Scrolls
17 min read
On this page

Technical Due Diligence

Technical Due Diligence

Why This Skill Matters

At some point in your CTO career, someone is going to put a company in front of you and ask: "Should we buy this? Is the technology worth what they're asking?"

Your answer will inform a decision worth millions -- sometimes billions -- of dollars. Get it right, and you've helped your company acquire a strategic asset. Get it wrong, and you've either wasted a fortune on technology that doesn't work or passed on an acquisition that a competitor snaps up.

Technical due diligence is one of the highest-leverage activities a CTO performs. A thorough evaluation can save your company from a disastrous acquisition or give you the confidence to move quickly on a great one.

This isn't something most engineers learn organically. It's a specific skill set, and I'm going to walk you through it.

M&A Due Diligence: Evaluating Acquisition Targets

When your company considers acquiring another company, the business team evaluates revenue, customers, market position, and financial health. Your job as CTO is to evaluate the technology.

What you're really evaluating:

You're answering three fundamental questions:

  1. Does the technology work? Not "does it demo well" -- does it actually work at the scale and reliability the business needs?

  2. Can we integrate it? Can this technology be merged with our existing systems, or will it live as a permanent island?

  3. Is the team capable? Technology without the team that built it is often worthless. Can this team continue to develop and maintain the technology after acquisition?

The evaluation process:

Phase 1: External assessment (1-2 weeks)

Before you get access to the target's code and systems, evaluate what you can from the outside:

  • Public APIs and their documentation quality
  • Published architecture or technical blog posts
  • Open source contributions
  • Technology job postings (these reveal their stack and pain points)
  • Glassdoor and similar reviews from engineering team members
  • Product performance from a user perspective
  • Security posture (SSL configuration, headers, public vulnerabilities)

This gives you a preliminary picture and helps you know what to focus on when you get inside access.

Phase 2: Deep dive (2-4 weeks)

Once you have access, here's what to evaluate:

Code quality: Not just whether the code is "clean" -- whether it's maintainable, well-tested, and well-documented. Look at:

  • Test coverage (not just the percentage, but the quality of tests)
  • Code review practices (are PRs substantive or rubber-stamped?)
  • Coding standards and consistency
  • Documentation (especially for complex systems)
  • Dependency management (are dependencies current or dangerously outdated?)

Architecture: How the system is designed and whether that design will serve the business going forward. Look at:

  • System topology (how services connect)
  • Data architecture (how data flows and where it's stored)
  • Scalability characteristics (where are the bottlenecks?)
  • Deployment architecture (how code gets to production)
  • Disaster recovery (what happens when things fail?)

Technical debt: Every company has it. The question is how much and how strategically it was incurred. Look at:

  • Known issues and their severity
  • Areas of the codebase that people avoid changing
  • Workarounds and hacks that have become permanent
  • Deprecated systems that are still running
  • Manual processes that should be automated

Security: This is non-negotiable. A security problem in an acquisition target becomes your security problem the moment the deal closes. Look at:

  • Authentication and authorization implementation
  • Data encryption (at rest and in transit)
  • Vulnerability management process
  • Security incident history
  • Compliance with relevant standards (SOC 2, HIPAA, PCI, GDPR)
  • Secret management practices

Infrastructure: How the systems are hosted and operated. Look at:

  • Cloud provider and service usage
  • Infrastructure as code maturity
  • Monitoring and alerting coverage
  • Incident response process and history
  • Cost efficiency (are they spending wisely?)
  • Capacity planning practices

Team assessment: The people behind the technology. Look at:

  • Team size and composition
  • Key person dependencies (who's irreplaceable?)
  • Tenure and turnover rates
  • Hiring pipeline and quality
  • Engineering culture and practices
  • Technical leadership strength

Investment Evaluation

Sometimes you're not acquiring a company -- you're evaluating a technology investment. Maybe it's a vendor you're considering for a critical system, or a startup you're thinking about partnering with or investing in.

The principles are similar, but the focus shifts:

For vendor evaluation:

  • Product maturity. Is this production-ready or still experimental?
  • Scale evidence. Do they have customers operating at the scale you need?
  • Financial stability. Will this company exist in three years?
  • Integration capability. How well does it integrate with your stack?
  • Support quality. When things break at 2 AM, who picks up the phone?
  • Roadmap alignment. Is their product direction compatible with where you're heading?
  • Exit strategy. If you need to switch away, how painful is it?

