MyDealList · Due diligence
Pre-Acquisition Security & Penetration Testing: The Buyer's Vulnerability Checklist
Quick-action SaaS security audit for acquirers: OWASP Top 10 vulnerability mapping, cloud configuration policy checks, GDPR and SOC 2 alignment validation, penetration testing scope tiers, and using security findings for deal-price renegotiation.
Revenue screenshots do not transfer security posture. Sellers routinely present MRR dashboards while hiding IDOR vulnerabilities on billing APIs, misconfigured cloud storage with customer PII, expired SSL certificates on admin subdomains, and SOC 2 badges that cover a different legal entity than the one you are buying. A disciplined saas security audit workflow separates acquirers who compound cash flow from buyers who inherit a breach disguised as recurring revenue.
This masterclass is written for acquisition entrepreneurs evaluating SaaS, browser extensions, and API-first tools in the $10k–$500k range. You will learn how to run a quick-action vulnerability assessment web sprint, map findings to the OWASP Top 10, audit cloud config policies across AWS, GCP, Vercel, and Supabase, verify GDPR and SOC 2 alignment, structure penetration testing due diligence requests, and convert security scores into price reductions and escrow holdbacks before you wire funds.
Pair this with our technical due diligence checklist, micro-SaaS tech stack audit, and IP & copyright due diligence playbook for a complete buy-side operating stack.
Not legal or security advice. Penetration testing requires written authorization. Engage qualified security professionals and counsel before acting on findings or modifying production systems.
1. The Security Due Diligence Topology: What You Are Actually Inheriting
Security posture in a SaaS acquisition is not a single checkbox—it is a stack of overlapping controls that must each be verified independently. A clean codebase with an open S3 bucket still fails security diligence. A SOC 2 Type II report from 2023 with no change-management evidence since a major architecture refactor is marketing, not assurance.
1.1 The six-layer security ownership model
| Layer | What you audit | Failure mode post-close | Typical remediation cost |
|---|---|---|---|
| L1: Application security | OWASP Top 10, auth boundaries, API authorization, input validation | Data breach, account takeover, revenue leakage | $8k–$45k |
| L2: Infrastructure & cloud config | IAM policies, S3/GCS buckets, security groups, WAF rules | Public data exposure, lateral movement after compromise | $3k–$25k |
| L3: Dependency & supply chain | CVE scans, SBOM, third-party SDK permissions | Remote code execution via known exploit chains | $2k–$15k |
| L4: Data privacy & compliance | GDPR DPA, data retention, consent flows, subprocessors | Regulatory fines (up to 4% global revenue under GDPR) | $5k–$80k+ legal + engineering |
| L5: Operational security | Incident response plan, logging, MFA enforcement, secrets rotation | Undetected breach for months; credential stuffing success | $2k–$12k |
| L6: Third-party attestations | SOC 2, ISO 27001, pentest reports, bug bounty history | Enterprise sales blocked; insurance claims denied | $15k–$60k to achieve first audit |
1.2 Security Risk Score (SRS): The composite diligence metric
Quantify security exposure with a weighted composite score. Use this to negotiate price reductions, escrow holdbacks, or walk-away decisions— the same way you apply TDS for technical debt.
Example: a $60k micro-SaaS with SRS = 2.9 (critical IDOR + open bucket + no DPA) should trigger a $7,200–$10,800 price reduction or equivalent escrow holdback tied to remediation milestones.
“Security debt compounds faster than technical debt. A SQL injection you inherit on Day 1 becomes a GDPR notification on Day 47 and a churn event on Day 60. Price it before close, not after the breach.”
2. Pre-Audit Access: The Security Data Room Checklist
Never sign an LOI without defined security access. Minimum artifacts for any software acquisition:
- Staging or sandbox environment — mirror of production with synthetic data for safe testing
- Cloud console read-only access — AWS IAM, GCP, Vercel team viewer, Supabase dashboard
- Most recent pentest report — full findings with remediation status, not executive summary only
- SOC 2 Type II report — if claimed; verify scope, period, and entity name match the asset
- Subprocessor list + DPAs — for GDPR-relevant assets with EU customers
- Incident response log — past 24 months of security events, breaches, and near-misses
- Secrets inventory — where API keys live (Vault, env vars, CI); rotation policy
If the seller refuses staging access citing “production risk,” offer a time-boxed pentest window with written Rules of Engagement (RoE) and liability caps under NDA. No access = no close.
