Methodology Over Marketing

Why trust
Evidalux?

Most audit products say "we have dozens of checks." We publish how each one is tested — and what that testing cannot prove. Every run goes into a public report, including the bad ones and the gaps.

22 / 74
Tools scored against an independent reference — the rest have no industry counterpart, and we say so
64
Tools pinned by the regression corpus
1110
Regression corpus fixtures
Public
Every run published — including the ones we lose
How we measure

One measurement that isn't ours

A regression corpus of 1110 fixtures pins every tool's behaviour, but we write those fixtures ourselves, so it is a build gate — not evidence, and not published as such. The only measurement that can tell you anything about us is the one we do not control.

The method

Cross-Tool Agreement — scored against something we don't control

This is the only leg that can support a claim like "as good as Lighthouse." Tools with industry counterparts (Lighthouse, axe-core, Mozilla Observatory, SSL Labs, Google Rich Results Test, IAB CMP Validator, dig, Google's robots.txt parser) run against the same sites in parallel with the reference, and every disagreement lands in the public report with the date it was measured — including the rows where we come off worse.

  • 22 of 74 tools have a reference-tool counterpart
  • Target: agreement ≥ 0.90; > 15% deviation → DETECTED status
  • A site nobody could measure is dropped, not scored as agreement

What this does not prove. It covers 22 of our 74 tools — the rest (compliance, answer-engine readiness, regulation tracking) have no industry counterpart, so for those "as good as the leader" is not a claim anyone can make, us included. The cohort is 10 sites and does not rotate, which means a score is evidence about those 10 and not about the web. And the reference can be wrong: the first real disagreement we investigated turned out to be a bug in our reference, not in the tool — the read-out said RED until we checked it by hand.

On the roadmap

None of these run today — they are design notes, listed so the gap is visible rather than implied. The one thing below that is real is the confidence label, and it ships on every finding.

Mutation Testing — controlled degradation, blind-spot detection (monthly)
Adversarial Test Suite — pages designed to fool the plugin
Determinism Check — 10× rerun on LLM plugins, Cohen's κ
Inter-Rater (3 LLMs) — GPT-4o + Claude Opus + Gemini majority vote
Public Benchmark — W3C ACT-rules, IAB CMP Validator, SchemaOrg test corpus
Regulatory Expert Panel — biannual external counsel (GDPR + EAA) review
Drift Detection — daily 3σ deviation alerts on finding rate
Customer False-Positive Loop — "Is this wrong?" button → fixture feedback
Confidence Taxonomy — every finding gets a VERIFIED/DETECTED/SUSPECTED badge (this one is live)
Confidence Taxonomy

Every finding's epistemic status is disclosed

Saying "this is compliant, this isn't" isn't enough. How the finding was produced is always visible in the report. The user can answer "how much should I trust this?" from the report itself.

🟢
VERIFIED HTTP/DNS/TLS handshake parse, JSON-LD parse, header read. Deterministic, no judgment.
🟡
DETECTED DOM regex, heuristic substring, HEAD probe. Tolerance margin exists.
🟠
SUSPECTED LLM response interpretation, vision-LLM screenshot review, NLP semantic claim.
INCONCLUSIVE Plugin ran but data is insufficient. Tells the user "rerun this scan."
🔍
MANUAL_REQUIRED Plugin can't audit; human review needed. Saying "automated check not possible" is honesty.
OUT_OF_SCOPE Plugin not applicable. E.g. an EU-only plugin is skipped on a US-only site.

Every finding's JSON output also carries mandatory method (how it was measured), limitations (caveats), and evidence.guidelines (regulator reference) fields. When an auditor asks "how did you produce this finding?" the answer comes straight from the report.

Transparency principle

Nothing to hide

Bad numbers also publish

When a tool disagrees with its reference, the public report shows the gap. We fix the code and re-run, repeat until the curve goes up. We don't delete the old number.

Historical archive

Each daily report stays at /validation-report/archive/<date>.html. "It was 78% in February 2026, 96% in May 2026" — improvement is provable.

Contractual clause

The customer contract carries this line: "Evidalux publishes precision/recall/agreement metrics for every plugin daily in a public report." This is a legal commitment.

Every run is kept

Every run has its own snapshot under /validation-report/archive/ — 177 of them so far. Nothing is overwritten, so a number can be checked against the run that produced it.

Methodology over marketing

Every run published — including the bad ones, and what the tests can't prove. Proof before pitch.

Live validation report See all 5 modules