Technical DebtConsultingEngineering

Inherited a Bad Codebase: How to Assess What You Actually Have

Veld Systems||5 min read

In this article

You just took over a software project. Maybe you acquired a company, maybe your previous developer left, maybe you hired a new CTO and the first thing they said was "this is a mess." Whatever the reason, you are staring at a codebase you did not build and you need to figure out what you actually have.

We have audited dozens of inherited codebases. Some turned out to be better than they looked. Most were worse. Here is the systematic process we use to assess a codebase and give you an honest answer about what to do next.

Step 1: Can You Run It?

This sounds basic, but it is the first and most revealing test. Clone the repository, follow whatever setup instructions exist (if any), and try to run the application locally.

If it runs on the first try with documented steps: Good sign. Someone cared enough to make this reproducible. You are probably dealing with a codebase that has some structure, even if the code itself needs work.

If it takes hours of detective work to get running: Bad sign. Missing environment variables, undocumented dependencies, hardcoded paths, database dumps with no migration files. This tells you that the original developer was the only person who could operate this system, and they are gone.

If it does not run at all: You might be looking at a rebuild. But do not make that call yet.

Step 2: Map the Architecture

Before you judge code quality, understand what you are looking at. Map out:

- What framework and language is this? Is it a modern stack (React, Next.js, TypeScript) or something legacy (jQuery, PHP 5, ColdFusion)? The stack itself is not a death sentence, but it tells you about your hiring options and maintenance trajectory.

- What does the database look like? How many tables? Are there foreign keys and constraints, or is it just a bag of loosely related data? Is there an ORM or are SQL queries scattered through the codebase?

- How are users authenticated? Custom auth (risky), an established library, or a managed service like Supabase Auth?

- What third party services are involved? Payment processors, email providers, analytics, storage, CDNs. Each one is a dependency you need to understand.

- How is it deployed? Automated pipelines or manual FTP uploads?

Draw a simple diagram. You do not need fancy tooling, a box for each major component and arrows showing how they talk to each other. This diagram will guide every decision you make going forward.

Step 3: Measure the Technical Debt

Technical debt is not just "bad code." It is specific, measurable things that slow you down and create risk. Here is what to look for:

No tests. If there are zero automated tests, every change is a coin flip. You will spend more time manually verifying things than actually building. This is the single most expensive form of technical debt because it makes everything else slower. Our automated testing strategy guide covers what a proper test suite looks like.

No type safety. A large JavaScript codebase with no TypeScript is a minefield. Every function call is a guess about what arguments it expects and what it returns. Migrating to TypeScript is one of the highest ROI refactoring moves you can make.

Copy paste code. The same logic duplicated in 15 places. Change it in one place, forget the other 14, ship a bug. This is tedious to fix but straightforward.

No error handling. The application works perfectly when everything goes right and crashes spectacularly when anything goes wrong. Missing try/catch blocks, no input validation, unhandled promise rejections.

Hardcoded secrets. API keys, database passwords, and service credentials committed directly in the source code. This is both a security risk and an operational headache.

No documentation. No README, no architecture notes, no comments explaining complex business logic. Every new developer will need to reverse engineer the system from scratch.

Step 4: Assess Business Logic Integrity

This is the part most technical assessments miss. The code might be ugly, but does it do the right thing? Talk to the people who use the software:

- Are there known bugs that everyone just works around?

- Are there features that "kind of work" but produce incorrect results in edge cases?

- Is there business logic that nobody fully understands anymore?

A codebase with clean architecture but broken business logic is worse than an ugly codebase that produces correct results. You can refactor ugly code. Rebuilding lost business knowledge is much harder.

Step 5: Make the Call, Refactor or Rebuild

This is the expensive decision. We have a detailed guide on rebuild vs. refactor, but here is the short version:

Refactor when:

- The core architecture is sound but the code is messy

- The database schema is reasonable

- Business logic is correct, just poorly organized

- The tech stack is still viable and you can hire for it

- The application is in production and generating revenue (you cannot afford downtime)

Rebuild when:

- The tech stack is dead or dying (no community, no security updates)

- The architecture fundamentally cannot support what you need to build next

- There are no tests and the codebase is too tangled to add them incrementally

- The system architecture was never designed for your current scale

- It would take longer to understand and fix the existing code than to rewrite it

The hybrid approach is often the best answer. Keep the database (your data is valuable), keep the business rules you have documented, but rewrite the application layer on a modern stack. This gives you a fresh start without losing your data or business logic.

Step 6: Create a Prioritized Plan

You cannot fix everything at once. Prioritize based on risk and business impact:

Week 1: Secure access (credentials, hosting, DNS), get the app running locally, set up basic monitoring if none exists.

Weeks 2 to 4: Add the most critical missing tests, fix any security vulnerabilities, set up a proper deployment pipeline.

Month 2 onward: Address structural issues, begin refactoring or rebuilding the highest risk components, start paying down technical debt systematically.

The key is to stop the bleeding first, then improve. Do not try to refactor the entire codebase while simultaneously shipping new features. That is how projects collapse.

What This Assessment Should Cost

A professional codebase assessment typically takes 1 to 2 weeks and should produce a written report covering everything above: architecture map, technical debt inventory, risk assessment, and a prioritized roadmap. Some teams, including offshore firms, will do this assessment and then lowball the remediation estimate to win the project. Be skeptical of any assessment that says "everything is fine" or any estimate that seems too good to be true.

If you have inherited a codebase and need an honest assessment, not a sales pitch disguised as a code review, reach out to us. We will tell you what you have, what it will take to fix, and whether it is worth fixing at all.

Ready to Build?

Let us talk about your project

We take on 3-4 projects at a time. Get an honest assessment within 24 hours.

Related articles

Technical Debt: How to Measure It and When to Fix It

A practical guide to technical debt, what it actually is, how to measure its impact, when to fix it vs live with it, and how to communicate it to non technical stakeholders.

The Problem with Move Fast and Break Things

Move fast and break things was never good advice for most companies. Here is why speed without discipline leads to expensive failures, and what to do instead.

The Fastest Way to Kill a Product Is to Redesign Everything at Once

Full product redesigns fail more often than they succeed. Learn why incremental improvements beat big bang rewrites and how to modernize without destroying what works.