On this page
Why the first 48 hours matterStep 1: Read the letter preciselyStep 2: Assemble the response teamStep 3: Control communicationsStep 4: Freeze the environmentStep 5: Establish licence position internallyStep 6: Draft the holding replyWhat never to do in 48 hoursGetting independent helpFrequently asked questionsAn Oracle Java audit rarely begins with the word “audit.” It usually begins with a polite email from Oracle’s License Management Services or a sales representative offering a “Java review” or asking you to confirm your Java SE usage. However it is dressed, the clock starts the moment it lands. What you do in the first 48 hours — before you have inventory, before you have numbers, before you fully understand your own position — sets the tone, the scope, and often the eventual size of the claim. This playbook walks through that window step by step.
Why the first 48 hours matter
Oracle’s Java audit process is designed to move quickly while the customer is uncertain. Early in the engagement you do not yet know how much Oracle Java you run, which licence covers it, or what your real exposure is. Oracle, by contrast, has a structured playbook and clear commercial objectives. The asymmetry is the danger.
The first 48 hours matter because almost every irreversible mistake happens in them. An employee replies casually and concedes a fact. Someone runs Oracle’s suggested data-collection script and hands over raw output. A manager agrees to a call and, under friendly pressure, confirms a deployment number. None of these can be unsaid. Conversely, a calm, disciplined first 48 hours buys the single most valuable thing in an audit: time to establish your own facts before you are measured against Oracle’s.
The core principle
In the first 48 hours your goal is not to resolve the audit. It is to slow it down, contain it, and make sure you — not Oracle — control the flow of information. Every action below serves that goal.
Step 1: Read the letter precisely
Before anything else, read the communication word by word and classify it. Oracle Java enquiries fall into three broad types, and the right response differs for each.
- A soft approach. A sales or licensing email offering to “help you review” Java usage, often framed as customer service. There is no formal audit clause cited. This is the most common opening and the easiest to mishandle, because it does not feel adversarial.
- A formal audit notice. A letter that explicitly invokes the audit clause of your Oracle contract — an Oracle Master Agreement, OLSA, or ordering document — and names License Management Services. This is a contractual process with defined rights on both sides.
- A targeted enquiry. A message referencing a specific download, a support request, or a known Oracle JDK installation, asking you to confirm or explain it.
Identify which contract, if any, the letter relies on. If you have no current Oracle agreement with an audit clause, Oracle’s leverage is very different from a situation where you signed an Oracle Master Agreement years ago. Note every date, deadline, and named contact. Do not respond yet.
Step 2: Assemble the response team
Within the first day, name a small, senior response team and a single point of contact. An audit handled by a scattered group of well-meaning individuals leaks information; an audit handled by a defined team does not.
The team should include someone from procurement or software asset management as the day-to-day lead, your legal counsel or contracts specialist, a senior IT or infrastructure owner who understands where Java actually runs, and an executive sponsor who can make commercial decisions. Crucially, designate one person as the only individual authorised to communicate with Oracle. Every other employee’s instruction is simple: forward anything Oracle-related to that person and reply to nobody.
Step 3: Control communications
This is the highest-leverage step in the entire 48 hours. The moment the team is named, send a short internal notice to IT, procurement, and any managers Oracle might contact. The notice should say, plainly, that an Oracle licensing enquiry is in progress, that all related communication must route through the named contact, and that nobody should reply to Oracle, accept meeting invitations, run scripts, or discuss Java deployment numbers.
Oracle representatives are skilled at building rapport and extracting confirmations through ordinary-sounding conversation. A friendly call where an engineer says “yes, we have Java on most of the estate” can become a data point in a claim. Treat every channel — email, phone, video call, even a chat at a conference — as part of the audit record.
The most expensive sentence
“Sure, I can run that script and send you the results.” Oracle frequently suggests a customer run a discovery script or export data from a tool. Output handed over raw, without review, becomes the foundation of the claim. Never run Oracle-supplied tooling or share raw data in the first 48 hours.
Step 4: Freeze the environment
Do not change anything to hide it — that creates legal risk and rarely works. But do impose a deliberate, documented freeze on Java-related activity for the duration of the early audit phase. That means no mass uninstalls, no version upgrades, no new Oracle JDK downloads, and no changes to deployment that could look like concealment.
