Two weeks.
One report. No retainer.
A fixed-scope engagement from first contact to final debrief. No open-ended discovery phase, no scope creep — the same three stages, every time.
Intake (Days 1–2)
A structured questionnaire covering the system's architecture, data flows, and current ownership. Access to architecture docs and the relevant repo. One technical interview with the team that built the system, to fill in what the docs don't cover.
Audit (Days 3–9)
Each of the four risk surfaces — data exposure, architecture brittleness, output reliability, operational readiness — is reviewed in turn. Every finding is scored independently on severity and likelihood, then ranked into Critical, High, or Watch.
Report & debrief (Days 10–14)
A ranked findings document — one-page executive summary, findings list with recommended fixes, and a technical appendix. Followed by a 60–90 minute walkthrough call to go through what matters most and what to fix first.
No open-ended engagement, no surprise invoice.
A fixed two-week window and a fixed price, agreed before the work starts. That's deliberate — it removes the usual fear of scope creep on your side, and it matches what's actually deliverable on ours. The audit answers one question well, rather than drifting into an unscoped advisory relationship.
The report is the spec for what comes next.
Critical and High findings become scoped, fixed-price remediation quotes — priced individually, not as a retainer. You decide which to act on and in what order. There's no obligation to continue past the report.
Know exactly where the risk is before someone else finds it.
A 20-minute call to see if an audit makes sense for what you've built.