Acquisitions are decided on financials, legal exposure, and strategic fit. Cyber risk rarely makes the checklist — and that omission has cost acquirers dearly. When you buy a company, you don't just buy its products and its people. You inherit its entire security posture: its architecture and its technical debt, its exposed credentials, and any breach it hasn't yet discovered or disclosed. Traditional financial and legal due diligence almost never surfaces that risk. A focused security assessment does.
What you're actually buying
Every acquisition target has an attack surface, and most have never had it independently tested. That surface becomes yours at close. So do the consequences of anything already wrong with it: an unpatched internet-facing server, a leaked API key sitting in a public repository, a customer database with no access controls, or an intrusion that started months before the deal and simply hasn't been detected. You will own the remediation cost, the regulatory exposure, and the reputational fallout — whether or not anyone flagged it during diligence.
Cyber risk is deal risk
This isn't hypothetical. In one widely reported acquisition, the discovery of undisclosed data breaches reduced the final purchase price by roughly $350 million. That is the kind of number that changes a negotiation. The lesson is simple: security issues found before the papers are signed are a line item in the deal; the same issues found after are your problem, at full cost. Technical due diligence turns unknown cyber risk into a clear, quantified picture your deal team can actually act on.
What technical security due diligence covers
Every engagement is scoped to the deal, but a typical assessment on behalf of the acquirer covers:
- External attack surface. Everything an attacker can reach without inside access — exposed services, forgotten infrastructure, and misconfigurations across the target's internet-facing footprint.
- Applications and APIs. The web applications, APIs, and mobile apps that carry the target's revenue and its customers' data.
- Cloud and infrastructure. Configuration of the cloud accounts and infrastructure the business runs on, including identity, access, and the exposure of sensitive data stores.
- Internal network. Where access is granted, how far an attacker who gains a foothold could move — lateral movement, privilege escalation, and domain compromise.
- Secrets and credential exposure. Leaked keys, tokens, and credentials in code, repositories, and public sources that could hand an attacker the keys directly.
- Security program maturity. Practical signals of how the target actually operates — patching cadence, MFA coverage, logging, and incident-response readiness.
Red flags that change a deal
Some findings are worth pausing a transaction over: evidence of prior or ongoing compromise, exposed secrets and credentials, unpatched critical vulnerabilities on internet-facing systems, and the absence of basic controls like MFA and logging. Any one of these can materially affect valuation, deal terms, or the decision to proceed at all. Better to know before you sign than to explain it to your board afterward.
Working quietly, on a deal timeline
Security due diligence has to fit the way deals actually run: fast, confidential, and often before anything is public. Early, non-intrusive external reconnaissance can frequently begin with little or no involvement from the target — useful before a letter of intent is signed. Once data-room or environment access is available, testing goes deeper. Every engagement runs under a strict NDA and follows the same four-phase methodology we apply across all of our work. The deliverable is written for two audiences at once: a concise, risk-rated summary for the deal team, and the full technical detail your engineers need to act on.
Diligence doesn't end at close
The signature is the beginning, not the end. After the deal closes, integration teams need to re-test the acquired environment, confirm that pre-close findings have actually been remediated, and fold the new systems into a single, consistent security standard. Acquisitions are one of the most common ways insecure systems enter an otherwise well-run organization — closing that gap is part of protecting the investment you just made.
Make cyber part of the checklist
If your organization is acquiring, cyber risk deserves a seat at the diligence table next to financial and legal review. Rarefied provides pre-acquisition security due diligence that turns unknown risk into a deal-ready picture — quietly, quickly, and under full NDA. Get in touch before your next deal closes.
