A 360° diagnosis in decision language: where velocity stalls, what technical debt costs, and how exposed you are on security. Report in four days, one-hour readout.
Book a scoping call
Six cases I run into regularly, invisible in the repository and very real on the servers:
Settings left at their defaults degrade performance or compromise data persistence. It looks minor, yet it often weighs heavily.
A database or an admin console stays reachable from the outside, while nothing in the code hinted at it.
Passwords and access keys sit in plain text in the configuration, copied from one deployment to the next. And former employees sometimes still have access to production or to critical components.
No monitoring is in place: the outage is discovered when a customer calls, not before. I call this anti-pattern Customer-based alerting, and it's a disastrous customer experience.
In interviews, I'm told there's a solid testing strategy. In the code, I find tests that are missing or limited to the trivial, covering none of the critical scenarios. That feeds customer dissatisfaction, and sometimes churn.
What runs in production no longer matches the repository. Hand-made changes linger, and no one can recreate the production environment from scratch anymore, for instance to trigger a disaster recovery plan after an attack.
How the product's building blocks communicate, where the single points of failure sit, and what gives way when traffic is multiplied by ten.
Is the code still modular and changeable without breaking everything, or does coupling spread every change everywhere and slow the team down?
Does the infrastructure scale with the company's growth, on the performance side? I add a FinOps analysis: I compare your infrastructure costs with those of similar-size companies I've already observed, then I identify the possible optimizations, in performance as well as cost.
Do your teams go from source code to deployment without depending on anyone? Is their breakdown aligned with business stakes, with infrastructure, and with the codebase? The goal is autonomous teams: a short time-to-market, and a company that stays aggressive in its market.
Does the way of delivering really serve the company's goals and align the teams on a shared trajectory, or does it burn budget off-target?
From the stated need to the shipped code, I measure the drift at each step: gathering, specification, implementation, quality.
Real exposure surface: reachable data, over-broad rights, vulnerable dependencies. I measure it in the code and on the servers actually running.
This is the health that determines future speed: tests, readability, technical debt. That hidden debt slows every change down.
I interview your CTO and your technical leads, then I hold their explanations against what the code, the servers, the team organization and the methodology used across the whole software lifecycle actually show. That's often where the gap between the story and the reality becomes visible.
An audit that stops at interviews, without a review of the source code or the servers, misses half the problems. The tickets and the business owners describe the intent, which rarely matches what was actually written in the source code. The reality of the customer experience plays out on the production servers. That's exactly what I check, on both sides. I read the source code, under NDA if needed, then I inspect the servers in execution and in configuration, where the flaws and configuration defects that weigh on performance and security hide.
Your product holds up, your team ships, and the technical side, the methodology and the alignment of your teams' organization with your stakes all stay a black box you can't audit yourself. I give you a verified answer, in the language of decisions: where velocity stalls, where software quality stalls, what your real exposure is on security and GDPR, whether the team is sized for the roadmap ahead, and what technical debt is costing you. I come as an ally of your CTO. I leave them precise, actionable arguments and recommendations on their tech stack, their methodology and their team organization, to defend their work in front of you.
I've already run these audits for Ouest-France, Klaxoon, France's Ministry of the Interior, Ascor, Guest Suite, Wanteeed and COMAP.
They trusted me to audit their technical foundations.
The scope narrows to what drives the decision: red flags, quantified technical debt, the team's ability to deliver the roadmap, security and compliance risks. The debrief decides: go, no-go, or go with conditions, with the impact on valuation.
I already work with Arkéa Capital, MAIF Avenir, SofiOuest, NCI and Caisse des Dépôts.
They trust me with the technical due diligence of their targets before they invest.
« François-Guillaume gave me advice on migrating a SaaS architecture to On Premise, drawing on all his experience. In just half a day, we found the simplest and most effective solution possible, with a roadmap of best practices to implement over time. I highly recommend him. »
Pierre COGNIN, Founder & CEO Techmood
« François-Guillaume was extremely helpful in clarifying our SaaS strategy from both a technical and product standpoint. The audit gave us a clear and actionable assessment. François-Guillaume's expertise is inspiring, and his ability to simplify complex issues, understand the stakes, and his genuine care make his audits a truly enriching experience. »
Antoine Laborde, CTO Ogures Software
« With strong technical, organizational, and entrepreneurial skills, François-Guillaume quickly grasped our complex challenges and delivered a precise assessment along with invaluable recommendations. »
« François-Guillaume has both a very broad general IT knowledge and sharp expertise in new technologies. His theoretical knowledge is illustrated by his own field experience. »
« Following a half-day exchange about database performance issues, François-Guillaume's advice enabled us to quickly reduce response times across our services. »
« He knows and recommends the right tools for every situation, and is able to structure things in a simple and effective way. A real pleasure to work with. »
Rémi Castel, Software Engineer Hublot
The audit applies the method from the book NoBullshit Tech-Lead. You know exactly what gets reviewed, before you sign.
I have built, shipped to production and sold SaaS products. I judge your stack the way an acquirer would judge mine: what holds in production, what gets expensive later.
Funds trust me to audit their targets before a fundraise.
My open source code runs close to 9.6 million times a month. I do not audit in theory.


A fast first read, or investment due diligence.
The detailed assessment to decide with confidence.
For your most complex technical challenges.
A blocking issue. A decision to make. An external perspective on your architecture, organization, or go-to-market.
For CEOs, CTOs, CPOs and COOs who want to be challenged, not reassured.
Prices excl. VAT. The exact scope is set in a 30-minute call.
If needed, I sign your NDA before any access to the source code and the servers. I observe in read-only, without ever changing your production. The diagnosis is delivered to you behind closed doors. And I give your CTO the arguments to defend their work internally.
A full audit usually runs from €3,000 to €15,000 depending on depth and on the auditor. I offer two formats: €4,800 excl. VAT for a flash due-diligence audit with a report within four days, and from €14,750 excl. VAT for a full 360° audit with a readout.
It is an independent audit commissioned by an investor to assess how solid a digital asset is before investing. It covers architecture, technical debt, security, scalability, team organisation and continuity risks. The deliverable combines a report and a readout within a few days.
The right move is to bring in a senior external peer, to avoid the hierarchical bias. I review architecture decisions, engineering quality (CI/CD, code review, debt), the ability to hire and retain, and the alignment between roadmap and resources. I arrive as an ally to the CTO and I leave him arguments to defend his work.
It is the same method under a different angle. The audit is commissioned by internal management to improve and prioritise. The due diligence is commissioned by an investor before a transaction, to qualify the risk and decide on funding.
Three signals come up often: deliveries slow down while the team grows, production incidents repeat, or an acquisition or fundraise is coming. An external view finds the root causes without the internal team's bias.
I sign your NDA before any access to the code and servers. I observe in read-only mode, without ever changing your production, and the readout happens behind closed doors.
A short call is enough to check whether the audit makes sense, and which one. I sign your NDA before any access.