2.1 Access request template (send before LOI)
| Artifact | Format | Red flag if missing |
|---|---|---|
| Penetration test report | PDF, dated within 12 months | Never tested or hiding critical findings |
| Vulnerability scan exports | Nessus, Qualys, or OWASP ZAP JSON | No continuous scanning program |
| Cloud config audit | Prowler, ScoutSuite, or AWS Security Hub export | Misconfigurations unknown to seller |
| Dependency audit | npm audit / Snyk report | Critical CVEs unpatched |
| Privacy policy + cookie consent | Live URLs + version history | GDPR non-compliance exposure |
3. The 4-Hour Quick-Action Security Audit Sprint
Before commissioning a $5k–$15k professional pentest, run this buyer-side sprint to filter obvious failures and build your SRS inputs. Non-technical buyers should hire a fractional security engineer for 4–6 hours ($600–$1,200).
3.1 Sprint timeline
| Block | Duration | Activities |
|---|---|---|
| 0:00 – 0:30 | 30 min | Recon: subdomains, tech stack, exposed endpoints (SecurityHeaders, BuiltWith) |
| 0:30 – 1:30 | 60 min | Automated vuln scan on staging (OWASP ZAP baseline or Nuclei) |
| 1:30 – 2:30 | 60 min | Manual auth testing: IDOR, privilege escalation, session fixation |
| 2:30 – 3:15 | 45 min | Cloud config review: public buckets, IAM over-permission, open SGs |
| 3:15 – 3:45 | 30 min | Compliance spot-check: privacy policy, cookie banner, DPA list |
| 3:45 – 4:00 | 15 min | Score SRS sub-components; draft pass/fail memo |
3.2 Automated vulnerability assessment web script
Run against staging only, with written authorization. This baseline script combines subdomain discovery, header analysis, and ZAP passive scanning:
#!/usr/bin/env bash
# Pre-acquisition vulnerability assessment — STAGING ONLY
# Requires: subfinder, httpx, nuclei, OWASP ZAP (or Docker)
set -euo pipefail
TARGET="${1:?Usage: ./security-audit.sh staging.example.com}"
OUT_DIR="./security-audit-$(date +%Y%m%d)"
mkdir -p "$OUT_DIR"
echo "[1/5] Subdomain enumeration..."
subfinder -d "$TARGET" -silent | httpx -silent -status-code -title \
> "$OUT_DIR/subdomains.txt"
echo "[2/5] Security headers check..."
while read -r url; do
curl -sI "$url" | grep -iE 'strict-transport|content-security|x-frame|x-content'
done < "$OUT_DIR/subdomains.txt" > "$OUT_DIR/headers.txt" 2>/dev/null || true
echo "[3/5] Nuclei critical/high scan..."
nuclei -l "$OUT_DIR/subdomains.txt" -severity critical,high \
-o "$OUT_DIR/nuclei-findings.txt"
echo "[4/5] OWASP ZAP baseline (Docker)..."
docker run --rm -v "$OUT_DIR:/zap/wrk" owasp/zap2docker-stable \
zap-baseline.py -t "https://$TARGET" -r "$OUT_DIR/zap-report.html" \
-J "$OUT_DIR/zap-report.json" || true
echo "[5/5] TLS certificate check..."
echo | openssl s_client -connect "$TARGET:443" -servername "$TARGET" 2>/dev/null \
| openssl x509 -noout -dates -issuer > "$OUT_DIR/tls.txt"
echo "Audit complete. Review $OUT_DIR/"3.3 Manual auth boundary tests (highest ROI)
Automated scanners miss authorization flaws—the #1 source of SaaS breaches. Test these manually on staging with two accounts (User A and User B):
- IDOR on resource IDs: copy User B's invoice/API key/export URL; access as User A
- Horizontal privilege escalation: change tenant_id or org_id in JWT/API requests
- Vertical escalation: access /admin routes as standard user; test GraphQL introspection
- Mass assignment: add “role”: “admin” to profile update JSON
- Password reset flow: token reuse, no expiry, predictable tokens
- API key scope: read-only key performing write/delete operations
4. OWASP Top 10: The SaaS Buyer's Mapping Framework
The OWASP Top 10 (2021, still the industry baseline in 2026) provides a structured lens for penetration testing due diligence. Map every finding to a category, assign severity, and attach remediation cost.
