Legacy Application Assessment Services

The Challenge

Legacy application assessment solves a visibility problem before it becomes an execution problem: organizations that begin modernization programs without a rigorous portfolio inventory migrate the wrong applications in the wrong order, or miss critical security vulnerabilities in systems they didn’t know existed. Based on analysis of 445 engagements, organizations that skip formal assessment before modernization have a 40% higher wave failure rate and spend an average of 35% more on remediation than those with pre-migration assessments.

The CMDB accuracy problem compounds the visibility gap. Central configuration management databases become stale within 12–18 months as teams provision resources outside formal change management processes. Analysis of 445 engagements found that CMDB-only portfolio inventories miss an average of 32% of actual running applications — including “zombie applications” (running but not used) and “shadow IT” (deployed by business units without IT knowledge). These undiscovered applications are disproportionately likely to run EOL software, because they were forgotten before patching routines captured them.

The high success rate (83%) reflects that portfolio assessment is a well-understood, lower-risk engagement compared to migration execution. When it fails, the cause is almost always post-assessment: organizations commission assessments without pre-committed budget for remediation, resulting in a risk register that stays on a shelf.

How to Evaluate Providers

Legacy application assessment providers differentiate on discovery methodology, scoring rigor, and deliverable quality. The key question is: how do they find applications you don’t know about?

Discovery methodology comparison:

Red flags:

• Assessments that rely exclusively on CMDB exports (misses 30% of applications on average)
• No business criticality scoring methodology beyond IT perspective (business owners know which systems drive revenue, not just IT)
• T-shirt sizing effort estimates without methodology documentation (effort estimates with no rationale cannot be challenged or calibrated)
• Deliverables in read-only PDF format (assessment outputs must be editable so teams can maintain them post-engagement)

What to look for: Providers with specific automated scanning tool expertise (CAST Highlight for large portfolios, Veracode for security-focused assessments), case studies from similar portfolio sizes and industries, and deliverables that include unlocked Excel and interactive dashboards.

Implementation Patterns

Successful legacy assessments combine automated scanning with business owner interviews. Automated tools provide coverage and objectivity; interviews provide business context that tools cannot infer from code.

Phased discovery pattern:

1. Automated inventory (week 1–2): Network scanning identifies all running applications. Static code analysis tools (CAST Highlight, SonarQube) produce objective code quality metrics (cyclomatic complexity, technical debt ratio, security vulnerability counts). This phase is non-disruptive — no code changes, no downtime.
2. Business criticality interviews (week 2–3): Application owners scored on business impact (revenue dependency, regulatory criticality, user count), business value (strategic vs commodity), and change frequency (how often does business need updates). IT perspective alone systematically underestimates business criticality for applications used by specific business units.
3. 6 R’s disposition (week 3–4): Apply the 6 R’s framework to each application using combined technical scores (from automated analysis) and business scores (from interviews). The disposition framework: Rehost (move to cloud as-is), Replatform (minor cloud optimizations), Refactor (significant code changes), Repurchase (replace with SaaS), Retire (decommission), Retain (keep on-prem, don’t migrate).
4. Prioritized roadmap (week 4–6): Sequence migration waves by combining: quick wins (high value + low complexity), risk reduction (critical security vulnerabilities), and strategic alignment (applications blocking digital transformation goals).

Zombie application identification: Applications that generate network traffic but have no active business users are candidates for immediate retirement. The typical enterprise portfolio has 20–30% zombie applications — running, licensed, and patched for systems nobody needs. Retiring these before migration reduces total migration scope by 20–30% and produces immediate licensing and hosting savings.

Technical debt quantification: Assessment deliverables should include a $ estimate of technical debt, not just a “high/medium/low” rating. The SQALE method (CAST, SonarQube) estimates technical debt as the engineering hours required to bring code to acceptable quality standards. This enables direct ROI comparison: “fixing this application’s technical debt costs $400K vs replacing it with a SaaS alternative for $80K/year.”

Total Cost of Ownership

Legacy assessment is one of the highest-ROI modernization engagements because it prevents misallocation of much larger migration budgets. Based on 445 engagements, organizations that act on assessment findings avoid an average of $1.2M in migration waste (migrating wrong applications, encountering undiscovered dependencies, redundant remediation).

Cost model by portfolio size:

Hidden costs beyond the engagement fee:

Zombie app retirement savings: The median assessment finds 23% of portfolio applications are retirement candidates. For a 100-application portfolio, retiring 23 applications typically saves $300K–$800K in annual licensing, hosting, and maintenance costs — often recovering the full assessment cost within the first year.

Post-Engagement: What Happens Next

After a legacy assessment, you own an application portfolio inventory, technical debt heatmap, 6 R’s disposition plan, and a sequenced modernization roadmap. The next step is committing budget to act on findings.

Typical post-engagement sequence:

• Week 1–4 post-assessment: Review findings with executive team. Approve budget for modernization program. Assign internal application owners to each application in the disposition plan.
• Month 1–3: Retire zombie applications (immediate cost savings, zero migration risk). Begin Wave 1 (highest-priority, lowest-complexity applications).
• Month 3–12: Execute migration waves following the assessment roadmap. Reassess changed applications if major scope changes occur.
• Month 12–24: Mid-program review. Validate that TCO projections from assessment are tracking actual results. Adjust wave sequencing if business priorities have shifted.

Keeping the assessment current: Portfolio assessments become stale within 18–24 months as applications are deployed, retired, and changed. Plan a lightweight refresh assessment every 18–24 months, or after major events (M&A, major cloud migration, significant new application deployments).

Connecting assessment to execution: The assessment roadmap should directly inform your migration program’s Wave 1 scope. Organizations that let assessment deliverables sit without acting within 6 months typically re-commission assessments before acting — paying twice for the same analysis.