For startup investment:

  • Technical differentiation. Is the technology genuinely novel, or is it a thin wrapper around commodity technology?
  • Defensibility. Can competitors replicate this technology? How long would it take?
  • Scalability. Can the technology scale to the level the business plan assumes?
  • Team capability. Can this team actually build what they're promising?
  • Technical risk. What are the hard unsolved problems, and how confident are you they'll be solved?

Informing Million-Dollar Decisions

Your due diligence findings directly affect the deal. Here's how:

Impact on valuation:

Technical findings should adjust the price. If you find significant technical debt, that's a cost the acquirer will bear -- it should reduce the price. If you find a technology asset that's stronger than expected, it might justify a higher price.

Example: A target company claimed their platform could handle 10x current load. Due diligence revealed it would actually start failing at 3x. The cost to fix this was estimated at 2millionandsixmonthsofengineeringtime.Thisfindingreducedtheacquisitionpriceby2 million and six months of engineering time. This finding reduced the acquisition price by 4 million (the $2M fix cost plus risk premium).

Impact on deal structure:

Technical findings can change how a deal is structured. If key engineers are critical to the technology, the deal might include retention bonuses or earnout provisions tied to technology milestones.

Impact on integration planning:

Your findings determine the integration timeline and cost. A clean, modern codebase might integrate in three months. A tangled legacy system might take two years. This affects when the acquirer starts seeing return on their investment.

Kill criteria:

Sometimes due diligence should kill a deal. Be prepared to make this recommendation, even when everyone else is excited about the acquisition.

Deals I've recommended killing:

  • A company whose core algorithm was covered by a patent they didn't own
  • A company with a massive security vulnerability they'd been ignoring
  • A company where the entire system was in one person's head and that person had already given notice
  • A company whose technology worked but was built on a platform being discontinued by its vendor

Making the "don't buy" recommendation is hard, especially when the CEO and board are enthusiastic. But it's one of the most valuable things a CTO can do.

What to Look For: A Detailed Breakdown

Architecture assessment:

Questions to ask:

  • Can you draw the system architecture on a whiteboard? (If they can't, that's a red flag.)
  • How do services communicate? Is it consistent?
  • Where are the single points of failure?
  • How is data partitioned and replicated?
  • What's the deployment architecture?
  • How is the system secured at the network level?
  • What's the disaster recovery plan? Has it been tested?

What you're looking for:

  • Clear, understandable architecture (complexity should be proportional to the problem being solved)
  • Appropriate use of proven patterns
  • Evidence of intentional design rather than accidental evolution
  • Reasonable separation of concerns
  • Adequate redundancy and fault tolerance

Technical debt assessment:

Questions to ask:

  • What would you rewrite if you had six months and no feature pressure?
  • What parts of the codebase do engineers avoid?
  • What's your deployment frequency? Has it changed over time? (Decreasing deployment frequency often signals growing technical debt)
  • How long does it take a new engineer to make their first meaningful contribution?
  • What's your incident frequency? Is it increasing?

What you're looking for:

  • Technical debt that was incurred strategically (conscious trade-offs) versus accidentally (poor practices)
  • Debt that's well-documented and tracked versus debt that's been forgotten or ignored
  • Debt in non-critical areas (manageable) versus debt in core systems (dangerous)
  • A realistic plan for addressing the most critical debt

Team capability assessment:

Questions to ask:

  • Who are the key technical leaders? What's their tenure?
  • How many engineers have been there more than two years?
  • What's the voluntary turnover rate? (Above 20% is a warning sign)
  • How do you handle technical disagreements?
  • What's your hiring bar? Walk me through your interview process.
  • What does your engineering career ladder look like?

What you're looking for:

  • Stable leadership team that will stay through the acquisition
  • Healthy culture (people disagree openly and resolve conflicts well)
  • Good engineering practices (code review, testing, documentation)
  • Appropriate mix of senior and junior talent
  • Evidence of growth and learning

Scalability assessment:

Questions to ask:

  • What's your current load? What's your peak?
  • What happens at 2x, 5x, 10x current load?
  • Where will the system break first under load?
  • How do you load test?
  • What's your biggest scalability concern right now?

What you're looking for:

  • Honest assessment of current limits
  • Evidence of load testing and capacity planning
  • A plan for scaling beyond current limits
  • Architecture that supports horizontal scaling
  • No fundamental design choices that prevent scaling

Red Flags

Over the years, I've compiled a list of red flags that should make you proceed with extreme caution:

Immediate red flags:

  • No version control history available. Either they're hiding something or they have terrible practices. Either way, bad.

  • No automated tests. If there are zero tests, the system is held together by hope and tribal knowledge.

  • Single developer dependency. One person built the system, only one person understands it, and that person might not stay after acquisition.

