Skip to main content
ASM Cheatsheet
Case Study 2

Startup Acquisition Due Diligence

45-day due diligence period2 senior engineers, 1 week engagement

Background

Scenario: Tech giant acquiring AI startup
Acquisition Value: $150M
Timeline: 45-day due diligence period
ASM Team: 2 senior engineers, 1 week engagement

The Challenge

The acquiring company needed rapid security assessment of the target startup's digital footprint to:

  • Identify hidden security liabilities
  • Assess technical debt and remediation costs
  • Validate security representations in the deal
  • Plan post-acquisition integration

ASM Methodology

Week 1: Rapid Discovery

# Target company: AI-Startup Inc.
TARGET_DOMAINS="ai-startup.com,aistartup.io,ai-startup.ai"
ASSESSMENT_DIR="ma_assessment_$(date +%Y%m%d)"

mkdir -p "$ASSESSMENT_DIR"/{discovery,analysis,reports}
cd "$ASSESSMENT_DIR"

# Comprehensive asset discovery
for domain in $TARGET_DOMAINS; do
    echo "Discovering assets for: $domain"
    
    # Multiple discovery methods
    subfinder -d "$domain" -all -silent > "discovery/${domain}_subs.txt"
    amass enum -passive -d "$domain" -timeout 15 -o "discovery/${domain}_amass.txt"
    
    # Certificate transparency
    curl -s "https://crt.sh/?q=%.${domain}&output=json" | \
    jq -r '.[].name_value' | sort -u > "discovery/${domain}_ct.txt"
    
    # GitHub code search
    curl -s "https://api.github.com/search/code?q=${domain}" | \
    jq -r '.items[].repository.html_url' > "discovery/${domain}_github.txt"
done

# Consolidate findings
cat discovery/*_subs.txt discovery/*_amass.txt discovery/*_ct.txt | \
sort -u > discovery/all_assets.txt

echo "Total assets discovered: $(wc -l < discovery/all_assets.txt)"

Technology Stack Analysis

# Live service detection with technology profiling
httpx -l discovery/all_assets.txt -tech-detect -status-code -title \
    -content-length -response-time > analysis/live_services.txt

# Extract technology patterns
grep -o 'tech:\[[^]]*\]' analysis/live_services.txt | \
sort | uniq -c | sort -nr > analysis/tech_stack.txt

# Identify concerning technologies
grep -iE "(wordpress|drupal|php/[4-7]|apache/[1-2])" analysis/live_services.txt > analysis/outdated_tech.txt

# Look for development environments
grep -iE "(dev|test|staging|demo|beta)" discovery/all_assets.txt > analysis/dev_environments.txt

Critical Findings

Security Debt Identified

  1. $2M in immediate remediation costs

    • 23 critical vulnerabilities requiring patches
    • 156 outdated software components
    • 12 exposed databases with sensitive data

  2. Compliance Gaps

    • GDPR violations in EU customer data handling
    • SOC2 gaps in access controls
    • Missing encryption for PII data

  3. Operational Risks

    • Single points of failure in critical systems
    • No disaster recovery plan
    • Insufficient monitoring and logging

Asset Inventory Results

# Generate executive summary
cat > reports/executive_summary.md << EOF
# M&A Security Assessment: AI-Startup Inc.

## Key Metrics
- **Total Digital Assets:** 234
- **Live Services:** 89
- **Critical Vulnerabilities:** 23
- **Compliance Gaps:** 15

## Financial Impact
- **Immediate Remediation:** \$2,000,000
- **Compliance Costs:** \$500,000
- **Ongoing Security:** \$300,000/year

## Risk Rating: HIGH
Significant security debt requiring immediate attention post-acquisition.

## Recommendations
1. Negotiate \$2.5M reduction in acquisition price
2. Require 90-day security remediation plan
3. Implement security escrow for compliance costs
EOF

Deal Impact

Negotiation Results

  • $2.5M price reduction based on security findings
  • Security escrow account established for compliance costs
  • 90-day remediation timeline included in acquisition terms
  • Security warranties added to purchase agreement

Post-Acquisition Integration

# 90-day security remediation plan
cat > reports/remediation_plan.md << EOF
# 90-Day Security Remediation Plan

## Phase 1 (Days 1-30): Critical Issues
- Patch 23 critical vulnerabilities
- Secure exposed databases
- Implement basic access controls
- **Budget:** \$800,000

## Phase 2 (Days 31-60): Compliance
- GDPR compliance implementation
- SOC2 gap remediation
- Data encryption deployment
- **Budget:** \$700,000

## Phase 3 (Days 61-90): Integration
- Align with parent company security standards
- Implement monitoring and logging
- Establish ongoing security processes
- **Budget:** \$500,000

## Total Investment: \$2,000,000
EOF

Outcomes and ROI

Quantified Benefits

  • $2.5M saved in acquisition costs
  • Zero security incidents during integration
  • 100% compliance achieved within 90 days
  • 15x ROI on ASM investment ($50K spent, $750K+ saved)

Strategic Value

  • Risk-informed decision making for acquisition
  • Accelerated integration through early planning
  • Stakeholder confidence in security due diligence
  • Template established for future acquisitions