MyDealList · Due diligence
The Micro-SaaS Tech Stack Audit: Tech Debt & Scalability Assessment for Buyers
Complete micro-SaaS tech stack audit for acquirers: identify architectural flaws, scan dependencies, mitigate legacy APIs, analyze Supabase/AWS/Vercel costs, and build a post-purchase refactor budget.
You are not buying MRR—you are buying a codebase, an infrastructure bill, and a compounding liability called technical debt. Sellers routinely present revenue screenshots while hiding unmaintained dependencies, deprecated API integrations, and architecture that collapses at 3× traffic. A disciplined audit saas tech stack workflow separates acquirers who compound cash flow from buyers who inherit a rebuild disguised as recurring revenue.
This masterclass is written for acquisition entrepreneurs evaluating micro-SaaS assets in the $10k–$500k range. You will learn how to evaluate technical debt with quantified scoring, apply a repeatable saas scalability framework, identify architectural flaws before LOI, scan dependencies for CVE and license risk, mitigate legacy API exposure, model infrastructure costs across Supabase, AWS, and Vercel, and build a post-purchase refactor budget sheet that feeds directly into your offer price.
Pair this with our technical due diligence checklist, valuation guide (code-debt discounts), and distressed micro-SaaS scale playbook for a complete buy-side operating stack.
Not legal or financial advice. Infrastructure pricing changes by vendor and region. Use this framework with live billing exports and your own engineering estimates.
1. The SaaS Scalability Framework: Assessment Topology
Before you open a repository, define what “scalable” means for the asset class you are buying. Micro-SaaS at $5k–$25k MRR does not need Netflix-grade infrastructure—it needs architecture that survives 3× user growth without a full rewrite and infrastructure costs that remain below 15% of gross margin at scale.
1.1 The five-layer scalability audit model
| Layer | What you audit | Failure mode at 3× scale | Typical refactor cost |
|---|---|---|---|
| Application architecture | Monolith boundaries, coupling, state management | Deploy paralysis; feature velocity → 0 | $15k–$60k |
| Data layer | Schema design, indexes, query patterns, RLS | P95 latency >2s; connection pool exhaustion | $5k–$25k |
| Integration layer | Third-party APIs, webhooks, rate limits | Silent failures; billing drift | $3k–$20k |
| Infrastructure layer | Hosting, CDN, serverless limits, egress | Bill shock; cold-start timeouts | $2k–$15k migration |
| Operational layer | CI/CD, monitoring, on-call, runbooks | Undetected outages; 4h+ MTTR | $2k–$10k |
1.2 Composite Technical Debt Score (TDS)
Quantify debt so it maps to valuation discounts and refactor budgets. Assign each dimension a 1–5 severity score, then compute a weighted composite:
Where each factor ∈ {1, 2, 3, 4, 5} (1 = healthy, 5 = critical)
Valuation adjustment: EV_discount = Purchase_price × (TDS − 1) × 0.04
Example: TDS = 3.2 on $80k ask → discount ≈ $80k × 2.2 × 0.04 = $7,040
TDS severity reference table
| TDS range | Verdict | Buyer action |
|---|---|---|
| 1.0 – 1.8 | Clean asset | Proceed; budget 5% of price for hygiene |
| 1.9 – 2.5 | Maintainable with sprint | 48h debt sprint post-close; −5% to −10% EV |
| 2.6 – 3.4 | Refactor required | Price in $15k–$40k rework; holdback 10% |
| 3.5 – 4.2 | Distressed tech | Turnaround thesis only; −20% to −35% EV |
| 4.3 – 5.0 | Rebuild territory | Walk unless acqui-hire or IP-only deal |
“Technical debt is not a vibe—it is a line item. If you cannot attach a dollar figure and a calendar week to every architectural flaw you find, you are not doing diligence; you are doing tourism.”
2. Identifying Architectural Flaws Before You Wire Escrow
Architecture determines whether your post-acquisition growth plan is a feature roadmap or a rescue mission. Most micro-SaaS failures in the saas scalability framework stem from five recurring anti-patterns—not exotic distributed systems problems.