  • No monitoring or alerting. They don't know when things break until customers tell them.

  • Hardcoded secrets in source code. This signals both a security problem and a cultural problem around engineering practices.

  • No disaster recovery plan. If they can't recover from a data center failure, one bad day can destroy the value of the acquisition.

Serious concerns:

  • Outdated dependencies. Major framework or library versions that are more than two years behind current. This means security vulnerabilities and increasingly painful upgrades.

  • Manual deployment process. If getting code to production requires human intervention, you'll have reliability and speed problems.

  • No documentation. All knowledge is in people's heads. This creates key-person risk and makes integration much harder.

  • Declining velocity. If the team is shipping features more slowly over time, architectural problems are likely accumulating.

  • High incident frequency. If the system has frequent outages, there are likely fundamental reliability issues.

  • Compliance gaps. Missing SOC 2, incomplete GDPR compliance, or other regulatory gaps that will need to be fixed post-acquisition.

Context-dependent concerns:

  • Monolithic architecture. Not always bad, but may limit your ability to scale the team and the system independently.

  • Proprietary technology. Custom-built infrastructure that does what commodity tools could do. This is expensive to maintain and hard to staff.

  • Technology choices that conflict with your stack. Not a dealbreaker, but increases integration cost significantly.

Due Diligence Report Structure

When you complete your evaluation, you need to present findings in a way that non-technical decision-makers can understand and act on. Here's a structure that works:

Executive Summary (1 page)

  • Overall assessment: Green (proceed), Yellow (proceed with conditions), or Red (significant concerns)
  • Top three strengths
  • Top three risks
  • Estimated integration cost and timeline
  • Recommendation

Technology Assessment (3-5 pages)

  • Architecture overview and assessment
  • Code quality assessment
  • Technical debt assessment
  • Security assessment
  • Scalability assessment
  • Infrastructure assessment

For each area, use a consistent format:

  • Current state (what we found)
  • Risk level (Low / Medium / High / Critical)
  • Impact on deal (how this affects valuation, timeline, or integration)
  • Remediation plan (what needs to happen post-acquisition)

Team Assessment (1-2 pages)

  • Team composition and capability
  • Key person dependencies
  • Retention risks
  • Cultural compatibility
  • Recommended retention strategy

Integration Plan (2-3 pages)

  • Phase 1: Stabilization (first 90 days)
  • Phase 2: Integration (months 3-12)
  • Phase 3: Optimization (months 12-24)
  • Key milestones and decision points
  • Resource requirements
  • Risk mitigation strategies

Financial Impact (1 page)

  • Estimated integration cost
  • Estimated ongoing operational cost
  • Expected savings or revenue impact
  • Recommended price adjustments based on findings

Appendix

  • Detailed technical findings
  • Architecture diagrams
  • Data flow diagrams
  • Risk register

Real-World Examples

Example 1: The acquisition that looked great on paper

A company was considering acquiring a competitor for $50 million. The product was well-regarded, the customer list was impressive, and the revenue was growing. The technology due diligence told a different story.

The entire system ran on a single, massive server. There was no horizontal scaling capability. The database had no replication. A single hardware failure would take down the entire product. The cost to re-architect for proper scalability was estimated at $8-12 million and two years of work.

The CTO's recommendation: proceed at a reduced price ($38 million) with the re-architecture cost factored in, and structure the deal so the founding engineers stayed for at least two years to support the transition. The company followed this advice and completed a successful integration.

Example 2: The startup with great technology and no team

A CTO was evaluating a startup acquisition. The technology was genuinely innovative -- a novel approach to real-time data processing that would have taken two years to build internally. However, the team was three people, and two of them were founders who planned to leave after the deal closed.

The technology was documented only in the remaining engineer's head. No architecture docs, minimal code comments, and no operational runbooks. The CTO recommended against the acquisition unless both founders committed to an 18-month transition period. One founder agreed, the other didn't. The deal was restructured as a technology license rather than an acquisition, saving the company $20 million.

Example 3: The hidden security nightmare

During due diligence on a healthcare technology company, the CTO discovered that patient data was being stored unencrypted in a database with default credentials. The company had no HIPAA compliance program despite handling protected health information. The regulatory exposure alone could have exceeded the acquisition price.

The CTO recommended killing the deal. The board initially pushed back -- the revenue was attractive. But when the CTO laid out the regulatory risk in dollars (potential fines, lawsuits, remediation costs), they agreed. Six months later, the target company disclosed a data breach. The CTO's due diligence had saved their company from inheriting a catastrophe.

