The market problem

Decide you need a code audit and you’ll find the market cheerfully unhelpful. The term covers everything from a $500 automated scan with a PDF cover page, to a $150,000 security assessment by a specialized firm, to a consultancy’s loss-leader designed to conclude that you need a rewrite (by them, starting Monday).

All of these call themselves audits. They are not the same product. Choosing wrong costs you either money (paying security-assessment rates for a linter run) or worse, false confidence (a clean report from a scan that never checked the things that actually break companies). Here’s how to evaluate providers before you commit, including how to evaluate free ones, since we obviously have a position in that fight and you should discount our take accordingly.

First: know which audit you actually need

Providers specialize, and the wrong specialist will earnestly audit the wrong things. Match the trigger to the type:

  • Buying a company or raising a round → technical due diligence: architecture, team dependencies, scalability, IP hygiene. Auditor works for the buyer/investor’s questions.
  • Handling sensitive data, facing compliance, or you got scared → security audit / penetration test: exploitable vulnerabilities, done by offensive-security people.
  • Velocity collapsing, quality complaints, key-person risk → general code quality and architecture audit: technical debt, structure, maintainability, the works. (This is what a code audit means on this site.)
  • Inherited a codebase (acquisition, departed freelancer, AI-built MVP) → a general audit weighted toward “what don’t we know we don’t know.”

A pentest firm will do a mediocre job on maintainability; a quality auditor is not a substitute for a pentest if you’re storing health records. Anyone who claims to do all of it equally well at every price point is telling you something.

The five questions that separate providers

1. “Will a human read my code, and who exactly?”

The single most important question. Much of the low end of the market is automated scanning (SonarQube, Snyk, a lint suite) repackaged with commentary. Those tools are useful (we run them too) but they find the findable-by-tools subset: known CVEs, style violations, complexity counts. They cannot tell you that your authorization model has a hole, that your architecture fights your roadmap, or that all your knowledge lives in one employee. The difference is the entire subject of manual vs. automated code audits.

So ask: what fraction of the engagement is a senior engineer actually reading code? Then ask who: the person on the sales call is frequently not the person doing the work. Ask for the reviewer’s background. “Auditors” two years out of a bootcamp reviewing your distributed system is a real thing that happens.

2. “Show me a sanitized sample report.”

Any provider who has done this before has one. Judge it on:

  • Specificity. Findings should name files, lines, and concrete fixes, not “consider improving error handling.”
  • Prioritization. Severity ratings and an ordering, so it feeds directly into a fix plan, not a reading assignment.
  • Effort estimates. Even rough ones. A finding without a cost attached can’t be scheduled.
  • Tone. Reports written to frighten (“47 CRITICAL issues!!”) are sales documents. Real reports say “this is fine” about the things that are fine.

If the sample is twelve pages of tool output with a summary paragraph, you’ve learned what you’d be buying. Our full breakdown of what a good report contains works as a checklist here.

3. “What’s your process and how long will you spend?”

There’s a floor below which real review is impossible. A meaningful audit of a production SaaS codebase takes days of senior attention, not hours. Ask how they scope (by lines of code? repos? risk areas?), what they’ll need from you (repo access, architecture walkthrough, a call with your lead), and whether the process includes talking to your engineers: codebases lie less than people, but people know where the bodies are. A provider who quotes a fixed price without seeing your repository size or stack is quoting for a scan.

4. “What happens to my code and my report?”

Boring, mandatory diligence: NDA before access, read-only access, where your code is cloned and when it’s deleted, who internally sees it, whether findings are ever used in marketing. For security-sensitive audits, ask about their own security posture. Any hesitation here is disqualifying: this person is asking for the keys to your IP.

5. “What are you selling after the audit?”

Every provider has an incentive structure; make it visible. Pure-play audit firms have no follow-on work, so their findings skew neutral, but they also hand you a list and leave. Agencies (like, transparently, Webisoft) often audit free or cheap because some audited companies later hire them to fix things. That’s the model; the honest version is fine and the dishonest version isn’t. The tell is in the report: does it recommend proportionate fixes your own team could do, or does every road lead to a six-month engagement with the auditor? Ask directly: “if the biggest finding is a two-day fix, will the report say so?”

The same logic applies to free audits, including ours. A free audit is worth exactly as much as the work put into it, so apply questions 1 to 4 with full force. Free plus a named human engineer plus a real written report is a legitimate lead-gen trade. Free plus “our platform scanned your repo” is an email harvester.

Red flags, compressed

  • Guarantees a specific number of findings, or a “100% security” outcome
  • Won’t name the engineers or show a sample report
  • Fixed quote before seeing the codebase
  • Report reads like fear marketing, or like a proposal for their rewrite
  • No questions asked about your goals: an audit scoped without knowing whether you’re scaling, selling, or firefighting will optimize for the wrong reader
  • Timeline of “24 to 48 hours” for a non-trivial codebase (that’s a scan’s timeline, not a human’s)

A sane selection process

In practice: identify the audit type you need, shortlist two or three providers of that type, ask the five questions, read the sample reports, and weight the sample report above everything else: it’s the product you’re actually buying. Check that scope, timeline, and deliverable are written down. Then pick, and plan for the audit’s real cost: not the fee, but the engineering time to act on it afterward. An audit nobody acts on is the most expensive kind, whatever it cost up front.

Get a free code audit

Here’s our answer to the questions above, on the record: the Webisoft free audit is a manual review by a senior engineer, it produces a written prioritized report with severity and effort ratings, we’ll show you a sample first if you ask, your code is accessed read-only under NDA, and the business model is exactly what it looks like: some companies later hire us, most just take the report, and both outcomes are fine. If the biggest finding is a two-day fix, the report will say so. Get a free code audit and judge the product for yourself.

FAQ

Frequently asked questions

How do I tell a real audit from a scanner run with a logo on it?

Ask what fraction of the engagement is a senior engineer actually reading code, and who that person is. A fixed quote before anyone has seen your repository, or a 24 to 48 hour turnaround on a non-trivial codebase, is a scan's economics, not a human's. Tools find the findable-by-tools subset; they can't tell you your authorization model has a hole.

What should I look for in a sample report?

Specificity (files, lines, concrete fixes rather than "consider improving error handling"), severity ratings with an ordering, effort estimates even if rough, and a calm tone that says "this is fine" about the things that are fine. If the sample is pages of tool output with a summary paragraph, you've learned what you'd be buying.

Which type of audit do I actually need?

Match the trigger to the specialist. Raising or being acquired points to technical due diligence; compliance or a security scare points to a security audit or pentest by offensive-security people; collapsing velocity or key-person risk points to a general quality and architecture audit. A pentest firm will do a mediocre job on maintainability, and a quality auditor is not a substitute for a pentest.

Are free code audits legitimate, or always a sales trap?

It depends on what's behind them, so apply the same questions with full force. Free plus a named human engineer plus a real written report is a legitimate lead-gen trade: the agency bets some audited companies later hire them, and the honest version of that model is fine. Free plus "our platform scanned your repo" is an email harvester.

What are the fastest disqualifiers when comparing providers?

Guaranteed finding counts or "100% security" outcomes, refusal to name the engineers or show a sample report, a fixed price quoted before seeing the codebase, reports that read like fear marketing or like a proposal for their own rewrite, and no questions asked about your goals. Any one of these is enough to move on.

Free · no strings shown later

Get your free code audit

A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.

Request my free audit