Legacy System
Risk Scorecard

Is your core application a monolith with no module boundaries (everything in one deployable unit)?

Does changing one feature regularly break unrelated functionality?

Is the average function/method in your codebase longer than 50 lines?

Would your system fail to handle 3× your current traffic without significant rearchitecting?

Does your application have known CVEs in its dependencies that have been unpatched for >90 days?

Are any credentials (API keys, DB passwords, secrets) committed to your git repository — even in history?

Does your application display stack traces or debug information in production error responses?

Is your application missing any of these security headers: CSP, HSTS, X-Frame-Options?

Is your application running on a language/runtime version that has reached end-of-life? (PHP <8.1, Node <18, Python <3.9, etc.)

Do you have third-party libraries that were manually downloaded (not managed by a package manager like Composer, npm, pip)?

Is your production infrastructure a single server with no redundancy or auto-scaling?

Has it been more than 6 months since you ran npm audit, composer audit, or equivalent on your dependency chain?

Is there a critical part of your system that only one person understands?

Does onboarding a new developer to productivity take more than 2 weeks?

Is your system's architecture undocumented — no architecture decision records, no deployment runbook, no API documentation?

Has the original developer/architect of the system left the company?

Does deploying to production require a maintenance window or planned downtime?

Do you lack automated tests that run on every commit/push?

When production breaks at 3 AM, does it take more than 30 minutes before anyone is notified?

Has it been more than 3 months since you tested restoring from a backup?