Tech Due Diligence Red Flags

These are the twelve technical patterns we flag most often in buy-side diligence engagements. None is automatically disqualifying; together, they signal a target that will cost materially more to operate than the projections assume.

1. Key-person concentration on a production-critical system

The classic. One engineer, usually a co-founder, who owns a system that touches money or customer data. Mitigation costs are retention packages and 12-month parallel rebuilds.

2. Cloud-cost disclosure that doesn't match the invoices

Pull the actual cloud bills, not the management accounts' allocation. Discrepancies over 15% almost always trace to customer concentration the seller doesn't want disclosed.

3. A clean pen test with exactly one Critical

A real engineering team finds Medium and Low issues constantly. A pen test report with one Critical and nothing else is almost always scoped to hide the rest of the surface area.

4. AI training data without licence basis in writing

The seller's lawyers should already have this in a binder. If they don't, you'll be the buyer who finds it during post-close litigation.

5. Customer churn concentrated in the last quarter

Often a sign of a known-bad release, a competitor product launch, or a contract clause coming up for renewal that the seller is hoping you'll close before they have to renegotiate.

6. Deployment frequency below weekly

Healthy SaaS deploys daily. Below weekly in a 50+ engineer team is a strong signal of architectural debt that has slowed feature velocity to the point where the team has given up trying to ship faster.

7. Manual processes hidden in the runbook

Read the on-call runbook. Any step that says "ask Alex" or "rerun the script in /home/alex" is a key-person risk that doesn't appear on the org chart.

8. Vendor concentration above 40%

A foundation-model provider, payment processor, or hosting provider above 40% of variable cost is a single point of pricing failure. Sellers know this; they will not volunteer the concentration calculation.

9. Source-code repositories that are read-only

A target that has migrated to a new VCS but kept the old one read-only is hiding history. Insist on full history access or a written explanation for the migration.

10. Eval infrastructure that is one engineer's laptop

For AI startups specifically. If the evaluation harness lives on a single laptop, you cannot trust the model's reported performance, and you cannot replicate it post-close.

11. Customer support tickets that the engineering team doesn't see

Two-tier support where engineers are insulated from customer issues is correlated with the worst post-close NPS surprises we've audited.

12. A 'roadmap' that is just the last two quarters' missed features

A target whose roadmap is the carry-over of unshipped features is a target whose engineering team is not in control of its own delivery. The post-close investment to fix this is consistently underestimated.