Decision support for software.
Real findings from real engagements. Every one costed, traced to source, and classified as EBITDA adjustment, one-time remediation, or Year-1 CapEx.

| Risk | Why It Matters | Example Finding |
|---|---|---|
| Key person risk | One departure can halt delivery | Single developer owns 80% of a core product |
| Leaked secrets | Active credentials in git history | 47 secrets across 12 repos, some exposed for 3+ years |
| License exposure | GPL in a commercial product can force source disclosure | GPL dependency in a certified healthcare product. Nobody knew. |
| Vulnerabilities | Known exploits in production dependencies | $1M+ remediation backlog of 200+ critical vulnerabilities |
| AI adoption | AI-generated code with no review process | 40% of recent commits AI co-authored, zero review policy in place |
| Stalled migration | Buyer pays maintenance on two stacks for the price of one | React migration started 3 years ago, abandoned at 60%. Both stacks running, neither owned. |
| IP gaps | Offshore contributors with no assignment paperwork | 5-person offshore team committing under personal email accounts. No CLA on file. |
| Hidden slowdown | Forecasts and roadmaps get built on a pace that no longer holds | Team reports weekly releases. Actual cadence is monthly and decelerating, six quarters running. |

People · Velocity · Practices · Security · Dependencies · Technical Health · Legal · AI Adoption
Built for due diligence. Scales across the investment lifecycle.
Fits inside the exclusivity window. Key person risk quantified, deal blockers surfaced, remediation budget estimated.
What to fix, in what order, and what it costs. Ranked by business impact, not just severity.
Inherit a codebase with evidence, not opinions. What you have, what it costs, and a 90-day plan for the board.
Quarter-by-quarter signal on the hold. Is engineering investment increasing or decreasing risk and cost? Velocity, debt, and team concentration tracked over time.
Same metrics across every portfolio company. Which teams are shipping, which are struggling, and where to intervene.
Fix what matters before it shows up in a report that punctures your multiple. Know your position before the data room.
Let us know what you're looking at and what the IC needs to know.
Provide code access via read-only git or agent.
Findings, costed and classified.
Live deal, portfolio review, or inherited codebase. Leave your email and I'll come back to you on fit and timeline.