Ott Ristikivi – Founder of SecureSpells®

Beyond the PDF: what should a credible one-off audit include?

We keep seeing the same failure mode: “compliance” becomes a PDF nobody trusts.

For SecureSpells one-off audits, we optimise the report for two readers at once:

  1. Engineering: reproducible signals — what ran, what loaded, and what changed across audited views — with enough detail to verify in DevTools or copy a script list straight into a ticket.

  2. Legal / comms: plain-language interpretation tied to those signals — not vibes, and not a cookie inventory alone.

What we ship in the one-off audit bundle:

  • A standalone, interactive HTML report you can share with non-technical stakeholders.

  • Raw JSON so you can import results into your internal tools / registers.

  • A PDF that’s easy to email or archive.

The part I’m most excited about:
it’s not a static snapshot only — you get a 24-hour remediation window to fix red-flag issues, then re-run the audit after each fix to confirm it landed.
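To make the "reproducible signals" and the re-run-after-fix step concrete, here is an added example that is not SecureSpells code and does not use its report format: it assumes a hypothetical JSON layout (site, audited views, scripts each view loaded, and whether consent had been given), then derives a per-view list of third-party scripts loaded before consent, shows which scripts differ across views, and diffs an initial run against a re-run so a fix can be confirmed rather than asserted. The sample reports are constructed for the illustration.

```python
"""Diff loaded-script inventories across audited views and across re-runs.

Added example, not SecureSpells code. The JSON layout used here is an
assumption made for this illustration; a real audit bundle has its own schema.
"""
import json
from urllib.parse import urlparse

# Constructed sample: two runs of the same audit. BEFORE is the initial audit,
# AFTER is the re-run inside the remediation window after one fix was deployed.
BEFORE_JSON = """
{
  "site": "example.com",
  "views": {
    "/": {
      "consent_given": false,
      "scripts": [
        "https://example.com/static/app.js",
        "https://cdn.analytics-vendor.example/tag.js",
        "https://ads.example.net/pixel.js"
      ]
    },
    "/pricing": {
      "consent_given": false,
      "scripts": [
        "https://example.com/static/app.js",
        "https://cdn.analytics-vendor.example/tag.js"
      ]
    }
  }
}
"""

AFTER_JSON = """
{
  "site": "example.com",
  "views": {
    "/": {
      "consent_given": false,
      "scripts": [
        "https://example.com/static/app.js",
        "https://cdn.analytics-vendor.example/tag.js"
      ]
    },
    "/pricing": {
      "consent_given": false,
      "scripts": [
        "https://example.com/static/app.js",
        "https://example.com/static/consent.js",
        "https://cdn.analytics-vendor.example/tag.js"
      ]
    }
  }
}
"""


def load_report(text):
    """Parse one audit run (hypothetical schema) from its JSON text."""
    return json.loads(text)


def is_first_party(url, site):
    """True if the script host is the audited site or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host == site or host.endswith("." + site)


def red_flags(report):
    """Per view: third-party scripts that loaded while consent was not given."""
    site = report["site"]
    flags = {}
    for view, data in report["views"].items():
        if data["consent_given"]:
            flags[view] = []  # consent was present; nothing to flag here
            continue
        flags[view] = sorted(u for u in data["scripts"] if not is_first_party(u, site))
    return flags


def cross_view_differences(report):
    """Scripts that are NOT loaded on every audited view, with where they appear."""
    views = report["views"]
    seen = {}
    for view, data in views.items():
        for url in data["scripts"]:
            seen.setdefault(url, []).append(view)
    return {url: sorted(v) for url, v in seen.items() if len(v) != len(views)}


def diff_runs(before, after):
    """Per view: scripts added and removed between an initial run and a re-run."""
    result = {}
    for view in before["views"].keys() | after["views"].keys():
        old = set(before["views"].get(view, {}).get("scripts", []))
        new = set(after["views"].get(view, {}).get("scripts", []))
        result[view] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return result


def ticket_lines(report, view):
    """Plain-text script list for the view, ready to paste into a ticket."""
    return [f"- {url}" for url in sorted(report["views"][view]["scripts"])]


if __name__ == "__main__":
    before, after = load_report(BEFORE_JSON), load_report(AFTER_JSON)
    print("pre-consent third-party scripts:", red_flags(before))
    print("changed between runs:", diff_runs(before, after))
    print("\n".join(ticket_lines(before, "/")))
```

In the constructed data the re-run shows the ads pixel gone from "/" and a first-party consent script added on "/pricing", while the analytics tag is still loading pre-consent on both views, which is exactly the kind of partial-fix outcome a re-run should surface rather than hide.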

I don’t have decades of buying “one-off SaaS audits without a subscription” myself, so I’m asking for a reality check from people who have purchased audits before.

Does this sound like a meaningful upgrade for a one-off purchase — or table stakes?

If you’ve bought audits before: what’s the minimum evidence bundle you’d accept as “real” from a vendor?


(I’ll reply in the comments with specifics on our side.)
