M&A security due diligence

Security DD before you sign the LOI.

CREST-accredited researchers run pre-LOI and pre-close security due diligence on acquisition targets: web, API, cloud, AD, plus historical-breach scan and code-quality review. The findings that change valuation or kill the deal, surfaced before signing.


Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most M&A security DD finds the breach after close, not before signing.

  • Generic pentest firms do not scope for acquirer-side DD: code-quality, historical breach indicators, and inherited-risk analysis are out of scope.

  • Without inherited-risk surfacing, the acquirer takes on undisclosed breaches, IP theft, or compliance failures post-close.

  • Reports that arrive after signing leave the acquirer holding the bag on findings that should have changed valuation.

Here is what we ship.

Why teams pick us

Pre-LOI findings, not post-close surprises.

  • Pre-LOI security DD

    Web, API, cloud, AD pentest plus historical-breach scan and code-quality review. Findings surface before signing.

  • Inherited-risk analysis

    Disclosed vs undisclosed breach indicators, IP theft markers, compliance-failure markers.

  • Valuation-relevant

    Findings shaped to inform purchase-price adjustment, escrow size, and rep-and-warranty insurance scope.

How it works

From LOI prep to close on the deal timeline.

  1. Scope on the call

    Target stack, deal timeline, acquirer-side InfoSec, and rep-and-warranty insurance scope confirmed on the call.

  2. Researchers test the target

    Web, API, cloud, AD pentest plus historical-breach scan, code-quality review, inherited-risk analysis.

  3. Deal-ready findings package

    Report, valuation-relevant findings, inherited-risk memo, rep-and-warranty insurance scope material.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.


What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.

Vinay Hiremath

Co-founder, Loom


Common questions

What buyers ask before they sign.

Pre-LOI or pre-close?
Both. Pre-LOI for high-risk targets, pre-close for confirmatory DD.

Will the target cooperate?
Typically yes, under NDA. Some engagements run unauthenticated-only for the initial screen, then authenticated with target cooperation post-LOI.

Inherited-risk surfacing?
Yes. Historical-breach indicators, IP theft markers, and compliance-failure markers are surfaced in the inherited-risk memo.

Rep-and-warranty insurance support?
Yes. Findings are shaped for R&W insurer scope review and post-close claim defence.

Engagement timing?
Two to four weeks depending on scope. Pre-LOI screens can run in one week.

Ready to surface the findings before you sign?

20-minute scoping call with the lead M&A DD pentester. Pre-LOI or pre-close, on your deal timeline.

CREST · CERT-In · SOC 2 · ISO 27001