What is technical due diligence (TDD)?
Technical due diligence (TDD) is an in-depth analysis of the state of a company from a technical perspective, including its products, technical infrastructure and architecture, product roadmap, services, practices, and IT staff. The TDD process is usually carried out prior to major corporate events such as mergers and acquisitions (M&A) or initial public offerings (IPOs). TDD is generally initiated by the investor, but a company may itself initiate TDD before seeking funds or investments. TDD can be executed by the investor or company’s in-house team, or by a third-party diligence agency.
Why is technical due diligence important?
Investors and acquirers use TDD to get answers to questions they may have before finalizing the deal. These questions may include:
What value does your company bring them?
What is the company’s real worth?
Is the company reasonably equipped to deliver on the promises made?
Investors and acquirers rely on TDD to determine whether investing in your company would be worthwhile. Your company can prepare for this by conducting a preliminary TDD in advance including internal assessment, audits, legal due diligence (LDD), and employee training. This can help to:
Identify your strengths, weaknesses, and potential areas for improvement.
Avoid legal issues by gathering and organizing company documentation.
Prepare the employees for investor interviews.
Identify bottlenecks that may impact the deal.
What are the stages of technical due diligence?
Before officially starting the TDD process, organizations should be prepared to be forthcoming and fully transparent throughout the process. Planning TDD usually begins once the investors and/or business partners have established a trust-based relationship and have signed a letter of intent.
Let’s review the six stages of TDD.
In this initial stage, the product developer or third-party vendor handling TDD conducts a code review. Code review includes checking for errors, inaccuracies, and general programming style. This is essentially a technical verification of the product intended to keep track of product feature delivery and progress.
2. Kick-off or planning
This early stage of TDD is more about the product’s business and branding aspects. In this stage, the involved parties share with each other the requirements and detailed steps of the process and define a timeline. The goal of this kick-off meeting is to ensure a clear idea of the product's vision, its value proposition for the customers, and its market growth potential. At this stage, investors are more focused on the business strategy as well as the uniqueness of the technology and market awareness.
3. Documentation and research
The TDD process requires well-prepared and consistent technical documentation. It should contain all of the details pertaining to the product's architecture, processes, infrastructure, backup and recovery, integrations, servers, frameworks, monitoring, and any other tech solution that is vital and thus requires documentation. Analysts perform due diligence by reviewing the product documentation. The more documented product information available, the better the due diligence analysis will be.
4. Technical diligence meeting
Investors arrange live meetings with the development team to analyze different software components of the product or services in real time. These meetings are absolutely necessary in order to learn about the internal specifics of the project and to hear the team's evaluation of its strengths and potential. During this meeting, the investors interview the technical managers and other key employees regarding both technical and non-technical issues.
5. Follow-up
After the initial technical diligence meeting, investors may request a follow-up meeting to answer any additional questions. Once all of the above steps are concluded, investors submit their feedback regarding the complete diligence assessment process.
6. Report
The final stage of the technical due diligence process involves the production of a detailed report containing all of the findings of document screening, code review, as well as meetings with the investors, product owners, and technical leaders. This final report details the startup business strategy, pros and cons, discovered flaws, possible risks, and expected updates. Finally, it determines whether the product or service was found to be technically reliable.
Key points of technical due diligence
With technical and legal due diligence, there may be as few as a dozen or even hundreds of requested items for review, depending on the organization’s size and the size of the investment. Our focus will therefore be on four major categories.
Explain the technology
When it comes to technical due diligence, one of the most basic and important matters is your technology, of course. You should therefore be prepared to present, explain, and describe your technology and be able to provide comprehensive technical documentation. This documentation should include:
Architecture charts
Performance indicators
Evaluation of the product's scalability
You should also be able to explain your entire infrastructure and the reasons for choosing the programming language, cloud platforms, databases, and other software components or tools your product is using. In addition, your documentation should showcase code quality metrics such as code coverage. This entire process will reassure investors and acquirers that they won’t face problems with the product’s integrity or security down the road.
