Software Acquisition · Technical due diligence
Before you buy the company, know what the code is really worth.
When you acquire a software business, you are buying the code, even if nobody in the room can read it. The pitch deck says it is modern, clean and well built. The code itself might say something very different. We read the whole codebase the way a buyer needs to: what is actually there, what shape it is in, what it will cost to keep alive, and what risks are buried in it. You walk into the negotiation knowing, not hoping.
The problem
The deck is marketing. The code is the asset.
Most technical due diligence is a few days of interviews and a skim of the documentation. The people answering the questions are the people selling the business. The real story lives in the code, and reading a large, old codebase by hand in the time a deal allows is impossible. So buyers price on trust and find out the truth after the cheque clears.
What buyers get blindsided by
- Maintenance debt that means years of expensive cleanup before anything new can ship.
- Security holes that turn into a breach and a headline a few months in.
- Key-person risk: one or two people who are the only ones who understand it.
- Borrowed code with licence terms that become your legal problem on day one.
What we look at
Four questions, answered from the code itself
Is it safe?
The security holes that actually matter and, crucially, which ones a real attacker could reach. Not a list of theoretical warnings, but the few that are genuinely exploitable and would land on your watch.
What shape is it in?
How much of it is tangled, duplicated or fragile, and where. This is the number that tells you what it will really cost to maintain and build on after the deal, instead of guessing.
Who actually holds it?
Whether the knowledge lives in the code and its history, or only in one or two people’s heads. Key-person risk you can see before it walks out the door after the earn-out.
What did they borrow?
The outside code and licences baked in, and whether any of them create an obligation you inherit. The legal landmines that are invisible in a pitch but very real on the balance sheet.
Not a sample. The complete codebase, mapped end to end, including the years of history that show how it really got here.
Of every flaw found, we trace which ones an attacker could actually reach. The deal risk is the short, proven list, not the scary long one.
Plain-language conclusions tied to specific evidence in the code, in time to use them at the negotiating table.
How it works
A real read, in the time a deal actually allows.
The tooling does the reading at machine speed and shows its work, so the findings are grounded in the actual code rather than a consultant’s impression. The whole thing runs under your control. The target’s code never has to leave a safe room.
Price the deal on what the code is, not what the deck says.
Got a target on the table? We can give you an independent read of its codebase before you commit. Talk to us early; the findings are most valuable before the price is set.
