You cannot read their codebase. You cannot shadow their team for a week. But you can run a structured 45-minute discovery call that surfaces the signals separating a reliable long-term technology partner from a vendor focused only on immediate project delivery. The framework below gives you a repeatable method for exactly that, built around the questions offshore vendors rarely prepare honest answers for.
TL;DR
A discovery call is your primary due-diligence instrument when code audits are not practical. Structure it or it becomes a sales pitch.
Evaluate vendors across six dimensions: process transparency, security posture, team stability, AI readiness, SLA commitments, and billing clarity.
Red flags are often revealed not by what vendors say, but by how precisely they answer. Vague answers to specific questions are data points.
Weight each dimension based on your own risk profile (regulated industry, startup pace, enterprise scale).
The goal is not to "win" the call. It is to determine whether this vendor can function as a partner 18 months from now.
About the Author: 724SOFTWARE is a Vietnam-based technology company with delivery experience across 10+ countries and a 95% client retention rate, providing dedicated engineering teams and long-term technology partnerships to clients in Fintech, Digital Healthcare, Edtech, and Enterprise ERP.
Why Is a Discovery Call the Most Underused Due-Diligence Tool?
Most buyers treat the discovery call as a pre-sales formality. In reality, it is the only structured window you have into how a vendor thinks, organises itself, and handles pressure before money changes hands. Code audits are rare, reference calls are rehearsed, and case studies are curated. A well-run 45-minute discovery call, using a consistent scorecard, gives you comparable signal to a much longer evaluation process.
The core insight: you are evaluating how a vendor will behave under pressure and in partnership over time, not just what they have built in the past.
What Six Dimensions Should the Scorecard Cover?
A practical scorecard maps to six dimensions, each scored 1 to 5. Here is the full framework:
Dimension | What You Are Testing | Weight (Regulated Industry) | Weight (Startup / Scale-Up)
|
|---|---|---|---|
Process Transparency | Do they know their own delivery workflow in detail? | High | Medium |
Security and Compliance | Can they name specific certifications? | High | Medium |
Team Stability | What is their actual attrition rate? | High | High |
AI Readiness | Are AI tools integrated into delivery, or just marketed? | Medium | High |
SLA and Response Commitments | Can they give you a specific number? | High | High |
Billing and Visibility | How are actual hours tracked and reported? | High | Medium |
Adjust weights before the call, not after. If you are building a Fintech product, security and compliance should carry more weight than AI readiness. If you need to expand an engineering team within 2-4 weeks, team stability and SLA commitments are likely your top concerns.
How Do You Score Process Transparency?
Process transparency is the first filter, and it reveals more than most buyers expect. Ask the vendor to walk you through a specific recent delivery. Not a case study slide. A week-by-week account of how they handled a requirement change or a production incident.
Strong answers include: named tools (Jira, Confluence, GitHub Actions), specific sprint cadences, escalation paths with role names, and at least one example of something that went wrong and what the post-mortem looked like.
Weak answers sound like: "We follow defined Agile processes," "We have a dedicated PM," or "We adapt to the client's process." These are not wrong, but they are not answers. Vendors who cannot describe their own process in operational detail are unlikely to hold to one under delivery pressure.
What Security and Compliance Questions Actually Matter?
Stepping back from delivery process, a separate concern for many buyers, especially in Fintech and Healthcare, is whether the vendor meets minimum security standards their own clients require.
Do not ask "Are you secure?" Ask instead:
"Which specific certifications do you hold, and when were they last audited?"
"How do you handle data residency for clients in Singapore or Australia?"
"What does your incident response process look like for a security event?"
A vendor worth evaluating can name the standard (ISO 27001:2022, SOC 2 Type II, GDPR compliance) without hesitation. A vendor who responds with "We take security very seriously" has told you they do not have the certification.
For reference, 724SOFTWARE holds ISO 9001, ISO 27001:2022, SOC 2 Type II, and GDPR compliance, and team members can describe what each standard requires in operational terms.
How Do You Assess Team Stability Without Access to HR Data?
A related but distinct question is whether the team assigned to you will still be there in 12 months. This is the offshore engagement failure mode that case studies never show.
