Review · 2026

Technical due diligence firms: who actually reads the code?

We read fourteen firms' own descriptions of how they work. Roughly half assess the business of your target's technology and call it "technical." Most of the rest also sell the thing their diligence recommends. Here are the two tests that separate substance from theater — and how each firm scores.

The argument

Two questions decide everything. Almost nobody passes both.

"Technical due diligence" is an unregulated phrase. It's used by source-code experts and by strategy consultants who never open a repository. When you're about to wire the money, the label tells you nothing — so stop reading the label and ask two questions.

1. Do they read the code, or interview the team?

The honest dividing line in this whole market. Some firms run static analysis, read the commit history, and walk the dependency tree. Others run architecture workshops and management interviews, review the documents, and write up what they were told. Both are useful. Only one of them can see an IP-contaminating license, a dependency rotting toward an exploit, a revenue-critical service one departing engineer holds in their head, or how much of the codebase a model wrote. Bain says the quiet part out loud: "You don't need the keys to the source code or the server farm to learn an awful lot about a business from the outside in." True — and exactly the point. Outside-in diligence is structurally blind to what's inside.

2. Are they independent, or do they sell what comes next?

Most providers also sell the remedy: the dev shops want the rebuild, the fractional-CTO networks want the seat, the big consultancies want the value-creation program. That isn't villainy — continuity has real value. But a firm that profits from the work its own report recommends has a thumb on the scale, however light. The cleanest read comes from someone with no stake in what you do about it.

Apply both filters and the field thins fast. Almost everyone fails at least one. Here's who's left, grouped honestly — with what each does well, and the catch.

Passes both tests

Reads the code — and has no stake in the answer.

The small group that actually opens the repository and isn't trying to sell you the rebuild afterward. This is the quadrant a serious buyer should start in — ourselves included, and we'll tell you where a peer fits better.

Boutique · expert / litigation-grade

Quandary Peak Research

Computer scientists — published researchers, patent-holders, professors — who read source code for a living, with roots in expert-witness work where a finding has to survive cross-examination. Assessment-only; nothing to upsell. That's about as independent as it gets. The catch: their site is oddly silent on method — you can't tell whether an engagement is a deep tooled scan or a senior human forming an opinion — and a litigation/IP center of gravity may not be native to a fast deal clock.

Boutique · independent advisory · EMEA

Code & Co.

The most explicitly code-level of the boutiques: their framework names an actual code audit, code scan, and optional open-source compliance scan, wrapped in investor-readable workshops, with a 2–4 week SLA and serious PE logos (Silver Lake, TCV). Independent advisory, DD only. The catch: the deliverable is pitched as "doesn't require a CS degree to understand," and a workshop-heavy front end can mean the scan is one input feeding a narrative rather than the spine. For a deeply technical target, confirm how deep the scan actually goes.

Tool, not a firm

Sema Software

Not an advisory — a scanning platform, and a good one. Its GenAI Bill of Materials quantifying how much of a codebase is AI-written is genuinely of-the-moment, and "served 7 of the 9 largest global investors" is a real credibility marker. No rebuild to sell. The catch: a scan score isn't a judgment. Sema replaces the data layer of diligence, not the engineer who decides whether the architecture fits your thesis. You still need someone reading the output.

Tool, not a firm

Code Registry

A self-serve, deliberately non-LLM code-intelligence platform aimed at the underserved end — non-technical founders, CFOs, operators — with a free tier and a rebuild-cost valuation output. Refreshingly un-gated. The catch: self-serve scanning for non-technical users invites dashboard theater — green metrics read as a clean bill of health with no one qualified interpreting them. Automated counts flag symptoms, not which ones matter for this deal.

Where we fit · independent codebase intelligence

Founders Led Studio

Us, placed honestly. We read the code, commits, tickets, ownership and dependencies — and we lead with an independent read: the read is the product, not a funnel to a rebuild we're hoping to win. Two weeks, fixed price, read-only, and you keep a searchable knowledge base. Built for lower-mid-market PE, M&A, and new or fractional CTOs.

Where we're not the answer: if you're a mega-fund pricing a $500M platform, Crosslake and Bain operate at a strategy-and-benchmarking altitude we don't. If you need IP findings that hold up in court, that's Quandary Peak. If you just want raw scan data, buy a tool. What we do that the interview-led firms can't is open the repository; what we do that the dev shops won't is have nothing to sell you afterward. See how the read works.

Passes test 1, fails test 2

Reads the code — but also sells what comes next.

Genuinely capable code-level work, with a commercial gravity that pulls toward findings shaped like billable follow-on work. Often the right call anyway — just read the report knowing whose interest it serves.

Enterprise leader · PE-focused

Crosslake Technologies

The strongest combination in the study: real code scans and pen tests, interpreted by former CTOs, on top of TechIndicators® benchmarks drawn from 6,000+ prior M&A transactions. "Your code is in the 30th percentile of 6,000 deals" is a claim almost no one else can make. The catch: diligence is the front door to a full suite — modernization, technical-debt programs, interim C-suite, portfolio advisory. The findings are credible; the commercial pull is toward billable value-creation work.