4.1 OWASP Top 10 → acquisition risk matrix
| OWASP category | SaaS-specific signal | Deal impact if found | Typical fix cost |
|---|---|---|---|
| A01: Broken Access Control | IDOR, missing RBAC, client-side entitlements | P0 — data breach, churn, litigation | $5k–$30k |
| A02: Cryptographic Failures | Plaintext PII at rest, weak TLS, hardcoded keys | P0 — regulatory fines | $3k–$20k |
| A03: Injection | SQL/NoSQL injection, command injection in webhooks | P0 — full database compromise | $2k–$15k |
| A04: Insecure Design | No rate limiting, missing threat model, trust client input | P1 — abuse, revenue leakage | $8k–$40k (architecture) |
| A05: Security Misconfiguration | Debug mode in prod, default creds, open CORS | P1 — quick wins for attackers | $1k–$8k |
| A06: Vulnerable Components | Critical CVEs in dependencies (Log4j-class) | P1 — RCE without code changes | $1k–$10k |
| A07: Auth Failures | Weak passwords allowed, no MFA, session never expires | P1 — account takeover at scale | $2k–$12k |
| A08: Software/Data Integrity | Unsigned webhooks, CI/CD without branch protection | P2 — supply chain compromise | $3k–$15k |
| A09: Logging Failures | No audit trail, PII in logs, 7-day retention only | P2 — breach undetected for months | $2k–$8k |
| A10: SSRF | URL fetch features, webhook validators, PDF generators | P1 — internal network access | $3k–$18k |
4.2 OWASP finding severity → SRS sub-score conversion
5. Cloud Config Policies: The Infrastructure Security Audit
Misconfigured cloud resources cause more SaaS breaches than novel exploits. Audit IAM, storage, network, and serverless policies before close—especially on AWS, GCP, Vercel, Railway, and Supabase stacks common in micro-acquisitions.
5.1 Cloud config policy checklist by platform
| Platform | Critical checks | Pass criteria | Fail = deal impact |
|---|---|---|---|
| AWS | S3 Block Public Access, IAM least privilege, Security Groups | No public buckets; no *:* IAM policies; MFA on root | Customer PII exposure |
| GCP | Cloud Storage IAM, VPC firewall, service account keys | Uniform bucket-level access; no SA keys in repo | Lateral movement after key leak |
| Vercel | Env var scope, deployment protection, team RBAC | Production secrets not in preview; 2FA enforced | Secret leak via preview deploy |
| Supabase | RLS policies, anon key exposure, storage buckets | RLS on every user table; storage not public | Full database read via anon key |
| Railway / Render | Service networking, env isolation, persistent volume encryption | Internal services not publicly routed | Admin panel exposed to internet |
5.2 AWS Prowler one-liner for buyer-side audit
# Read-only IAM role required — seller grants SecurityAudit policy pip install prowler prowler aws --severity critical high \ --output-formats csv json \ --output-directory ./prowler-audit \ --status FAIL # Flag immediately: # - s3_bucket_public_access # - iam_user_mfa_enabled_console (root/admin without MFA) # - ec2_securitygroup_allow_ingress_from_internet_to_any_port # - rds_instance_public_access # - cloudtrail_multi_region_enabled (must be true)
5.3 Supabase RLS verification query
Row Level Security bypass is the most common Supabase acquisition vulnerability. Run on a read-only database connection:
-- Tables WITHOUT row-level security enabled (FAIL if user data) SELECT schemaname, tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public' AND rowsecurity = false; -- Policies that use USING (true) — effectively no isolation (FAIL) SELECT schemaname, tablename, policyname, qual FROM pg_policies WHERE schemaname = 'public' AND qual = 'true';
5.4 CloudScore formula
6. GDPR & SOC 2 Alignment: Compliance Due Diligence
Security and compliance overlap but are not identical. A pentest-clean app can still fail GDPR if consent flows are broken or subprocessors lack DPAs. Enterprise buyers require SOC 2 alignment—verify scope, not just badge presence.