Ask directly:
"What is your average engineer tenure?"
"If my lead engineer leaves, what is the replacement process and timeline?"
"How many engineers on your current teams have been in place for over two years?"
Strong vendors give you numbers. They also explain their retention mechanisms: career ladders, competitive compensation benchmarked locally, and management practices that reduce attrition. 724SOFTWARE, for example, maintains a 95% client retention rate, which is partly a function of keeping the same team members stable across long engagements.
When a vendor cannot tell you their attrition rate, that is useful data. Healthy vendor: low single-digit annual attrition, named replacement process, pre-vetted bench. Concerning vendor: changes the subject to team size or headcount growth.
How Do You Evaluate AI Readiness Without Being Misled by Marketing?
Building on team stability, the harder question for many buyers in 2026 is whether a vendor's AI capability is real or demonstrable in actual workflows. Generative AI claims have become standard in vendor decks, which makes them nearly useless as differentiators unless you dig into specifics.
Ask:
"Which AI tools are currently integrated into your SDLC, not just available to engineers?"
"Can you give one concrete example of where AI measurably reduced delivery time on a recent project?"
"Are you a named partner with any AI platform providers?"
The right answer includes specific tool names (Claude, Gemini, Cursor, NotebookLM), a concrete workflow example (automated test generation, requirement summarisation, code review), and a measured outcome. 724SOFTWARE, as an official partner with Claude (Anthropic) and Cursor, integrates these tools into active delivery workflows to accelerate the software lifecycle by approximately 30%. That figure should be traceable to a specific use case, not a general promise.
What SLA and Billing Questions Should You Close With?
Save SLA and billing for the final 10 minutes. By this point you have tested technical depth. Now test accountability.
"What is your guaranteed incident response time, and is it in the contract?"
"How are working hours tracked and reported to clients?"
"What happens if a sprint goal is missed?"
Numbers matter here. "Rapid response" is not an SLA. "<10 minutes for P1 incidents, 24/7, backed by a follow-the-sun model" is an SLA. Similarly, "transparent billing" is not a billing model. "Clients access a real-time dashboard of actual working hours logged per engineer" is a billing model.
Frequently Asked Questions
How long should a vendor discovery call actually be?
45 minutes is sufficient if you use a prepared scorecard. Beyond that, the conversation tends to drift toward features rather than accountability.
Should I run this scorecard with every vendor or just finalists?
Use a shorter version (three dimensions) as a first-round filter, then run the full scorecard with the top two or three candidates.
What if the vendor refuses to answer specific questions about attrition or certifications?
That refusal is your answer. Legitimate vendors have this data and share it readily.
How do I compare scores across vendors with different strengths?
Weight the dimensions before the calls, not after. Post-hoc weighting is how confirmation bias enters vendor selection.
Is the discovery call enough on its own?
No. Pair it with a reference call to a current client (not a testimonial, an actual conversation) and a review of the vendor's standard contract terms.
What is the single most revealing question on this scorecard?
"Tell me about a delivery that did not go as planned and what you did." Vendors with real delivery experience have this story ready. Vendors who do not should make you cautious.
How do I evaluate a vendor who is strong on process but weak on security?
Treat the weaker dimension as a dealbreaker if your product operates in a regulated industry. Compensate with contractual obligations and audit rights if you proceed.
About 724SOFTWARE
724SOFTWARE is a Vietnam-based technology company providing engineering services, custom software development, and managed IT solutions to clients across Singapore, Australia, the US, the UK, and the broader APAC region. With 200+ professionals (58% senior-level), delivery across 10+ countries, and a 95% client retention rate, 724SOFTWARE operates as a long-term technology partner rather than a project vendor. The company holds ISO 9001, ISO 27001:2022, SOC 2 Type II, and GDPR certifications, and is an official partner with Claude (Anthropic) and Cursor, applying generative AI practically across the software delivery lifecycle.
If you are preparing for a discovery call with a Vietnam software team or comparing offshore IT companies in Vietnam, use this scorecard as your baseline. If you want to see how a vendor performs under it, start the conversation with 724SOFTWARE at https://724software.com.vn/.
