Skip to content
Technical assessment

Technical Due Diligence: What Really Gets Checked Before You Invest In (or Buy) a Startup

Before you put money into a startup or acquire a software product, technical due diligence tells you whether you're buying an asset or a liability. Here's what gets checked, the red flags that matter, and how it's run.

9 min read

Technical due diligence is the independent assessment of a company's software, team, and technical risks, done before investing or acquiring, to understand whether behind the sales narrative there's a solid asset or hidden debt. In a round or an acquisition, the pitch tells the vision; technical due diligence checks whether the product that backs it actually exists, holds the load, and is yours after closing. It's the difference between buying an engine and buying a photo of the engine.

What it is (and why it's not just any audit)

The technique is the same as a code audit, but the context and the stakes change. A technical audit is commissioned by the owner to understand and improve their own software. Due diligence is commissioned by whoever is about to put money in: an investor or an acquirer who has to assess someone else's asset before a transaction. The output changes: not an internal roadmap, but a judgment useful to decide whether to close the deal, at what price, and on what terms.

What a technical due diligence checks

You don't read every line of code: you look for the risks that move the value. In practice, five areas.

Code and architecture

Quality, order, and readability of the code, presence of tests, architectural choices consistent with what the product will need to become. Perfection isn't required: what you need is to understand how much it will cost to maintain and grow, and how much technical debt comes along with it.

Team and bus factor

Who wrote the software, and what happens if that person leaves. If a single person knows how everything works — the dreaded bus factor of one — you're buying a risk, not just a product. You also look at how much the team depends on irreplaceable external consultants.

Security and compliance

Handling of personal data (and GDPR compliance), secrets and passwords in the repository, known vulnerabilities in dependencies, access control. A hole here isn't a technical detail: it's a potential liability you inherit at closing.

Intellectual property and licenses

The question that's worth the deal: does the code really belong to the company?Contracts with employees and freelancers that assign ownership, open source licenses compatible with commercial use, no component that forces you to make your code public. If the IP isn't clean, you're buying far less than you think.

Infrastructure, scalability, and cost

How it runs in production, what it costs today, and what it will cost at 10x the users. An architecture that holds 1,000 users but blows up at 50,000 changes the plan — and the price. Here you take apart the almost-always-optimistic assumption that it "scales without problems".

The red flags that break (or reprice) a deal

Some problems get fixed after closing. Others change the valuation or make you walk away from the table. These are the ones I weight:

  • Bus factor of one. A single person knows the entire system, with no documentation and no redundancy.
  • Unclear intellectual property. Code written by freelancers with no signed assignment, or licenses incompatible with commercial use.
  • Zero tests and no separate environment. Every change is a gamble in production: future maintenance cost is high and unpredictable.
  • Secrets in plain text and neglected security. Keys and passwords in the repository, sensitive data unprotected: liabilities waiting to surface.
  • Metrics that don't hold up to the raw data. When the pitch numbers don't add up once you look at the source, the problem is no longer just technical.

How it's run, in practice

It's not a surprise inspection: it's a collaborative, confidential process, usually a few days for an early-stage startup and one to two weeks for a mature product. Broadly:

  • Read-only access to the repository, documentation, and environments, under NDA.
  • Analysis of the code and architecture, with automated tools and targeted reading of the parts that matter.
  • Interviews with the technical team, where the risks the code alone doesn't reveal often surface.
  • A written report with a clear judgment, risks ranked by severity, and the impact on the deal — readable even by non-technical people.

Who commissions it and when

Usually whoever puts up the money: business angels, venture capital or private equity funds, or a company acquiring another. But increasingly the selling foundercommissions it too, to arrive at the table with a clear picture already in hand and negotiate from a position of strength instead of enduring the other side's discoveries. The right moment is before the final term sheet: due diligence exists to confirm or correct its terms, not to decorate a deal that's already closed.

In short

Technical due diligence turns "it looks like a good product" into an informed decision. It tells you whether you're buying an asset or a liability, where the risks are, and what they're worth in terms of price and terms. On a six- or seven-figure deal, it's the spend with the best return.

Frequently asked questions

What is technical due diligence?

It's the independent assessment of a company's software, team, and technical risks, done before investing or acquiring, to understand whether behind the narrative there's a solid asset or hidden debt. It exists to decide whether to close the deal, at what price, and on what terms.

How long does technical due diligence take?

For an early-stage startup a few days usually suffice; for a mature product or a larger acquisition it runs one to two weeks. It depends on the size of the codebase, the number of people to interview, and how tidy the documentation is.

What's the difference between technical due diligence and a technical audit?

The technique is the same, the context and who commissions it change. A technical audit is requested by the owner to understand and improve their own software. Due diligence is requested by whoever is about to invest or buy, to assess someone else's asset before a transaction: the output is built for a deal decision, not an internal roadmap.

What are the most serious red flags in technical due diligence?

A single developer who knows how everything works (a bus factor of one), unclear intellectual property or code with incompatible licenses, no tests and no separate environments, secrets in plain text in the repository, and product metrics that don't hold up against the raw data. Each can change the price or break the deal.

Who commissions technical due diligence?

Usually whoever puts up the money: business angels, venture capital and private equity funds, or a company acquiring another. Sometimes the selling founder commissions it too, to arrive at the table with a clear picture already in hand and negotiate from a stronger position.

Weighing an investment or an acquisition and need someone to look under the hood before you sign? I run independent technical assessments, and if after closing you need a technical lead to grow the product I also work as a Fractional CTO. First call free, reply within 24 hours.

Keep reading

Want a diagnosis of your case?

30 free minutes to figure out what you need. Guaranteed reply within 24 hours.