Q&A: The future of tech due diligence

Real Deals 30 October 2023

In a rapidly evolving technological landscape, staying ahead of the game is paramount. Enter the game-changers – innovative scanning tools that are reshaping the world of technology due diligence. These tools are more than just a leap forward; they are a revolution. Vaultinum managing director for the UK and Northern Europe, Josh Nunn, explains in conversation with Real Deals.

How has demand for tech due diligence evolved in recent years?

During the past two years, we have seen increased demand for due diligence on underlying software assets. That’s both pre-deal and post-deal, as well as vendor due diligence when prepping a company for exit. 

Historically, private equity firms have focused on the surrounding technology setup, but they now recognise it is the source code of a software itself that contains much of the value that they are investing in. Furthermore, technology risk has increased significantly. When a private equity firm announces a deal today, that’s an immediate green flag for cyber hackers looking to extract profit by enacting ransomware. 

Where is this kind of technology due diligence most relevant?

It is relevant in every sector where a company has some form of tech setup, although the due diligence is likely to be more in-depth where the software is proprietary rather than off the shelf. We are not just talking about fintech and legaltech companies here. It could be an environmental company that has developed software to run earthquake scanners, for example. That would still be primed for cyberattacks, intellectual property disputes and other vulnerabilities. 

There are often varying levels of maturity and common vulnerabilities where technology is a smaller part of a company, as opposed to a business centred around selling software to third parties.

Finally, it is in deal sizes of €10m and above where we typically see a few extra weeks of due diligence being applied to proprietary coding. Tech due diligence is still relevant below that threshold but there is usually less of a buildup of technology, so there are often fewer complications within it, as much as this rule comes with many exceptions.

How have tech advances changed the nature of tech due diligence?

During the past few years, data-driven scanning tools have emerged that can give investors a view on the software asset itself. This contrasts with the previous way of doing things, where a consultant would talk to the team about what they have been building over many years rather than now using a code-scanning tool prior to these sit-downs to present an initial view and allow for deeper conversations on the security and scalability of the software asset.

Nowadays, 10 million lines of code can be scanned in less than an hour, revealing every single potential cybersecurity risk, checking all open source usage and providing an understanding of the scalability of the software asset. This can then be contextualised by speaking with developers and with the CTO to understand why certain decisions were made. The advent of these scanning tools is important because it provides more accurate results and saves significant time.

We created our code-scanning tool based on constant feedback from midmarket private equity firms and beyond, working with clients to understand what is relevant and defines investment value for them so that we only deliver the most relevant data.

Is tech due diligence more about risk mitigation or value creation?

The short answer is it is both – and that is why it is so powerful and exciting. If you are investing a substantial amount of money in a company, you need to be aware of every single thing that could go wrong and would result in that money being put at risk. Risk mitigation is therefore a large part of tech due diligence. 

But tech due diligence can also provide the starting point for looking at how to grow an asset, expand a team or add on to existing software. It can help inform how a bolt-on acquisition can be integrated into the platform company, for example, and all without having to hire costly developers and while reducing the roadmap creation exercise from months to weeks. 

What do you see as the future of tech due diligence?

It is important to note that these scanning tools are still relatively new in themselves. This isn’t a trend that has already swept the private equity industry and now we are waiting for phase two. 

There are firms that are tentatively experimenting with what data-driven technology due diligence can offer on an ad hoc basis, and there are firms that are slightly further down the road, actively hiring cyber and IP experts onto their teams, precisely to support data-driven due diligence and value creation processes. 

When we work with certain private equity houses, often all they will require is the data itself. They have the internal resources to analyse and understand what it all means. For other firms without that internal expertise, we can provide full technology due diligence. 

But while data-driven technology due diligence is undoubtedly becoming more pervasive, it is not yet universal. The next step is for this to become standard practice across the private equity industry. 


This content was produced in association with Vaultinum.
