M&A Cyber and Tech Diligence: A 21-Day Field Guide for PE Operating Partners

Diligence that scopes to 'find things' produces a checklist. Diligence that scopes to 'quantify exposure' produces a memo your IC will actually act on, and a deal that survives year-one claw-backs.

Updated for 2026, The 21-day sequence still holds, but two exposure categories now sit at the top of every IC memo we write: agent infrastructure inherited at close, and the BAA chain hidden under a target's AI vendors. Pair this guide with The twelve agent-infrastructure pieces regulated buyers need and the vendor BAA chain procurement field guide for the 2026 versions of those questions. The diligence scoping mistake The PE deals that lose value to cyber-related claw-backs in year one are not the deals where diligence missed something. They are the deals where diligence was scoped to "find things" instead of "quantify exposure." We have read more than seventy cyber and tech diligence reports across mid-market PE in the last two years, buy-side, sell-side, and quality-of-earnings adjacencies. The reports look broadly similar. A maturity score against a framework. A list of findings. Some heat-mapped severities. A page or two on remediation. Most of them are well executed. Almost none of them are useful to the deal team in the way the deal team needs them to be useful. The mismatch is structural. The diligence vendor was scoped to assess controls. The operating partner is making a price decision. Those two questions overlap; they are not the same question. A control-gap report tells the operating partner that the target's identity posture is "below industry baseline." It does not tell the operating partner that the identity gap will cost between $400k and $1.1M to remediate in the first hundred days, that it carries a 12% probability of producing a notification-eligible incident in year one, and that the reps and warranties policy excludes pre-existing-knowledge events on a 30-day notice cure. The first answer goes into a binder. The second answer changes the offer. Scoping to "find things" is the default because it is what a Big Four advisory team is built to deliver. They have the playbook, the labor pyramid, and the QA pipeline to produce a defensible, framework-aligned findings report on a tight timeline. The deliverable is consistent across engagements. It is also priced and structured to satisfy the procurement workflow, not the deal workflow. When the IC asks "what does this finding mean for our model," the partner on the call answers in qualitative language, because the engagement was not scoped to produce a quantitative answer. Scoping to "quantify exposure" is a different engagement. It starts from the deal model, not the framework. It asks: what are the four or five categories of post-close cyber exposure that can produce a measurable hit to enterprise value, and for each one, what is the dollar range the operating partner should hold against the deal? The output is a memo that lives next to the QofE adjustments, not a separate appendix. The framework alignment is still there, we still walk every NIST CSF function, we still audit every SOC 2 trust service criterion the target claims, but the framework is the input to the quantification, not the output of the engagement. The reframe matters because the cost of getting it wrong is asymmetric. A control-gap report costs $40k–$120k and produces a list. An exposure quantification costs $50k–$150k and changes the price, the rep package, the escrow, or the integration plan. The marginal cost is small. The marginal value, when the diligence surfaces a real issue, is the difference between a clean year-one and a claw-back negotiation that drags into the exit. The rest of this guide is the version of cyber and tech diligence we run when the operating partner asks us to scope for quantification. We walk what most diligence misses, the four exposure categories that drive year-one claw-backs, the 21-day sequence with named artifacts at days 7, 14, and 21, the language that puts cyber on the IC memo, and the 100-day post-close scorecard that turns the diligence findings into integration gates. The intent is to make the playbook legible enough that an operating partner can run it themselves, evaluate the vendor running it, or know precisely what to ask for when they engage us. What cyber diligence misses 80% of the time Six things fall through the cracks of a standard Big Four cyber diligence engagement. We see them missed often enough that we now check each one explicitly on the first call with a deal team. The pattern is not that the diligence team is unqualified. It is that the engagement was scoped to a control framework, and these six items live in the seams between control families where no single line item flags them. 1. Identity sprawl across former employees, contractors, and shared accounts. The control framework asks whether the target has an access review process. It does not ask how many active accounts belong to people who left in the last twenty-four months. We routinely find 15–30% of the active identity population in mid-market targets is either offboarded-but-not-deprovisioned, contractor accounts that outlived the engagement, or shared service accounts with no individual accountability. Each of those identities is a foothold for an attacker and an integration cost on day one. The exposure shows up at close: the buyer inherits the population. 