National consultancy · full lifecycle

West Monroe

Real automated software-composition analysis "down to the code level," plus AI-enhanced review, inside a mature PE consulting practice with widely cited research. The catch: independence is compromised by design — they openly market a post-close "Value Management Office" and a "Hold Period Health Check," so diligence is explicitly the on-ramp to integration and value-creation engagements they then deliver.

Software firm + DD · transparent pricing

MEV

Actually reads code — their audit requires repo, CI, and log access — and does something almost no one in this market does: publishes pricing ($5,000–$30,000). A buyer even praised their builder's-eye perspective. The catch: they're a custom-software shop that also sells modernization and post-acquisition integration, so the same firm can recommend the work it's positioned to do. To their credit, they say so openly rather than hide it.

Fails test 1

Interviews the team — and calls it technical.

Capable, often excellent firms — but on their own published methods, the work is architecture review, framework evaluation, security checklists, benchmarking, and management workshops, not reading the code. Right for strategic questions; blind to code-level risk. (Where a firm's site doesn't state a method, we say so rather than guess.)

MBB consultancy · mega-cap PE

Bain & Company

Unmatched at connecting technology to enterprise value, with proprietary benchmarks and global sector depth across 1,000+ engagements. For a board-level "should we pay this multiple," Bain operates where boutiques can't. The catch: by their own words, they often don't look at the source code — so for IP risk, code-quality time-bombs, dependency rot, or AI-generated-code exposure, this is strategic tech diligence, structurally blind to the code, with a strong pull toward the value-creation program they sell next.

Fractional-CTO network

Silicon Valley Software Group

A deep bench of genuinely senior, name-brand fractional CTOs — for a non-technical sponsor, "a real Silicon Valley CTO will look at this" is reassuring and credible. The catch: the site never commits to a code-level method (it reads as senior-practitioner judgment via review and interview), and the core business is placing those same CTOs into interim seats — so the firm diligencing the target can be hired to run it afterward.

Fractional-executive firm

TechCXO

A structured, named method (the ATAM architecture-evaluation framework plus CIS security controls) and 200+ diligence projects since 2018 — solid at the lower-mid-market tier. The catch: ATAM is an architecture/interview method, not a code scan, and they openly pitch that "those same resources can step in to remediate" — the assessor advertising itself as the fixer is the independence conflict stated as a feature.

AI dev shop + DD

Dextra Labs

Real, current AI/LLM build depth — useful hands-on context when the question is "is this AI real or hype." The catch: the site presents technical-sounding reviews but shows no evidence of actually reading code, and the firm's main business is AI development and offshore staffing — so an "is this AI real?" verdict comes from a vendor that sells AI builds. The independence problem here is acute.

Offshore software firms + DD

ISHIR · KMS Technology

Both pair investor-facing diligence with large, mature offshore engineering benches (ISHIR since 1999; KMS in Vietnam). If a finding is "this needs rebuilding," they genuinely can build it. The catch: that's exactly the conflict — diligence is a top-of-funnel channel for selling development and staffing. (KMS's method page was unreachable when we checked, so its "code benchmarks" claim rests on marketing copy we couldn't fully verify.)

What to do with this

Two questions to ask any firm on your shortlist.

"Walk me through exactly what you read versus who you interview."

If the answer is mostly meetings, workshops, and documents, it's architecture and process diligence — valuable, but not a read of the code. Make them name the repository, the commit history, and the dependency tree, or know that nobody looked.

"What else do you sell to a company after diligence?"

If the answer is the rebuild, the fractional seat, or the transformation program, factor the incentive into how you read the findings. It doesn't make them wrong — it tells you which way the thumb presses.

Common questions

Choosing a technical due diligence firm.

How do I tell a real technical DD firm from one that just interviews the team?

Ask them to walk you through what they read versus who they talk to. A code-level firm examines the source, commit history, and dependencies; many firms that market "technical" diligence run workshops, framework evaluations, and security checklists and call the result technical. Bain says outright you don't need the source code for its kind of diligence — fine for strategy, blind to IP risk, dependency rot, and AI-generated code.

Why does independence matter?

Most providers also sell what their diligence recommends — development and staffing, fractional executives, or transformation programs. That's not disqualifying, but it creates an incentive to surface findings shaped like the work they're positioned to win. A firm with no downstream stake has no such pull on its conclusions.

So which firm should I use?

It depends on the question. Mega-cap platform deal where strategy and benchmarking dominate: Bain or Crosslake. Litigation-grade IP review: Quandary Peak. Raw scan data: a tool like Sema or Code Registry. An independent, code-level read on a lower-mid-market deal that isn't a funnel to a rebuild: an independent boutique such as Founders Led Studio or Code & Co.

If the two questions led you here, let's talk.

We read the code, we lead with an independent read, and we'll tell you honestly if another firm above fits your deal better. Two weeks. Fixed price. Read-only.


About this review: in May 2026 we read each firm's own services, method, and about pages and graded them on two axes — whether the described method reads the code, and whether the firm also sells follow-on work. Characterizations are our fair reading of public, self-published positioning, not inside knowledge; where a site doesn't state its method, we say so. Firms move fast — if we've mischaracterized yours, tell us and we'll correct it.