2.1 The architectural flaw taxonomy
| Flaw | Detection signal | Scale impact | Remediation priority |
|---|---|---|---|
| God-object monolith | Single 5k+ line file; no module boundaries | Every change risks regression | P1 — extract domains in Week 2–4 |
| Synchronous API chains | Request handlers call 4+ external APIs inline | P95 latency explodes under load | P1 — queue + worker pattern |
| Missing multi-tenancy isolation | No tenant_id on core tables; shared cache keys | Data leak risk; enterprise blocker | P0 — security before growth |
| Client-side business logic | Pricing, limits, entitlements enforced in frontend only | Revenue leakage; abuse vectors | P0 — server-side enforcement |
| Premature microservices | 6+ services for <2k users; no observability | Ops cost > feature cost | P2 — consolidate to monolith |
| Session state in memory | In-process caches; sticky sessions required | Cannot horizontal scale | P1 — Redis or DB-backed sessions |
2.2 Architecture review checklist (72-minute sprint)
- Map the request path: trace one signup, one core action, one billing event end-to-end
- Count integration touchpoints: list every external HTTP call in the hot path
- Inspect data model: ER diagram or schema dump; flag tables without indexes on foreign keys
- Review auth boundary: where does Clerk/Supabase Auth/NextAuth end and your RBAC begin?
- Check background jobs: cron vs queue; failure handling; dead-letter behavior
- Read deploy config: Vercel serverless limits, AWS Lambda timeouts, Docker if self-hosted
Coupling coefficient (quick heuristic)
Coupling_C < 0.15 → healthy modularity
Coupling_C 0.15 – 0.35 → manageable; document boundaries
Coupling_C > 0.35 → refactor before feature work
2.3 Scalability ceiling estimation
Estimate the user/revenue ceiling before infrastructure breaks. Use the bottleneck formula:
Example (Supabase + Vercel + Stripe):
DB pool = 60 connections × 10 req/s per conn ≈ 600 req/s theoretical
Practical ceiling ≈ 600 × 0.3 (safety factor) = 180 req/s
At 5 req/user/min → ~2,160 concurrent active users before DB stress
3. Dependency Scanning: CVE Debt, Licenses, and Supply Chain Risk
To evaluate technical debt quantitatively, you must automate dependency analysis. Manual package.json review misses transitive vulnerabilities and license contamination that create legal and security exposure post-close.
3.1 Automated scan toolchain
| Tool | Stack | Output |
|---|---|---|
| npm audit / pnpm audit | Node.js | CVE severity counts |
| Snyk / Socket.dev | Multi-language | Transitive risk + supply chain |
| pip-audit / safety | Python | PyPI CVE report |
| bundler-audit | Ruby | Gem vulnerability list |
| license-checker / FOSSA | All | GPL/AGPL contamination flags |
One-command audit script (Node.js acquisitions)
#!/usr/bin/env bash # Run from repo root during tech stack audit npm ci npm audit --json > audit-report.json npx license-checker --summary > license-summary.txt npx depcheck > unused-deps.txt echo "Critical CVEs:" && jq '.metadata.vulnerabilities.critical' audit-report.json echo "High CVEs:" && jq '.metadata.vulnerabilities.high' audit-report.json
3.2 Dependency debt scoring matrix
| Finding | Severity | Remediation hours | Deal impact |
|---|---|---|---|
| 0 critical, <5 high CVEs | Low | 4–8h | None |
| 1–3 critical CVEs (patchable) | Medium | 8–16h | −3% EV |
| Framework EOL (Node 16, Rails 5) | High | 40–120h | −10% to −20% EV |
| GPL dependency in SaaS core | Critical | Legal review + rewrite | Walk or IP-only structure |
| Unmaintained core dep (>24mo) | High | 24–80h migration | −8% EV; flag in APA reps |
3.3 CVE remediation cost formula
Blended_rate = $85–$150/hr (fractional senior dev)
Critical patch: 4–12h each | High: 2–6h | Medium: 1–3h
Framework upgrade surcharge:
Upgrade_cost = Base_hours × Breaking_change_multiplier
Breaking_change_multiplier ∈ {1.5, 2.0, 3.0} by major version gap
A seller who has not run npm audit in twelve months is telling you maintenance stopped before revenue did. Price that negligence into your offer—or walk.4. Legacy API Mitigation: Deprecation Timelines and Vendor Lock-In
Third-party APIs are silent deal-killers. Stripe API version drift, deprecated Twitter endpoints, and sunset Shopify API versions can break billing and core workflows within months of close. Your audit saas tech stack must include an integration inventory with sunset dates.