2. Untracked SaaS spend and shadow data flows. Procurement-tracked SaaS is what the diligence team enumerates. Shadow SaaS, credit-card-purchased tools, free-tier services with corporate data, individual-user subscriptions that the practice leader expensed, is what nobody enumerates. We have run discovery on targets where the procurement-tracked SaaS list had 38 vendors and the actual outbound data exfiltration map had 142 destinations. The remaining 104 are not necessarily a security problem. They are a known-unknowns problem. The integration team inherits the discovery work the diligence didn't do, and it adds three to six weeks to the post-close timeline. 3. IP-leak posture in collaboration tools. Every target uses Slack, Teams, Google Drive, Notion, or some equivalent. The diligence team verifies that the tool has an enterprise plan. It rarely audits what is actually in the tool. We have seen target collaboration environments containing clear-text customer credentials, source code with hard-coded secrets, customer lists in spreadsheets shared with external email addresses, and entire client engagement archives in personal Google Drive accounts that were never migrated to the corporate tenant. None of that lights up the framework score. All of it is a year-one liability for the buyer. 4. Third-party data sharing in the pre-close period. Between LOI and close, the target is legally distinct. Their existing vendor agreements, data-sharing contracts, and sub-processor relationships continue. The diligence engagement reviews the contracts as written. It rarely audits the data flows as operating. We have seen targets that were sharing customer-record extracts with a former parent company's marketing analytics team six months after the carve-out, under no current contract, with no current authorization, and with no logging on either side. The buyer inherits the exposure on close. If a regulator notices, the inheritance is the buyer's problem. 5. SBOM gaps and hidden open-source obligations. For any target with a software product, the software bill of materials is where the diligence theory meets the engineering reality. The control framework asks whether the target tracks dependencies. The exposure question is whether the target ships GPL-licensed code in a closed-source product, whether they ship dependencies with known unpatched CVEs, and whether the SBOM they hand the diligence team matches the SBOM their build pipeline actually produces. The three frequently disagree. The disagreement, on a software-product target, is a valuation conversation. 6. M&A-pause-period operational hygiene. When a target knows they are being sold, the change-management discipline degrades. Tickets close faster than they would in normal operations. Patches get deferred until "after the deal." Security incidents get triaged with a lighter hand because the leadership doesn't want a finding in the data room. We have seen the patch lag on a target's production fleet double in the ninety days before signing. None of that shows up in the control review. All of it shows up in the post-close incident curve. These six items are not exhaustive, there is a longer internal list we work from, but they are the six that account for the bulk of year-one surprises in the deals we have observed. Each of them is missed by control-framework diligence because each of them lives in the gap between what the framework asks and what the buyer actually inherits. The fix is not to throw the framework out. The fix is to scope an additional pass, typically a week of work, parallel to the framework review, that hunts specifically for these six categories. The four exposure categories that drive claw-backs When a PE-backed deal loses enterprise value to cyber-related issues in year one, the loss almost always traces to one of four exposure categories. We use these four as the spine of the diligence quantification memo. Each category gets a dollar range, a probability band, and a named owner. The IC sees the four numbers, not the forty-page appendix. Category A, Reps and warranties claims around breaches. Most R&W policies exclude pre-existing-knowledge events with a notice cure of 30–90 days post-bind. If a breach was in progress at signing, even an undetected one, and the target's leadership had any reasonable basis to know, the policy may decline. Even when the policy responds, the retention is typically $250k–$500k, and the loss adjustment can drag eighteen months. The exposure quantification asks: what is the probability that an undetected incident is in progress at the target right now, and what is the expected gross loss if it surfaces in year one? The honest answer for a mid-market target with framework gaps is rarely zero. Putting a number on it, even a wide range, is what changes the rep package. Category B, Regulatory exposure inherited at close. State privacy laws, sector-specific rules (HIPAA where the target touches healthcare data, FERPA where they touch student data, and the patchwork of state attorney general powers around consumer notification) each carry inherited exposure. The buyer becomes the controller of record on close. A finding from before the close is the buyer's finding to defend. The exposure quantification asks: which regulations apply to the target's data, what is the per-record statutory penalty range, and what is the realistic probability of an enforcement action triggering in the year after close? The dollar ranges here are large for healthcare-adjacent or consumer-data-heavy targets and small for B2B SaaS with no consumer touch. The point is to put a defensible band on the ledger, not to land on a single number. Category C, Integration cost overruns from undisclosed tech debt. This is the category most commonly underestimated by deal teams. The diligence report says the