How to Run a Technical Due Diligence?
- Sergio Visinoni from Sudo Make Me a CTO <makemeacto@substack.com>
- Hidden Recipient <hidden@emailshot.io>
How to Run a Technical Due Diligence?You have been asked to run or participate in a due diligence process, and you have no idea how to get started. Hopefully after reading today's article you'll gain more clarity and confidenceChances are that in your position as tech leader, you’ve performed technical due diligence on another company. Or maybe you’ve been on the receiving end, having to answer enquiries from consultants or fellow tech leaders. Lastly, you might be among those who have never taken part in such a process ever, and you might even wonder what the hell technical due diligence is. If you’ve always been afraid to ask for fear of looking dumb, you have two options. Linger in your secret ignorance, hoping nobody will find out, or keep reading¹. What is Technical Due Diligence?Wait, we’re always told we need to start from the business. So, let’s discard the technical bit for a moment, and let’s focus on the overall concept. What’s due diligence? Here is how the Merriam-Webster dictionary² defines it in the business context:
In layman's terms, that describes the process you go through to make sure you’re not going to make a shitty deal.
Similar to what you do when you check price-comparison sites⁴ or when you examine reviews on Amazon before buying a €20 item from an unknown vendor. Or when you read the fine print before signing up for an insurance contract. Except that in this case the stakes are slightly higher, and you usually would not find the answer to your questions by browsing public websites. When you’re running a Due Diligence (DD), it generally means someone has a serious intention of acquiring another company through an M&A⁵ type of operation. Such deals typically involve amounts ranging from hundreds of millions to billions of euros⁶, and their outcomes can have significant consequences. Every “deal” typically attracts multiple bidders competing for the opportunity to snatch a great bargain. More importantly, even though everyone in the industry knows exactly what is going on, who is talking to whom, which offer is most likely to be accepted, who is really going to benefit from it, etc., the whole process has to run behind a facade of confidentiality and secrecy. The main reason is that leaks could be cause for serious market manipulation. I’ve heard that’s illegal, and you don’t want to find yourself at the receiving end of a lawsuit for breach of confidentiality. Oh, and this is not legal advice⁷. Despite the official reasons for maintaining confidentiality, I suspect that some software vendors have a vested interest in perpetuating the illusion, particularly those who sell digital solutions that sound much more exciting and prestigious than they actually are. A prime example of this is the data room⁸! The Data Room
That’s one of the most frequent questions you hear when you start a due diligence process. You typically get bonus points for being the one asking it, as it signals your familiarity with the lingo and projects you as a veteran in the process. Technically, it should be called VDR, or Virtual Data Room, but we most commonly refer to it as Data Room. When I first heard the term, my imagination went wild. I was picturing a room inside a central-bank-style vault, bright light illuminating lines of racks of humming servers. Blue and green LEDs pulsing rhythmically at the pace of data being read and written on the storage. At a desk, a white-coat technician vaguely resembling Alan Turing would hand you a menu from which to order your favourite piece of data, or you could just go for the data du jour. Needless to say, like all nerdy phantasies, this one too turned out to be very inaccurate. In reality the Data Room is an (expensive) web application that does the following:
In essence, it's a file-sharing system with bolt-on extra security. There are obviously a lot of compliance-related reasons to do so. These reasons include keeping track of the data exchanged between the two (or more) companies and identifying who had access to a specific document in case of a leak. It’s a pretty simple job to do, but VDR vendors seem to find a particular satisfaction in offering those capabilities with a UX that’s a hybrid between Microsoft Access and Craigslist. If that doesn’t sound too terrible, please note that the way data is organised seems to have been invented by someone in love with SNMP OIDs⁹. I suspect that someone is sitting in a room twisting their moustache, secretly enjoying making life even more miserable for folks already burdened with the need to go through an arguably tedious process. I guess the VDR space can be qualified as a market ripe for disruption. But I digress. In essence, the data room is where you publish or retrieve all the information that has been requested as part of the due diligence process. The data room is generally open for a set amount of time, and one or more consultancy firms are involved with governing who has access to what, what can be asked, and how many questions you’re allowed to ask. More importantly, they’re there to ensure you only use the VDR to communicate. No emails, phones, or pigeons. Every live meeting between the parties has them present, sitting in silence, observing, and ensuring the respect of boundaries. A bit like traditional parents who sit in rooms while their children date potential partners. I always perceive a weird mix of voyeurism and oppression involved with both approaches. Now that you know all there is to know about the data room, let’s go back to the main topic of today’s article: running a tech due diligence. Enters the Technical Due DiligenceA full due diligence process tends to cover multiple dimensions and angles of the target company, including but not limited to its financial situation, commercial strategy, product metrics, organisational setup, and technical platforms or assets. By chance, duty, or punishment, you’ve been selected to run or participate to assess the technical dimension, what’s generally referred to as the tech due diligence. What do you do? You could wing it and ask a chatbot to give you the plan, collect all the data it suggests you do, violate all the restrictions by updating it to some AI-powered document processing repository, and have it generate a report. That’s not the approach I’d recommend, unless you really want to ensure you won't be asked to do it a second time¹⁰. The first thing you want to do at this stage is to understand the nature of the deal. Not all deals are born equal, and some are even born less equal than others. Broadly speaking, when it comes to M&As involving technology companies, you could group them in the following categories:
