Most Oracle Java audits do not begin with a formal audit notice. They begin with a friendly email. It asks you to confirm your Java usage, to verify your environment, or to help Oracle update its records. It reads like routine housekeeping. It is not. The soft audit email is the opening move of a process designed to arrive at a number, and your reply sets the frame. This article shows you how to recognise it and how to respond.
It belongs to the broader playbook in the Java Audit Survival Guide.
How to recognise a soft audit
The soft audit email shares a few telltale features. It asks you to confirm or quantify your Java usage. It may reference a script, a questionnaire, or a portal. It often comes with a cooperative tone and a soft deadline. And it usually avoids the word "audit" entirely, preferring "review", "verification", or "alignment". The absence of formal audit language is not reassurance. It is the point. An informal frame invites an informal reply, and an informal reply is where buyers give away figures they cannot retract.
What it is really asking
Underneath the polite wording, the email is asking for the two inputs that drive the claim: your employee count and your deployment footprint. Recall that the per-employee metric counts every full-time and part-time employee, every contractor, and every temporary worker, regardless of who uses Java. Any number you confirm becomes an anchor. Any deployment detail you volunteer narrows your room to argue later. The email is gathering the evidence base for a claim that has not been named yet.
The reply that protects you
Your reply should do three things and no more. Acknowledge receipt politely. Route all further contact through a single named owner. And ask Oracle to put any request in the context of your existing agreement, in writing. You are not refusing to engage. You are converting an informal fishing exercise into a formal, documented process where your obligations are defined and limited. What you do not do is confirm a headcount, describe your environment, or commit to running anything.
| The email asks | Do not | Instead |
|---|---|---|
| Confirm employee count | Send a number | Defer to a documented process |
| Describe Java deployment | List environments | Say nothing on detail yet |
| Run a script | Run and return output | Hold for review |
| Reply quickly | Answer the same day | Acknowledge, then pause |
Why speed is the trap
The soft tone is engineered to produce a fast, helpful answer from someone who is not thinking about leverage. The person who receives it is often in IT and wants to be cooperative. That instinct is exactly what the email relies on. Slowing down is not rude and it is not obstruction. It is the difference between replying from your own evidence and replying from Oracle’s framing. For the wider opening window, read the first 48 hours of a Java audit.
Do not run the script
If the email points to a discovery or audit script, do not run it on the strength of an email. The output is raw data Oracle interprets in its own favour and that you cannot easily contextualise after the fact. There is almost never a contractual obligation to run an Oracle-supplied script simply because an email asked you to. Hold it, take advice, and understand your own position first.
Indicative worked example. A healthcare provider received a soft email asking it to confirm its Java footprint and run an attached script. Instead of replying with numbers, it acknowledged receipt, named a single procurement contact, and asked for any request to be framed against its agreement in writing. The exchange slowed, the provider mapped its own estate, and when a formal claim eventually came it was met with evidence rather than an off-the-cuff figure. Figures are indicative.
From email to evidence
The right response to a soft audit email turns an informal request into a controlled process and buys you the time to build your own facts. From there the sequence is the familiar one. Scope the request, bound the counted population, and negotiate the residual against a credible alternative. For what Oracle will ask for next and what to withhold, read the data Oracle requests in a Java audit and what to withhold.
The language that does the damage
Soft audit emails are carefully worded, and the wording is designed to lower your guard. Phrases like "a quick check", "helping us keep our records accurate", or "a routine review" invite a casual reply. References to a short questionnaire or a simple script make compliance feel trivial. A soft deadline creates gentle urgency without alarm. None of this is accidental. The friendlier the framing, the more important it is to respond formally, because the gap between the casual tone and the commercial consequence is exactly where buyers get caught.
Draft your reply once, in advance
The strongest position is to have your holding reply written before any email arrives. It should acknowledge receipt, name a single owner for all Oracle contact, and request that any ask be framed against your agreement in writing. Because it is pre-drafted, you are not composing under pressure and you are not tempted to add a helpful detail. When a soft audit email lands, you send the prepared response, and the informal approach becomes a documented process on your terms rather than Oracle’s.