6.1 GDPR alignment checklist (EU customer exposure)
| Requirement | Evidence to request | Pass | Fail impact |
|---|---|---|---|
| Lawful basis documented | Privacy policy + consent records | Consent before non-essential cookies | Art. 83 fines up to €20M or 4% revenue |
| Data Processing Agreements | Signed DPAs with all subprocessors | Stripe, SendGrid, AWS, analytics covered | Processor liability transfers to you |
| Right to erasure workflow | Demo delete-account flow + audit log | Full deletion within 30 days | DSAR backlog post-close |
| Data residency | Region config for DB and backups | EU data stays in EU if claimed | Schrems II transfer violations |
| Breach notification process | Incident response plan with 72h SLA | Documented DPA notification workflow | Regulatory penalty multiplier |
| Records of Processing (ROPA) | Internal data inventory spreadsheet | All PII categories mapped | Cannot answer regulator inquiries |
6.2 SOC 2 verification matrix
SOC 2 badges on marketing sites are frequently misleading. Verify these six points before crediting compliance value in your offer:
- Entity match: report legal name = APA target entity
- Report type: Type II (not Type I only); period covers last 12 months
- Trust criteria: Security minimum; Availability/Confidentiality if claimed
- Scope: production environment included; not “corporate IT only”
- Exceptions: read management response to every qualified opinion
- Subservice orgs: AWS, Stripe listed with complementary controls noted
6.3 ComplianceScore formula
7. Professional Penetration Testing Due Diligence
The 4-hour sprint filters obvious failures. For deals above $75k or assets with enterprise customers, commission a scoped pentest before close. Budget $3k–$12k depending on scope and firm tier.
7.1 Pentest scope tiers for acquisitions
| Tier | Scope | Duration | Budget |
|---|---|---|---|
| Tier 1: Web app baseline | OWASP Top 10, auth flows, API endpoints | 3–5 days | $3k–$5k |
| Tier 2: Web + API + cloud | Tier 1 + AWS config review + mobile if applicable | 5–8 days | $6k–$10k |
| Tier 3: Full red team | Tier 2 + social engineering + internal pivot | 10–15 days | $12k–$25k |
7.2 Rules of Engagement (RoE) clauses for seller authorization
- In-scope targets only — staging URLs and IP ranges listed explicitly; production off-limits unless seller opts in
- Testing window — date/time bounds; no DDoS or destructive payloads
- Data handling — findings encrypted at rest; destroyed 90 days post-close
- Liability cap — buyer indemnifies seller for authorized testing damage
- Deliverables — full technical report + executive summary + retest option within 30 days
7.3 Pentest report red flags (reject or renegotiate)
| Red flag | What it means | Buyer action |
|---|---|---|
| Report > 18 months old | Architecture likely changed | Require fresh pentest as closing condition |
| Critical findings “accepted risk” | Seller knowingly ships vulnerabilities | Add remediation escrow; increase SRS |
| Scope excludes API or admin panel | Report is marketing document | Commission independent Tier 2 test |
| No retest confirmation | Fixes may be unverified | Demand retest letter or re-scan |
| Different firm than SOC 2 auditor | Not inherently bad—but verify independence | Cross-reference finding overlap |
8. Converting Security Findings into Deal-Price Renegotiation
Security findings are negotiation leverage only when translated to dollars and timelines. Use the Security Remediation Budget (SRB) formula to compute EV adjustment, then layer holdback structure on top.
8.1 Security Remediation Budget (SRB)
8.2 Price adjustment formula
8.3 Escrow holdback structure for security reps
| Holdback % | Trigger condition | Release criteria |
|---|---|---|
| 8–12% | SRS 1.6–2.5; medium findings | Pentest retest pass within 90 days post-close |
| 12–18% | SRS 2.6–3.5; critical findings patched pre-close | Independent retest + 6-month no-breach warranty |
| 15–20% | Undisclosed breach history suspected | 12-month survival; clawback for pre-close incidents |
Pair SRB math with reps and warranties from our legal framework guide. Require seller rep that no Critical/High findings in the pentest report were known and undisclosed.
9. Master Security Diligence Checklist (Print & Execute)
Use this consolidated checklist on every SaaS target. Score each item Pass / Fail / N/A; compute SRS before LOI revision.
