Due Diligence Services
Tech debt is a slide. Regulatory debt is what moves the multiple.
A diligence report has two readers: the deal team testing the investment thesis, and the non-technical business and investment principals who need to understand the risk, the severity, and what it means for the decision in front of them. We write for both. The numbers and the architecture sit in the same document as the plain-language summary that lets a principal walk into the next meeting and explain it.
When the buyer is in one regulatory regime and the target is in another, the regulatory mapping is the deal risk, not a footnote. We read both sides.
Where the value sits
Stack reviews and security scans are commoditised. The work that moves a deal sits one layer deeper.
Buy-side diligence on regulated targets
The seller's narrative tends to break under DORA, NIS2, UK CTP or GDPR questioning. We bring those questions early, before the buyer's investment committee finds them late.
Sell-side vendor due diligence (VDD)
We surface what the buyer's diligence will find, before the buyer does. The internal version of the same report lets the sell-side adjust negotiation strategy and address critical issues quietly, so they do not become price revisions later.
PQC and crypto-debt as a real DD dimension
Not future-state hand-waving. Long-dated portfolios are exposed already. Insurance contracts, mortgage books, KYC archives, M&A data rooms. We assess what the target carries and how migration cost should be priced into the deal. See our note on the cryptographic-inventory layer.
Concentration risk in the third-party chain
DORA Article 28 logic applied early. If the target is concentration-exposed, or sits in someone else's concentration chain, the post-close remediation cost is a number the deal team can use. See the Critical 19 analysis.
Carve-out and post-merger integration
When the regulated entity has both jurisdictional and technical lock-in, integration becomes a multi-year programme rather than a 100-day plan. We surface that distinction during DD, not after.
Cross-border targets
Buyer in one regulatory regime, target in another. The mapping work is the deal risk. We read both sides and tell you which gaps are fixable, which are deal-breaking, and which become covenants.
We bring a solution, not a survey
A diligence report should land a solution, not a survey. We bring a view, defend it under questioning by the other side's advisers, and adjust it when we are wrong. You can buy hedged option-papers from larger firms for more. We are not paid to widen the option set, we are paid to narrow it to a decision the deal team can make.
Risk-adjusted views of the target. What is tolerable for a strategic buyer is unacceptable for a leveraged one. We make the risk profile usable by the deal team, not just the security team. Findings are scoped, defended, and quantified where the numbers genuinely move the price.
What is table stakes
Given, not headline: stack reviews, security scans, cloud bill audits, headcount-quality scoring, IP and open-source review, run-rate normalisation, code-quality assessment, SDLC maturity, BCP and DR review, key-person dependency mapping, vendor and licensing audit. One to three senior people, time-boxed, output is a document that survives questioning by the other side's advisers and is readable by the principals who will sign off on the deal.
What we deliver
Beyond the positioning above, the specific offerings inside our due diligence practice.
Technology due diligence (buy-side)
Stack and architecture assessment, code quality and technical-debt analysis, scalability and performance evaluation, security posture and vulnerability assessment, cloud infrastructure and cost analysis, engineering-team capability review, IP ownership and licensing verification, data architecture and quality assessment.
Startup due diligence
A distinct engagement for investors evaluating earlier-stage targets. Technology assessment for the growth thesis, security review where it affects enterprise sales and regulatory exposure, technical-team capability and key-person dependencies, infrastructure cost projections that feed financial modelling.
Sell-side and vendor due diligence (VDD)
A comprehensive technology and security report that you control, shared with potential buyers to accelerate timelines. An internal version flags critical issues early so the sell-side can adjust negotiation strategy or remediate quietly. Pre-sale remediation of the items most likely to depress valuation or kill deal certainty. Documentation preparation so the data room survives buyer scrutiny.
What you receive
Executive summary written for principals with deal-critical findings, detailed risk register with severity and likelihood, technical-debt quantification with remediation cost estimates, integration risk assessment and recommendations, 100-day plan for post-close critical items, management presentation and Q&A support. We work to deal timelines, with preliminary findings provided quickly and detailed reports on schedule.
What we assess
Product and technology (product strategy and roadmap, stack and architecture quality, SDLC maturity, QA and testing). Operations and security (infrastructure and DevOps, security posture and compliance status, business continuity and disaster recovery, incident management and response). Organisation and commercial (team structure and capabilities, key-person dependencies and succession, open source and IP, vendor contracts and licensing obligations).
Our Boutique Approach
Due diligence is time-sensitive and high-stakes. We bring the experience and focus needed to surface critical issues quickly.
Deal-Ready Timelines
We understand transaction pressure. We provide preliminary findings fast and detailed reports on schedule. We don't let technology DD become the bottleneck.
Senior Expertise Throughout
Your assessment is led by experienced practitioners who've seen hundreds of technology estates. We know what good looks like - and what warning signs to look for.
Valuation-Focused Findings
We quantify technical debt, estimate remediation costs, and identify integration risks. Our reports give you the inputs you need for pricing and negotiation.
Clear Recommendations
Every finding comes with practical remediation guidance and timeline estimates. We tell you what to fix, in what order, and what it will take.
Success Criteria
We define clear deliverables and outcomes for every due diligence engagement.
What You Receive
- Executive summary with deal-critical findings
- Detailed risk register with severity ratings
- Technical debt quantification with remediation costs
- Integration risk assessment and recommendations
- 100-day post-acquisition action plan
- Management presentation with Q&A support
How We Measure Success
- No material technology surprises post-close
- Accurate technical debt and cost projections
- Findings that influence deal terms or pricing
- Integration plan that accelerates value realisation
- Stakeholder confidence in technology assessment
- Repeat engagement on future transactions
Further reading on DORA Consultancy
Where our positioning intersects with regulatory analysis, we publish under our sister brand.
The Critical 19: CCTP List Analysis
What the designated critical providers list actually tells us about concentration, substitutability and the sovereignty profile of the EU financial-sector ICT supply.
Read on DORA Consultancy
Asset Management under DORA
The ICT asset register as a working artefact, including the cryptographic-inventory layer that becomes material in any modern due diligence.
Read on DORA Consultancy
IT Suppliers' Legal Obligations under DORA
Relevant for any target that sells to European financial-sector clients. DORA may not apply to the target directly, but its clients' auditors will hold them accountable.
Read on DORA Consultancy