TLDR
Traditional M&A due diligence checks compliance boxes but misses technical vulnerabilities that create real financial risk. Offensive security assessments test systems like attackers do, not auditors. Three categories of risk surface only through hands-on technical testing. Here’s a framework for due diligence that actually protects deal value.
The Question No One Asks
Your financial advisors just spent six weeks auditing the target company’s balance sheet. Your legal team reviewed every contract. The compliance audit came back clean: SOC 2 Type II, ISO 27001 certified, NIST framework implementation documented.
So why are you about to acquire a company that’s already been compromised?
In 2016, Marriott International acquired Starwood Hotels and Resorts. Standard due diligence was completed. Everything looked clean on paper. But attackers had accessed Starwood’s reservation database since 2014—two years before acquisition.[1,2]
The breach wasn’t discovered until September 2018. By then: 339 million guest records exposed.[3]
The damage:
- $52 million settlement with 49 U.S. states and the District of Columbia[3,4]
- £18.4 million UK ICO fine under GDPR (about $23.8 million)[2]
- 20 years of FTC compliance monitoring[3]
- An estimated $1 billion or more in lost revenue from customer attrition[5]
Marriott’s mistake wasn’t skipping due diligence. They conducted standard audits. The problem: no one tested whether systems could actually withstand attack. No one searched for existing compromises. No one validated that documented controls actually worked.[5,6]
The gap between “compliant” and “secure” cost over $1 billion.
The Real Math PE Firms Miss
Typical due diligence spend on an M&A transaction: 2-4% of deal value
Typical spend on hands-on technical security testing: $0
Here’s what that looks like:
$200M acquisition
- Due diligence spend: $4-8M
- Security testing spend: $0
- Average cost of a single data breach: $3.9M
- Cost of inheriting an existing, undetected breach: $15-50M+
> 73% of PE firms say undisclosed data breaches are deal-breakers.[7]
> 53% discover critical security issues only after closing.[7]
> 62% of M&A deals are delayed by cybersecurity problems.[7]
Yet technical security assessment remains optional in most transactions.
Where Traditional Diligence Fails
Traditional M&A due diligence requests documentation: security policies, incident response plans, training records. Auditors verify certifications: SOC 2, ISO 27001, NIST framework alignment. They check boxes: is there a firewall, antivirus, a password policy, an encryption policy?
These audits confirm security processes exist. They don’t validate those processes work.
An audit verifies firewall rules are documented—not whether they can be bypassed. It confirms access controls exist in policy—not whether attackers can escalate privileges. It validates encryption is required—not whether production databases are actually encrypted.
Three Hidden Risk Categories
Configuration Drift: Systems start secure but deteriorate. Cloud storage set to public for testing, never changed back. Emergency changes bypass change management during outages. Debugging interfaces added and forgotten.
Compliance audits miss this completely. Policy says buckets must be private. Audit verifies policy exists. But customer data sits publicly accessible on the internet.
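The drift described above is mechanically checkable: compare the stated control ("all buckets are private") with the bucket's actual policy and public-access-block settings. The following is an added example, not code from the article. The policy and public-access-block documents are constructed in the shape returned by `aws s3api get-bucket-policy` and `get-public-access-block`; the bucket name and VPC endpoint ID are invented. The evaluator is deliberately simple (no NotPrincipal/NotAction handling, no condition semantics); in a real assessment cross-check its verdict with `get-bucket-policy-status`, which is AWS's own answer to "is this bucket public?".

```python
"""Configuration-drift check: does the bucket's real state match the stated
control "all buckets are private"?

Added example, not from the article. Inputs are constructed; see lead-in.
"""
import json

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principal_is_public(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Allow statements whose principal is everyone.

    A Condition block may narrow the grant (e.g. aws:SourceVpce), so such
    statements are returned flagged `conditioned` rather than treated as open.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        hits.append({
            "sid": stmt.get("Sid", ""),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditioned": "Condition" in stmt,
        })
    return hits


def bucket_is_public(policy, public_access_block):
    """Drift verdict for one bucket.

    An unconditioned public statement is live unless RestrictPublicBuckets
    is on: that flag makes S3 ignore public grants in an existing policy.
    BlockPublicPolicy only rejects *new* public policies, so it does not
    neutralise one that was attached before the flag was set.
    """
    open_grants = [h for h in public_statements(policy) if not h["conditioned"]]
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return bool(open_grants) and not restricted


# Constructed sample: a grant added "for testing" and never removed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TempTestingAccess", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::acme-customer-exports",
                      "arn:aws:s3:::acme-customer-exports/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::acme-customer-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
# All-off is common on buckets created before AWS changed the default in 2023.
BLOCK_OFF = dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, False)
BLOCK_ON = dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, True)

if __name__ == "__main__":
    print(json.dumps(public_statements(SAMPLE_POLICY), indent=2))
    print("public with block off:", bucket_is_public(SAMPLE_POLICY, BLOCK_OFF))  # True
    print("public with block on: ", bucket_is_public(SAMPLE_POLICY, BLOCK_ON))   # False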
Legacy Technical Debt: Acquired companies run systems that should have been retired. End-of-life databases with publicly known exploits. Unpatched operating systems. Legacy authentication with no MFA.
Starwood had security problems before the acquisition: a separate 2015 point-of-sale malware breach went undetected for roughly eight months. Marriott inherited the systems and years of accumulated vulnerabilities.
Third-Party Dependencies: Modern applications integrate with dozens of external services. Each integration is a potential attack path. Due diligence rarely examines these: Are API keys properly scoped? Can compromised integrations access sensitive data? How many former employees retain vendor access?
A Better Framework for Technical Diligence
Pre-LOI: Rapid Assessment (1-2 weeks)
Begin before the letter of intent, when terms are still negotiable.
Scope: External reconnaissance. Map internet-facing assets: web applications, APIs, administrative interfaces, forgotten subdomains. Scan for critical vulnerabilities. Identify exposed systems and data.
No internal access required. Test what any attacker could discover and exploit from outside.
Value: Surface deal-breakers before significant resource commitment.
Target companies with exposed customer databases represent fundamentally different risk than those with proper segmentation. Critical exposures—production systems with default credentials, unpatched applications with publicly available exploits, publicly accessible customer data—enable informed decisions: walk away, demand price adjustments, or require remediation before closing.
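The first step of the external reconnaissance above, mapping internet-facing assets and forgotten subdomains, starts from passive sources. The following is an added example, not code from the article: it turns certificate-transparency records into a deduplicated list of in-scope hostnames and flags the ones an assessor probes first. `SAMPLE_CT` is constructed in the shape of crt.sh's JSON output (`https://crt.sh/?q=%25.<domain>&output=json`); the domain and hostnames are invented. CT logs are one passive source among several (DNS brute force, search engines, ASN lookups); the normalisation and triage are the same whatever the source.

```python
"""Pre-LOI asset mapping: certificate-transparency data -> in-scope hostnames
-> triage list. Added example, not from the article; sample data constructed.
"""
import re
from collections import defaultdict

# Hostname labels that usually mean "forgotten or weakly protected", with the
# reason an assessor cares. Matched as a whole label, optionally followed by
# digits, so backup01 matches but "testimonials" does not.
INTERESTING = {
    "staging": "non-production copy of the app, often with weaker auth and real data",
    "dev": "developer environment",
    "test": "test environment",
    "uat": "acceptance environment",
    "admin": "administrative interface",
    "backup": "backup system",
    "old": "legacy host nobody owns",
    "legacy": "legacy host nobody owns",
    "vpn": "remote access gateway",
    "jenkins": "CI server (runs code and holds credentials)",
    "gitlab": "source control",
    "grafana": "monitoring UI",
}


def hostnames_from_ct(records, domain):
    """Flatten CT records into sorted unique hostnames under `domain`.

    `name_value` can carry several names separated by newlines. Wildcard
    names are returned separately: they cannot be probed directly but tell
    you the zone is worth brute-forcing.
    """
    domain = domain.lower()
    suffix = "." + domain
    hosts, wildcards = set(), set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            # Certificates can list unrelated names; keep only the target's zone.
            if name != domain and not name.endswith(suffix):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


def triage(hosts):
    """Group hosts by the interesting label they carry: {label: [hosts]}."""
    findings = defaultdict(list)
    for host in hosts:
        labels = re.split(r"[.-]", host)
        for token in INTERESTING:
            if any(re.fullmatch(token + r"\d*", label) for label in labels):
                findings[token].append(host)
    return dict(findings)


# Constructed sample: includes a renewal duplicate, mixed case, a trailing
# dot, a wildcard, and an out-of-scope look-alike name.
SAMPLE_CT = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.acme-example.com\nacme-example.com"},
    {"name_value": "staging-api.acme-example.com"},
    {"name_value": "*.acme-example.com"},
    {"name_value": "jenkins.acme-example.com\nbackup01.acme-example.com"},
    {"name_value": "ADMIN.Acme-Example.com."},
    {"name_value": "acme-example.com.evil-lookalike.net"},
    {"name_value": "staging-api.acme-example.com"},
]

if __name__ == "__main__":
    hosts, wildcards = hostnames_from_ct(SAMPLE_CT, "acme-example.com")
    print(f"{len(hosts)} hosts, {len(wildcards)} wildcard names")
    for label, matched in triage(hosts).items():
        print(f"[{label}] {INTERESTING[label]}")
        for h in matched:
            print("   ", h)
```

The triaged hosts then go to active probing (resolve, fingerprint the service, check for default credentials and known-vulnerable versions). Keep the full host list too: the unflagged names are still part of the attack surface, they are just lower on the queue.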
Post-LOI: Comprehensive Testing (2-4 weeks)
Once internal access becomes available, expand beyond external reconnaissance.
Scope: Authenticated testing with standard employee credentials. Attempt privilege escalation to administrative access. Test lateral movement between network segments. Assess critical applications. Review cloud configurations and data exposure. Validate documented security controls actually function.
This answers: if an employee account is compromised, what can attackers access and how quickly?
Value: Generate detailed remediation roadmap with accurate costs. Security gaps discovered pre-close get addressed during integration planning—as normal integration work, not emergency response after breach.
Assessment also informs integration strategy. Discovering the target runs a flat network with no segmentation means delaying integration until proper architecture is implemented. Learning this post-close, after systems connect, exposes your production environment to their vulnerabilities.
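The question the post-LOI phase answers, "from one compromised employee account, what can be reached and how quickly", can be modelled before anyone touches a keyboard. The following is an added example, not code from the article: it treats segments as graph nodes and allow rules as edges, then computes the fewest-hop path from a workstation segment to each crown-jewel segment. Segment names and rules are constructed; in practice they come from firewall and security-group exports, and every path the model reports is then confirmed with real connection attempts from inside the segment, because the export and the running configuration can differ.

```python
"""Post-LOI segmentation check: what can an attacker holding one employee
workstation reach, and in how many hops? Added example, not from the article.
"""
from collections import defaultdict, deque

ANY = "any"   # unrestricted ports: no real segmentation on that edge

# (source segment, destination segment, allowed TCP ports); constructed
RULES_FLAT = [
    ("workstations", "dev", ANY),
    ("dev", "prod-app", ANY),
    ("prod-app", "prod-db", ANY),
    ("prod-db", "backups", ANY),
    ("workstations", "prod-db", ANY),      # "temporary" DBA convenience rule
]
RULES_SEGMENTED = [
    ("workstations", "dev", {22, 443}),
    ("workstations", "vpn-jump", {22}),
    ("vpn-jump", "prod-app", {443}),
    ("prod-app", "prod-db", {5432}),
    ("backup-agent", "backups", {10000}),  # backups reachable only from the agent
]
CROWN_JEWELS = {"prod-db", "backups"}


def reachable(rules, start):
    """Shortest allow-rule path from `start` to each reachable segment.

    Returns {segment: [(hop_segment, ports), ...]}; the start itself is
    omitted. Breadth-first search, so the path found is the fewest-hop one.
    """
    adj = defaultdict(list)
    for src, dst, ports in rules:
        adj[src].append((dst, ports))
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, ports in adj[cur]:
            if dst not in paths:
                paths[dst] = paths[cur] + [(dst, ports)]
                queue.append(dst)
    del paths[start]
    return paths


def exposure_report(rules, start, crown_jewels):
    """{crown jewel: hop count} for the crown jewels reachable from `start`."""
    paths = reachable(rules, start)
    return {cj: len(paths[cj]) for cj in sorted(crown_jewels) if cj in paths}


def unrestricted_rules(rules):
    """Edges that allow any port: the rules that make a network 'flat'."""
    return [(src, dst) for src, dst, ports in rules if ports == ANY]


def _fmt(path):
    return " -> ".join(
        f"{seg}[{'any' if p == ANY else ','.join(map(str, sorted(p)))}]" for seg, p in path
    )


if __name__ == "__main__":
    for name, rules in (("flat", RULES_FLAT), ("segmented", RULES_SEGMENTED)):
        print(f"== {name} ==  exposure: {exposure_report(rules, 'workstations', CROWN_JEWELS)}")
        for seg, path in reachable(rules, "workstations").items():
            print(f"  workstations -> {_fmt(path)}")
        print(f"  any-port rules: {unrestricted_rules(rules)}")
```

In the flat model a workstation reaches the production database in one hop and the backups in two; in the segmented model the database is three hops away on a single port, and the backups are unreachable from any user segment. A one-hop path to a crown jewel is the finding that justifies delaying integration until the architecture is fixed.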
What Offensive Assessment Actually Finds
Offensive security approaches systems like adversaries do. No assumptions about what “should” be secure. Instead: attempt to break in, escalate privileges, access sensitive data, move laterally.
Typical findings:
- Forgotten staging environments accessible with default credentials
- Administrative interfaces without authentication
- No segmentation between development and production systems
- Service accounts with administrative privileges everywhere
- Customer PII in development databases
- Database credentials in source code repositories
- Backup systems accessible without authentication
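One of the findings above, database credentials in source code repositories, is found by scanning the repository's contents and history for credential-shaped strings. The following is an added example, not code from the article. `SAMPLE_FILES` is constructed (the AWS key is Amazon's published documentation example key, not a live one). Run this over every commit (`git log -p`), not just the working tree: a secret deleted in a later commit is still in history and still works. Mature tools such as gitleaks and trufflehog cover far more patterns; this shows the core logic and the placeholder suppression that keeps findings credible to the seller.

```python
"""Source-repository credential scan. Added example, not from the article;
sample file contents are constructed.
"""
import re

PATTERNS = {
    # user:password@ inside a database/cache URL; group 1 is the password
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]*:([^@\s]+)@", re.I),
    # AWS access key IDs have a fixed prefix and length
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # KEY = "value" / KEY: "value" where KEY ends in a credential-ish word
    "password_assignment": re.compile(
        r"""(?:password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*["']([^"']{6,})["']""", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are templates, not credentials: ${VAR}, <placeholder>, xxxx, changeme ...
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|<[^>]+>|\*+|x+|changeme|your[_-]?\w+|example\w*)$", re.I)


def redact(value):
    """Keep two characters at each end so a finding is recognisable but not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path, text):
    """Findings for one file: [{file, line, kind, value(redacted)}]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if PLACEHOLDER.match(value):
                continue
            shown = "(key block)" if kind == "private_key_block" else redact(value)
            findings.append({"file": path, "line": lineno, "kind": kind, "value": shown})
    return findings


def scan_files(files):
    """files: {path: contents}. Returns findings in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DATABASE_URL = 'postgres://app_user:Sup3rS3cret!@db.internal.acme-example.com:5432/customers'",
        "CACHE_URL = 'redis://:${REDIS_PASSWORD}@cache.internal:6379/0'",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "SMTP_PASSWORD = os.environ.get('SMTP_PASSWORD')",
    ]),
    "deploy/docker-compose.yml": "\n".join([
        "services:",
        "  db:",
        "    environment:",
        '      POSTGRES_PASSWORD: "changeme"',
        '      API_KEY: "live_9f8e7d6c5b4a3210"',
    ]),
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, body omitted)\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['kind']}  {f['value']}")
```

The sample yields four findings (a live database password, an access key ID, an API key in a compose file, and a committed private key) and correctly ignores the `${REDIS_PASSWORD}` template, the `changeme` placeholder, and the password read from the environment. Each real finding then gets the follow-up question that turns it into a deal term: is the credential still valid, and what does it reach?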
Financial translation (illustrative figures):
- External admin interface with default credentials → $50K remediation pre-close vs. $2M post-breach
- Flat network enabling lateral movement → $300K remediation pre-close vs. $15M preventable breach
- Database credentials in source code → $75K remediation pre-close vs. $50M customer data breach
A $100K offensive assessment identifies issues costing tens of millions after attack.
Red Flags in Seller Responses
Technical questioning during diligence reveals security posture more accurately than documentation review.
“When was your last penetration test?”
- Red flag: “Never” or “more than two years ago”
- Red flag: Cannot articulate findings or remediation steps
- Green flag: Recent testing with documented remediation
“How do you handle security updates for production systems?”
- Red flag: “Our IT team handles that” without specifics
- Red flag: No defined patching timeline
- Green flag: Specific timelines, testing procedures, emergency processes
“What’s your average time to patch critical vulnerabilities?”
- Red flag: 60-90+ days (indicates resource or cultural problems)
- Industry standard: Under 30 days
- Green flag: Under 15 days with documented process
“Have you experienced security incidents in the past 24 months?”
- Red flag: Defensive responses or inability to articulate incidents
- Note: Companies detecting zero incidents may lack visibility
- Green flag: Identified incidents with documented response and remediation
Who’s Responsible for This?
This isn’t your IT team’s job. They’re not adversarial testers.
This isn’t your compliance auditor’s job. They verify paperwork.
This isn’t the target company’s job. They’re motivated to minimize findings.
This requires independent offensive security specialists with M&A experience. Firms that translate technical findings to deal terms. Teams that understand both exploitation and business risk.
Conclusion: Due Diligence That Protects Value
Compliance certifications confirm security processes are documented. Offensive security tests whether systems can actually be compromised. Only one reveals technical reality determining post-acquisition risk.
Marriott verified Starwood had policies and certifications. No one tested whether attackers were already inside. The gap cost over $1 billion.
Pre-close technical assessment costs $50K-$150K depending on scope—trivial in middle-market and enterprise acquisitions. Firms routinely spend multiples on financial audits and legal review. Technical security deserves the same priority.
Monday Morning Action
Add one line to your next LOI: “Closing contingent on satisfactory offensive security assessment by buyer’s designated third party.”
That single sentence protects hundreds of millions in deal value.
The target company that refuses? That’s also valuable information.
References
[1] StrongDM. “Marriott/Starwood Data Breach: How It Happened.” 2025. https://www.strongdm.com/what-is/marriott-data-breach
[2] Hotel Tech Report. “Marriott Data Breach FAQ: What Really Happened?” February 2023. https://hoteltechreport.com/news/marriott-data-breach
[3] Infosecurity Magazine. “Marriott Agrees $52m Settlement for Massive Data Breach.” October 2024. https://www.infosecurity-magazine.com/news/marriott-settlement-massive-data/
[4] New York State Attorney General. “Attorney General James Announces $52 Million Multistate Settlement with Marriott over Data Breach.” 2024. https://ag.ny.gov/press-release/2024/attorney-general-james-announces-52-million-multistate-settlement-marriott-over
[5] CoverLink Insurance. “Cyber Case Study: Marriott Data Breach.” November 2021. https://coverlink.com/case-study/marriott-data-breach/
[6] Data Protection Network. “The data breach that cost Marriott £18.4 million – what went wrong?” March 2023.
[7] Forescout. “Cybersecurity in M&A Study.” 2022. https://www.forescout.com/resources/cybersecurity-in-merger-and-acquisition-report/

