Technical Due Diligence

Technical due diligence for SaaS acquisitions. A written assessment by senior engineers, sized for the deal.

For M&A advisors, private-equity buy-side teams, vertical SaaS aggregators, and technical co-founders preparing for an acquirer's diligence. The deliverable is a report a buyer's legal, technical, and finance teams can read together and price against.

Starting: $5,000

Typical: $10,000

Delivery: 1–2 weeks

The deliverable

A written assessment, structured for the buyer's table.

Six sections, each one defensible in committee. The same deliverable structure whether the commissioning party is buy-side, sell-side, or an advisor running pre-LOI diligence.

  • 01 · Codebase risk map
    What is load-bearing, what is brittle, what is decaying. Findings are prioritized by impact on continuity, integration cost, and post-close engineering load.

  • 02 · Dependency and security posture
    Inventory of CVEs, advisories, end-of-life libraries, and committed secrets. Production vulnerability count with exploitability and remediation effort scored per item.

  • 03 · Architectural debt summary
    Distributed-monolith patterns, framework version drift, abandoned migrations, dead code, and the structural decisions an acquirer will inherit. Written so a non-technical buyer can defend it in committee.

  • 04 · Hiring and handover risk
    Bus factor, single-engineer dependencies, undocumented systems, and the availability of replacement engineers for the stack as it stands. Addresses the question every buyer asks: what happens if the lead engineer leaves on day one post-close.

  • 05 · Modernization cost estimate range
    A defensible cost band to bring the codebase to a maintainable, hireable, AI-tooling-ready state, with the reasoning behind it. Designed to function as a price-adjustment input or a post-close capex line item.

  • 06 · Written report and 30-minute walkthrough
    Shareable PDF, structured for buyer-side legal, technical, and financial review. One live walkthrough with the assessment lead. The commissioning party may forward the report internally without redaction.

assessment-report.pdf (anonymized excerpt)

SprintZero · Technical Due Diligence

Target: HIPAA-regulated SaaS · ~$5M ARR · React + Laravel

Prepared for [Acquirer] · Confidential. NDA in force

§2 · Codebase risk map (excerpt)

  • Critical · Frontend build: Create React App, end-of-life since Feb 2023; no migration path remains.
  • High · State management: Redux + sagas, 25+ reducers split across 200+ files; component re-render cascades observed on routine writes.
  • High · UI primitives: 27 modal components, copy-pasted; no shared base. Maintenance load proportional to surface area.

  • Production CVEs: 194
  • EOL libraries: 38
  • Modernization cost range: $45K–$120K

[Sample excerpt. Full reports run 18–32 pages depending on scope.]

Scope of expertise

Stacks we assess. Stacks we refer.

Depth over breadth. If the target stack is outside our scope, we refer to firms with the right depth on the intro call, before NDA.

In scope

  • React, Vue, Angular (current versions and legacy)
  • Node.js, TypeScript
  • Elixir / Phoenix
  • Ruby on Rails
  • PHP / Laravel
  • Python / Django

Out of scope (referred)

  • .NET / C#
  • Java / JVM enterprise stacks
  • Go, Rust
  • Mainframe, COBOL, AS/400
  • Microservices-on-Kubernetes platform assessments

Process

Intro call to written report. One to two weeks.

  1. Intro call (30 minutes)
     Stack confirmation, deal context, timeline, and conflict-of-interest check. Scope and final fee are set on this call. No contact-form pricing.

  2. NDA and read-only access
     Mutual NDA executed. Read-only repository access, time-bounded to the engagement window. Access is revoked and credentials deleted on delivery.

  3. Assessment (5 to 10 business days)
     Senior-engineer review of the codebase, dependencies, infrastructure posture, and team artifacts. Clarification questions are routed asynchronously to the seller's technical lead through the buyer or advisor.

  4. Written report and walkthrough
     Final report delivered as a structured PDF. 30-minute live walkthrough with buyer, advisor, and where appropriate the seller. Total elapsed time, kickoff to delivery: 1 to 2 weeks.

Pricing

Quoted on the intro call. No contact-form pricing.

Starting: $5,000
Single repository, in-scope stack, narrow scope. Typical for early-stage targets and pre-LOI sell-side preparation.

Typical: $10,000
Multi-repository SaaS, in-scope stack, full deliverable: codebase, dependencies, architecture, hiring risk, and modernization cost range.