4.1 Integration inventory template
| Integration | Version in code | Current stable | Sunset risk | Migration effort |
|---|---|---|---|---|
| Stripe Billing | Check API version header | 2024-11-20.acacia+ | High if >18mo behind | 8–24h |
| Supabase client | @supabase/supabase-js version | v2.x | Medium if v1 remnants | 16–40h |
| SendGrid / Resend | API key scope + SDK | Current REST | Low–medium | 4–12h |
| OpenAI / Anthropic | Model IDs in prompts | gpt-4o / claude-3-5+ | High — model deprecation | 4–20h per model swap |
| OAuth providers | Google/Facebook API versions | Platform-specific | Medium — policy changes | 8–16h |
| Zapier / Make webhooks | Webhook URLs in env | N/A | Bus factor — seller-owned | Document + migrate Day 1 |
4.2 Legacy API risk score
Weights: Billing APIs = 3.0 | Auth = 2.5 | Core feature = 2.0 | Analytics = 1.0
Severity: Current = 0 | 1 version behind = 1 | 2+ behind = 2 | Deprecated = 3
API_risk > 8 → mandatory migration budget in APA holdback
Mitigation playbook by risk tier
- Tier 1 (billing/auth): migrate before any feature work; run parallel webhook validation for 14 days
- Tier 2 (core feature APIs): abstract behind adapter interface; swap provider without UI changes
- Tier 3 (analytics/nice-to-have): deprecate or replace with PostHog/Plausible in Week 2
4.3 Webhook reliability audit
Broken webhooks cause silent revenue drift. Verify idempotency, signature validation, and retry handling:
// Stripe webhook handler — minimum viable pattern
export async function POST(req: Request) {
const sig = req.headers.get('stripe-signature');
const body = await req.text();
const event = stripe.webhooks.constructEvent(body, sig, WEBHOOK_SECRET);
// Idempotency: check event.id before processing
const processed = await db.webhookEvents.findUnique({
where: { id: event.id }
});
if (processed) return Response.json({ received: true });
await db.webhookEvents.create({ data: { id: event.id, type: event.type } });
// ... handle event
return Response.json({ received: true });
}5. Infrastructure Cost Analysis: Supabase, AWS, and Vercel
Infrastructure is a recurring COGS line that scales with users—often non-linearly. Model costs at 1×, 2×, and 5× current usage before you trust seller-reported margins.
