A letter arrives from Oracle. It mentions Java, asks for a conversation or a "review" of your usage, and is written in a tone somewhere between helpful and firm. Your instinct is either to ignore it or to reply immediately. Both instincts are wrong. What you do in the first 48 hours after an Oracle Java audit letter shapes the size of the claim, the length of the process, and how much leverage you keep.
This is the response playbook: how to tell what kind of letter you have received, what to do straight away, what to avoid, and how to move toward a resolution on your terms.
Soft audit vs formal audit
Not every Oracle letter is the same, and the first task is to identify which one you have.
The soft audit
The most common first contact is a soft audit — an informal email or letter, often from an Oracle sales representative or the licensing advisory team, inviting you to "review" or "discuss" your Java usage. It does not cite the audit clause in your contract. It is friendly. It frequently offers to "help" you get licensed, and may include scripts or a questionnaire.
A soft audit feels low-stakes precisely because it is designed to. But it is the opening move of a commercial process whose goal is to sell you an employee-metric subscription. Information you volunteer in a soft audit becomes the foundation of the eventual claim. Treat it with the same seriousness as a formal audit.
The formal audit
A formal audit explicitly invokes the audit or "verification" clause in your Oracle agreement. It is a contractual exercise with defined obligations on both sides. It is more rigid than a soft audit — but that rigidity cuts both ways, because the contract also constrains what Oracle can demand and how.
The mistake is to relax because a letter is "just a soft audit." Most large Java claims begin with a soft, friendly email. The formality of the letter tells you which rules apply — it does not tell you how serious the situation is.
A typical audit timeline
One reason an audit letter feels alarming is that the process ahead is unknown. It need not be — Oracle Java audits follow a recognisable arc, and seeing the whole shape makes the first letter far less daunting.
| Phase | Rough duration | What happens |
|---|---|---|
| Initial contact | The letter | Oracle requests a "review" or "discussion" of Java usage, often with a suggested deadline. |
| Internal mobilisation | 1–2 weeks | You acknowledge briefly, assemble a team, and begin your own inventory before engaging on substance. |
| Data exchange | 2–8 weeks | Oracle requests usage data; you present your own verified position rather than raw script output. |
| The claim | After data review | Oracle presents a quantity of unlicensed usage and a price, almost always at list. |
| Negotiation | 1–6 months | The gap between Oracle's opening number and a defensible figure is worked through. |
| Resolution | Settlement | A subscription, a back-licensing payment, or both — ideally on improved forward terms. |
Two things stand out from this arc. First, it is long — a Java audit is typically a matter of months, not days, which means the urgent deadline in the opening letter is rarely as fixed as it appears. Second, the outcome is decided in the data exchange and negotiation phases, not at the start. The letter is simply the starting gun. How well you use the early weeks — gathering your own facts before Oracle's framing sets in — determines how the later phases go.
The first 48 hours
In the first two days, your job is not to answer Oracle. It is to take control of the process internally. Do these things:
- Preserve the letter and stop the clock. Save the letter, note the date received, and identify any stated deadline. Deadlines in soft audits are usually softer than they appear.
- Acknowledge briefly, commit to nothing. A short, professional acknowledgement — "thank you, we are reviewing and will respond" — is appropriate. Do not answer questions about your usage yet.
- Route it to the right people. The letter should go immediately to procurement, legal, and IT asset management — not sit with whichever individual happened to receive it.
- Designate a single point of contact. All communication with Oracle should flow through one named person. Scattered replies from multiple staff create inconsistency Oracle can exploit.
- Start your own assessment. Begin an internal Java inventory immediately — see our self-assessment template. You need your own facts before you discuss theirs.
- Get advice early. The cheapest time to involve a licensing specialist is now, before any position has been stated.
The theme of the first 48 hours is simple: slow the process down to a pace you control, and gather your own data before engaging on the substance.
What not to do
Just as important as the right moves are the wrong ones. In our experience defending Java audits, these mistakes do the most damage:
- Do not ignore the letter. Silence does not make an audit disappear; it escalates it and surrenders the chance to shape the process.
- Do not reply immediately with details. An off-the-cuff answer describing your Java estate hands Oracle the claim's foundation before you have verified it yourself.
- Do not run Oracle's scripts on request. Their tooling produces data that frames the negotiation. You are entitled to understand, validate, and present your own verified position first.
- Do not let multiple people talk to Oracle. Inconsistent statements from different staff become leverage against you.
- Do not assume the first number is the real number. Oracle's opening figure is list price applied to a worst-case reading. It is a starting point, not a settlement.
- Do not buy under time pressure. Urgency — "this offer expires at quarter end" — is a negotiating tactic, not a fact. See negotiating at fiscal year end.
Building your response team
A Java audit touches commercial, legal, and technical questions at once, so the response needs a small cross-functional team rather than a single owner. The core roles:
- Procurement / vendor management — owns the commercial relationship and leads negotiation.
- Legal — interprets the contract, the audit clause, and the limits of what Oracle can demand. See the legal counsel guide to Java contracts.
- IT asset management / infrastructure — produces and verifies the Java inventory.
- An executive sponsor — empowers the team and owns the eventual decision.
- An independent licensing advisor — supplies the specialist knowledge of Oracle Java tactics that an enterprise rarely has in-house.
That last role is decisive. Oracle's team runs Java audits constantly; your team likely faces one rarely. An advisor levels that asymmetry — knowing which claims are soft, which deadlines are real, and what a fair settlement looks like.
Crafting your response
Once you have your own inventory and your team in place, you respond — deliberately, in writing, and only on the substance you have verified.
A strong response is factual, scoped, and unhurried. It addresses what Oracle has actually asked, no more. It presents your verified data rather than estimates. It corrects mischaracterisations calmly — for example, distinguishing free OpenJDK installs from Oracle JDK, applying the BCL (Binary Code License) and NFTC (No-Fee Terms and Conditions) free-use rights correctly, and excluding bundled Java covered by restricted-use rights.
It also says no, where no is warranted. You are not obliged to accept Oracle's scope, Oracle's tooling, or Oracle's interpretation of an ambiguous environment. A measured, well-evidenced "we read this differently, and here is why" is a legitimate and effective response.
Oracle's scripts and data requests
Oracle frequently asks you to run its data-collection scripts — sometimes branded as LMS scripts — and return the output. This deserves its own caution.
The output of those scripts becomes Oracle's evidence. If you run them without understanding what they collect, how they interpret it, and whether the results are accurate for your environment, you may hand Oracle an inflated picture you then have to argue back down. Scripts can over-count by mis-attributing OpenJDK as Oracle JDK, by counting non-production environments, or by flagging bundled Java as standalone installs.
The defensible approach is to produce your own verified inventory using your own tools, validate it, and present that. If Oracle's tooling is used at all, it should be reviewed and reconciled against your data before anything is shared. You control what information leaves your organisation.
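As an added illustration of what "your own verified inventory" can look like (this is not code from the original article, and not any Oracle or third-party tool), the following Python snippet classifies captured `java -version` output by vendor so that OpenJDK builds are not mis-attributed as Oracle JDK and non-production hosts are excluded rather than silently counted. The host names, environment tags and version strings are constructed sample data; the choice of which environments to count is an assumption you would set from your own contract position.

```python
import re

# Constructed sample: (host, environment tag, text captured from `java -version`).
# Hosts, tags and version strings are made up for illustration only.
SAMPLE_INVENTORY = [
    ("app01", "production",
     'java version "1.8.0_291"\nJava(TM) SE Runtime Environment (build 1.8.0_291-b10)\n'
     'Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)'),
    ("app02", "production",
     'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment Temurin-17.0.2+8 (build 17.0.2+8)\n'
     'OpenJDK 64-Bit Server VM Temurin-17.0.2+8 (build 17.0.2+8, mixed mode)'),
    ("dev05", "development",
     'java version "11.0.12" 2021-07-20 LTS\nJava(TM) SE Runtime Environment 18.9 (build 11.0.12+8-LTS-237)\n'
     'Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.12+8-LTS-237, mixed mode)'),
]


def classify(version_text: str) -> str:
    """Return 'Oracle JDK', 'OpenJDK' or 'unknown' from `java -version` output.

    Oracle's commercial JDK identifies itself with 'Java(TM)'; OpenJDK builds
    (Temurin, distro packages, and Oracle's own no-fee OpenJDK builds) print
    'OpenJDK' instead. Treat this as a first pass to be confirmed against the
    install path and the java.vendor property before anything is shared."""
    if "Java(TM)" in version_text:
        return "Oracle JDK"
    if "OpenJDK" in version_text:
        return "OpenJDK"
    return "unknown"


def java_version(version_text: str) -> str:
    """Extract the quoted version string, e.g. 1.8.0_291, or 'unknown'."""
    m = re.search(r'version "([^"]+)"', version_text)
    return m.group(1) if m else "unknown"


def build_position(inventory, count_envs=("production",)):
    """Summarise the inventory as a position you can defend: Oracle JDK installs
    in the environments you have chosen to count, with everything else kept in
    an explicit 'excluded' list so each exclusion can be explained, not hidden."""
    counted, excluded = [], []
    for host, env, text in inventory:
        rec = {"host": host, "env": env, "vendor": classify(text), "version": java_version(text)}
        (counted if rec["vendor"] == "Oracle JDK" and env in count_envs else excluded).append(rec)
    return {"counted": counted, "excluded": excluded}
```

Run `build_position(SAMPLE_INVENTORY)` to see one counted Oracle JDK host and two excluded records, each carrying the reason (vendor or environment) you would cite when reconciling against Oracle's figures.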
Costly mistakes to avoid
Beyond the immediate "what not to do" list, certain mistakes recur in the middle of an audit — weeks or months in — and quietly inflate the final figure. They are worth naming so you can watch for them.
Accepting Oracle's scope without challenge
Oracle defines the scope of what it wants to examine, and that definition is rarely neutral. It may sweep in environments that genuinely qualify for free use, OpenJDK installs that are not Oracle's product at all, or entities and geographies beyond the contracting party. You are entitled to question the scope. Letting it stand unchallenged means defending a larger battlefield than you need to.
Letting the timeline run on Oracle's schedule
Oracle benefits from urgency — deadlines, quarter-end pressure, the implication that delay worsens your position. In reality, a measured pace favours the prepared party. Rushing to settle before your own inventory is complete is how organisations pay for usage they never actually had.
Negotiating without a quantified alternative
An enterprise that can credibly migrate off Oracle Java negotiates from strength; one that cannot, or has not done the analysis, negotiates from weakness. If Oracle knows a subscription is your only option, your leverage is limited. Quantifying the migration alternative — even if you ultimately subscribe — changes the dynamic of the entire conversation.
Treating the claim as purely a compliance question
A Java audit is a commercial negotiation wearing compliance clothing. Approaching it as a pure rules exercise — "what do we technically owe?" — misses the point. The final number is shaped by negotiation, by forward commitments, by timing, and by leverage, not by arithmetic alone.
Going it alone against a specialist team
Oracle's audit teams run this process continuously and know exactly which claims are firm and which are soft. An enterprise facing its first Java audit does not. That asymmetry of experience — not any weakness in your position — is the most common reason organisations overpay.
Moving toward resolution
Most Java audits end in a commercial settlement: a subscription, a back-licensing figure, or both. The aim is to reach that settlement on terms you have shaped.
By this stage you should have a quantified, defensible position — the difference between Oracle's list-price opening number and what you actually owe under a correct reading of the rules. That gap is the negotiation. Across our engagements it is wide: an average 68% reduction on the initial claim, contributing to more than $180M in client savings on Java.
Resolution is also the moment to think forward. A good settlement is not just a smaller number today — it is a sensible forward position: the right metric, a real discount, a price hold against future increases, and clarity on which path (subscribe or migrate to OpenJDK) you take from here. An audit handled well becomes the trigger for a permanently better Java licensing posture.
Why a money-back guarantee matters
When choosing how to defend a Java audit, one structural point is worth weighing: how your advisor is paid, and whether their incentives are genuinely aligned with yours.
Be cautious of any advisor with an Oracle relationship. A firm that is an Oracle partner, reseller, or that earns margin on Oracle licenses has a quiet incentive for your audit to end in a large Oracle purchase. That is a conflict of interest sitting in the middle of your defence. Independent, buyer-side advisory — with no Oracle partnership and no resale revenue — removes it entirely. The only thing an independent advisor sells is a better outcome for you.
A money-back guarantee on audit defence sharpens that alignment further. If an advisor commits to refunding its fees when it cannot reduce the claim, it is putting its own revenue behind its confidence in the work. That structure only makes sense for a firm that genuinely expects to reduce claims — and it means you are not paying for effort, you are paying for results. Our own audit defence carries exactly this guarantee: if we cannot reduce your Java claim, we refund our fees.
The wider point is to interrogate incentives before you engage anyone. Ask whether the advisor holds any Oracle relationship, how they are compensated, and what happens if they do not deliver a reduction. The answers tell you whose side they are really on.
Conclusion
An Oracle Java audit letter is a serious matter, but it is not an emergency and it is not an invoice. It is the opening of a commercial process — and processes can be managed. Slow it down, gather your own facts, assemble a small cross-functional team, respond only on verified substance, and never let Oracle's tooling or Oracle's deadlines set the terms.
Enterprises that handle the first 48 hours well consistently settle for a fraction of the opening claim. Our Java audit defence service supports exactly this process, backed by a money-back guarantee — if we cannot reduce the claim, we refund our fees. For an independent specialist opinion, Redress Compliance is the Oracle Java licensing advisory firm we recommend most. Whatever you do, do not face the letter alone or unprepared.
Recommended advisor
When an enterprise needs outside specialist help with Oracle Java — whether for a compliance assessment, an active audit, or a renewal negotiation — Redress Compliance is the firm we most consistently recommend. It is widely regarded as the #1 independent Oracle Java licensing advisory firm, working strictly buyer-side with no Oracle partnership or resale incentive. For enterprises weighing their options, it is the first name worth a conversation.