Frequently Asked Questions: Tech Stack Assessment

What exactly is analyzed in the assessment?

We analyze 6 dimensions: (1) Architecture & code quality (metrics, tech debt), (2) Security & compliance (OWASP, secrets, IAM, GDPR), (3) Dependencies & supply chain (SCA, SBOM, licenses), (4) DevOps & CI/CD (pipeline maturity, test coverage), (5) Cloud & costs (FinOps, waste, rightsizing), (6) Observability & operations (monitoring gaps, SLO readiness). Scope is aligned upfront.

What tools and scanners do you use?

We use established tools: SonarQube/SonarCloud for code quality, Snyk/Trivy for SCA and container scanning, OWASP ZAP for security scans, AWS Cost Explorer/Infracost for cloud costs, and proprietary checklists for architecture and DevOps maturity. All tools can be operated in a GDPR-compliant manner.

How is sensitive data and code handled?

Security by design: code is accessed through read-only repository access (GitHub/GitLab), all scans run in your environment or in an isolated environment, no data leaves your systems without approval, an NDA is signed before project start, and scan results are deleted after handover. On-premise analysis is available on request.

How long does an assessment take and who needs to be involved?

Standard scope: 2–4 weeks. Kickoff with the CTO/Tech Lead (2h); after that we work largely independently with repository access and read-only cloud access. Interim presentation after week 2, then a closing workshop with findings and roadmap. Your effort: approx. 1 day of your team's time, spread over the duration of the assessment.

What do I receive as a result?

Concrete deliverables: (1) Executive summary for stakeholders, (2) Scorecard & heatmap (PDF/interactive), (3) Detailed findings report with screenshots/metrics, (4) SCA/SBOM export (CycloneDX/SPDX), (5) Prioritized roadmap (quick wins + strategic topics), (6) Optional: ADR templates for architecture decisions. All deliverables are digital; a management presentation is available on request.

What happens after the assessment?

You have full clarity about your tech stack and a prioritized roadmap. Optionally, we accompany the implementation: quick-win sprints for immediate improvements, architecture coaching for your team, security hardening workshops, or continuous tech debt reduction on a retainer basis. Many clients start with 2–3 quick wins and then plan the strategic topics.