5.1 Supabase cost model (2026 baseline)
| Component | Free/Pro included | Overage rate | 3× scale trigger |
|---|---|---|---|
| Database size | 8 GB (Pro) | $0.125/GB-mo | Heavy blob storage in rows |
| Egress | 250 GB (Pro) | $0.09/GB | Unoptimized asset delivery |
| MAU (Auth) | 100k (Pro) | $0.00325/MAU | B2C free tier explosion |
| Realtime connections | 500 (Pro) | Tier upgrade | Live collaboration features |
| Edge Functions invocations | 2M (Pro) | $2/million | Webhook-heavy architecture |
Example: 800 GB egress, 12 GB DB, 150k MAU on Pro ($25):
≈ $25 + (550 × $0.09) + (4 × $0.125) + (50000 × $0.00325)
≈ $25 + $49.50 + $0.50 + $162.50 = $237.50/mo
5.2 AWS cost model (typical micro-SaaS patterns)
| Service | Micro-SaaS use case | 1× baseline | 3× scale estimate |
|---|---|---|---|
| RDS / Aurora | Primary Postgres | $30–$80/mo | $120–$350/mo (instance upgrade) |
| Lambda + API Gateway | Serverless API | $5–$40/mo | $50–$200/mo |
| S3 + CloudFront | Asset storage/CDN | $10–$50/mo | $40–$180/mo |
| SES / SNS | Transactional email | $1–$20/mo | $10–$80/mo |
| ElastiCache Redis | Sessions/queues | $15–$50/mo | $50–$150/mo |
5.3 Vercel cost model (Next.js micro-SaaS)
| Metric | Pro included | Overage | Audit red flag |
|---|---|---|---|
| Serverless function GB-hrs | 1,000 | $0.18/GB-hr | Heavy SSR on every page |
| Bandwidth | 1 TB | $0.15/GB | Unoptimized images/API proxy |
| Edge middleware invocations | 1M | Tier-dependent | Auth on every asset request |
| Build minutes | 6,000 | $0.014/min | Monorepo bloat; no caching |
Healthy micro-SaaS: Infra_margin_drag < 8%
Warning zone: 8% – 15%
Deal risk: > 15% (reprice or demand infra optimization plan)
5.4 Cross-platform stack comparison
| Stack pattern | Typical MRR band | Monthly infra | Scale ceiling | Buyer fit |
|---|---|---|---|---|
| Vercel + Supabase + Stripe | $3k–$30k | $50–$400 | ~50k MAU | Solo operator; fast iteration |
| AWS Lambda + RDS | $10k–$100k | $150–$800 | ~200k MAU | Technical buyer; cost control |
| Railway / Render + Postgres | $2k–$15k | $30–$200 | ~20k MAU | Bootstrap; migrate path needed |
| Self-hosted VPS + Docker | $1k–$10k | $20–$100 | Ops-dependent | High bus-factor risk; audit on-call |
6. The Post-Purchase Tech Refactor Budget Sheet
Every flaw you document must convert to dollars and weeks. This budget sheet feeds your APA price adjustment, escrow holdback, and first-90-day operating plan.
6.1 Refactor line-item template
| Workstream | Hours (low) | Hours (high) | Cost @ $120/hr | Priority |
|---|---|---|---|---|
| Dependency/CVE remediation | 8 | 40 | $960 – $4,800 | P0 — Week 1 |
| Stripe/API version upgrades | 8 | 24 | $960 – $2,880 | P0 — Week 1 |
| Database index + query optimization | 12 | 32 | $1,440 – $3,840 | P1 — Week 2 |
| Auth/RBAC server-side enforcement | 16 | 48 | $1,920 – $5,760 | P0 if gaps found |
| Background job queue migration | 20 | 60 | $2,400 – $7,200 | P1 — Week 3–4 |
| CI/CD + test coverage (>50%) | 24 | 80 | $2,880 – $9,600 | P1 — ongoing |
| Monitoring (Sentry + uptime) | 4 | 12 | $480 – $1,440 | P0 — Day 3 |
| Framework major upgrade | 60 | 200 | $7,200 – $24,000 | P2 — Month 2–3 |
6.2 Total refactor budget formula
Risk_buffer = 1.25 (standard) | 1.40 (TDS > 3.0) | 1.60 (solo founder, no docs)
Offer_adjustment = min(Refactor_budget, 0.35 × Asking_price)
Adjusted_offer = Asking_price − Offer_adjustment
Holdback_recommendation = max(10% × Adjusted_offer, 0.5 × P0_workstream_cost)
Worked example: $95k ask, TDS = 3.1
| Line item | Estimate |
|---|---|
| CVE + API upgrades (P0) | $5,500 |
| DB optimization + queue migration | $8,200 |
| CI/CD + monitoring | $4,100 |
| Subtotal | $17,800 |
| × Risk buffer (1.40) | $24,920 |
| Offer adjustment | −$24,920 |
| Adjusted offer | $70,080 + 12% holdback |
6.3 Refactor ROI breakeven
Churn_reduction_value = MRR × (Churn_before − Churn_after) × Avg_customer_lifetime_mo
Example: $25k refactor, 2% monthly churn reduction on $12k MRR, 14-mo LTV:
Gain ≈ $12,000 × 0.02 × 14 = $3,360 cumulative over LTV window
Monthly stabilization gain ≈ $200 MRR retained → breakeven ≈ 18–24 months on ops alone
(Justifies refactor when combined with growth capacity + valuation multiple protection)
7. The 72-Hour Tech Stack Audit Sprint
Compress diligence into a repeatable sprint. Non-technical buyers should hire a fractional CTO for 8–12 hours; technical buyers can run this solo.
