Independent educational resource. Not affiliated with CAST, SonarSource, or any code-analysis vendor. Data sourced from CISQ, Stripe, McKinsey, and DORA reports.
Eight categories of debt with cost ranges, warning signs, and remediation strategies, plus Martin Fowler's deliberate vs inadvertent quadrant for the diagnostic question that comes before measurement.
Before measuring debt, classify it. Martin Fowler's quadrant separates debt by intent (deliberate vs inadvertent) and judgement (reckless vs prudent). The quadrant your debt sits in determines whether the right response is process, coaching, refactoring, or stop everything.
For each category: definition, causes, warning signs, measurement approach, typical cost range, and remediation strategy.
Monoliths under load, tight coupling, outdated patterns, unbounded service growth
Deploy fear, change ripple, integration tests slow
Module dependency graph density, deploy independence ratio
$200K to $2M+ annually for mid-size teams
Strangler fig pattern, bounded context extraction, anti-corruption layers
Time pressure, low review rigour, junior team without coaching, copy paste culture
High complexity scores, duplication, magic numbers, methods over 50 lines
Cyclomatic complexity, duplication ratio, SonarQube code smells
10 to 20% velocity reduction
Linting in CI, complexity ratchet, refactoring sprints, pair programming
Skipped tests under deadlines, flaky test fatigue, no integration test infrastructure
Production regressions, slow CI, fear of merging, low coverage report
Line, branch, mutation coverage, integration test count
$2K to $15K per production incident, increased frequency
Coverage gates, mutation testing, integration test infrastructure, contract tests
Update fatigue, breaking changes, transitive dependency lock, abandoned upstream
Stale lockfile, outdated major versions, vulnerability backlog growing
Mean dependency age, critical vulnerability count, deprecated API count
3 to 8 engineer days per major upgrade, security incident exposure
Renovate or Dependabot, monthly review, replace abandoned dependencies
Docs as afterthought, no doc review, key engineers leaving, no ADR practice
Onboarding over 4 weeks, tribal knowledge, runbook gaps, stale wiki
Onboarding time to first PR, doc currency audit, ADR coverage
2 to 4 weeks slower onboarding per hire, 5 to 10% velocity tax
Docs in repo, ADR practice, doc review in PR, living wiki
Manual deploys, environment drift, no IaC, ad hoc scaling
Deploy hesitation, environment specific bugs, slow recovery, no rollback
Deploy frequency, mean time to recover, environment parity score
5 to 15% additional downtime risk, slower delivery
IaC adoption, blue green deploys, ephemeral environments, golden paths
Unpatched vulnerabilities, weak auth, exposed secrets, missing threat model
Critical CVEs open over 30 days, secrets in code, auth ad hoc
Critical vulnerability count, mean time to patch, secrets scan results
Variable, but a single breach often exceeds total annual debt cost
SAST plus DAST in CI, vault all secrets, threat model per feature, regular pen test
Schema drift, missing migrations, denormalised under pressure, no data contracts
Inconsistent data models, broken reports, migration fear, ETL fragility
Schema drift count, data quality test coverage, contract coverage
Compounds with system count, often invisible until reporting fails
Migration discipline, data contracts, lineage tooling, governance
Not all debt deserves equal urgency. This matrix orders categories by typical risk and remediation cost, so you can pick the right starting point.
| Category | Tail risk | Remediation cost | Priority |
|---|---|---|---|
| Security | Catastrophic | Medium | 1, do first |
| Architectural | High, growing | High | 2, sequence after security |
| Test Coverage | Medium, frequent | Medium | 3, fund continuously |
| Data | High at scale | High | 3, if data complex |
| Dependency | Medium, security adjacent | Low to medium | 4, automate |
| Infrastructure | Medium | Medium | 5, batch with platform work |
| Code Quality | Low individually, compounds | Low per item | 6, Boy Scout rule |
| Documentation | Low, rises with attrition | Low | 7, ongoing hygiene |
No. Deliberate, prudent debt taken to meet a real business deadline can be a sound choice provided three conditions are met: the trade-off is documented, the principal is tracked, and a remediation plan exists. The problem is undocumented, unplanned debt that accumulates without intent. Martin Fowler's quadrant separates the strategic from the negligent.
Architectural debt has the largest blast radius because it affects every change. Security debt has the highest tail risk because a single incident can exceed years of accumulated cost. Test coverage debt is the most expensive on a per-incident basis. The right answer depends on your business: a fintech prioritises security, a fast-moving SaaS prioritises architectural.
Run the eight dimension assessment on this site. The dimensions map directly to seven of these eight categories (data debt is the exception, addressed separately for systems with significant data complexity). The dimension scoring lowest is the type you carry most.
No. Sequential focus beats parallel sprawl. Pick the dimension scoring lowest, dedicate two to four sprints to it, then re-assess. Architectural and security debt are often best addressed first because they have the largest cascading effects on the other categories.