In addition, you must also be able to explain how your technology compares to the competition using valid facts and statistics. This point is critical, as it shows that you have indeed conducted your market research well and that you have a clear understanding of where you stand.
To prepare for this, make sure to archive relevant documents, including those related to the product design, API, POC results, architectural descriptions, and other operational metrics.
Scan and audit third-party software
Another important step of TDD is to conduct a comprehensive scan of your codebase and to produce a list of all of the product’s third-party and open-source software dependencies. This list should also include other metadata such as:
Software information including package name, supplier, version, and author
Dependency paths
Any other relevant information
Since open source software components help R&D teams develop and deliver better value faster and more frequently, investors will often scrutinize how you are managing open source components. Third-party software should also be well documented.
Today most organizations use software composition analysis (SCA) tools like Snyk Open Source to help generate a software bill of materials (SBOM). This vital report helps you create a list of all your software’s assets, allowing you to cross this off your TDD checklist.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.
You can also work with a company like Snyk that offers open source audit services. Snyk offers blind audits, so target company source code doesn’t need to be exposed or uploaded anywhere, satisfying data security requirements.
Snyk services can also help you identify license compliance issues on snippet level in both managed and unmanaged code. Open source licenses usually impose certain obligations that must be fulfilled when code is distributed. One example is the GNU General Public License (GNU GPL), which requires derivatives or combinations to be made available under the same license as well, introducing the risk of IP contamination in your source code. Other licenses require certain notices in documentation or have restrictions for how the product is promoted.
Failure to satisfy open source license obligations can lead to possible litigation, expensive re-engineering, product recalls, and bad publicity, so it’s important to stay in compliance, and to identify any compliance issues during the technical due diligence process.
Organizational structure
Each individual within the organization has an impact on the product’s success, which depends on their performance within their specific role.
Investors usually demand an organizational chart providing information on departments, employees, contractors, and outsourced resources. Organizational charts should highlight the roles and responsibilities of key members such as the CTO and CIO as well as other employees like support, development, testing, product management, and HR teams.
Organizational charts should always be up to date and should include information on all contractors and employees laid out in a clear and organized manner along with their resumes, contracts, and associated costs.
Organizational charts help govern the software development and product development workflows and analyze key performance indicators for the development team.
Product and technology roadmap
A technology roadmap helps potential investors understand the specifics of your current product offerings as well as plans for the future. This roadmap lays out the company’s long-term plan and how its technology supports both existing and future product initiatives. As such, assessment of the product and technology roadmap is important for investors in order to evaluate the company’s potential.
A detailed roadmap defines:
The technology stack, including programming languages, frameworks, databases, servers, and technical components required for product development and deployment.
Scalability and availability metrics of the application system.
Operating systems, disaster recovery, diagnostic monitoring, data repositories, load testing, and more.
A technology roadmap is used to inspect the target company's products and services based on the following parameters:
Progress of products in development and those already on the market
Revenues generated from each product
Distinguishing factors of the company product compared to competitor products on the market
Potential of market conditions to influence the target company's market growth and revenues
The product’s current total addressable market and plans for its evolution
Resources and costs associated with the products in development
Ensure you’re TDD-ready
Technical due diligence is crucial for any company seeking an investment, acquisition, or merger. The TDD can often make or break the deal. Even if you’re not currently thinking about investments or acquisitions, it is wise to prepare in advance for any future opportunities. Ensuring proper documentation, having the results of your POCs, and maintaining all software licenses will go a long way in facilitating technical due diligence should the need for TDD arise.
Snyk tools such as Snyk Open Source and Snyk Code can be used throughout the TDD process to ensure security and compliance standards are met.
Up Next
The Importance of Policy as Code in Your Compliance Strategy
Learn why compliance as code should become a key part of your overall security strategy, enabling security at scale based on automated Policy as Code rules.
Keep reading