MyDealList · Due diligence

Pre-Acquisition Security & Penetration Testing: The Buyer's Vulnerability Checklist

Quick-action SaaS security audit for acquirers: OWASP Top 10 vulnerability mapping, cloud configuration policy checks, GDPR and SOC 2 alignment validation, penetration testing scope tiers, and using security findings for deal-price renegotiation.

40 min read

Revenue screenshots do not transfer security posture. Sellers routinely present MRR dashboards while hiding IDOR vulnerabilities on billing APIs, misconfigured cloud storage with customer PII, expired SSL certificates on admin subdomains, and SOC 2 badges that cover a different legal entity than the one you are buying. A disciplined saas security audit workflow separates acquirers who compound cash flow from buyers who inherit a breach disguised as recurring revenue.

This masterclass is written for acquisition entrepreneurs evaluating SaaS, browser extensions, and API-first tools in the $10k–$500k range. You will learn how to run a quick-action vulnerability assessment web sprint, map findings to the OWASP Top 10, audit cloud config policies across AWS, GCP, Vercel, and Supabase, verify GDPR and SOC 2 alignment, structure penetration testing due diligence requests, and convert security scores into price reductions and escrow holdbacks before you wire funds.

Pair this with our technical due diligence checklist, micro-SaaS tech stack audit, and IP & copyright due diligence playbook for a complete buy-side operating stack.

Not legal or security advice. Penetration testing requires written authorization. Engage qualified security professionals and counsel before acting on findings or modifying production systems.

1. The Security Due Diligence Topology: What You Are Actually Inheriting

Security posture in a SaaS acquisition is not a single checkbox—it is a stack of overlapping controls that must each be verified independently. A clean codebase with an open S3 bucket still fails security diligence. A SOC 2 Type II report from 2023 with no change-management evidence since a major architecture refactor is marketing, not assurance.

1.1 The six-layer security ownership model

LayerWhat you auditFailure mode post-closeTypical remediation cost
L1: Application securityOWASP Top 10, auth boundaries, API authorization, input validationData breach, account takeover, revenue leakage$8k–$45k
L2: Infrastructure & cloud configIAM policies, S3/GCS buckets, security groups, WAF rulesPublic data exposure, lateral movement after compromise$3k–$25k
L3: Dependency & supply chainCVE scans, SBOM, third-party SDK permissionsRemote code execution via known exploit chains$2k–$15k
L4: Data privacy & complianceGDPR DPA, data retention, consent flows, subprocessorsRegulatory fines (up to 4% global revenue under GDPR)$5k–$80k+ legal + engineering
L5: Operational securityIncident response plan, logging, MFA enforcement, secrets rotationUndetected breach for months; credential stuffing success$2k–$12k
L6: Third-party attestationsSOC 2, ISO 27001, pentest reports, bug bounty historyEnterprise sales blocked; insurance claims denied$15k–$60k to achieve first audit

1.2 Security Risk Score (SRS): The composite diligence metric

Quantify security exposure with a weighted composite score. Use this to negotiate price reductions, escrow holdbacks, or walk-away decisions— the same way you apply TDS for technical debt.

SRS = (0.30 × AppScore) + (0.25 × CloudScore) + (0.15 × DepsScore) + (0.15 × ComplianceScore) + (0.10 × OpsScore) + (0.05 × AttestationScore) Where each sub-score ∈ [0, 5]: 0 = verified clean 5 = critical unmitigated risk Interpretation: SRS ≤ 1.5 → proceed with standard security reps in APA SRS 1.6–2.5 → require security holdback (8–12% purchase price) SRS 2.6–3.5 → renegotiate price or demand pre-close remediation SRS > 3.5 → walk unless breach-response thesis with security budget

Example: a $60k micro-SaaS with SRS = 2.9 (critical IDOR + open bucket + no DPA) should trigger a $7,200–$10,800 price reduction or equivalent escrow holdback tied to remediation milestones.

“Security debt compounds faster than technical debt. A SQL injection you inherit on Day 1 becomes a GDPR notification on Day 47 and a churn event on Day 60. Price it before close, not after the breach.”