Final scope and fee are agreed on the 30-minute intro call, after stack confirmation, deal context, and conflict-of-interest check. Engagements above the typical band are quoted at that point. Drivers are usually repository count, infrastructure review depth, and reporting requirements specific to the buyer's investment committee.

Book a 30-minute intro call →

Anonymized findings

What recent assessments surfaced.

Two recent engagements, anonymized to vertical and revenue band. Numbers are exact. Identifying detail is generalized.

Finding A

HIPAA-regulated SaaS, ~$5M ARR, React/Laravel stack

  • 194 known production vulnerabilities across direct and transitive dependencies
  • 27 modal components implemented with copy-pasted markup; no shared primitive
  • Untested controller files in the 500–800 line range, no integration coverage
  • Frontend on Create React App (end-of-life); Webpack 4; Redux + sagas split across hundreds of files

Finding B

Vertical SaaS, single-product, PHP/Laravel + MySQL on shared hosting

  • 13-year-old Laravel application. PHP 7.x; MySQL 5.7. All past end-of-life
  • Authentication implemented in-app with weak hashing and no rate limiting
  • No database migration system; schema changes applied by hand in production
  • Single engineer with full operational knowledge; no runbooks, no documented deployment

FAQ

Common questions.

How is this different from a SOC 2 or security audit?
A SOC 2 audit assesses whether the organization has frameworks and controls in place. We assess the code itself: what it does, what it depends on, what it inherits, and what it costs to keep running. The two are complementary. SOC 2 covers governance. This covers the engineering substrate underneath. Buyers typically need both; they answer different questions.

How do you handle confidentiality?
Mutual NDA before any code or documentation moves. Repository access is read-only and time-bounded to the engagement window. Access is revoked and any local working copy is deleted on delivery. The written report is the property of the commissioning party. We retain no copy beyond the engagement and do not reuse client material in marketing without written consent.

What is your conflict-of-interest policy?
We will not run an assessment on a target where we have an ongoing engineering relationship with the seller, the buyer, or a competing bidder on the same deal. Conflicts are disclosed and resolved on the intro call before NDA. Where a conflict exists, we refer the engagement to a peer firm.

Can you work for the buy-side, the sell-side, or both?
Both, but never on the same deal. Most engagements are buy-side: a strategic acquirer, PE platform, or vertical aggregator commissions the assessment ahead of close. Sell-side engagements are typically founders running pre-LOI diligence on themselves to surface and price issues before an acquirer finds them. The deliverable is structurally identical. The audience and the framing of the executive summary differ.

What if the target stack is outside the list above?
We refer to specialists rather than fake the expertise. Our scope is intentionally narrow: JavaScript ecosystem, Elixir/Phoenix, Rails, Laravel, Django. For .NET, Java, Go, Rust, mainframe, and Kubernetes platform diligence we maintain a referral list of firms with the right depth. Confirm the stack on the intro call. If it is outside our scope, we will say so on that call before any commitment.

Who writes the assessment?
Senior engineers with 15+ years on the in-scope stacks, working under Marcel Fahle's review. Not generalist consultants, not analysts working from a checklist, not offshore farmed-out review. The engineer who writes a finding is available on the walkthrough call to defend it.

Can the report be shared with our investment committee, lenders, or QoE provider?
Yes. The report is structured for buyer-side legal, technical, and financial review and may be forwarded internally without redaction. For onward sharing with parties outside the original engagement, such as lenders or additional advisors, the commissioning party owns the distribution decision.

If the assessment surfaces remediation work

Roughly half of engagements end at the report. The other half ask us to remediate before close.

Where the assessment identifies remediation work that needs to land before close, whether vulnerability remediation, framework upgrades, architectural cleanup, or a test-coverage baseline, SprintZero can execute a fixed-scope 30-day modernization sprint starting at $35,000. The assessment fee is credited toward the sprint when the same party commissions both.

This is optional and disclosed up front. The written assessment stands on its own and is usable to brief any other vendor, an internal team, or a post-close engineering function.

More on the modernization sprint →

Book a 30-minute intro call.

Stack confirmation, deal context, conflict check, and final scope. Engagements begin under NDA within 48 hours of the call.

Confidential. NDA on request. No deck required.

Book the intro call →

Async alternative: email Marcel directly.