This is a broad categorisation, and no deal will fall perfectly within the boundaries of one specific category. However, every deal typically veers towards one or the other. What matters is that your analysis and investigation on the technical side will vary widely depending on the investment thesis. What you’ll be looking for when acqui-hiring will be very different from what you’ll be interested in if it’s a matter of acquiring a brand and clients. These principles might sound obvious, but it’s not uncommon to see people apply a blanket approach because that’s the one they’ve been taught to follow, without even doubting it might be the most relevant. What to look for in different casesAt this point you might be wondering if I have anything non-obvious to offer, and I hope that what follows will satisfy that. Let’s look again at the categories above and see what should be in scope and what can largely be ignored when conducting technical due diligence. We’ll look at the 4 defined cases, leaving the last “undefined” one out, as that would be the case where applying a by-the-book approach would be the most appropriate strategy. Acquiring Brands and ClientsIn these types of deals, it is crucial that your company's intention to absorb the client base and brand position will not be screwed by unforeseen surprises. Usually, limited technology plays a role in this process, but it can become an obstacle in the most complex scenarios. In Scope
Not So Relevant
Acquire a Company to Keep it Running IndependentlyThe most important thing to validate here is that the company can keep operating and growing on the current foundations for the foreseeable future. And if that’s not the case, flag all the major investments required to secure it. In Scope
Not So Relevant
Acquiring a Company for a Full IntegrationThe primary concern here is the cost and effort involved: how long will it take, and how challenging will it be, to fully integrate the target company's systems into our own platform, thereby achieving the best possible outcomes? It is not easy to answer precisely, given the level of detail available in a DD process, but you are still requested to provide an indication. In Scope
Not So Relevant I’m sorry to say that very little is out of scope here. Perhaps the primary colours used in the design system. Acqui-hiringI do not have direct experience with this type of operation. Therefore, my recommendations here are more speculative than experience-based. In Scope
Not So Relevant
Do you want to know more about the details?After defining the scope of the assessment, you must determine the necessary steps to execute it. Let me know in the comments section below if you'd like a follow-up article that explores the details of the execution. In the meantime, if you're someone that identified themself as a Woman In Tech, you might want to have a look at the promo below. WIT Promo for Q1 2026I’ve recently decided to resume offering quarterly promos for people who are willing to benefit from my services. I’m happy to announce that I’ve opened up the Q1 promo that will run until the end of March 2026. I’m making it easier for Women In Tech to level up their engineering leadership skills by offering an exclusive discount to the Sudo Make Me a CTO: 30% off for the first 12 months. You can find out all the details at the official promo page, or by clicking the button below. Feel free to share this opportunity with people you know, and do not hesitate to reach out if you’d like to learn more about it. You can always schedule a free 30-minute session to get all your questions addressed. Looking forward to seeing the community grow with more diversity. 1 The most enthusiastic among you might be screaming, ‘There’s a better way that’s so 2026: I can ask my favourite AI chatbot for an explanation.’ Yes, you can do that, indeed. That doesn’t mean you should. I will not recommend, suggest, support, or promote that approach. Do it at your own risk. 2 If you don’t know what a dictionary is, you might not be old enough to read what follows. Do it at your own risk. 3 The actual source. 4 Are price comparison sites still a thing in 2026, or is this just Gen X legacy? 5 M&A: Mergers and Acquisitions. I still remember the first time I asked a business person (my boss!) to explain the acronym to me the first time I had to deal with it. By sharing the definition, I hope I might spare you the shame of having to ask someone in your chain of command. 6 I’m deliberately avoiding using the other major currency, the one most commonly found in the offshore bank accounts of techno-fascists, broligharcs, and worldwide dictators, as a statement of intellectual liberation from the cultural dominance that currency, and what it represents, has been exerting on the rest of us for way too long. Besides, I live in Europe. 7 I, too, do not want to find myself at the receiving end of a lawsuit 8 Dramatic music playing 9 If you’re unfamiliar with the concept, you can have a look at a list of examples here. Not the first thing that comes to mind when you think human-friendly. 10 The most ruthless among you might even be attracted by the potential opportunities offered by a fraud conviction. You might end up meeting fine people of the Jeffrey Epstein calibre, and who knows what will happen next? This is obviously not financial, legal or ethical advice. 11 It’s in quotes because the deal was very unusual, even in 2025-gen-AI-madness terms. You're currently a free subscriber to Sudo Make Me a CTO. For the full experience, upgrade your subscription. |
Similar newsletters
There are other similar shared emails that you might be interested in:
