M&A Technology Due Diligence

Technology-focused due diligence, AI asset valuation, and post-merger integration strategy for tech acquisitions.

What I've Learned from Many M&A Projects

Over the past several years I've been involved in many mergers and acquisitions. Some were small product acquisitions, others were major platform consolidations worth tens of millions. Each one taught me something different about how technology assets are valued, what buyers really care about, and where deals fall apart.

When Ideagen was acquired by Hg Capital in a transaction valued at over £1 billion, I saw firsthand what private equity firms look for in a technology business. It's not just about revenue multiples or user growth - it's about whether the product can scale, whether the architecture supports future expansion, and whether there are hidden risks that could derail the investment thesis.

The Three Pillars of Tech Due Diligence

Technology Assessment

Evaluating code quality, architecture patterns, technical debt, and scalability. Is the platform built to grow or will it need a costly rewrite?

Application Security DD

Assessing security controls, vulnerability management, secure development practices, and compliance frameworks. Finding risks before they become deal-breakers.

Cyber Due Diligence

Reviewing infrastructure security, incident response capabilities, data protection, and cyber risk exposure. Understanding what you're inheriting.

How I Categorize Acquisition Targets

After evaluating dozens of products, we developed a framework that corporate acquirers use to understand what they're buying. Every product falls into one of three categories:

Ready to Scale

Modern architecture, well-documented codebase, strong security controls, automated deployment, solid engineering culture. These products can integrate quickly and scale without major investment.

Requires Remediation

Good product-market fit but technical debt, security gaps, or architectural limitations. Viable with 6-12 months of focused engineering work. Buyers need to budget for improvements.

Legacy Risk

Outdated technology stack, significant security vulnerabilities, poor documentation, architectural constraints. Often better to rebuild than remediate. Changes valuation expectations significantly.

What Buyers Really Want to Know

Corporate acquirers ask these questions to understand the investment they are considering:

  • Can this product scale to 10x the current user base without a complete rewrite?
  • Are there security or compliance risks that could delay integration or impact customers?
  • What's the real technical debt, and how much will it cost to address?
  • Is the engineering team capable of delivering on the product roadmap post-acquisition?
  • What dependencies, licenses, or contractual obligations come with the technology?

My role is to provide clear, actionable answers to these questions. Not vague assessments, but specific findings with remediation costs, timelines, and risk ratings. Investors and boards need clarity to make confident decisions.

Application Security Due Diligence

Security due diligence has become critical in M&A. Data breaches, compliance failures, and security incidents can destroy deal value overnight. I assess security across the entire development lifecycle:

  • Secure development practices: code reviews, static analysis, dependency scanning
  • Authentication and authorization controls, data encryption, API security
  • Vulnerability management programs and penetration testing history
  • Compliance frameworks: SOC 2, ISO 27001, GDPR, HIPAA readiness

Cyber Due Diligence

Beyond application security, cyber due diligence examines the broader threat landscape. It evaluates infrastructure security, incident response capabilities, and the organization's overall cyber risk posture:

  • Infrastructure security: cloud configuration, network segmentation, access controls
  • Incident response plans, security monitoring, and breach history
  • Third-party risk management and vendor security assessments
  • Data protection controls, backup strategies, and disaster recovery capabilities

The goal is to identify material cyber risks before they become post-acquisition surprises. Buyers need to understand what they're inheriting and what investments will be required to bring security up to their standards.
