Every signal on the deal.
One workspace.

Anvil turns a target data room into ranked findings, a defensible score, and a Day-1 plan, so diligence runs in one place instead of forty spreadsheets.

02 Assess · the core loop

Documents in. Ranked findings out.

Hudson reads across the entire data room at once, security questionnaires and SOC 2 results, pentest and SBOM output, contracts and policy documents, then drafts findings, each with a severity, a rationale, and the exact source it came from. You review, resolve, and watch the committee score move in real time. Try it:

N
Northwind SystemsLive deal score
D
60/ 100 Deal-shaping issues. Renegotiate or walk.
F D C B A

Resolve findings on the right to see the committee score move.

Critical5
High2
Medium2
Pending9
Critical No formal vendor risk management program

No documented process for vetting third parties before onboarding. 34 vendors are in scope and none have been formally reviewed.

Source Vendor Risk Policy · flagged by Hudson
Critical Single database server with no automated failover

The primary RDS PostgreSQL instance has no read replica or failover. A single zone outage takes the platform down.

Source Architecture Overview.pdf · flagged by Hudson
Critical Shared admin credentials on critical SaaS tools

Salesforce and CrowdStrike admin logins are shared across the IT team, with no per-user attribution or rotation.

Source IT Security Policy.pdf · flagged by Hudson
Critical Arbitrary code execution via PIL.ImageMath.eval

An image-processing dependency permits code execution through crafted input. CVE-2023-50447, CVSS 9.8.

Source SBOM · Pillow 9.4.0 · flagged by Hudson
Critical SSRF bypass via octal IP representation

URL validation can be bypassed with octal encoding, enabling server-side request forgery against internal services.

Source Penetration Test Report 2025.pdf · flagged by Hudson
High MFA enforcement gap on admin accounts in finance and HR

SOC 2 testing found MFA implemented only for engineering admins. Finance and HR admins authenticate without it.

Source SOC 2 Type II Report 2025.pdf · flagged by Hudson
High No disaster recovery test in 18+ months

A DR runbook exists but has not been exercised since 2024. The recovery time objective is unverified.

Source BCDR Policy.pdf · flagged by Hudson
Medium Customer breach notification SLA is informal

The IR plan leaves breach notification timing as a case-by-case CEO decision. Acquirer customers expect 24 to 72 hours.

Source Incident Response Plan v2.1.pdf · flagged by Hudson
Medium Single Auth0 tenant is a single point of failure

Auth0 is the sole identity provider with no documented failover. An outage would lock every user out of the platform.

Source Architecture Overview.pdf · flagged by Hudson
01 Source & screen

Every target on one board, already scored.

Anvil keeps the whole pipeline in view, each deal carrying its live composite score and stage. Triage what is worth diligence before the team spends a single hour on it.

Composite score and stage on every deal
Portfolio roll-up across active targets
Hand off directly from Scout sourcing
Anvil deal pipeline with stages, scores and portfolio summary
Portfolio score
73avg
4 live deals · next close Aug 5
03 Quantify

Put a dollar figure on the risk.

Every finding rolls into a model: remediation cost, integration spend, and the run-rate savings the thesis depends on. The committee sees the number, not just the narrative.

Remediation and integration cost modeled live
Run-rate savings and payback period
Drivers traced back to specific findings
Anvil deal economics with savings, payback and drivers
Annual savings
$505k4-mo payback
04 Decide

The whole deal on one screen.

Score, findings, policies, infrastructure, personnel, and progress in a single cockpit. When the partner asks what you are buying, the answer is one click away, not buried in a folder.

Deal score, findings and progress at a glance
Top risks surfaced automatically
Drill from any tile into the evidence
Anvil deal overview cockpit with score, findings and top risks
Deal score
D61 / 100
54 findings · 19 crit / high
05 Integrate

A Day-1 plan, built from the findings.

The moment the deal closes, Anvil turns open findings into a phased plan with owners and status. Here is the live board, drag a card across to move it.

Columns
Generate from findings
2 of 8 done
To do2
Highfrom finding
No dedicated CISO or security leader
Unassigned
Highfrom finding
Business continuity and DR plans outdated by 7 years
Unassigned
In progress2
Highfrom finding
No 24/7 security operations center capability
Unassigned
Mediumfrom finding
Endpoint detection deployed to only 78% of endpoints
Unassigned
Blocked1
Mediumfrom finding
MFA gaps across critical systems
Unassigned
Validation1
Mediumfrom finding
Risk results not reported to executive leadership
Unassigned
Done2
Highfrom finding
Risk assessments not performed for new vendors
Unassigned
from technology
Security awareness training rolled out
Unassigned
Drag a card between columns, or click a card to advance it. The progress bar tracks what is done.
See it

See what you're buying.

Join the deal teams switching to Anvil. We'll walk you through a live deal, end to end.