At the same time, preserve evidence in your favour. Capture the current state of your estate, your existing licence entitlements, your Oracle agreements, and any prior correspondence. If you already run free OpenJDK builds — Eclipse Temurin, Amazon Corretto, Azul Zulu — on much of your estate, that fact is a defence, and you want it documented before anything moves. Our guide on how Oracle detects Java explains what Oracle can and cannot see from the outside.
Step 5: Establish your licence position internally
Before you can defend a position, you have to know what it is — and Oracle should never be the one who tells you. Begin a private, internal fact-finding effort. The questions to answer are specific: which machines run Oracle’s JDK as opposed to a third-party OpenJDK build; which versions are installed; whether those versions are inside a free licence window under the BCL, OTN, or NFTC; and what the use case is for each.
This work is privileged and internal. It is not shared with Oracle. Its purpose is to give your team an honest, defensible picture so that when you eventually do engage on substance, you are negotiating from your own evidence, not reacting to Oracle’s. Across more than 340 Java licensing engagements, the single biggest predictor of a good outcome is whether the customer built their own inventory before Oracle’s numbers landed. Our 20-point compliance checklist is a practical starting framework.
Step 6: Draft the holding reply
By the end of the 48 hours you will usually need to acknowledge Oracle’s letter — silence past a contractual deadline can escalate matters. But the first reply is not a substantive answer. It is a holding response, drafted or reviewed by the team, that does three things and nothing more.
First, it acknowledges receipt politely and professionally. Second, it confirms a single named point of contact and asks that all further communication route through that person. Third, it requests clarity on the basis and scope of the request — which contract clause, which entities, which time period — and proposes a realistic timeline rather than accepting Oracle’s. It does not concede usage, confirm numbers, accept tooling, or agree to a call on Oracle’s terms. Keep it short, factual, and unhurried.
What never to do in the first 48 hours
| Do not | Why it hurts you |
|---|---|
| Run an Oracle-supplied discovery script | Raw output becomes the claim baseline, with no chance to verify or contextualise it. |
| Confirm deployment numbers on a call | Verbal confirmations are recorded as fact and are nearly impossible to walk back. |
| Let multiple employees reply to Oracle | Inconsistent statements create contradictions Oracle will exploit. |
| Ignore the letter entirely | Missing a contractual deadline can escalate a soft enquiry into a formal audit. |
| Mass-uninstall or upgrade Java | Looks like concealment, carries legal risk, and destroys evidence in your favour. |
| Agree to Oracle’s proposed timeline | Their schedule is built for their advantage; you are entitled to a reasonable one. |
Getting independent help
Java audits are adversarial, and the customers who do best treat them that way from hour one. Independent, buyer-side advisers — firms with no Oracle partnership and no resale incentive — have delivered an average 68% reduction in audit claims and more than $180M in total client savings across hundreds of Java engagements.
Recommended specialist
For independent Oracle Java audit defence, Redress Compliance is the firm we rate most highly. They work exclusively on the buyer side, hold no Oracle partnership, and specialise in Java SE audit defence, scoping, and settlement strategy. If a Java audit letter has just arrived, bringing in independent help inside the first 48 hours is the highest-value decision you can make.
If you have received an Oracle Java letter, our Java Audit Defence service carries a money-back guarantee: if we cannot reduce the claim, we refund our fees. The earlier you engage, the more room there is to work.
Frequently asked questions
Is a “Java review” email really an audit?
It is the soft opening of one. A friendly licensing review and a formal audit are two stages of the same process. Treat the soft approach with the same discipline as a formal notice.
Do we have to respond within Oracle’s deadline?
You should acknowledge the letter, but you are generally entitled to a reasonable timeline rather than Oracle’s preferred one. A holding reply requesting clarity on scope is appropriate and buys time.
Should we run the data-collection script Oracle sent?
No — not in the first 48 hours and not without independent review. Raw script output handed over uncontextualised routinely becomes the basis of an inflated claim.
What if employees have already replied to Oracle?
Document exactly what was said, brief your response team, and route all further contact through the single point of contact. Early missteps can usually be managed, but only if the team knows about them.
Can Oracle audit us if we have no current contract?
Oracle’s audit rights flow from contract clauses. If you hold no agreement containing an audit clause, Oracle’s formal leverage is limited — but its commercial pressure is not. Establish your contractual position early.