
How Codekeeper Made Software Verification More Affordable

Software verification used to be expensive and inaccessible. Now, Codekeeper makes it affordable for every organization to prove software resilience and meet cyber resilience requirements without enterprise-level budgets.
By Janca van Heerden

For years, software verification was a luxury, something only enterprises with massive compliance budgets could justify. A single verification could cost $10,000 or more. And if you needed it done regularly (annually or quarterly), you were looking at $25,000 to $100,000+ per year.

That pricing wasn't arbitrary. Verification is genuinely complex work. But when regulations like DORA, NIS2, and the Cyber Resilience Act (CRA) started requiring proof that escrowed software was functional and complete, we knew something had to change. Small and mid-sized organizations needed verification just as much as enterprises, but they couldn't afford it.

So we rebuilt it.

» Understand what software verification is — and why it matters

Why software verification costs $10,000+ per project

Traditional software verification is expensive because it's labor-intensive and built on an outdated model.

Every verification requires dedicated engineering hours. Senior developers need to manually review code repositories, set up isolated build environments that match production, attempt full builds, test deployment procedures, and document everything for compliance.

A typical verification project involves 40 to 80+ hours of work. Legacy systems require specialized expertise, undocumented build procedures need reverse engineering, and integration with various escrow providers adds friction, all driving those hours even higher.

Also, the traditional model treats each verification as a separate consulting engagement. Firms charge $9,000 to $10,000 per verification plus expenses, with project rates running $150 to $300 per hour.

As a result, most companies couldn't afford it and only verified their software when forced by specific contracts. There was a massive verification gap: organizations had code in escrow but couldn't prove it met regulatory requirements.

How Codekeeper made verification affordable

We started by analyzing every regulation as it came into effect.

When DORA, NIS2, and the Cyber Resilience Act were announced, our team spent months studying what they required, what regulators wanted to see, and what organizations would need to prove.

We had many brainstorming sessions, and the question kept coming back to the same thing: how do we make verification accessible to everyone who needs it? Our biggest goal is protecting our users' software so they can protect their cyber resilience. That's how we build a more secure world.

The breakthrough came when we decided to build everything around the application itself. That's what's being protected. That's what needs to work.

We looked at what gets stored in each type of escrow (on-premises software versus SaaS applications) and structured our verification processes to align with those stored components. So we broke up verification into specialized processes. Now, each tier verifies what actually matters for that type of escrow and that level of assurance.

And yes, we automated parts of it. But only the parts that should be automated. The work that requires human judgment and expertise — building code, testing deployments, confirming everything runs as expected — that still needs engineers.

We wanted to offer Certified Verification to our users so they can prove their software resilience. It's really as simple as that.

Here's what we did:

Strategy 1: Automated verification for routine checks

We started by looking at what required human expertise versus what could be automated reliably.

Turns out, a lot of verification work is routine checking: confirming files are present, tracking changes, analyzing content structure. That doesn't need a senior engineer. So we automated it.

Our Validated tier handles this automatically. It checks what's in escrow and generates certificates without any manual work. Our Verified tier takes it further with continuous monitoring and analysis, watching for changes, tracking updates, and reporting on what's happening.

Then, the Certified tier is where our engineers come in. They perform full build testing and expert review, the work that genuinely requires human judgment and experience.

Strategy 2: Platform integrations that eliminate manual work

Traditional verification involves a lot of back-and-forth. Uploading files, coordinating access, setting up environments. Every handoff adds time and cost.

We built direct integrations with GitHub, Bitbucket, Azure DevOps, and other platforms that developers already use. Code flows into escrow automatically. Updates happen without anyone having to remember or manually trigger them.

Setup that used to take weeks of coordination now takes hours. This wasn't just about making things easier, though it did that too. Every manual step we eliminated was a cost we could remove from the process.

Strategy 3: Subscription pricing vs. one-time project fees

The one-time project model never made sense for verification (or at least for us). Organizations need ongoing assurance, not a single snapshot in time. But paying thousands of dollars every time you wanted verification meant most companies only did it when absolutely forced to.

We flipped the model. Instead of one-time projects, we built verification as a continuous service with monthly subscriptions. You get ongoing monitoring and regular reporting. Updates and changes get verified automatically. And costs spread out over time instead of hitting all at once.

Our Certified tier costs $249/month ($2,988 annually). That's a 70%+ reduction compared to a single traditional verification, and you get continuous monitoring instead of a one-time check.

Strategy 4: Three verification tiers for different compliance needs

We recognized that not everyone needs the same level of verification.

  • Some organizations just need confirmation that their assets are present — that's Validated (free).
  • Others need ongoing monitoring and automated analysis — that's Verified ($29/month).
  • Only those with strict regulatory requirements need full expert review and build testing — that's Certified ($249/month).

By offering tiers, you can choose what you need instead of paying for verification that's more comprehensive than your situation requires.

Note: We didn't cut corners to cut costs. We built better tools and workflows to make verification more efficient, but the process itself hasn't changed.

Our Certified tier uses real engineers who build and test your code. They compile your software, run it, and document what they find. When our engineers review code, they apply the same standards any qualified verification team would. 

Every tier also includes Software Resilience Certificates. These document what verification happened and what it covered. You can present them to auditors and regulators as proof of your software resilience.

Software verification pricing: Before and after

Let's compare what verification costs now versus what it used to cost:

                     | Codekeeper verification       | Traditional verification
Basic validation     | Free                          | $5,000-15,000/report
Ongoing monitoring   | From $348/year ($29/month)    | $25,000+/year
Expert certification | From $2,988/year ($249/month) | $15,000-50,000/certificate

Why affordable verification matters now

The timing couldn't be more critical. DORA has been in full effect since 17 January 2025. NIS2 Member States were required to adopt compliance measures by 17 October 2024. The Cyber Resilience Act entered into force on 10 December 2024, with requirements becoming mandatory starting 11 September 2026.

These are real regulations with real enforcement and penalties. Organizations need to prove their software is resilient and recoverable.

And verification provides that proof.

Before, only enterprises could afford to comply. Now, any organization can prove their software works — without an enterprise budget.

» Discover how to demonstrate real software resilience to auditors and stakeholders

It's time to certify your software resilience

If you've been putting off verification because of cost, that barrier is gone.

If you're dealing with cyber resilience requirements, verification is now accessible.

If stakeholders are asking for proof that your escrowed software is recoverable, you can provide it.

The verification you need exists at a price you can actually work with. That's what we built, and that's what's available now.

» Ready to add verification? See our verification options or contact us to discuss your specific needs.