2. Pre-Audit Access: The Security Data Room Checklist

Never sign an LOI without defined security access. Minimum artifacts for any software acquisition:

  • Staging or sandbox environment — mirror of production with synthetic data for safe testing
  • Cloud console read-only access — AWS IAM, GCP, Vercel team viewer, Supabase dashboard
  • Most recent pentest report — full findings with remediation status, not executive summary only
  • SOC 2 Type II report — if claimed; verify scope, period, and entity name match the asset
  • Subprocessor list + DPAs — for GDPR-relevant assets with EU customers
  • Incident response log — past 24 months of security events, breaches, and near-misses
  • Secrets inventory — where API keys live (Vault, env vars, CI); rotation policy

If the seller refuses staging access citing “production risk,” offer a time-boxed pentest window with written Rules of Engagement (RoE) and liability caps under NDA. No access = no close.

2.1 Access request template (send before LOI)

ArtifactFormatRed flag if missing
Penetration test reportPDF, dated within 12 monthsNever tested or hiding critical findings
Vulnerability scan exportsNessus, Qualys, or OWASP ZAP JSONNo continuous scanning program
Cloud config auditProwler, ScoutSuite, or AWS Security Hub exportMisconfigurations unknown to seller
Dependency auditnpm audit / Snyk reportCritical CVEs unpatched
Privacy policy + cookie consentLive URLs + version historyGDPR non-compliance exposure

3. The 4-Hour Quick-Action Security Audit Sprint

Before commissioning a $5k–$15k professional pentest, run this buyer-side sprint to filter obvious failures and build your SRS inputs. Non-technical buyers should hire a fractional security engineer for 4–6 hours ($600–$1,200).

3.1 Sprint timeline

BlockDurationActivities
0:00 – 0:3030 minRecon: subdomains, tech stack, exposed endpoints (SecurityHeaders, BuiltWith)
0:30 – 1:3060 minAutomated vuln scan on staging (OWASP ZAP baseline or Nuclei)
1:30 – 2:3060 minManual auth testing: IDOR, privilege escalation, session fixation
2:30 – 3:1545 minCloud config review: public buckets, IAM over-permission, open SGs
3:15 – 3:4530 minCompliance spot-check: privacy policy, cookie banner, DPA list
3:45 – 4:0015 minScore SRS sub-components; draft pass/fail memo

3.2 Automated vulnerability assessment web script

Run against staging only, with written authorization. This baseline script combines subdomain discovery, header analysis, and ZAP passive scanning:

#!/usr/bin/env bash
# Pre-acquisition vulnerability assessment — STAGING ONLY
# Requires: subfinder, httpx, nuclei, OWASP ZAP (or Docker)
set -euo pipefail

TARGET="${1:?Usage: ./security-audit.sh staging.example.com}"
OUT_DIR="./security-audit-$(date +%Y%m%d)"
mkdir -p "$OUT_DIR"

echo "[1/5] Subdomain enumeration..."
subfinder -d "$TARGET" -silent | httpx -silent -status-code -title \
  > "$OUT_DIR/subdomains.txt"

echo "[2/5] Security headers check..."
while read -r url; do
  curl -sI "$url" | grep -iE 'strict-transport|content-security|x-frame|x-content'
done < "$OUT_DIR/subdomains.txt" > "$OUT_DIR/headers.txt" 2>/dev/null || true

echo "[3/5] Nuclei critical/high scan..."
nuclei -l "$OUT_DIR/subdomains.txt" -severity critical,high \
  -o "$OUT_DIR/nuclei-findings.txt"

echo "[4/5] OWASP ZAP baseline (Docker)..."
docker run --rm -v "$OUT_DIR:/zap/wrk" owasp/zap2docker-stable \
  zap-baseline.py -t "https://$TARGET" -r "$OUT_DIR/zap-report.html" \
  -J "$OUT_DIR/zap-report.json" || true

echo "[5/5] TLS certificate check..."
echo | openssl s_client -connect "$TARGET:443" -servername "$TARGET" 2>/dev/null \
  | openssl x509 -noout -dates -issuer > "$OUT_DIR/tls.txt"

echo "Audit complete. Review $OUT_DIR/"