target has "legacy infrastructure." The integration plan budgets six months of platform work. The actual platform work, once the buyer's engineering team is in the codebase, runs twelve to eighteen months and 2–3x the budget. The exposure quantification puts a P50 and P90 on the integration cost based on a structured architecture review, not on the target's self-reported state. The delta between P50 and the deal-model assumption goes into the IC memo as a flagged adjustment. Category D, IP/data-handling exposure that hits valuation at next round. The least visible exposure, and the one that most often surfaces only at the exit diligence. If the target has open-source license obligations the buyer cannot defend, customer data shared with sub-processors the buyer cannot enumerate, or trade secrets the target's engineering culture treats as casually as engineering Slack messages, the next buyer's diligence will surface it. The valuation hit lands at exit, not at year one, but the work to remediate has to happen in years one and two, or the exit slips. The exposure quantification asks: what is the cost to put the target's IP and data posture into a state that survives the next diligence, and what is the multiple impact if it doesn't? The four categories together produce four ranges. We sum the P50s for the IC memo's headline "cyber-attributable hold-back" number, and we hand the deal team the full P10/P50/P90 for each category as supporting detail. When the deal closes, those four numbers become the gating posture for the 100-day integration. When the deal does not close, when the exposure quantification is large enough that the deal economics don't pencil, the operating partner walks away with a defensible rationale that is not "the cyber report had a lot of red." It is "the quantified cyber and tech exposure exceeded our model by $X and we declined to revise the offer." The 21-day diligence sequence The diligence engagement we run on a typical mid-market deal is twenty-one calendar days, with named artifacts at days 7, 14, and 21. The sequence is structured so that the deal team can use partial output if the timeline tightens, at day 7 there is enough to walk the LOI, at day 14 there is enough to draft rep language, at day 21 there is the full quantification memo. We publish the structure here because, like the rest of this guide, the value is in the sequence, not in our running it. Days 1–3: Kickoff, scope, and data-room walk. The first 72 hours are scoping. We walk the data room with the deal team's lead. We confirm the four exposure categories the deal team wants quantified, usually all four, sometimes a subset if the deal model has already retired one. We agree the artifact dates. We pull the target's existing security documentation, audit reports, penetration test history, vendor BAAs (where applicable to the vertical), and the technology architecture pack. We schedule the target-side interviews for days 4–9. Days 4–7: Target interviews and external posture review. Five to seven structured interviews with the target's CTO/CISO equivalent, head of engineering, head of IT, head of compliance, and DPO/general counsel. Each is 90 minutes, recorded with consent, and transcribed. Parallel to the interviews, our external posture review runs: passive reconnaissance, exposed-credential check against breach corpora, certificate transparency review, DNS and email-auth posture, and a perimeter scan against the target's known external footprint. Day 7 artifact: Initial Exposure Memo. Three pages. The four exposure categories with preliminary ranges, the top five identified gaps, and a list of open questions that need access to internal systems. The deal team can walk the LOI at day 7 if the indicative numbers are red enough. Days 8–10: Internal access and tooling review. Read-only access to the target's identity provider, MDM, EDR, CASB or DLP if present, and ticketing/SIEM if available. We pull the operational data, not the policy documents, to see what the environment actually looks like. The identity sprawl assessment, the SaaS shadow inventory, and the patch-lag review all happen here. This is the phase where the six commonly-missed items from section 2 get checked explicitly. Days 11–14: Architecture review and tech-debt quantification. A structured walk of the target's product architecture (for software-product targets) or operational architecture (for services targets). We review the SBOM, the deployment topology, the data-flow diagrams, the secrets-management posture, and the build pipeline. Where the target's diagrams disagree with the operating reality, we flag the disagreement and price it. Day 14 artifact: Mid-engagement Findings Pack. Ten to fifteen pages. The control-framework alignment table (NIST CSF or equivalent), the six-item supplemental review, the architecture review, and updated exposure ranges. This is the artifact that goes to outside counsel for rep-language drafting. Days 15–18: Quantification, peer benchmarking, and remediation pricing. We take the findings from days 4–14 and price each one. Remediation cost. Probability of incident in year one. Expected loss given incident. We benchmark against the comparable engagements in our archive, sanitized, anonymized, but real, and we calibrate the ranges. This is the phase where the work product moves from "list of gaps" to "memo of dollar exposures." Days 19–21: Memo drafting and IC walkthrough. The final memo is twelve to eighteen pages. Executive summary on page one with the four-category dollar ranges. Detailed quantification per category. Remediation plan with sequenced 100-day actions. Recommended