Technical due diligence can make or break an acquisition or investment. After participating in dozens of these reviews, I've seen patterns in what kills deals or tanks valuations. Here are the 15 red flags that consistently concern investors, and how to address them before they become problems.
Category 1: Code Quality & Architecture
Red Flag 1: No Version Control History
What investors see: Repository created recently with one commit, or entire history squashed.
Why it matters: - Can't assess how the team works - No way to understand code evolution - Possible indicator of copied or purchased code - Makes debugging production issues harder
What good looks like: - Clean commit history going back to project inception - Meaningful commit messages - Evidence of code review (merge/pull requests) - Multiple contributors over time
Red Flag 2: Massive Codebase for Simple Functionality
What investors see: 500,000 lines of code for what should be a 50,000-line application.
Why it matters: - Maintenance costs scale with codebase size - Indicates poor abstractions or excessive copy-paste - Future development velocity will be slow - Onboarding new engineers takes longer
How to assess: Compare lines of code to feature complexity. A basic CRUD app shouldn't be 200 files. An e-commerce site doesn't need 50 microservices.
Red Flag 3: No Tests or Meaningless Tests
What investors see: Either zero test coverage, or tests that test nothing useful.
Meaningless test examples: ```javascript // This tests nothing test('renders', () => { render(<Component />); expect(true).toBe(true); });
// This tests implementation, not behavior test('calls API', () => { expect(mockApi).toHaveBeenCalledTimes(1); }); ```
Why it matters: - No confidence in making changes - Bugs reach production more often - Refactoring becomes terrifying - Technical debt compounds
What good looks like: - 60-80% code coverage on business logic - Integration tests for critical paths - Tests that verify behavior, not implementation - CI that runs tests on every commit
Red Flag 4: Outdated Dependencies
What investors see: Dependencies 3+ years old with known security vulnerabilities.
Common culprits: - Node.js on unsupported version (14 or below) - React 16 or earlier - Database drivers with unpatched CVEs - Framework versions no longer maintained
Why it matters: - Security vulnerabilities accumulate - Modernization becomes harder over time - May indicate team not investing in maintenance - Compatibility issues with new tools/services
Remediation cost reality: Updating from one major version to the next: $10-50K Updating from 3 major versions behind: $100-500K Complete rewrite: $500K-2M+
Category 2: Infrastructure & Operations
Red Flag 5: Manual Deployments
What investors see: Deployments require SSH access and running scripts manually.
Why it matters: - Human error causes outages - Deployments take hours instead of minutes - Can't deploy on weekends or during PTO - Rollbacks are slow and risky
What good looks like: - CI/CD pipeline for all environments - Deployments triggered by merge to main - Automated rollback on failed health checks - Deployment frequency: multiple times per week
Red Flag 6: No Environment Separation
What investors see: Development happens on production database, or staging shares resources with production.
Horror stories I've witnessed: - Developer runs test script, deletes production users - "Staging" load test takes down production - Debug logging filling production disks - Test email sends to real customers
Why it matters: - One mistake can destroy the business - Can't safely test changes - Compliance (SOC 2, HIPAA) often requires separation - No way to reproduce production issues safely
Red Flag 7: Single Points of Failure
What investors see: The entire business runs on one server, one database, or one person's laptop.
Common SPOFs: - Single EC2 instance (no auto-scaling, no redundancy) - Database without replicas or backups - SSL certs managed manually (and expiring) - Critical knowledge in one engineer's head
Why it matters: - Hardware failure = extended outage - Scaling impossible without rewrite - Key person risk is business risk - Disaster recovery is impossible
Red Flag 8: No Logging or Monitoring
What investors see: When asked about system health, the answer is "users tell us when something's broken."
Minimum viable monitoring: - Error tracking (Sentry, Bugsnag) - Uptime monitoring (external) - Basic resource utilization (CPU, memory, disk) - Request latency percentiles
Why it matters: - Can't proactively identify issues - Incident response is slow and chaotic - No data for capacity planning - Can't prove SLA compliance
Category 3: Security & Compliance
Red Flag 9: Secrets in Code
What investors see: API keys, database passwords, or private keys committed to the repository.
