novacto / guides / dev agency red flags

9 red flags your dev agency is overbilling you — and how to check each one yourself

Let's start with the good news: most development agencies are not scamming you. The bad news is subtler and more expensive — a long-running agency relationship with no client oversight drifts, the way any unmeasured thing drifts. Senior people rotate to newer clients. Velocity settles at "enough to avoid questions." Quality corners get cut where nobody's looking, which, in your case, is everywhere.

You don't need to read code to catch this. Every flag below comes with a check a non-technical founder can run — most of them this afternoon. What you need is access: make sure you have at least read access to your own GitHub or GitLab repositories. It's your code; you paid for it. If you don't have access, requesting it is step zero (and see flag #9 for what it means if they resist).

1. The velocity fade

The pattern: Output is impressive for the first six to eight weeks — demos every Friday, visible progress, quick replies. Then, once the relationship feels secure (often right after a contract renewal), the pace quietly drops 30–50% while the invoice stays identical.

Your check: Open your repository's activity or "insights" page — GitHub shows this as simple graphs, no code involved. Compare the last four weeks of activity to the first four weeks of the engagement. Some fluctuation is normal; a sustained cliff that coincides with your renewal date is not.

2. The seniority swap

The pattern: You were sold a team of senior engineers — they were certainly in the sales meetings. A couple of months in, the actual work is being done by juniors or offshore staff you've never met, at the same blended rate.

Your check: Look at the "contributors" view of your repository. Are the names doing the work the names you were introduced to? Then ask, in writing: "Who is currently staffed on our account, and at what seniority?" Compare the answer to what the commit history shows. A mismatch is your answer.

3. The "one more sprint" loop

The pattern: A feature is "90% done" for a month. Each update cites a new, plausible-sounding obstacle. In practice, "one more sprint" repeated three times means either the estimate was fiction, the staffing is thinner than claimed, or your project is the one that gets bumped whenever a bigger client calls.

Your check: Keep a dated log of every estimate you're given (an email thread works fine). When an estimate slips, ask for the specific cause in writing. Legitimate causes are specific and verifiable — "the payment provider's API changed, here's their announcement." Illegitimate ones are vibes: "it turned out more complex than expected," three times in a row.

4. Big invoices, tiny footprints

The pattern: The monthly report lists an impressive volume of work, but the actual changes to your product are cosmetic — reworded buttons, minor fixes — while the invoice reflects a full team's month.

Your check: Each month, write down (in your own words) what your product can do now that it couldn't do 30 days ago. If you regularly struggle to fill three lines, and you're paying for hundreds of hours, the ledger doesn't balance. Meaningful engineering produces user-visible capability or clearly explained foundations for it — and a good agency can articulate which one you bought this month.

5. Zero tests on the code that makes you money

The pattern: Features ship on schedule — untested. This is the agency-relationship trap with the longest fuse: everything looks fine at delivery, and the fragility becomes your problem a year later, long after the contract ended. Skipping tests is how an agency ships fast enough to look good while quietly transferring risk to you.

Your check: Ask one question in writing: "What is our test coverage on the payment and login flows, and can you show me it running in our repository?" You don't need to understand the answer technically. You need to watch how they answer. Confident teams love this question. Evasion — "we test manually," "coverage numbers are misleading" — is the tell.

6. The documentation void

The pattern: Nothing is written down: no setup instructions, no architecture overview, no explanation a future engineer could follow. Sometimes it's laziness. Sometimes it's strategy — an undocumented codebase makes leaving the agency terrifyingly expensive, which is precisely the point.

Your check: Ask: "If we hired an in-house engineer tomorrow, what would you hand them so they could run this without you?" The answer should be a real, existing document — ask to see it. "We'd walk them through it on a call" means the knowledge lives only in their heads, and you're renting access to your own product.

7. You don't own your own accounts

The pattern: The GitHub organization, the AWS account, the domain, the app-store listings — registered under the agency's name, not yours. Framed as convenience. Functions as a hostage situation the day the relationship sours.

Your check: List every account your product depends on and check who owns each one — not who has access, who owns. Anything not owned by your company gets transferred this quarter. A professional agency will cooperate without drama; this is standard practice, not an accusation.

8. The cloud bill only goes up

The pattern: Your AWS or Google Cloud bill climbs every month regardless of whether your usage grows. Forgotten test environments, oversized servers, and abandoned experiments accumulate because the agency spends your money with none of the friction of spending their own.

Your check: Pull up the last six months of your cloud bill next to your user growth. Costs growing meaningfully faster than usage deserves one written question: "Please walk me through our three largest cloud line items and why each is sized the way it is." The forgotten-cluster confessions this question produces are something to behold.

9. They resist your oversight

The pattern: You ask for repository access, or mention adding independent monitoring, and the temperature drops. You hear "you wouldn't be able to interpret it," "it's not standard practice," or the classic — "don't you trust us?"

Your check: This one is the check. Asking to see work you're paying for is among the most normal requests in commerce; your accountant expects you to see the books. An agency's response to reasonable oversight is the cheapest, fastest diligence you will ever run. Welcome it, and you've likely got a good partner. Resist it, and they've answered a question you hadn't even asked yet.

The honest disclosure: we sell software that automates these nine checks — NovaCTO watches your repositories and cloud continuously and puts the answers in a plain-English brief every Monday. But every check on this page works without us, today, for free. Run them. If everything comes back clean, congratulations — you have a good agency, and now you know it instead of hoping it.

What to do if you found red flags

Don't fire anyone from this article. One flag is a conversation; three or more is a pattern that deserves a structured response: put your questions in writing, ask for specific evidence rather than reassurance, and set a 30-day window to see measurable change. Written questions with specific answers do something remarkable to vendor relationships — the good ones get better, and the bad ones reveal themselves in their replies.

And whichever way it goes: secure your access first. Your repositories, your cloud account, your domains — in your name, this month. Everything else in this guide is easier when you're checking your own property instead of asking permission to see it.

Automate the checks

These nine checks, run every week, in a five-minute brief.

Connect your repo with read-only access. Your agency's real output history arrives in your first Monday Brief.

✓ You're on the list. First brief coming soon.
First two briefs free · nothing changes for your agency