rep language and escrow posture. Recommended integration gates. Day 21 artifact: Diligence Quantification Memo plus the 100-Day Cyber Integration Scorecard. We deliver both. The memo goes to the IC. The scorecard goes to the operating partner who will own the integration. The 21-day clock starts when the data room opens to us. If the target delays system access (which happens), the timeline slips proportionally, but the day-7 artifact almost always lands on time, because external posture and target interviews don't depend on internal access. When the deal team needs a fast read for a competitive process, we have run a compressed 10-day version of the sequence; the artifact at day 10 is closer to the day-14 pack than the day-21 memo, and we are explicit about the precision tradeoff. Quantifying cyber risk in deal language Cyber and tech diligence does not earn its place on the IC memo by being thorough. It earns its place by being legible to the rest of the memo. The QofE adjustments are dollars. The market sizing is dollars. The synergy case is dollars. A cyber section that arrives in maturity-score language is the section the IC skims. The format we use, and the format we recommend regardless of who runs the engagement, is three lines per exposure category and a one-line headline. The headline reads: "Cyber-attributable exposure: $X.X–$Y.Y million expected, P90 $Z.Z million, recommended hold-back $W.W million, integration cost-to-cure $V.V million in first 12 months." Five numbers. The IC reads them in fifteen seconds. Each number is defensible from the supporting detail. The three lines per category read, in plain English: (1) what is the exposure (a sentence, not a paragraph); (2) what is the dollar range and the basis for the range (peer benchmark, statutory penalty math, remediation cost build-up, or insurance retention); (3) what is the recommended deal-structure response (rep language, escrow, indemnity carve-out, integration gate, or "no action, quantified for awareness"). When a category genuinely does not warrant action, we say so and quantify it anyway, because the act of quantifying is what makes the rest of the memo defensible. The IC trusts the categories where we recommend action because they trust the categories where we recommend none. A note on cyber insurance: insurance is a backstop, not a strategy. We include the target's existing cyber policy in the diligence pack and we model the recommended post-close policy. We do not net the insurance against the exposure ranges in the headline. The retention, the sub-limits, and the exclusions are real, and the loss adjustment timeline is long enough that "the insurance will cover it" is not a substitute for a hold-back. Insurance shows up in the memo as a separate line, recommended limits, recommended endorsements, gaps in the existing policy, and not as a discount on the exposure number. The other note on language: the IC memo language should never use the word "compliance" as a substitute for the word "exposure." A target can be compliant and exposed. A target can be non-compliant and minimally exposed because the gap in question doesn't carry meaningful loss. The diligence quantification keeps those two questions separate. Compliance is a control statement. Exposure is a dollar statement. The IC is making a price decision, which is a dollar decision, which means the relevant statement is the second one. The 100-day post-close cyber integration scorecard The diligence memo answers one question: should we close, and at what price? It does not answer the next question, which is what gets done in the first hundred days post-close. The artifact that bridges the gap is the 100-Day Cyber Integration Scorecard. We ship it as the second deliverable on day 21, paired with the diligence memo, so that the deal team has the integration plan in hand before the wire hits. The scorecard is structured around four phases, days 1–14, 15–45, 46–75, and 76–100, and across the four exposure categories from section 3. Each cell of the matrix has a named owner, a binary completion criterion, and a gating decision. Phases gate forward: phase two does not start until phase one's gating items are green. Days 1–14, Stabilize. Identity inventory and emergency deprovisioning of departed-employee and stale-contractor accounts. SaaS discovery (the unmanaged inventory exercise, completed). Backup and restore validation on the target's critical systems. EDR coverage audit and gap closure. Incident response runbook walkthrough with the new combined team. Gating items: zero stale identities with administrative privilege; backup restore verified within RTO; EDR on 95%+ of in-scope endpoints. Functional owner: combined-entity IT lead. Days 15–45, Quantify the inherited environment. Full architecture and data-flow review against the post-close operating reality. Vendor and sub-processor inventory reconciliation. SBOM verification on the target's product, if applicable. Data-classification audit on collaboration tools (the IP-leak review from section 2, run in earnest). Patch-lag remediation to baseline. Gating items: data-flow map signed by combined-entity DPO; vendor inventory matches contract inventory within 5%; collaboration-tool exposure register closed or formally accepted. Functional owner: combined-entity head of security or productized retainer (vCISO if no full-time leader is in seat). Days 46–75, Remediate the priority register. The remediation list from the diligence quantification memo, sequenced and assigned. Identity provider consolidation (or bridge plan if consolidation is multi-quarter). MFA enforcement to baseline. Logging