9.1 Application layer
- OWASP ZAP or Nuclei scan completed on staging (Critical = Fail)
- Manual IDOR test on billing, exports, API keys (any fail = P0)
- Admin routes blocked for standard users
- Rate limiting on auth and API endpoints
- CSP, HSTS, X-Frame-Options headers present
- Dependency audit: zero Critical CVEs unpatched > 30 days
- Secrets not in git history (run gitleaks or trufflehog)
9.2 Infrastructure layer
- No public S3/GCS buckets with customer data
- IAM least privilege; no root access keys in use
- MFA enforced on all admin cloud accounts
- Supabase RLS enabled on all user-data tables
- TLS 1.2+ only; no expired certificates on subdomains
- CloudTrail or equivalent audit logging enabled
9.3 Compliance layer
- Privacy policy matches actual data collection
- Cookie consent before non-essential tracking (EU traffic)
- DPAs signed with all subprocessors handling PII
- Account deletion workflow tested and documented
- SOC 2 Type II verified in scope (if enterprise customers claimed)
- Incident response plan exists with 72h breach notification SLA
9.4 gitleaks secrets scan (run on cloned repo)
# Install: https://github.com/gitleaks/gitleaks gitleaks detect --source ./cloned-repo --report-path gitleaks-report.json # FAIL deal if findings include: # - AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY # - stripe live keys (sk_live_) # - database connection strings with production hosts # - private keys (.pem, id_rsa) # PASS with remediation if only revoked/test keys in old commits
10. Post-Close Security Hardening: First 14 Days
Security diligence does not end at close. Execute this sprint before announcing the acquisition or onboarding enterprise customers.
| Day | Action | Owner |
|---|---|---|
| Day 1 | Rotate all secrets: API keys, DB passwords, JWT signing keys | Buyer ops |
| Day 2–3 | Patch Critical/High findings from diligence report | Engineering |
| Day 4–5 | Enable MFA on all admin accounts; revoke seller access | Buyer ops |
| Day 6–7 | Deploy WAF rules; close public bucket ACLs | Engineering |
| Day 8–10 | Update privacy policy ownership; notify subprocessors of control change | Legal + ops |
| Day 11–14 | Commission retest of pre-close Critical findings; document clean bill | Security vendor |
11. FAQ: Security Diligence for Digital Acquirers
What SRS score should make me walk away?
SRS above 3.5 unless you have a security turnaround thesis and $25k+ remediation budget. Between 2.6 and 3.5, price in full SRB plus 12–18% holdback. Below 1.5, proceed with standard credential rotation post-close.
Can I run a pentest on production without seller permission?
No. Unauthorized testing violates CFAA and equivalent laws globally. Always obtain written RoE. Use staging mirrors for buyer-side sprint work; reserve production testing for seller-authorized professional engagements only.
Is a SOC 2 badge enough for a $100k+ acquisition?
Never. Verify the report scope, entity, period, and exceptions. Cross- reference SOC 2 control descriptions against your cloud config audit— auditors routinely accept complementary subservice controls that leave application-layer gaps unaddressed.
How do I evaluate security if I am not a security engineer?
Hire a fractional security consultant for 6–8 hours ($800–$1,500). Provide the 4-hour sprint checklist and require SRS score plus SRB in writing. Never close on seller verbal assurances about “we were never hacked.”
Should security remediation reduce purchase price or come from post-close budget?
Both. Price reduction reflects pre-existing seller negligence (SRB + SRS penalty). Post-close budget covers execution and credential rotation. Use escrow holdbacks to align seller incentives for pre-close Critical remediation.
Does GDPR matter if the target has no EU customers today?
Yes, if you plan geographic expansion or the product could attract EU users organically. GDPR compliance debt is cheaper to fix pre-close when seller still has operational context. Budget $5k–$15k for first-time compliance if gaps exist.
Comments from Pro members
Selected feedback from verified Pro subscribers. Timestamps update while you read.
- Jordan K.…
Switched to Pro mainly for the extra analyses and Reddit/X coverage. This workflow section matches how I screen listings now—saves me hours every week.
Pro
- Priya S.…
The cross-marketplace point is huge. I used to miss duplicates across sites. Premium paid for itself after one decent lead I would have skipped.
Pro
- Marcus T.…
As a Pro user I appreciate the emphasis on red flags before diligence. If you are still on Free, at least read the checklist twice before you wire funds.
Pro
- Elena R.…
I send founders here when they ask how I find sub-$10k deals. The internal link to pricing is honest—you really do need Premium or Pro if you are serious.
Pro
- Chris V.…
MyDealList + a simple spreadsheet is my stack for 2026. Dynamic feed + alerts beats refreshing five marketplaces manually. Worth upgrading from Premium to Pro if you scale volume.
Pro
Leave a Reply
Your email address will not be published.