A PE-backed acquirer recently signed an LOI on a healthcare SaaS target. The 30-day exclusivity window started, the diligence team got their access, and in week two they discovered the target had been hit by ransomware nine months earlier and quietly paid out. It hadn't surfaced because the target had no SOC, no MDR, and no statutory obligation to disclose at the time.
The buyer had two bad choices: walk and lose the option premium, or close and inherit the liability. They closed. They're now mid-litigation with the cyber insurer, and integration is six months behind plan.
This isn't an edge case. It's the pattern.
What's actually broken
The standard M&A cybersecurity diligence model assumes you have time. You sign LOI, you get exclusivity, you spend 30 days running assessments. The target answers questionnaires. You read SOC 2 reports. You score them on a heatmap. You close.
That model worked when the buyer could walk away cheaply, the target's tech stack was small enough to assess in 30 days, and the biggest risk was their compliance posture, not their actual exposure.
None of those are still true.
- Tech stacks have exploded. AI vendors get added without IT approval. Shadow integrations between SaaS tools create attack paths nobody documented.
- SEC and state-level disclosure rules mean an incident the seller never reported becomes the buyer's reporting obligation, and potentially its liability, once the deal closes. The seller's silence is now your problem.
- Exclusivity windows are shrinking. Sellers are running competitive processes that compress real diligence to two weeks.
- Cyber insurance underwriters now ask for evidence of pre-acquisition assessments. "We trusted the SOC 2" is no longer a defensible answer.
What pre-LOI diligence actually looks like
Pre-LOI diligence is non-invasive by design. You don't need access to the target's environment. You need answers to four questions:
1. What's their public exposure?
Outside-in asset discovery: domains, subdomains, leaked credentials, exposed services, expired certificates, open ports. None of this requires the target's cooperation. All of it is signal sellers can't curate away.
2. Who's in their stack?
Third-party technology footprint via DNS records, certificate transparency logs, public job postings, vendor mentions in earnings releases, GitHub. This tells you what their fourth-party risk looks like before you've spoken to a single SaaS vendor.
3. Have they been breached?
Dark-web monitoring, breach databases, regulatory disclosures, news. If something has surfaced anywhere public, this is where it shows up. The earlier you find it, the more leverage you have.
4. What's their AI exposure?
This is the new one. Vendor AI usage, trained-on-customer-data clauses, model deployment patterns, prompt injection surface. Most acquirers don't ask. Most targets can't answer.
Done well, this takes a week. It costs less than a single day of post-LOI legal fees. And it tells you whether to walk before you've spent meaningful capital.
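The first two questions above are mostly mechanical, and they reduce to code. The script below is an added example, not the article's or Anvil's tooling. It takes certificate-transparency entries in the JSON shape crt.sh returns and a handful of DNS records, both constructed inline here so it runs offline, and produces the hostnames the target has ever certified, the wildcard patterns, certificates that have lapsed, hosts that show up in CT but no longer in DNS, and the third parties implied by CNAME, MX and SPF records. The domain target-saas.example, the record values, the assessment date and the VENDOR_HINTS suffix table are all assumptions for the demonstration.

```python
"""Passive outside-in footprinting from certificate-transparency (CT) entries
and DNS records. Added example for this article, not the author's tooling.
All input data below is constructed so the script runs offline; a real run
would fetch entries from crt.sh (https://crt.sh/?q=%25.<domain>&output=json)
and pull records from a resolver or a DNS-history provider."""
import json
import re
from datetime import datetime

# Assumed target domain and assessment date (the "now" the cert check uses).
DOMAIN = "target-saas.example"
NOW = datetime(2025, 6, 1)

# Constructed sample in the shape of crt.sh's JSON output: name_value holds
# the SANs separated by newlines, not_after is the certificate expiry.
CT_ENTRIES = [
    {"name_value": "www.target-saas.example\napp.target-saas.example",
     "not_after": "2027-01-01T00:00:00"},
    {"name_value": "staging-old.target-saas.example",
     "not_after": "2024-03-15T00:00:00"},
    {"name_value": "*.target-saas.example", "not_after": "2026-12-31T00:00:00"},
    {"name_value": "vpn.target-saas.example", "not_after": "2025-02-01T00:00:00"},
]

# Constructed sample DNS records as (owner, type, value).
DNS_RECORDS = [
    ("target-saas.example", "MX", "aspmx.l.google.com."),
    ("target-saas.example", "TXT",
     "v=spf1 include:_spf.google.com include:sendgrid.net ~all"),
    ("www.target-saas.example", "A", "203.0.113.11"),
    ("app.target-saas.example", "CNAME", "target-saas.herokuapp.com."),
    ("status.target-saas.example", "CNAME", "target-saas.statuspage.io."),
    ("vpn.target-saas.example", "A", "203.0.113.10"),
]

# Assumed suffix-to-vendor hints; extend with whatever your engagements see.
VENDOR_HINTS = {
    "google.com": "Google Workspace",
    "sendgrid.net": "SendGrid",
    "herokuapp.com": "Heroku",
    "statuspage.io": "Atlassian Statuspage",
    "outlook.com": "Microsoft 365",
    "amazonaws.com": "AWS",
}


def ct_names(entries, domain):
    """Split CT entries into concrete hosts under `domain` and wildcard names.
    A wildcard proves a pattern was certified, not that any host exists."""
    hosts, wildcards = set(), set()
    for entry in entries:
        for name in entry["name_value"].lower().split("\n"):
            name = name.strip().rstrip(".")
            if name != domain and not name.endswith("." + domain):
                continue  # CT queries can return unrelated SANs; drop them
            (wildcards if name.startswith("*.") else hosts).add(name)
    return hosts, wildcards


def expired_certs(entries, now):
    """(first SAN, expiry date) for each entry whose certificate lapsed before `now`."""
    lapsed = []
    for entry in entries:
        not_after = datetime.fromisoformat(entry["not_after"])
        if not_after < now:
            first_san = entry["name_value"].split("\n")[0].strip().lower()
            lapsed.append((first_san, not_after.date().isoformat()))
    return lapsed


def orphaned_hosts(ct_hosts, records):
    """Hosts that were certified at some point but have no DNS record now:
    decommissioned, migrated, or never documented. Ask about each one."""
    in_dns = {owner.lower() for owner, _, _ in records}
    return sorted(h for h in ct_hosts if h not in in_dns)


def vendors_from_dns(records):
    """Map vendors to the DNS evidence that implies them: CNAME targets,
    MX hosts and SPF include: directives. A records carry no vendor signal here."""
    found = {}
    for owner, rtype, value in records:
        targets = []
        if rtype in ("CNAME", "MX"):
            targets.append(value.rstrip(".").lower())
        elif rtype == "TXT" and value.startswith("v=spf1"):
            targets.extend(m.group(1).lower() for m in re.finditer(r"include:(\S+)", value))
        for target in targets:
            for suffix, vendor in VENDOR_HINTS.items():
                if target == suffix or target.endswith("." + suffix):
                    found.setdefault(vendor, set()).add(f"{owner} {rtype} {target}")
    return found


def footprint(entries, records, domain, now):
    """Assemble the pre-LOI exposure report for questions 1 and 2."""
    hosts, wildcards = ct_names(entries, domain)
    return {
        "hosts": sorted(hosts),
        "wildcards": sorted(wildcards),
        "expired_certs": expired_certs(entries, now),
        "certified_but_gone_from_dns": orphaned_hosts(hosts, records),
        "vendors": {v: sorted(ev) for v, ev in sorted(vendors_from_dns(records).items())},
    }


if __name__ == "__main__":
    print(json.dumps(footprint(CT_ENTRIES, DNS_RECORDS, DOMAIN, NOW), indent=2))
```

Run it and you get a JSON report. In a live engagement you replace the constructed lists with a crt.sh query and a resolver (ideally a DNS-history source, so you also see records the seller has since removed), and you treat a host with a lapsed certificate but a live A record, like vpn in the sample, as the first thing to ask about. None of this touches the target's environment, which is the point of doing it before LOI.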
The objection: "Sellers won't sit for it"
You're not asking the seller for anything. Pre-LOI diligence is what happens before you've made an offer. By definition, it's external research using sources sellers don't control.
When the conversation does eventually surface ("we ran some external diligence and have specific questions"), sellers almost always cooperate. They want the deal. The framing shifts from "trust us" to "we have findings, address them," and that's a stronger negotiating position for everyone.
Bottom line
If you're running more than three deals a year and you're not doing pre-LOI cyber diligence, you're underwriting risk you can't see. The cost is trivial. The downside is the deal you should have walked from.
Have a thesis you want pressure-tested before you sign? Send us the deal. We'll tell you what we'd want to know before LOI.
Tech and security across the entire M&A lifecycle.
From first look through post-close integration. Built by the practitioners who run M&A engagements for PE-backed acquirers and strategics.