ACQI runs 89 discovery modules across 8 categories. This is what each one covers — and why it matters for M&A IT due diligence.
The 8 Module Categories
Category 1: Active Directory / Azure AD (18 modules)
Covers: domain structure, OU hierarchy, group membership (including nested), trusted forests, GPO inventory, service accounts, password policies, SID history, ACL analysis, account lockout policies, Kerberos settings, NTLM fallback configuration, certificate template exposure, privileged identity baseline, AD CS configuration, DNS zone configuration, trust relationship settings, and legacy protocol usage (LDAP, NTLM v1).
M&A relevance: AD is the identity backbone. Almost every breach scenario post-merger involves the AD environment in some way. These 18 modules catch what a manual AD audit typically misses.
Category 2: Microsoft 365 / Exchange Online (15 modules)
Covers: mailbox inventory (user, shared, room, equipment), Exchange Online configuration, Teams configuration and channel structure, SharePoint Online site structure, OneDrive usage and sharing, M365 group governance, Power Platform environment, Viva modules, external sharing settings, mail flow rules, connectors and hybrid configuration, OAuth application grants, conditional access policies, sensitivity labels, and M365 license utilization.
M&A relevance: Almost every company has M365. The combination of mailbox count, external sharing settings, and OAuth grants is the most common source of post-merger data leakage incidents.
Category 3: Azure Infrastructure (14 modules)
Covers: Azure subscription structure and management groups, resource group topology, virtual network configuration, VPN and ExpressRoute connections, Azure Firewall and NSG rules, Azure AD application registrations, service principals, managed identities, Azure Key Vault configuration, Azure Storage accounts and blob access, VM inventory and security configuration, Azure SQL/Database services, Azure AD Domain Services, and Azure Lighthouse for delegated administration.
M&A relevance: The acquired company’s Azure environment is frequently the biggest unknown in a tech M&A. Many companies have development subscriptions, trial subscriptions, or abandoned resources that are still accruing cost and creating security exposure.
Category 4: Security Posture (12 modules)
Covers: endpoint protection coverage and version, Windows Defender / Sentinel configuration, Azure Security Center recommendations, conditional access maturity, MFA coverage across all accounts, privileged account coverage (Azure AD and AD), password spray detection settings, sign-in risk policies, application security posture, data loss prevention (DLP) rules, sensitivity label adoption, and Microsoft Purview information governance.
M&A relevance: Security posture at the time of acquisition becomes the acquirer’s responsibility the moment the deal closes. These 12 modules produce a comparable security score for both companies — so the acquirer knows exactly what they’re inheriting.
Category 5: SaaS / Shadow IT (11 modules)
Covers: discovered SaaS applications (authenticated via network traffic analysis), OAuth application inventory (connected apps with granted permissions), SaaS license utilization, SaaS-to-SaaS data flows, IT-managed vs. unmanaged application classification, SaaS credential risk, shared credential detection, and SaaS data residency.
M&A relevance: The shadow IT problem. The average mid-size company has 40-60% of its SaaS footprint that IT doesn’t know about. These are the applications that create GDPR Article 28 gaps, licensing waste, and data security blind spots.
Category 6: Network and Infrastructure (10 modules)
Covers: on-premises network topology (discovered via AD site/subnet configuration, DHCP scopes, DNS records), WAN and MPLS connections, firewall rules and objects, load balancer configuration, proxy server settings, certificate stores and expiration monitoring, remote access solutions (VPN, RDS, DirectAccess), WiFi infrastructure and authentication (WPA2/WPA3 Enterprise), and MDM/Mobile Device Management enrollment.
M&A relevance: Network diagrams don’t exist at most acquired companies — or they’re out of date. These modules produce the actual network topology from what’s running, not what’s documented.
Category 7: Data and Application Inventory (5 modules)
Covers: Line-of-Business application inventory (discovered via process analysis on endpoints), application dependency mapping (which apps depend on which databases, middleware, and infrastructure), database inventory (SQL Server, Oracle, PostgreSQL, MySQL instances and versions), file share inventory and access control lists, and backup system configuration and last test dates.
M&A relevance: Application inventory is the prerequisite for every integration decision — what needs to be migrated, what needs to be replaced, what can be decommissioned. These modules deliver it.
Category 8: Integration-Specific (4 modules)
Covers: tenant-to-tenant migration complexity score, identity overlap analysis (matching accounts across both environments pre-merger), blast radius scoring for key integration scenarios (AD migration, M365 consolidation, Azure subscription merge), and application readiness assessment for known migration paths.
M&A relevance: These four modules are specific to the integration planning phase and produce the outputs that the integration PM uses to build the migration plan.
The 89-Module Advantage in Practice
A typical manual IT audit covers 15-20 discovery points. The scope of what gets missed is significant.
In a 2025 manufacturing acquisition we reviewed post-close, the manual IT audit had catalogued 3 M365 tenants, 4 Azure subscriptions, and 2 AD forests. ACQI’s 89-module scan found: 7 M365 tenants (including 4 that were trial tenants that had been abandoned but were still processing company data), 11 Azure subscriptions (including 2 that were running up $18K/month in compute costs for projects that had been cancelled in 2023), and 3 AD forests (the third was a legacy forest from a 2019 acquisition that had never been consolidated).
That third forest had 340 active user accounts that were still receiving email and had VPN access to the manufacturing network.
The manual audit found what they were looking for. The 89-module scan found what was actually there.