Why software rots

Software that isn't actively maintained degrades — not because the code changes, but because everything around it does. Dependencies accumulate CVEs. Cloud providers deprecate APIs. Browsers drop support for old behaviour. Framework major versions break existing patterns. A codebase that was solid in 2022 can be fragile and vulnerable by 2025 with zero new features added.

Most agencies build and hand off. The client is left holding a codebase they don't fully understand, with no ongoing relationship. This is where we deliberately differ.

What a maintenance retainer actually covers

Our retainers are structured around four recurring work types:

  • Dependency hygiene: Monthly audit and update of dependencies. Security patches are applied within 48 hours of a critical CVE. We use Dependabot for automation, but a human reviews every major version bump.
  • Performance monitoring: We set baseline p95 latencies at project launch and monitor for regressions. When a metric drifts, we investigate before the client notices.
  • Bug fix allocation: A fixed number of hours per month for small bugs and UX issues that accumulate after launch. This keeps the backlog from compounding.
  • Architecture review: Quarterly review of the system design against current load and business requirements. Software that was sized for 500 users needs different thinking at 50,000.

The honest economics

A maintenance retainer is cheaper than emergency firefighting. We've been called in on codebases where deferred maintenance led to a complete rewrite — a 6-month project that a proper retainer would have prevented entirely. The maths is not subtle.

For our clients, the retainer also means an on-call engineering team that already knows the codebase. Onboarding a new agency to a legacy system takes weeks. The team that built it can ship a critical fix in hours.

What we won't do

We don't sell retainers as a way to keep billing after a project is "done." If a system is genuinely stable and doesn't need active maintenance, we tell the client. Some systems reach a steady state where a light-touch yearly review is all that's needed. That's a success, not a problem.