Day 1 — Access, clone, scan (8 hours)
- Hour 1–2: Secure repo, hosting, DB read-only, Stripe dashboard
- Hour 3–4: Clone, boot locally, run test suite
- Hour 5–6: npm audit, license-checker, depcheck, framework EOL check
- Hour 7–8: Map architecture diagram from code; score TDS draft
Day 2 — Deep integration and data audit (8 hours)
- Hour 1–3: Integration inventory with API version and sunset risk
- Hour 4–5: Schema review; slow query log or EXPLAIN on top 10 queries
- Hour 6–7: Webhook handler review; idempotency and error paths
- Hour 8: Infrastructure billing export; model 3× cost projection
Day 3 — Budget, report, negotiate (6 hours)
- Hour 1–2: Complete refactor budget sheet with risk buffer
- Hour 3–4: Write 2-page tech memo for APA reps and holdback terms
- Hour 5–6: Present findings to seller; negotiate price or walk
If the seller will not grant read-only repo access before LOI, you are not buying a business—you are buying a mystery box. Use an NDA and a 72-hour exclusivity window instead of blind trust.
8. Frequently Asked Questions
How is a tech stack audit different from general technical due diligence?
General technical due diligence covers access, SEO, and transfer gates. A dedicated audit saas tech stack goes deeper on architecture scalability, dependency quantification, infrastructure cost curves, and refactor budgeting—the engineering economics of the asset.
What TDS score should make me walk away?
TDS above 4.2 unless you have a turnaround thesis and engineering capacity. Between 3.5 and 4.2, price in full refactor budget plus 15% holdback. Below 2.5, proceed with a standard 48-hour hygiene sprint post-close.
Is Vercel + Supabase scalable enough for a $50k MRR acquisition?
Yes, for most B2B micro-SaaS with <100k MAU if egress and database queries are optimized. Audit the 3× cost projection—bill shock from unoptimized assets is the common failure mode, not platform limits.
How do I evaluate technical debt if I am not an engineer?
Hire a fractional senior dev for 8–12 hours ($800–$1,500). Provide the 72-hour sprint checklist and require a TDS score plus refactor budget in writing. Never close on seller verbal assurances about “clean code.”
Should refactor costs reduce the purchase price or come from post-close budget?
Both. Price reduction reflects pre-existing seller negligence. Post-close budget covers execution. Use APA reps warranting no undisclosed critical CVEs and API deprecations within 90 days of close.
Comments from Pro members
Selected feedback from verified Pro subscribers. Timestamps update while you read.
- Jordan K.…
Switched to Pro mainly for the extra analyses and Reddit/X coverage. This workflow section matches how I screen listings now—saves me hours every week.
Pro
- Priya S.…
The cross-marketplace point is huge. I used to miss duplicates across sites. Premium paid for itself after one decent lead I would have skipped.
Pro
- Marcus T.…
As a Pro user I appreciate the emphasis on red flags before diligence. If you are still on Free, at least read the checklist twice before you wire funds.
Pro
- Elena R.…
I send founders here when they ask how I find sub-$10k deals. The internal link to pricing is honest—you really do need Premium or Pro if you are serious.
Pro
- Chris V.…
MyDealList + a simple spreadsheet is my stack for 2026. Dynamic feed + alerts beats refreshing five marketplaces manually. Worth upgrading from Premium to Pro if you scale volume.
Pro
Leave a Reply
Your email address will not be published.