3.3 Manual auth boundary tests (highest ROI)

Automated scanners miss authorization flaws—the #1 source of SaaS breaches. Test these manually on staging with two accounts (User A and User B):

  1. IDOR on resource IDs: copy User B's invoice/API key/export URL; access as User A
  2. Horizontal privilege escalation: change tenant_id or org_id in JWT/API requests
  3. Vertical escalation: access /admin routes as standard user; test GraphQL introspection
  4. Mass assignment: add “role”: “admin” to profile update JSON
  5. Password reset flow: token reuse, no expiry, predictable tokens
  6. API key scope: read-only key performing write/delete operations

4. OWASP Top 10: The SaaS Buyer's Mapping Framework

The OWASP Top 10 (2021, still the industry baseline in 2026) provides a structured lens for penetration testing due diligence. Map every finding to a category, assign severity, and attach remediation cost.

4.1 OWASP Top 10 → acquisition risk matrix

OWASP categorySaaS-specific signalDeal impact if foundTypical fix cost
A01: Broken Access ControlIDOR, missing RBAC, client-side entitlementsP0 — data breach, churn, litigation$5k–$30k
A02: Cryptographic FailuresPlaintext PII at rest, weak TLS, hardcoded keysP0 — regulatory fines$3k–$20k
A03: InjectionSQL/NoSQL injection, command injection in webhooksP0 — full database compromise$2k–$15k
A04: Insecure DesignNo rate limiting, missing threat model, trust client inputP1 — abuse, revenue leakage$8k–$40k (architecture)
A05: Security MisconfigurationDebug mode in prod, default creds, open CORSP1 — quick wins for attackers$1k–$8k
A06: Vulnerable ComponentsCritical CVEs in dependencies (Log4j-class)P1 — RCE without code changes$1k–$10k
A07: Auth FailuresWeak passwords allowed, no MFA, session never expiresP1 — account takeover at scale$2k–$12k
A08: Software/Data IntegrityUnsigned webhooks, CI/CD without branch protectionP2 — supply chain compromise$3k–$15k
A09: Logging FailuresNo audit trail, PII in logs, 7-day retention onlyP2 — breach undetected for months$2k–$8k
A10: SSRFURL fetch features, webhook validators, PDF generatorsP1 — internal network access$3k–$18k

4.2 OWASP finding severity → SRS sub-score conversion

For each OWASP category, assign AppScore based on worst open finding: Critical (CVSS ≥ 9.0) unpatched → category score = 5 High (CVSS 7.0–8.9) unpatched → category score = 4 Medium (CVSS 4.0–6.9) unpatched → category score = 3 Low (CVSS < 4.0) or patched < 90d → category score = 2 No findings in category → category score = 0 AppScore = max(category scores) × 0.6 + mean(category scores) × 0.4 Example: one Critical IDOR (5), two Medium XSS (3,3), rest clean (0,0,0,0,0,0,0) AppScore = max(5,3,3,0...) × 0.6 + mean(1.1) × 0.4 ≈ 3.4

5. Cloud Config Policies: The Infrastructure Security Audit

Misconfigured cloud resources cause more SaaS breaches than novel exploits. Audit IAM, storage, network, and serverless policies before close—especially on AWS, GCP, Vercel, Railway, and Supabase stacks common in micro-acquisitions.

5.1 Cloud config policy checklist by platform

PlatformCritical checksPass criteriaFail = deal impact
AWSS3 Block Public Access, IAM least privilege, Security GroupsNo public buckets; no *:* IAM policies; MFA on rootCustomer PII exposure
GCPCloud Storage IAM, VPC firewall, service account keysUniform bucket-level access; no SA keys in repoLateral movement after key leak
VercelEnv var scope, deployment protection, team RBACProduction secrets not in preview; 2FA enforcedSecret leak via preview deploy
SupabaseRLS policies, anon key exposure, storage bucketsRLS on every user table; storage not publicFull database read via anon key
Railway / RenderService networking, env isolation, persistent volume encryptionInternal services not publicly routedAdmin panel exposed to internet

