/momentos · Due Diligence M&A

M&A Cyber Due Diligence: Before You Sign

Cyber assessment of the target company: exploitable vulnerabilities, data exposure, historical incidents, compliance, fine contingencies.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

The buyer discovers post-closing that the target has a 3M-customer leak on the deep web, an ongoing LGPD fine and an undisclosed ransomware incident from 6 months ago. The earn-out turns into a lawsuit. Pre-signing cyber due diligence protects the buyer and becomes price-negotiation material.

Context and regulation

  • LGPD art. 33-36 (data sharing)
  • Lei 13.303/2016 (state-owned company M&A)
  • SEC SK 1.05 (listed target)
  • GDPR art. 28 (target in the EU)

/attack-surface

Due Diligence M&A

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

External attack surface inventory

Full ASM of the target: domains, subdomains, cloud assets, WAN exposures.

02

Sampled production pentest

Under NDA: focused pentest on systems supporting the revenue claimed in the DD.

03

Threat intel: historical incidents

Deep/dark web checks, criminal forums, breach databases. Has the target leaked in the past?

04

SOC and compliance maturity

Existence of prior pentest, SOC, EDR, security policy, training. Real capabilities.

05

LGPD/GDPR/ANPD process analysis

Pending fines, ANPD consent orders, class actions — contingent cyber liabilities.

06

Third-party analysis

Critical vendors used by target, contracts, SLAs, inherited risk.

07

Contract clause recommendation

Cyber R&W, specific indemnification, earn-out retention conditioned on remediation.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Confidential work in finance, healthcare and B2B SaaS transactions. Output used for price negotiation and earn-out structuring.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — Due Diligence M&A

Does the target know it's being audited?

Depends on the deal structure. In green-light DD, yes — collaborative with data room. In adversarial DD (rare outside hostile takeovers), only via public ASM/OSINT assets, without touching production.

How long and how much?

3-6 weeks for full DD. BRL 80-250k depending on target size and complexity. Typical investment = 0.5-2% of enterprise value, returns 5-50x in price/condition negotiation.

Can the result block the deal?

Technically yes, but rare. More commonly it feeds price adjustment, earn-out retention, specific indemnification or mandatory remediation clauses post-closing.

Do you talk to the deal's law firm?

Yes. We often coordinate deliverables with Pinheiro Neto, Mattos Filho, Demarest, BMA, Veirano. Output formatted for SPA/SHA citation.

/contact

Confidential cyber DD

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.