Common Mistakes

Mistake 1: Rushing the evaluation

Business timelines often pressure CTOs to complete due diligence too quickly. Push back. A rushed evaluation that misses critical issues is worse than no evaluation at all. Two to four weeks of deep evaluation can prevent years of pain.

Mistake 2: Focusing on code quality over architecture

Clean code in a bad architecture is still a bad system. Architecture is harder and more expensive to fix than code quality. Focus your evaluation there first.

Mistake 3: Ignoring the team

Technology without the team that built it loses most of its value. If the key engineers won't stay, the technology may be worth significantly less than it appears.

Mistake 4: Optimistic integration estimates

Integration always takes longer and costs more than you think. Whatever your estimate is, add 50%. Seriously. I've never seen an integration come in under estimate. Not once.

Mistake 5: Letting excitement override assessment

When the CEO is excited about an acquisition, it's hard to be the person who raises concerns. But that's exactly your job. Be thorough, be honest, and present your findings clearly. If the business decides to proceed despite your concerns, that's their prerogative -- but they should make that decision with full information.

Mistake 6: Binary thinking

Not every finding is a dealbreaker. The goal isn't to find the perfect acquisition target (it doesn't exist). The goal is to understand the technology thoroughly so the business can make an informed decision about price, timeline, and risk.

Mistake 7: Not documenting findings

Your due diligence findings become the foundation for the integration plan. If they're not well-documented, the integration team starts from scratch. Write it all down.

Business Value

Technical due diligence creates direct, measurable business value:

  • Price accuracy. Your findings help ensure the company pays the right price for an acquisition. Overpaying by even 10% on a 50milliondealis50 million deal is 5 million. Your due diligence easily saves that much by identifying hidden costs.

  • Risk reduction. Identifying security vulnerabilities, compliance gaps, and scalability limits before the deal closes prevents post-acquisition surprises that can cost millions to fix.

  • Integration speed. Thorough due diligence enables faster, cheaper integration. You know what you're working with before day one. Companies that skip due diligence often spend twice as long and three times as much on integration.

  • Deal validation. Sometimes the most valuable outcome is killing a bad deal. The acquisition you don't make can save your company from years of integration pain and opportunity cost.

  • Retention planning. Understanding the team and their capabilities helps you retain the right people. Losing key engineers post-acquisition is one of the most common and costly mistakes in M&A.

  • Strategic confidence. When the board knows that technology decisions are backed by rigorous due diligence, they have more confidence in the CTO and are more willing to support future strategic technology investments.

Your due diligence capability is one of the most directly valuable skills you bring to the executive team. Invest in building it.

Common Pitfalls

  • Rushing the evaluation under business pressure. A two-week evaluation that misses critical issues costs far more than the extra weeks needed to be thorough. Push back on timelines that compromise rigor.

  • Focusing on code quality instead of architecture. Clean code in a fundamentally flawed architecture is still a bad system. Architecture is harder and more expensive to fix, so it deserves priority attention.

  • Ignoring the team assessment. Technology without the people who built and understand it loses most of its value. If key engineers will not stay post-acquisition, the technology may be worth far less than it appears.

  • Producing optimistic integration estimates. Integration always takes longer and costs more than expected. Systematically add buffer to every estimate, because under-estimating creates budget overruns and timeline delays that erode executive trust.

  • Letting deal excitement override honest assessment. When the CEO and board are enthusiastic about an acquisition, it takes courage to raise concerns. But presenting an honest, thorough evaluation is one of the most valuable things a CTO can do.

  • Using binary pass/fail thinking. The goal is not to find a perfect acquisition target. It is to understand the technology thoroughly so the business can make an informed decision about price, timeline, and risk.

Key Takeaways

  • Technical due diligence is one of the highest-leverage activities a CTO performs, directly informing decisions worth millions or billions of dollars.

  • The three fundamental questions to answer are: does the technology actually work at the required scale, can it be integrated with existing systems, and is the team capable of maintaining and evolving it.

  • Evaluate architecture, code quality, technical debt, security, infrastructure, and team capability as distinct but interconnected dimensions.

  • Red flags like no version control history, no automated tests, single-developer dependencies, and hardcoded secrets should be treated as serious concerns that may alter or kill a deal.

  • Findings should directly impact valuation, deal structure, and integration planning. Technical debt and remediation costs should reduce the price.

  • The due diligence report should be structured for non-technical decision-makers: executive summary with a green/yellow/red assessment, followed by detailed sections on technology, team, integration plan, and financial impact.

  • Sometimes the most valuable outcome of due diligence is recommending against an acquisition. The deal you do not make can save years of integration pain.