The Rescue Playbook: What to Do When Your Outsourced Agency Delivers a Broken Web App

You Are Not Alone

A founder calls us. They spent £60,000—sometimes £200,000—with a web development agency over six to twelve months. They now have a product that looks acceptable in a demo but crashes under real usage, has no documentation, no tests, and the agency is unresponsive or asking for more money to fix problems they introduced. The codebase has been "handed over," but no competent developer they have shown it to wants to work on it.

We receive enquiries matching this pattern every single week. It is not a niche problem. It is a structural feature of how the low-to-mid-cost agency market operates.

Why Low-Cost Agencies Consistently Fail

The economics of a low-cost development agency create misaligned incentives at every level. Project managers are measured on delivery date, not quality. Developers are paid per feature shipped. The agency's revenue model depends on signing new contracts, not maintaining long-term relationships. Quality assurance is the first cost cut when a project runs over budget—and most projects run over budget.

The result is code that functions well enough to pass a client review, but has not been stress-tested, security-audited, or written with any consideration of how it will be maintained. The agency's job ends when you accept the delivery. Your problems are just beginning.

The Technical Assessment Checklist

Before deciding what to do with an inherited codebase, you need an honest assessment across six dimensions:

• Security: SQL injection vulnerabilities, unescaped output, exposed credentials in the repository, missing authentication middleware
• Test coverage: Are there tests? Do they pass? Do they test meaningful behaviour?
• Architecture: Is the application structured consistently? Are there N+1 query problems, missing indexes, or synchronous processes that should be asynchronous?
• Documentation: Is there a README that accurately describes how to run the application?
• Dependencies: Are packages up to date? Are there known vulnerabilities?
• Infrastructure: Is the server configuration documented? Are monitoring and alerting systems in place?

What to Salvage vs. What to Rebuild

Most failed agency deliveries contain two valuable assets: the database schema (which represents months of thinking about your data model) and the business logic embedded in the code (months of domain knowledge, even if poorly expressed). The infrastructure, test suite, and often the frontend are candidates for replacement.

The practical approach: stabilise first—fix security vulnerabilities and critical bugs—then build a proper test suite around existing behaviour before refactoring. This preserves business continuity while systematically improving quality.

Protect Yourself in Future

The single most reliable protection is insisting on code ownership and quality visibility from week one. Require repository access from day one. Request weekly test coverage reports. Insist on automated deployment pipelines. Have an independent technical advisor review the codebase at the midpoint of any significant project—before the agency has a final payment incentive to dismiss concerns.

If you are currently in this situation, the most valuable thing you can do is get an honest assessment before committing to a direction. Get an honest technical assessment from engineers who will tell you what you actually have.