and audit-trail uplift to retention standard. Vendor BAAs / DPAs renegotiated where the target's posture is below the buyer's standard. Gating items: top-quartile findings closed; logging meets retention standard; BAA/DPA gaps closed for tier-one vendors. Functional owner: combined-entity head of security. Days 76–100, Institutionalize and report. Quarterly security review process stood up. Board-level reporting cadence established. Incident response tabletop run with combined team. Post-mortem on integration: what worked, what slipped, what gets carried into the year-one operating plan. Gating items: tabletop completed and documented; year-one cyber operating plan approved; budget commitments confirmed. Functional owner: portfolio CFO with the combined-entity head of security. The scorecard works because every cell has an owner, a criterion, and a gate. The operating partner reviews the scorecard at the standard portfolio-monitoring cadence, typically every two weeks for the first hundred days, and the gating decisions force the conversations that integration plans usually defer. When phase two does not start because phase one's gating items are not green, that is a feature. The deal model assumed the integration would happen on a timeline. The scorecard makes the timeline real. The scorecard is also the artifact paired with this guide. The downloadable version includes the matrix, the named owners by role, the gating criteria, and a worksheet for the buyer to add deal-specific items from the diligence memo. We update the template every six months as the playbook evolves; the version paired with this guide is current as of publication. Where the Diagnostic fits Operating partners run diligence with the resources they have. Sometimes that is a Big Four advisory team retained for the full sequence, sometimes that is a boutique vendor for the cyber-specific scope, sometimes that is internal corp-dev with a checklist. The scoping mistake, to "find things" rather than "quantify exposure", happens at every resource level, because it is a scoping mistake, not a capability mistake. Where we fit is the exposure quantification engagement. Our M&A Cyber and Tech Diligence Diagnostic is a fixed-scope, fixed-price written assessment that runs the 21-day sequence above and produces the day-7 Initial Exposure Memo, the day-14 Findings Pack, and the day-21 Quantification Memo plus the 100-Day Scorecard. The deliverables are written; they stand on their own; we do not retain on the integration unless the operating partner explicitly engages our productized vCISO retainer for the combined entity. The Diagnostic is the diligence engagement. The retainer, where engaged, is the post-close gating partner. The two are separate scopes with separate prices. When operating partners ask why we publish the playbook, the answer is the one we apply to every guide we ship: the value is in the running, not in the secret. The operating partner who reads this guide and runs the sequence themselves is doing it right. The operating partner who reads it and asks us to run it is buying a written report on a fixed timeline, not a relationship. Either path produces the deliverable. The deliverable is what survives the deal. What an operating partner can do today Three actions an operating partner can take this month, before the next diligence engagement opens: 1. Pull the cyber section from your last three diligence memos and ask whether they are quantification or finding lists. Read them as if you are an IC member who has fifteen seconds. Do they tell you the dollar exposure, the recommended deal-structure response, and the integration cost? If they don't, the next engagement should be scoped differently, regardless of who runs it. 2. Audit one closed deal against the four exposure categories. Pick a portfolio company at the 12-month mark. Walk the four categories, R&W exposure, regulatory exposure, integration cost overruns, IP/data-handling exposure, and ask which ones produced surprises in year one. The exercise calibrates your sense of which categories your diligence is currently catching and which it is missing. It also tells you whether you should hold a larger escrow on the next deal in the same vertical. 3. Adopt the Scorecard as the integration framework on the next deal. Even before the diligence engagement starts on the next target, pre-commit to the 100-Day Cyber Integration Scorecard as the post-close cadence. The diligence memo is then sequenced into the Scorecard, and the operating partner has a known artifact to monitor against. The framework works on its own; it works better when the diligence is already producing inputs in the format the Scorecard consumes. The 100-Day Cyber Integration Scorecard download paired with this guide gives you the matrix, the gating criteria, and the worksheet for tailoring the framework to the deal in front of you. Use it on the next diligence engagement. Use it on the post-close cadence. Update it as the playbook compounds, the version paired with this guide is the version we are running today, and we will keep it current as the field moves. For operating partners running diligence on a live process, the Diagnostic is the scoped engagement that produces the memo above. The Private Equity industry page covers how we work with PE platforms specifically. The M&A without surprises service line covers the broader engagement model, diligence, post-close gating, and (where engaged) the productized retainer. Outside counsel routing diligence in support of a deal can route through our counsel page for the engagement-letter template and the standard scope language.