Where secrets hide: - .env files committed to git - Hardcoded in configuration files - In comments ("temporarily" hardcoded) - In old commits (git history never forgets)
Why it matters: - Past contributors have ongoing access - Git history is often public - Rotates secrets becomes hard - Compliance frameworks explicitly prohibit this
What good looks like: - Secrets in dedicated management (Vault, AWS Secrets Manager) - Environment variables injected at runtime - Automated secret rotation - Git history scanned for accidentally committed secrets
Red Flag 10: No Authentication/Authorization Review
What investors see: Admin endpoints accessible without authentication, or regular users can access other users' data.
Common vulnerabilities: - IDOR (changing user ID in URL accesses other accounts) - No rate limiting on authentication - Password reset tokens that don't expire - Sessions that never timeout
Why it matters: - Data breach waiting to happen - Regulatory fines (GDPR, CCPA) - Customer trust destruction - Possible grounds for deal termination
Red Flag 11: No Backup/Recovery Testing
What investors see: "We have backups" but they've never been tested.
Questions that reveal the truth: - When did you last restore from backup? - How long would recovery take? - What's your Recovery Point Objective? - Who has access to initiate recovery?
Reality check: Untested backups are not backups. They're hope.
Category 4: Team & Process
Red Flag 12: Bus Factor of One
What investors see: One engineer who is the only person who understands critical systems.
Warning signs: - All complex PRs authored by same person - Certain systems "we don't touch" - No documentation for key components - Long tenure with no knowledge transfer
Why it matters: - Acquisition loses value if key person leaves - Velocity depends on one person's availability - No peer review on critical code - Integration post-acquisition becomes harder
Red Flag 13: No Documentation
What investors see: New engineers take 6+ months to become productive because nothing is written down.
Documentation gaps: - Architecture decisions (ADRs) - Onboarding guides - API documentation - Runbooks for common incidents
Why it matters: - Onboarding is expensive - Tribal knowledge creates risk - Integration with acquirer systems is slow - Maintenance by new team post-acquisition is difficult
Red Flag 14: Inconsistent Development Practices
What investors see: Every part of the codebase uses different patterns, naming conventions, and libraries.
Symptoms: - 3 different HTTP clients in one project - Inconsistent error handling patterns - Some components tested, others not - Multiple solutions for same problem
Why it matters: - Higher cognitive load for developers - Bugs from unfamiliar patterns - Difficult to establish quality bar - Training is complicated
Category 5: Data & IP
Red Flag 15: Unclear IP Ownership
What investors see: Code written by contractors without work-for-hire agreements, or open source licenses that conflict with commercial use.
Problematic situations: - Founders wrote code before incorporation - Agencies retain IP rights by default - GPL-licensed code in commercial product - Third-party code without clear licensing
Why it matters: - Deal could unravel over IP disputes - May require expensive legal remediation - Possible liability post-acquisition - Relicensing may be impossible
Pre-Due Diligence Checklist
Before investors arrive, verify:
Code & Architecture: - [ ] Clean git history preserved - [ ] Codebase size proportional to functionality - [ ] Meaningful test coverage on critical paths - [ ] Dependencies updated within last 12 months
Infrastructure: - [ ] CI/CD pipeline exists and is used - [ ] Environment separation is real - [ ] No single points of failure - [ ] Monitoring and alerting in place
Security: - [ ] No secrets in code (including git history) - [ ] Authentication/authorization reviewed - [ ] Backups tested within last quarter
Team: - [ ] Knowledge spread across multiple people - [ ] Documentation exists for critical systems - [ ] Consistent coding standards
Legal: - [ ] IP ownership documented - [ ] Open source licenses reviewed - [ ] Contractor agreements have proper IP clauses
The Valuation Impact
Each red flag doesn't just risk the deal. It affects price.
Typical valuation adjustments: - No tests: -10-20% (remediation costs + risk) - Security issues: -15-30% (liability + remediation) - Technical debt: -20-40% (rewrite costs) - Key person risk: -10-25% (retention risk) - IP issues: Deal killer or -50%+
The best time to address these is before you need to. The second best time is now.
Preparing for technical due diligence? [We can help you identify and fix issues before investors see them](/contact).