Fixed-Price Symfony Legacy PHP Audit · From $950 · Written Deliverables · No Surprises

Know exactly what it’ll take
to modernize your legacy
Symfony codebase.

A complete risk assessment and costed upgrade roadmap — Rector analysis, PHPStan, CVE audit, Deptrac. In writing. No rewrite evangelism.

Symfony 2.x → 7.x PHP 5.6 → 8.4 CVE & EOL audit Written roadmap

“Every legacy codebase I’ve audited is running on a PHP version that stopped getting security patches years ago. The team knows. Nobody wants to say the number it’ll cost to fix. We will — in writing.”

— Ruben Elizondo · 15+ years on Symfony · Senior PHP Developer

Three documents.
One fixed price.

  • Dependency & CVE Report

    Every Composer package, its exact EOL date, known CVEs, and a risk-rated list of unmaintained libraries. You see exactly what stops receiving security patches and when.

  • Static Analysis Report

    PHPStan findings at level 5, a Rector dry-run showing deprecated API usage and estimated change volume, and Deptrac output flagging architectural boundary violations.

  • Phased Upgrade Roadmap

    A costed, step-by-step plan ordered by risk. What to do first, what to defer safely, and honest time estimates for each phase. Your team can execute it — or we can.

from $950 fixed price · single application
3–10 business days delivery

Three steps. No surprises.

You invest 15 minutes of your time. We do the rest — and deliver everything in writing.

Step 1

Share read-only access

Add us as a read-only collaborator on GitHub or GitLab, or send a zip archive. A short intake form captures your PHP version, Symfony version, and anything you already know is broken or untouchable.

Step 2

We run the analysis

Rector dry-run, PHPStan, composer audit, Deptrac, and manual review of your architecture and dependency chain. Every finding is sourced from tool output you can verify yourself.

Step 3

You receive the report

A structured PDF: risk ratings, costed upgrade phases, tool output appendix. We walk you through it on a recorded call. Your team keeps the report and the recording forever.

Every tool that matters for legacy PHP

We don’t guess. Every finding comes from tool output you can reproduce and verify independently.

Composer Audit
CVE tracking across all dependencies
Rector Dry-Run
Deprecated API usage, automated change detection
PHPStan Level 5
Static analysis across your entire src/
Deptrac
Architectural boundary violations
PHP 5.6 → 8.4
Migration path from any legacy version
Symfony 2.x → 7.x
Component deprecations and config changes
Doctrine ORM
Version compatibility and deprecated usage patterns
PHPUnit & Pest
Test gaps and untested critical paths
EOL Mapping
Per-package end-of-life and support timelines
Security Headers
Public-facing exposure and misconfiguration flags

Single-application audit covers up to ~100K LOC. Extended pricing available for larger or multi-app codebases.

25+ years in PHP. Deep on Symfony.

Small by design. You work with the people who did the analysis, not an account manager.

RE

Ruben Elizondo

Lead Auditor · Senior Symfony Consultant

25 years building PHP applications in production. 15 years on Symfony specifically — from Symfony 1.x through 7.x. Leads all audits: analysis, upgrade roadmap, and every technical conversation.

Symfony PHP 8.4 PHPStan Rector Architecture
ME

Mabell Elizondo

Client Operations

Owns project coordination, scheduling, and client communications in English and Spanish. If you send a question, she routes it. If the timeline changes, she tells you before you have to ask.

Operations Client Communications English Spanish

Two ways to take the next step.

A 15-minute call, or — if you prefer async like most engineers I work with — send six short questions by email and I’ll come back with a fixed quote in writing. No call required.