5.2 AWS Prowler one-liner for buyer-side audit

# Read-only IAM role required — seller grants SecurityAudit policy
pip install prowler
prowler aws --severity critical high \
  --output-formats csv json \
  --output-directory ./prowler-audit \
  --status FAIL

# Flag immediately:
# - s3_bucket_public_access
# - iam_user_mfa_enabled_console (root/admin without MFA)
# - ec2_securitygroup_allow_ingress_from_internet_to_any_port
# - rds_instance_public_access
# - cloudtrail_multi_region_enabled (must be true)

5.3 Supabase RLS verification query

Row Level Security bypass is the most common Supabase acquisition vulnerability. Run on a read-only database connection:

-- Tables WITHOUT row-level security enabled (FAIL if user data)
SELECT schemaname, tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public'
  AND rowsecurity = false;

-- Policies that use USING (true) — effectively no isolation (FAIL)
SELECT schemaname, tablename, policyname, qual
FROM pg_policies
WHERE schemaname = 'public'
  AND qual = 'true';

5.4 CloudScore formula

CloudScore = min(5, Critical_failures × 2 + High_failures × 1 + Medium_failures × 0.5) Where failures come from Prowler/ScoutSuite/manual review. Example: 1 public S3 bucket (Critical) + 2 SGs open to 0.0.0.0/0 (High) CloudScore = min(5, 1×2 + 2×1) = 4.0

6. GDPR & SOC 2 Alignment: Compliance Due Diligence

Security and compliance overlap but are not identical. A pentest-clean app can still fail GDPR if consent flows are broken or subprocessors lack DPAs. Enterprise buyers require SOC 2 alignment—verify scope, not just badge presence.

6.1 GDPR alignment checklist (EU customer exposure)

RequirementEvidence to requestPassFail impact
Lawful basis documentedPrivacy policy + consent recordsConsent before non-essential cookiesArt. 83 fines up to €20M or 4% revenue
Data Processing AgreementsSigned DPAs with all subprocessorsStripe, SendGrid, AWS, analytics coveredProcessor liability transfers to you
Right to erasure workflowDemo delete-account flow + audit logFull deletion within 30 daysDSAR backlog post-close
Data residencyRegion config for DB and backupsEU data stays in EU if claimedSchrems II transfer violations
Breach notification processIncident response plan with 72h SLADocumented DPA notification workflowRegulatory penalty multiplier
Records of Processing (ROPA)Internal data inventory spreadsheetAll PII categories mappedCannot answer regulator inquiries

6.2 SOC 2 verification matrix

SOC 2 badges on marketing sites are frequently misleading. Verify these six points before crediting compliance value in your offer:

  1. Entity match: report legal name = APA target entity
  2. Report type: Type II (not Type I only); period covers last 12 months
  3. Trust criteria: Security minimum; Availability/Confidentiality if claimed
  4. Scope: production environment included; not “corporate IT only”
  5. Exceptions: read management response to every qualified opinion
  6. Subservice orgs: AWS, Stripe listed with complementary controls noted

6.3 ComplianceScore formula

ComplianceScore = GDPR_gap_score + SOC2_gap_score (each 0–2.5, sum capped at 5) GDPR_gap_score: 0 = full alignment (DPA, erasure, consent, ROPA) 2.5 = no DPA + no erasure workflow + EU customers SOC2_gap_score: 0 = valid Type II in scope, < 12 months old 1.0 = Type I only or expired report 2.5 = badge claimed but no report provided

7. Professional Penetration Testing Due Diligence

The 4-hour sprint filters obvious failures. For deals above $75k or assets with enterprise customers, commission a scoped pentest before close. Budget $3k–$12k depending on scope and firm tier.

