Decision support for software.
Real findings from real engagements. Every one costed and traced to source.
| Risk | Why It Matters | Example Finding |
|---|---|---|
| Key person risk | One departure can halt delivery | Single developer owns 80% of a core product |
| Leaked secrets | Active credentials in git history | 47 secrets across 12 repos, some exposed for 3+ years |
| Licence exposure | GPL in a commercial product can force source disclosure | GPL dependency in a certified healthcare product. Nobody knew. |
| Vulnerabilities | Known exploits in production dependencies | $1M+ remediation backlog of 200+ critical vulnerabilities |
| AI adoption | AI-generated code with no review process | 40% of recent commits AI co-authored, zero review policy in place |
| Stalled migration | Buyer pays maintenance on two stacks for the price of one | React migration started 3 years ago, abandoned at 60%. Both stacks running, neither owned. |
| IP gaps | Offshore contributors with no assignment paperwork | 5-person offshore team committing under personal email accounts. No CLA on file. |
| Hidden slowdown | Forecasts and roadmaps get built on a pace that no longer holds | Team reports weekly releases. Actual cadence is monthly and decelerating, six quarters running. |
People · Velocity · Practices · Security · Dependencies · Technical Health · Legal · AI Adoption
Built for due diligence. Scales across the investment lifecycle.
Fits inside the exclusivity window. Key person risk quantified, deal blockers surfaced, remediation budget estimated.
What to fix, in what order, and what it costs. Ranked by business impact, not just severity.
Inherit a codebase with evidence, not opinions. What you have, what it costs, for an informed 90-day plan.
Is engineering investment increasing or decreasing risk and cost? Velocity, debt, and team concentration tracked over time.
Same metrics across every portfolio company. Which teams are to be modelled, and where to intervene.
Fix what matters before it shows up in a report. Know your position before the data room.
Let us know what you're looking at and what you need to know.
Provide code access.
Findings, costed and classified.
The ones that come up before every engagement.
More than a scan. It is the software read: the code and the team, costed, ranked by business impact, and traced back to the evidence, with a person checking every one. What the risks are, what they cost to fix, what to fix first. It can stand alone, or be the software part of a wider diligence.
Fast. Days, inside the exclusivity window, not weeks. It does not replace your commercial and financial diligence. It is the software read, the code and the team, evidenced and costed, and it can be part of your IT diligence. You get it without standing up a separate consulting engagement.
How it is built. We read which people and modules the revenue actually depends on, where the licence and IP exposure sits, how old the dependencies are, and which migrations got started and quietly dropped. A scanner misses most of this. A person checks all of it.
On your terms. An agent runs in your own environment and pulls the development record: history, structure, dependencies. You see what it collects before any of it leaves. What you share is deleted once the report lands. Leave out any repositories you want kept back. NDA as standard. The point is a credible read with the lightest possible touch on your code.
Point-in-time, on purpose. It is built for a decision: a deal, a new CTO, a board review. For a portfolio we re-run it on a cadence, so you can see which way things are heading.
Live deal, portfolio review, or inherited codebase. Leave your email and I'll come back to you on fit and timeline.