Choosing a software agency is a more expensive decision than choosing the stack. If the stack is wrong, you refactor in six weeks. If the agency is wrong, you lose the project, the code, the upfront payments, and months of calendar time — without having launched anything. The good news is that most red flags are visible from the quote stage, before signing.
This guide is for founders and SMB owners in the selection process. These are the seven concrete signs we see repeating in quotes that reach our hands asking for "a second opinion" or rescue of a half-built project. Most arrive too late. You are going to arrive on time.
💡 TL;DR: If the agency does not give you the code in your own repo, bills only by the hour, promises impossible timelines, has no verifiable references, demands an in-person meeting to quote, forces premium support, or admits the documentation "lives in their heads" — do not sign. Run technical due-diligence before committing.
Why the agency decision is more expensive than the stack decision
A wrong stack decision costs you six weeks of refactor. A wrong agency decision costs you the entire project. The asymmetry is brutal, and few people notice it before signing.
When you hire an agency you delegate: code, production keys, intellectual property, timelines, architectural decisions, technical quality, and user-facing communication while the system is live. If anything fails, it is not "a delay" — it is losing control over something you are already funding. Unlike an in-house dev, an agency that walks away leaves you with a system you cannot maintain and no other vendor wants to touch.
The seven signs that follow predict that disaster. Each is detectable before signing the contract if you look in the right place.
Red flag #1: They do not give you the code in your own repo
How it looks: "don't worry, we'll handle the repo". Or "the code is on our platform, you access it through your client account". Or they don't mention where the code lives.
Why it is dangerous: if the code is not in YOUR GitHub account from day 1, you do not own the product you paid for. You are a tenant. Three typical variants: private repo in the vendor's organization with "read access" while you pay; system on a "proprietary platform" they rent you; or no-code disguised as custom (Bubble, Glide, Webflow).
How to avoid it: explicit clause: "source code, service credentials, and domains are the exclusive property of the Client from day 1, hosted in a GitHub organization controlled by the Client".
Red flag #2: They bill only by the hour, with no deliverables
How it looks: "USD 40/hour, we estimate 200 hours, approximate total USD 8,000". No detailed per-deliverable scope.
Why it is dangerous: pure hourly billing rewards the slow vendor. If an agency charges USD 40/hour and a junior dev takes twice as long as a senior, the client pays twice. The incentive is to maximize reported hours, not to deliver fast.
Serious agencies bill per deliverable: a fixed total for a defined scope. If they run over, they absorb it. You know the total before signing. Legitimate exceptions: ad-hoc consulting, debugging legacy, monthly retainer. If your project does not fit those categories and the agency refuses to quote per deliverable, find another.
Red flag #3: Suspiciously short timelines
How it looks: you request a quote for an app with authentication, payments, dashboard, and notifications — something that takes the market 8–12 weeks — and a vendor tells you "we'll finish in 2 weeks". Do not sign.
Why it is dangerous: two explanations, both bad. Underestimation (the vendor has never built something similar to production scale) or lying to win the contract (they know it takes 8 weeks but promise 2 because once they have your financial commitment, you will tolerate the delays). Both end the same way: you have invested 40% of the budget, you cannot leave, and the vendor knows it.
How to avoid it: ask to see 3 past projects of similar scope with their real start and end dates (not promised, real). If the agency refuses, assume the bad scenario. The pillar pricing guide lists typical timelines by project type.
Red flag #4: Zero verifiable references
How it looks: portfolio with screenshots and no real URLs. Written PDF testimonials with name and company but no phone. Or: "due to confidentiality we cannot share client contacts".
Why it is dangerous: any junior designer can mock screenshots in Figma. Testimonials are drafted by the agency. Real confidentiality exists in specific industries (defense, regulated fintech); 95% of software projects don't have strict NDAs.
How to verify it: names + phone numbers of 3 past clients of similar size. Call directly (not email). Ask: did they hit the original timeline? Were there cost overruns? Who owns the code? Would you hire them again? An agency with a good track record wants you to call its clients — it's their best marketing.
Red flag #5: They want an in-person meeting before quoting
How it looks: you send a clear written brief. They reply "we need to visit you to understand your business". They don't want Zoom — they want your office. Before giving you a number.
Why it is dangerous: this is marketing disguised as consulting. The real goal is to read signals of your ability to pay: office, team, industry, body language when discussing budget, urgency. With that data, they adjust the quote upward. The same project they quote a small startup at USD 8,000 they quote an established company at USD 18,000.
An agency with transparent pricing quotes from a written brief. A 30-minute Zoom call is enough for doubts. The in-person meeting is for kickoff, not for discovery.
Red flag #6: Mandatory premium support from day 1
How it looks: the development quote is reasonable — USD 6,000 for an MVP. But in fine print: "mandatorily includes premium support plan at USD 800/month for 12 months". Adds USD 9,600 you didn't ask for.
Why it is dangerous: real support costs at most USD 150–300/month for a small system. They charge USD 800 because they have you locked in: code on their infra, keys in their name, and if you stop paying, the system "coincidentally" fails. Typical pattern: client cancels support at 6 months; two weeks later "a mysterious technical issue" appears that the agency fixes "as a courtesy" if you re-contract. Support becomes a permanent toll.
How to avoid it: separate in the contract development (one-time, defined scope, code ownership in your favor) from maintenance (optional, monthly, cancelable with 30 days' notice). Ask: "Can I operate the system without contracting monthly support?". If the answer is "technically yes, but X could happen", X is the lock-in lever.
Red flag #7: Documentation = "we have it in our heads"
How it looks: "don't worry, our senior knows everything". Or worse: "documentation is a bottleneck, better we do demos".
Why it is dangerous: if knowledge lives only in one senior's head and that senior quits, your project loses 80% of its operational knowledge. The transition to another agency takes three times longer. A 3 AM incident is only solved by waking the senior.
What to demand at minimum: repo README with instructions to install, run locally, deploy; ADRs (one per important decision — why Postgres? why Vercel? why Payload?); operational runbooks; simple architecture diagram; environment variables documentation. All of it lives in the repo, in markdown, versioned in git.
How to do due-diligence before signing — 5 steps
The seven signs are detectable. But detecting them is not enough — you need an active validation process. These five steps take 3–7 days and save you 3–6 months of a failed project.
Step 1: Verify the agency's public GitHub. Open repos, recent commits, contributions to known open source. If the agency "has no time for open source" but charges you senior rates, there is a disconnect. Total opacity almost always hides poor quality.
Step 2: Talk to 3 past clients of similar size by phone. Call (don't email — the agency may have prepped the client). Ask: did the initial quote match the final cost? Did the promised timeline match real delivery? Who owns the code? How did they respond to a critical bug? Would you hire them again?
Step 3: Read the contract end to end, including the fine print. Verify: IP clause in your favor (complete, irrevocable, from day 1); scope per deliverable; payments tied to deliveries (ideally 25-25-25-25); minimum 30-day warranty; written change-request process; termination conditions. If anything is vague, get it in writing before signing.
Step 4: Validate the technical setup before kickoff. On day 1, validate live: GitHub organization with your account as owner; project repo with the agency as collaborator; domain in your name; Vercel and service accounts with your email. "First we start in our setup and then move it" is wrong — starting wrong is very hard to correct.
Step 5: 48-hour communication test. Send a concrete technical question through their official channel. Measure response time, who answers, technical quality, tone. What you see pre-contract is what you'll see during 12 weeks of project.
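The Step 4 ownership check can be scripted against the JSON that the GitHub REST API returns. The following is an added example, not code from the original article: the organization and account names and the sample responses are constructed, and the rule that the agency collaborator holds no admin rights on the repo is an assumption of this example.

```python
import json

# Constructed samples of GitHub REST API responses, trimmed to the fields used.
# All account and organization names below are hypothetical.
REPO = json.loads("""{"full_name": "client-org/platform",
  "owner": {"login": "client-org", "type": "Organization"}}""")  # GET /repos/{owner}/{repo}
ORG_OWNERS = json.loads('[{"login": "client-founder"}]')  # GET /orgs/{org}/members?role=admin
COLLABORATORS = json.loads("""[
  {"login": "client-founder", "permissions": {"admin": true, "push": true, "pull": true}},
  {"login": "agency-dev", "permissions": {"admin": false, "push": true, "pull": true}}
]""")  # GET /repos/{owner}/{repo}/collaborators


def check_ownership(repo, org_owners, collaborators, client_org, client_logins):
    """Return a list of findings; an empty list means the setup matches Step 4."""
    findings = []
    clients = {login.lower() for login in client_logins}
    owner = repo["owner"]

    # The repo must live in an organization, and that organization must be the client's.
    if owner["type"] != "Organization":
        findings.append(f"repo is in personal account '{owner['login']}'")
    elif owner["login"].lower() != client_org.lower():
        findings.append(f"repo is in organization '{owner['login']}', not '{client_org}'")

    # Organization owners: at least one client account, and nobody else.
    owners = {m["login"].lower() for m in org_owners}
    if not owners & clients:
        findings.append("no client account is an organization owner")
    for login in sorted(owners - clients):
        findings.append(f"non-client account '{login}' is an organization owner")

    # Assumption of this example: the agency collaborates without repo admin rights.
    for c in collaborators:
        if c["permissions"].get("admin") and c["login"].lower() not in clients:
            findings.append(f"non-client account '{c['login']}' has admin on the repo")
    return findings


if __name__ == "__main__":
    result = check_ownership(REPO, ORG_OWNERS, COLLABORATORS,
                             "client-org", ["client-founder"])
    for line in result or ["ownership OK"]:
        print(line)
```

With the GitHub CLI, `gh api` called on the three endpoints named in the comments returns JSON in the shape this function expects.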
💡 Want an approximate range before quoting with several agencies? Use Sirius's interactive quote builder — 4 questions, 30 seconds, USD range to compare against the offers you receive.
Real case: the project we rescued in 2024
Medium-sized company in San José, logistics sector. They hired a local agency recommended by an acquaintance. Initial quote: USD 14,000 for a platform with shipment tracking, operations dashboard, and a driver mobile app. Promised timeline: 10 weeks.
What happened: week 4 — demo with half-built frontend and incomplete backend. Week 12 — visible bugs and the agency asks for another 30% of budget for "QA and deploy". Week 16 — they deliver "the system"; day 2 in production the database collapses because there were no backups or indexes. Week 20 — the client asks for code access and discovers it was in the senior dev's personal account, no README, no tests, hard-coded environment variables. Week 24 — the agency proposes an "orderly transition" for an additional USD 4,000.
When it reached us: USD 22,200 invested, a platform barely working, no real code ownership. Three weeks of audit + stabilization (USD 3,200, closed scope). We migrated the repo to the client's organization, wrote a README, configured backups, added monitoring, documented the 5 critical decisions. After that, the client hired an in-house dev and never again hired an external agency without the 5 validations.
The five signs in retrospect (all detectable in the original quote): code in dev's personal account (#1); they billed by the hour under "task estimates" (#2); 10 weeks for something the market takes 14–18 (#3); references from small projects, not similar size (#4); documentation "in Notion" that turned out to be 2 empty pages (#7).
In summary
| # | Red flag | What to demand |
|---|---|---|
| 1 | They don't give you code in your repo | Repo in YOUR GitHub from day 1 |
| 2 | They bill only by the hour | Per-deliverable model with closed scope |
| 3 | Suspiciously short timelines | 3 past projects with real timelines |
| 4 | Zero verifiable references | Names + phones of 3 past clients |
| 5 | In-person meeting before quoting | Written quote from written brief |
| 6 | Mandatory premium support | Separate development from optional support |
| 7 | Documentation "in our heads" | README, ADRs, runbooks in the repo |
And the five due-diligence steps: verify the public GitHub, talk to 3 past clients, read the contract end to end, validate the technical setup before kickoff, run a 48-hour communication test.
If your current quote violates 2 or more signs, do not sign until you have done the five steps. Cheap today is expensive tomorrow. If you are torn between agency and freelancer, read the agency vs freelancer comparison.
💡 If you already have a quote from another agency and want a technical second opinion, write to us. The review is free and honest — if the quote is good, we tell you. If it has gaps, we tell you which. We do not compete for bad projects.
📞 Direct contact: WhatsApp +506 8433 7752 or admin@siriusx.net. Learn more about us at /nosotros.