7.1 Pentest scope tiers for acquisitions

TierScopeDurationBudget
Tier 1: Web app baselineOWASP Top 10, auth flows, API endpoints3–5 days$3k–$5k
Tier 2: Web + API + cloudTier 1 + AWS config review + mobile if applicable5–8 days$6k–$10k
Tier 3: Full red teamTier 2 + social engineering + internal pivot10–15 days$12k–$25k

7.2 Rules of Engagement (RoE) clauses for seller authorization

  • In-scope targets only — staging URLs and IP ranges listed explicitly; production off-limits unless seller opts in
  • Testing window — date/time bounds; no DDoS or destructive payloads
  • Data handling — findings encrypted at rest; destroyed 90 days post-close
  • Liability cap — buyer indemnifies seller for authorized testing damage
  • Deliverables — full technical report + executive summary + retest option within 30 days

7.3 Pentest report red flags (reject or renegotiate)

Red flagWhat it meansBuyer action
Report > 18 months oldArchitecture likely changedRequire fresh pentest as closing condition
Critical findings “accepted risk”Seller knowingly ships vulnerabilitiesAdd remediation escrow; increase SRS
Scope excludes API or admin panelReport is marketing documentCommission independent Tier 2 test
No retest confirmationFixes may be unverifiedDemand retest letter or re-scan
Different firm than SOC 2 auditorNot inherently bad—but verify independenceCross-reference finding overlap

8. Converting Security Findings into Deal-Price Renegotiation

Security findings are negotiation leverage only when translated to dollars and timelines. Use the Security Remediation Budget (SRB) formula to compute EV adjustment, then layer holdback structure on top.

8.1 Security Remediation Budget (SRB)

SRB = Σ (finding_remediation_cost × probability_of_exploit) Default probability weights: Critical + internet-facing → P = 0.85 High + authenticated only → P = 0.55 Medium → P = 0.25 Low → P = 0.10 Example findings: IDOR on billing API (Critical, $18k fix, P=0.85) → $15,300 Open S3 bucket (Critical, $4k fix, P=0.85) → $3,400 Missing MFA on admin (High, $2k fix, P=0.55) → $1,100 3 Medium XSS (Medium, $3k total, P=0.25) → $750 ───────────────────────────────────────────────────── SRB total → $20,550

8.2 Price adjustment formula

Adjusted_Price = Base_Offer − SRB − (SRS_penalty × Base_Offer) SRS_penalty: SRS ≤ 1.5 → 0% SRS 1.6–2.5 → 5% SRS 2.6–3.5 → 10% SRS > 3.5 → 15% (or walk) Example: $60k offer, SRB = $20,550, SRS = 2.9 SRS_penalty = 10% → $6,000 Adjusted_Price = $60,000 − $20,550 − $6,000 = $33,450 Negotiation floor: never accept less than SRB as discount unless seller pre-remediates with verified retest before close.

8.3 Escrow holdback structure for security reps

Holdback %Trigger conditionRelease criteria
8–12%SRS 1.6–2.5; medium findingsPentest retest pass within 90 days post-close
12–18%SRS 2.6–3.5; critical findings patched pre-closeIndependent retest + 6-month no-breach warranty
15–20%Undisclosed breach history suspected12-month survival; clawback for pre-close incidents

Pair SRB math with reps and warranties from our legal framework guide. Require seller rep that no Critical/High findings in the pentest report were known and undisclosed.

9. Master Security Diligence Checklist (Print & Execute)

Use this consolidated checklist on every SaaS target. Score each item Pass / Fail / N/A; compute SRS before LOI revision.

9.1 Application layer

  • OWASP ZAP or Nuclei scan completed on staging (Critical = Fail)
  • Manual IDOR test on billing, exports, API keys (any fail = P0)
  • Admin routes blocked for standard users
  • Rate limiting on auth and API endpoints
  • CSP, HSTS, X-Frame-Options headers present
  • Dependency audit: zero Critical CVEs unpatched > 30 days
  • Secrets not in git history (run gitleaks or trufflehog)

9.2 Infrastructure layer

  • No public S3/GCS buckets with customer data
  • IAM least privilege; no root access keys in use
  • MFA enforced on all admin cloud accounts
  • Supabase RLS enabled on all user-data tables
  • TLS 1.2+ only; no expired certificates on subdomains
  • CloudTrail or equivalent audit logging enabled

