Methodology · 6 min read

What's in the Free digital audit (and what we left out)

A page-by-page tour of the audit PDF. What we check, what we explicitly don't, and why.

The Hayaiti team
#audit #process


What it is

The free digital audit is a real PDF report — usually 12-18 pages — covering web performance, SEO, security posture, and app health. We send it within 24 hours of submission. There's no follow-up sales call required to get it.

This post is what's in it, what's not in it, and why we drew the lines where we did.

What's covered

Web performance

  • Lighthouse scores (mobile + desktop) for the homepage and 2-3 key pages
  • Core Web Vitals from real-user data (CrUX) where available
  • LCP / CLS / INP breakdowns with the offending elements identified
  • Specific recommendations: images that should be optimized, scripts that should be deferred, fonts that should be preloaded
  • TTFB and hosting/CDN signals

We don't just dump Lighthouse output. We tell you which findings move your business metric and which are noise.

SEO foundation

  • Indexability check (robots.txt, sitemap, canonical tags)
  • On-page basics: title tags, meta descriptions, H1 structure, image alt text on the first 50 images
  • Schema markup audit
  • Internal linking patterns
  • Core Web Vitals (which are a ranking factor)
  • A short list of obvious technical SEO wins

We don't do keyword research, content strategy, or link-building recommendations in the audit. Those need a real engagement.

Security posture

  • TLS configuration (Qualys SSL Labs equivalent)
  • Security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, etc.)
  • DNS health (DNSSEC, CAA, DMARC, SPF, DKIM)
  • External attack surface (open ports, exposed admin panels, leaked credentials in known dumps)
  • Subdomain takeover scan (see our post on why this matters)
  • Cookie security (Secure, HttpOnly, SameSite)

This is intentionally external-only. We're not authenticating into anything, not running internal scans, not touching code.
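As an added illustration of the external-only checks in the security posture list above (example code written for this post, not Hayaiti's audit tooling), the script below parses a constructed HTTP response and flags missing or weak security headers and cookie attributes. The thresholds and severities it uses are assumptions for the example, not the audit's actual scoring.

```python
# Added example (not Hayaiti's tooling): external-only checks on security
# headers and cookie flags, run against a constructed HTTP response.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample response with deliberate gaps so every check fires at
# least once. In practice the raw bytes would come from a TLS connection.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age for this example
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scale)
    check: str     # short identifier for the check that produced it
    detail: str    # human-readable explanation for the report


def parse_raw_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.x response into (status code, headers).

    Header names are lower-cased; values are kept as a list because
    Set-Cookie legitimately repeats and must not be merged."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(headers: dict[str, list[str]]) -> list[Finding]:
    """Flag missing or weak security headers; a CSP frame-ancestors directive
    counts as clickjacking protection even when X-Frame-Options is absent."""
    findings: list[Finding] = []

    def first(name: str) -> str | None:
        values = headers.get(name)
        return values[0] if values else None

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(Finding("high", "hsts", "Strict-Transport-Security missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append(Finding("medium", "hsts", f"HSTS max-age under one year: {hsts!r}"))

    csp = first("content-security-policy")
    if csp is None:
        findings.append(Finding("medium", "csp", "Content-Security-Policy missing"))

    if first("x-frame-options") is None and not (csp and "frame-ancestors" in csp):
        findings.append(Finding("medium", "clickjacking",
                                "No X-Frame-Options and no CSP frame-ancestors"))

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(Finding("low", "nosniff", "X-Content-Type-Options is not 'nosniff'"))

    if first("referrer-policy") is None:
        findings.append(Finding("low", "referrer", "Referrer-Policy missing"))
    return findings


def audit_cookies(set_cookie_values: list[str]) -> list[Finding]:
    """Check each Set-Cookie for the Secure, HttpOnly and SameSite attributes."""
    findings: list[Finding] = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs: dict[str, str] = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
        if "secure" not in attrs:
            findings.append(Finding("high", "cookie", f"{name}: missing Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("medium", "cookie", f"{name}: missing HttpOnly"))
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(Finding("low", "cookie",
                                    f"{name}: SameSite is {attrs.get('samesite') or 'unset'}"))
    return findings


def audit_response(raw: str) -> list[Finding]:
    """Run all checks on one raw response and return them highest severity first."""
    _status, headers = parse_raw_response(raw)
    findings = audit_headers(headers) + audit_cookies(headers.get("set-cookie", []))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"[{f.severity:6}] {f.check:12} {f.detail}")
```

The sorted output is what a prioritized list at the front of a report needs: the one missing Secure flag on the session cookie ranks above the short HSTS lifetime, which ranks above the missing Referrer-Policy. Nothing here authenticates or touches anything beyond a single response, matching the external-only scope described above.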

App health (if applicable)

If the client has a public-facing app (iOS or web), we add:

  • App Store / Play Store listing review
  • Crash rate signals from public data
  • Bundle size and load-time analysis (web)
  • Privacy disclosure consistency check

What we explicitly don't include

This is the part that matters most.

Deep code analysis

We don't audit your source code. We don't run SAST tools against your repo. We don't review your authentication implementation, your authorization logic, or your business-critical workflows.

Why not: a real code audit takes 20-40 hours of senior engineering time. We can't give that away for free without it either being a junior engineer's output or being a teaser for a paid engagement. We'd rather be honest: the Security Audit + Fix SKU is $4,995 and that's where deep code analysis lives.

Pentest-grade findings

The audit doesn't include manual exploitation, business-logic testing, or chained-vulnerability discovery. Those require a Pentest Engagement — $14,995, 21 days, manual work by humans with bug-bounty backgrounds.

Authenticated testing

We don't log into anything. The audit is what an attacker (or a journalist, or a competitor) could find from outside.

Performance under load

We don't do load testing or stress testing. The audit reflects normal traffic conditions. If you need capacity planning, that's a separate engagement.

Strategy and recommendations

We give specific technical findings with specific fixes. We don't give you a 90-day roadmap or a quarterly strategy doc. The audit is a diagnostic, not a plan.

Why it's free

Three reasons, in order of honesty:

  1. It's a great way to find clients. Roughly 1 in 5 audit recipients books a paid engagement within 30 days. We'd rather pay for that lead with engineering work than with ads.
  2. The work itself is mostly automated. Lighthouse, SSL Labs, security header scans, DNS checks — all scriptable. The 24-hour turnaround is real because most of the report writes itself. The human touch is the prioritization and the prose.
  3. It's a portfolio piece. Every audit is a working sample of how we communicate technical findings. If you like the audit, you'll like the work.

What you do with it

The PDF includes a prioritized list at the front: "If you fix three things this month, fix these." Most companies fix the high-impact items themselves. Some hand it to their existing dev team. A subset hire us to do the fixing.

All three of those outcomes are fine with us. We'd rather give the report to people who never hire us than gate it behind a sales call.

Request the audit here — there's no credit card and no call.


The Hayaiti team

Hayaiti

Hayaiti is a productized engineering studio. We ship web, software, iOS, and cybersecurity work on fixed prices and calendar-day timelines. The team takes turns on the shipping log.
