Technical due diligence for the deal that has to close on Tuesday.
Independent architecture, code-health, security, and team-capability audit for VCs, acquirers, and their portfolio companies. 5-day turnaround, fixed £12-20K, red-flag report ready for the IC meeting.
What is technical due diligence?
Technical due diligence is an independent audit of a target company's software, infrastructure, security, and engineering team. For UK VCs and acquirers, it produces an evidence-based go/no-go signal before the term sheet is signed. Empyreal Infotech runs technical due diligence as a 5-day fixed-price engagement, delivered by senior engineers who ship production software — not spreadsheet-only auditors. Output: a written report covering code health, architecture risk, cloud spend forecast, security posture, GDPR/UK-GDPR compliance, hiring pipeline durability, and a red/amber/green recommendation with three questions to ask the founder.
What you get, every engagement.
Code + architecture health
Repo walkthrough, coverage of critical paths, dependency freshness, technical debt ledger, and the two ADRs the target should have written but didn't.
Security + compliance posture
Threat model, OWASP top-10 pass, secrets hygiene, GDPR/UK-GDPR position, DPA state, breach history. SIG-Lite + CAIQ pre-filled where relevant.
Cloud + infra economics
AWS/GCP/Azure spend today, spend at 3× traffic, spend at 10× traffic. The bill that appears in year-two if you don't restructure now.
Team + hiring durability
Bus factor by system, seniority distribution, hiring pipeline signal, retention risk. Named questions to ask the founder in the CEO/CTO interview.
The technical due diligence engagement, week by week.
- 01
You brief us on the deal shape, deal timeline, and the specific concerns the IC has raised. NDA + repo access provisioned.
Kick-off call. You brief us on the deal shape, deal timeline, and the specific concerns the IC has raised. NDA + repo access provisioned.
- 02
Read the codebase, walk the AWS/GCP console, review CI/CD, sample recent PRs, interview the target CTO for 60 minutes.
Repo + infra walkthrough. Read the codebase, walk the AWS/GCP console, review CI/CD, sample recent PRs, interview the target CTO for 60 minutes.
- 03
Every red flag from day 1-2 gets a dedicated deep-dive. Reproducible risks are quantified in £ and in weeks.
Deep-dive on flagged systems. Every red flag from day 1-2 gets a dedicated deep-dive. Reproducible risks are quantified in £ and in weeks.
- 04
A 25-page written report, a one-page red/amber/green summary for the IC meeting, and three questions we'd ask the founder before you sign.
Report + IC-ready summary. A 25-page written report, a one-page red/amber/green summary for the IC meeting, and three questions we'd ask the founder before you sign.
Questions we get about technical due diligence, with real answers.
A written 25-page report covering: code quality + architecture, security posture, cloud spend forecast at 3× and 10× traffic, GDPR + UK-GDPR compliance, third-party dependency risk, hiring pipeline durability, bus-factor analysis, and a red/amber/green recommendation. Plus a one-page IC-ready summary and three specific questions to ask the founder.
5 working days, fixed. Kick-off call on day 0, repo + infra walkthrough days 1-2, deep-dive on flagged risks days 3-4, written report on day 5. If the target's codebase is unusually large (over 500K lines) we'll extend by 2 days and quote separately — that's rare.
Fixed £12-20K depending on the target's size: £12K for a seed-stage single-product company, £16K for a Series A multi-product target, £20K for a growth-stage or M&A target with multiple codebases. No day-rate clock. Report is delivered whether the deal closes or not.
Yes — mutual NDA before the target's name is even shared. We also carry professional indemnity insurance and can provide the certificate to your IC. Every diligence is delivered under a scoped engagement letter that names the specific deal, the target, and the recipient of the report.
Every claim in the report cites the file, commit, or dashboard screenshot that supports it. Reproducible risks are quantified in weeks-of-engineering-to-fix. Two 2025 reports were formally challenged by the target during closing; both were upheld after joint review.
Yes. Standard 12-month re-audit is £6K fixed, delivered against the original report so you can see what got fixed, what got worse, and what the incumbent team now owns. Useful evidence for the next fundraise or exit.
Send a 5-line brief. That's it.
Give us the target's name (under NDA), the deal stage, and the IC's three biggest concerns. We'll come back with a scope, a fee, and a start date.