9.3 Compliance layer

  • Privacy policy matches actual data collection
  • Cookie consent before non-essential tracking (EU traffic)
  • DPAs signed with all subprocessors handling PII
  • Account deletion workflow tested and documented
  • SOC 2 Type II verified in scope (if enterprise customers claimed)
  • Incident response plan exists with 72h breach notification SLA

9.4 gitleaks secrets scan (run on cloned repo)

# Install: https://github.com/gitleaks/gitleaks
gitleaks detect --source ./cloned-repo --report-path gitleaks-report.json

# FAIL deal if findings include:
# - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
# - stripe live keys (sk_live_)
# - database connection strings with production hosts
# - private keys (.pem, id_rsa)

# PASS with remediation if only revoked/test keys in old commits

10. Post-Close Security Hardening: First 14 Days

Security diligence does not end at close. Execute this sprint before announcing the acquisition or onboarding enterprise customers.

DayActionOwner
Day 1Rotate all secrets: API keys, DB passwords, JWT signing keysBuyer ops
Day 2–3Patch Critical/High findings from diligence reportEngineering
Day 4–5Enable MFA on all admin accounts; revoke seller accessBuyer ops
Day 6–7Deploy WAF rules; close public bucket ACLsEngineering
Day 8–10Update privacy policy ownership; notify subprocessors of control changeLegal + ops
Day 11–14Commission retest of pre-close Critical findings; document clean billSecurity vendor

11. FAQ: Security Diligence for Digital Acquirers

What SRS score should make me walk away?

SRS above 3.5 unless you have a security turnaround thesis and $25k+ remediation budget. Between 2.6 and 3.5, price in full SRB plus 12–18% holdback. Below 1.5, proceed with standard credential rotation post-close.

Can I run a pentest on production without seller permission?

No. Unauthorized testing violates CFAA and equivalent laws globally. Always obtain written RoE. Use staging mirrors for buyer-side sprint work; reserve production testing for seller-authorized professional engagements only.

Is a SOC 2 badge enough for a $100k+ acquisition?

Never. Verify the report scope, entity, period, and exceptions. Cross- reference SOC 2 control descriptions against your cloud config audit— auditors routinely accept complementary subservice controls that leave application-layer gaps unaddressed.

How do I evaluate security if I am not a security engineer?

Hire a fractional security consultant for 6–8 hours ($800–$1,500). Provide the 4-hour sprint checklist and require SRS score plus SRB in writing. Never close on seller verbal assurances about “we were never hacked.”

Should security remediation reduce purchase price or come from post-close budget?

Both. Price reduction reflects pre-existing seller negligence (SRB + SRS penalty). Post-close budget covers execution and credential rotation. Use escrow holdbacks to align seller incentives for pre-close Critical remediation.

Does GDPR matter if the target has no EU customers today?

Yes, if you plan geographic expansion or the product could attract EU users organically. GDPR compliance debt is cheaper to fix pre-close when seller still has operational context. Budget $5k–$15k for first-time compliance if gaps exist.

Comments from Pro members

Selected feedback from verified Pro subscribers. Timestamps update while you read.

  • Jordan K.

    Switched to Pro mainly for the extra analyses and Reddit/X coverage. This workflow section matches how I screen listings now—saves me hours every week.

    Pro

  • Priya S.

    The cross-marketplace point is huge. I used to miss duplicates across sites. Premium paid for itself after one decent lead I would have skipped.

    Pro

  • Marcus T.

    As a Pro user I appreciate the emphasis on red flags before diligence. If you are still on Free, at least read the checklist twice before you wire funds.

    Pro

  • Elena R.

    I send founders here when they ask how I find sub-$10k deals. The internal link to pricing is honest—you really do need Premium or Pro if you are serious.

    Pro

  • Chris V.

    MyDealList + a simple spreadsheet is my stack for 2026. Dynamic feed + alerts beats refreshing five marketplaces manually. Worth upgrading from Premium to Pro if you scale volume.

    Pro

Leave a Reply

Your email address will not be published.

Live activity

Team in Chicago found a gem with AI