What should be on a technical due diligence checklist?

A thorough technical due diligence checklist covers eight areas: compliance and security violations, requirements drift, ownership and knowledge concentration (key-person risk), amenability to expansion, operational reliability, IP and open-source license risk, technical debt hotspots, and cost-to-replicate. Each item is best assessed from the code, commit history, and dependencies directly rather than from a questionnaire, so every line is backed by reproducible evidence.

What is the difference between an engineering due diligence checklist and a technical due diligence checklist?

They are largely the same thing — both assess a software asset's real condition for an investor or acquirer. Engineering due diligence sometimes puts more weight on the team and delivery process, while technical due diligence emphasizes the code, architecture, and risk, but the eight areas above apply to both.

Technical Due Diligence Checklist (2026): 8 Areas to Assess

How to use this

A technical due diligence checklist (sometimes called an engineering due diligence checklist) is the set of questions a buyer or investor needs answered about a software asset before a deal closes. The eight areas below are the ones that decide whether you keep, fix, rebuild, or walk.

One caveat worth stating up front: a checklist tells you what to look for, not what's true. The same eight items answered from a three-day round of management interviews produce a very different picture than the same items answered from the code, commit history, and dependencies. Use the list to scope the work — then insist the answers come from the system itself.

The checklist

Eight areas to assess.

Compliance & security violations

Known and latent security vulnerabilities, including business-logic flaws scanners miss
Hardcoded secrets, credentials, and keys in the codebase or history
Exposure against the standards the system claims (SOC 2, PCI DSS, GDPR, HIPAA as applicable)
Audit-trail and logging gaps on sensitive operations

Requirements drift

How far the built system diverges from what was specified (PRDs to tickets to commits to code)
Features described in the pitch that don't exist, or exist only partially, in the code
"Ghost" features and dead code that imply abandoned directions

Ownership & knowledge concentration (key-person risk)

Which engineers hold unique expertise over critical modules, by commit history
Bus factor on revenue-critical systems (a bus factor of one is a material finding)
Reliance on departed contributors or outside contractors for core components

Amenability to expansion (scalability)

The real deployed architecture versus the diagram in the data room
Coupling, bottlenecks, and single points of failure that bite past today's scale
Whether the system can support the growth thesis without a re-platform

Operational reliability

Deployment history, failure modes, and recovery posture
Operational debt — the gap between software that demos and software that runs reliably
Observability and the team's ability to detect and resolve incidents

IP & open-source license risk

Every declared and undeclared third-party dependency
Copyleft contamination and AGPL exposure that affect what you can ship
End-of-life and unmaintained packages
Confirmation that the target actually owns the custom IP

Technical debt hotspots

Code that is both complex and frequently changed — where cost and risk concentrate
Debt quantified by business domain, in money and time, not a vague rating
The velocity tax the team pays each quarter to keep the system running

Cost-to-replicate

Total custom code normalized to person-years
Genuine custom IP separated from open-source and boilerplate
What it would realistically take to rebuild the asset today

The part the checklist can't give you

A checklist is necessary. It isn't sufficient.

Every item above can be marked "done" and still miss the thing that costs you — because the value is in how each is answered. Read from interviews, the checklist reflects what the team believes. Read from the code, commits, and dependencies, it reflects what is actually there. Our technical due diligence answers all eight from the system itself, in two weeks, as evidence traceable to the commit.

Common questions

The checklist, answered.

Is a technical due diligence checklist enough on its own?

No. A checklist tells you what to look for, not what's true. The same checklist answered from interviews versus from the code itself produces very different results. The checklist is necessary; reading the actual system is what makes the answers defensible.

What's the difference between an engineering and a technical due diligence checklist?

Largely the same thing — both assess a software asset's real condition for an investor or acquirer. Engineering due diligence sometimes weights the team and delivery process more; technical due diligence emphasizes code, architecture, and risk. The eight areas apply to both.

Can you run this checklist for us?

Yes — that's our technical due diligence. Two weeks, fixed price, read-only, with every finding answered from the code, commits, and dependencies and formatted for an investment committee.

The technical due diligence checklist.