The first 48 hours of an Oracle Java audit matter more than any stage that follows. Not because anything is decided in two days, but because the habits you set in those two days govern the entire engagement. Respond fast and loose, and you spend months unwinding it. Respond slow and deliberate, and you keep control. This article is the buyer side checklist for that opening window.
It sits inside the wider defense set out in the Java Audit Survival Guide.
Hour zero, do not reply in the moment
The single most valuable move is the one that feels least productive. Do not send a substantive reply on the day the contact arrives. Acknowledge receipt if you must, but do not confirm numbers, do not agree to a call date, and do not run anything. Oracle’s opening contact is calibrated to produce a quick, helpful response. A measured pause is your first and cheapest defense. For the email itself, read how to respond to an Oracle Java soft audit email.
Name one owner
Within the first day, designate a single person through whom all Oracle communication flows, usually in procurement or legal. Tell the wider organisation that nobody else replies to Oracle about Java. Audits gain ground when a well meaning engineer answers a technical question directly or an account contact confirms a figure on a call. One channel, one owner, one voice.
Freeze the script
If the contact asks you to run a discovery or audit script and return the output, do not run it inside the first 48 hours, or at all without advice. A script gives Oracle raw data it will interpret in its own favour and that you cannot easily walk back. Running Oracle’s script blindly is one of the most common ways buyers hand over a high number before they have understood their own position.
Start your own evidence trail
While you slow Oracle down, begin gathering your own facts internally. Where does Oracle Java SE genuinely run? Where has a free OpenJDK distribution already replaced it? What is the real, defensible employee number, separated from contractors who may be double counted with payroll? You are building the evidence base before Oracle builds its version. For what to assemble, read scoping an Oracle Java audit down to what matters.
| First 48 hours | Do | Do not |
|---|---|---|
| Reply | Acknowledge receipt only | Confirm numbers or usage |
| Channel | Name one owner | Let others talk to Oracle |
| Script | Hold it for review | Run it and return output |
| Evidence | Start your own internal map | Rely on Oracle’s reconstruction |
Understand the three year lookback early
Know from the start that a 2026 audit reaches back three years. That changes what evidence you preserve. Do not delete or alter records of past Java deployment, because your history is your defense, and you may need to show when Oracle Java SE was removed or replaced. Preserve, organise, and control your own history rather than leaving Oracle to assume the worst across the window.
Set expectations internally
Tell leadership early that an audit is a commercial process that will take time and that the opening number, when it comes, will be high by design. Setting that expectation prevents a panicked decision to settle quickly to make the problem disappear. A fast settlement is exactly what the high anchor is built to produce, and it is almost always the most expensive outcome.
Indicative worked example. A retailer that paused for two days, named a procurement owner, and declined to run the supplied script entered the rest of its audit with its evidence intact. By the time the claim arrived, it had its own defensible headcount and a record of OpenJDK use that removed a large share of the assumed exposure. The disciplined opening, not a clever later move, set up the result. Figures are indicative.
The window closes fast
Two days is enough to set every habit that matters. Pause, name the owner, freeze the script, and start your evidence. Do those four things and you enter the audit on your terms. Skip them and you spend the rest of the process recovering ground you gave away in the first afternoon. For the stages that follow, read what happens when an Oracle Java audit lands.
Why two days decides the rest
It can seem dramatic to claim that two days shape a process that may run for months, but the logic is simple. The first response sets Oracle’s expectation of how this engagement will go. A fast, detailed, helpful reply signals a buyer who will keep providing on request. A measured, documented, single channel reply signals a buyer who will engage formally and on their own terms. Oracle calibrates its approach to the signal you send, and you only send the first one once. Everything after is easier if the opening was disciplined and harder if it was loose.
Build the holding response
A good holding response is short and contains no substance. It confirms receipt, names the single owner for all further contact, and asks Oracle to frame any request against your existing agreement in writing. It does not confirm a headcount, describe your environment, agree to a call agenda, or commit to running anything. The aim is to convert an informal approach into a formal, documented process without giving away a single figure. Drafting this language in advance, before any contact arrives, means you are never improvising under time pressure.