Who in your organisation receives it
These emails often land with an IT manager, a system administrator, or whoever last spoke to an Oracle representative, rather than with procurement or legal. That is deliberate, because the recipient is chosen for helpfulness, not for negotiating instinct. Make sure everyone who might receive such an email knows to forward it to the named owner unanswered. A single forwarded email costs nothing. A single answered one can anchor a claim across your entire workforce and three years of history.
What a documented process gives you
Converting the soft email into a formal, written process is not obstruction; it is protection. A documented process defines what Oracle may ask, sets a scope and a timeframe, and creates a record of exactly what was provided and when. It slows the cadence to one you can manage and removes the advantage of surprise. Within that structure you can cooperate fully with what your contract requires while declining the requests that go beyond it. For the requests that come next and where to draw the line, read the data Oracle requests in a Java audit and what to withhold.
The cost of getting the email wrong
It is worth being concrete about the stakes. A headcount confirmed in a soft audit reply becomes the anchor for a claim of employee count times list rate times discount, applied across the three-year lookback. At list rates from 5.25 to 15.00 dollars per employee per month, a casually confirmed population of several thousand can translate into a very large annual figure and a punitive view of the past. The email looks small. The consequence of answering it carelessly is not. Treat the first reply as the most important message you will send in the whole engagement, because in many ways it is.
Acknowledge without committing
There is a real difference between acknowledging an email and engaging with its contents. A safe acknowledgement confirms that the message was received and that it will be handled through your single named owner. It commits to nothing about your usage, your headcount, or your environment. Buyers get into trouble when they feel that politeness requires a substantive answer in the same breath. It does not. A courteous acknowledgement that defers all substance to a documented process is both professional and protective, and it buys the time you need to prepare.
Keep the exchange in writing
Push the conversation into writing and keep it there. A phone call leaves no record, invites off-the-cuff answers, and lets Oracle steer the agenda in the moment. Written exchanges give you time to consider each reply, create a clear record of what was asked and answered, and discourage the casual disclosures that calls produce. If Oracle proposes a call, you can accept in principle while asking for an agenda in writing first, which both slows the pace and keeps you in control of what is discussed.
Connect the reply to your wider strategy
The response to a soft email is the first move in a longer game, so make it consistent with the strategy that follows. The same posture that protects you here (one owner, written process, nothing volunteered) carries through scoping, the data request, and the settlement. Treating the email as an isolated nuisance to be cleared invites an inconsistent reply. Treating it as the opening of the defense keeps every later stage aligned, and alignment across stages is what produces a small, defensible final number.
The follow-up is part of the test
After your measured first reply, expect a follow-up that gently presses for the substance you did not provide. This is part of the same process, and the same discipline applies. Continue to route everything through the single owner, continue to ask for requests to be framed against your agreement in writing, and continue to withhold figures until you have verified them and understood your obligation. Buyers sometimes hold firm on the first email and then relent on the second or third when the pressure feels persistent. Consistency across the whole exchange is what protects you, not a single strong opening.
Turn the moment into preparation
A soft audit email is also a useful prompt. It tells you that Oracle has its attention on your Java position, which is reason enough to map your own estate now. Use the time your measured reply buys to establish where Oracle Java SE genuinely runs, to build a verified in-scope population, and to identify the workloads that could move to a free OpenJDK distribution. By the time any formal claim arrives, you want to be answering from evidence you assembled on your own schedule rather than scrambling to reconstruct it under Oracle’s deadline.
One reply, a whole posture
In the end, the soft audit email is a small test of a large discipline. The reply itself is brief, but it signals whether your organisation will engage formally and on its own terms or informally and on Oracle’s. Choose the formal path, route everything through one owner, keep the exchange in writing, withhold figures until they are verified and obliged, and use the time you gain to map your real position. Get that one reply right and the whole engagement starts from strength, with your evidence intact and the initiative in your hands rather than Oracle’s.
Next step. Download the Oracle Java Audit Survival Guide for response templates, including holding language for the soft audit email. We also work on a Fixed Fee from $18,000 or a Gainshare share of verified savings or avoided exposure, with zero retainer and no risk to you.