Protect the people who will be contacted
Oracle often reaches technical staff directly, because an engineer who uses Java is more likely to answer a usage question helpfully than a procurement lead who is thinking about leverage. In the first 48 hours, tell the teams most likely to be contacted that all Oracle communication about Java now routes through the named owner, and that they should forward rather than answer. This is not about secrecy. It is about ensuring that a casual, well meaning reply does not become a finding that costs the organisation dearly.
Map your real position quickly
Use the time you have bought to start a rapid internal map. Identify where Oracle Java SE genuinely runs versus where a free OpenJDK distribution is already in place. Pull a defensible view of headcount that separates the contracting entity from the wider group and removes contractors double counted with payroll. You will refine all of this later, but even a rough first map tells you whether the eventual claim is likely to be large or small, and it stops you from negotiating blind. For how to narrow what Oracle is entitled to examine, read scoping an Oracle Java audit down to what matters.
Decide who else needs to know
Within the first two days, brief the small set of people who genuinely need to be involved, typically procurement, legal, and a senior IT sponsor. Keep the circle tight and aligned on the holding posture. Tell leadership early that the eventual opening number will be high by design and that a fast settlement is the most expensive path. Setting that expectation now prevents a panicked decision later, when the large claim lands and the instinct to make it disappear is strongest.
Preserve, do not delete
An instinct some teams have when an audit appears is to tidy up, to remove old installations or clear records. In a three year lookback that instinct is dangerous. Your historic records are your defense, because they show when Oracle Java SE was removed, when a free OpenJDK distribution took over, and how the estate actually changed. Deleting or altering them leaves gaps that Oracle fills with unfavourable assumptions. The rule for the first 48 hours is preserve and organise, never delete. Lock down change, capture the current state, and keep the history intact.
Resist the helpful reflex
The hardest part of the opening window is emotional, not technical. The natural reflex is to be helpful, to resolve the discomfort quickly, to send the numbers and move on. That reflex is exactly what the soft opening is designed to trigger. Naming the reflex out loud to your team helps. Remind everyone that cooperation in an audit means precise, documented, bounded responses, not fast and generous ones, and that slowing the process is a legitimate and powerful choice rather than a failure to engage.
Set the cadence you can sustain
In the first two days you also set the rhythm of the engagement. Agree internally how often you will respond, who signs off each response, and what review every figure passes through before it leaves. A steady, deliberate cadence that you control is far better than reacting to each Oracle message as it arrives. The buyer who sets the tempo keeps the initiative. The buyer who answers on Oracle’s timetable is always one step behind and more likely to make a costly slip.
Get advice before the data moves
The highest value window for independent buyer side advice is before any data or script output has left the building, which usually means within these first 48 hours. Once figures are confirmed or raw output is returned, the work shifts from shaping the position to recovering ground already lost. Bringing in help early is not an admission of weakness, it is the move that keeps every option open. If a contact has arrived and you have not yet responded substantively, you are at the best possible moment to take advice and respond on your terms.
Write down your opening position
Close the first two days by writing a short internal note that records your opening position. What you have acknowledged, what you have withheld, who owns the channel, what evidence you are gathering, and what you believe your defensible number looks like in rough terms. This note becomes the reference point for everyone involved and prevents drift as the engagement lengthens. A clear, written opening position keeps the organisation aligned and ensures that the discipline set in the first 48 hours carries through every stage that follows.
The opening you can be proud of
A disciplined opening is not dramatic, and that is the point. It is a short acknowledgement, a named owner, a held script, a preserved history, and a calm internal brief that sets expectations. None of it requires legal genius or technical heroics. It requires only the decision to slow down and respond deliberately rather than quickly. Buyers who look back on a well handled audit almost always trace the outcome to those first two days, when they chose preparation over reflex and set a tone Oracle had to follow rather than one it set for them.
Next step. Download the Oracle Java Audit Survival Guide for the full first response checklist and the holding language we use with Oracle. We also work on a Fixed Fee from $18,000 or a Gainshare share of verified savings or avoided exposure, with zero retainer and no risk to you.