
Add-On Acquisition IT Due Diligence: The Fast 72-Hour Assessment

Add-on acquisitions don't get the same DD treatment as platform deals. Here's a 72-hour sprint that catches the IT risks that transfer to the platform company.

Luna

Platform deals get full IT due diligence. Add-on acquisitions get a spreadsheet.

This is how platform companies end up with their Azure AD tenant compromised by an add-on that had a founder’s personal email as a global admin account, or whose only IT person was using his own Gmail for all company business.

Here is the 72-hour sprint for add-on IT DD. It is not a full ACQI 89-module scan. It is the fast version that catches the risks that transfer to the platform company.

Hours 0-24: Identity Discovery

The most important discovery for add-ons is identity — because an add-on’s identity problems become the platform company’s problems on Day 1.

What to run:

  1. ACQI AD / Azure AD discovery module (condensed): All accounts in the add-on’s domain, all privileged accounts, all service accounts
  2. MFA status: What percentage of user accounts have MFA enabled? (If < 50%, the add-on is a high-risk identity environment)
  3. Shared account audit: Are there any accounts shared across multiple users? (A red flag for accountability gaps)
  4. External access audit: What Azure AD / M365 applications have been authorized by the add-on? What third-party OAuth apps have access?

The specific finding that destroys platform companies: Add-on companies with Azure AD tenants that were set up by a consultant or MSP who used their own email as a global admin, then left. The consultant’s email still has global admin on the add-on’s Azure AD. When the add-on is integrated into the platform company’s tenant, if the integration path involves any Azure AD Connect configuration, the consultant’s account is now a privileged account in the platform company’s environment.

Hours 0-24 also:

  • Check whether the add-on has any Azure AD P2 licenses (if not, they don’t have conditional access policies — which means they have no real access governance)
  • Check the add-on’s M365 tenant age — tenants less than 6 months old may not have had security defaults properly configured
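As an added example (not ACQI's or the author's code), the script below applies this section's identity thresholds to a flattened Graph-style export; the tenant facts, accounts, SKU values and assessment date are all constructed.

```python
"""Identity triage for Hours 0-24 (added example, not ACQI or the author's code).
Input mimics a Microsoft Graph export flattened to what the sprint needs;
every value below is constructed."""
from datetime import datetime

def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

# Constructed sample: tenant facts plus one row per account. "mfa" stands in for the
# isMfaRegistered flag of the authentication-methods report; "roles" are directory roles.
TENANT = {
    "verifiedDomains": ["addonco.example"],
    "createdDateTime": "2025-11-03T00:00:00Z",
    "skus": ["SPE_E3"],  # Microsoft 365 E3 only, no AAD_PREMIUM_P2
}
USERS = [
    {"upn": "founder@gmail.example", "mfa": False, "roles": ["Global Administrator"]},
    {"upn": "msp-admin@consultant.example", "mfa": True, "roles": ["Global Administrator"]},
    {"upn": "alice@addonco.example", "mfa": True, "roles": []},
    {"upn": "bob@addonco.example", "mfa": False, "roles": []},
    {"upn": "shared-ops@addonco.example", "mfa": False, "roles": ["Exchange Administrator"]},
]

def identity_findings(tenant, users, assessed_at):
    """Return (rating, text) findings against the playbook's identity thresholds."""
    findings = []
    # MFA coverage across all user accounts: below 50% is a high-risk identity environment.
    mfa_pct = 100 * sum(u["mfa"] for u in users) / len(users)
    if mfa_pct < 50:
        findings.append(("High", f"MFA coverage {mfa_pct:.0f}% (< 50%)"))
    for u in (u for u in users if u["roles"]):
        roles = ", ".join(u["roles"])
        # A privileged account without MFA is an escalate-to-full-DD trigger.
        if not u["mfa"]:
            findings.append(("High", f"privileged account without MFA: {u['upn']} ({roles})"))
        # An admin whose UPN domain is not a verified tenant domain is the consultant /
        # personal-mailbox pattern that transfers into the platform tenant on Day 1.
        if u["upn"].split("@", 1)[1] not in tenant["verifiedDomains"]:
            findings.append(("High", f"admin outside verified domains: {u['upn']} ({roles})"))
    # No P2 licence means no conditional access policies, so no real access governance.
    if "AAD_PREMIUM_P2" not in tenant["skus"]:
        findings.append(("Medium", "no Azure AD P2 licence: no conditional access policies"))
    # Tenants under six months old may never have had security defaults configured.
    age_days = (_iso(assessed_at) - _iso(tenant["createdDateTime"])).days
    if age_days < 182:
        findings.append(("Medium", f"tenant is {age_days} days old (< 6 months)"))
    return findings
```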

Hours 24-48: SaaS and Application Discovery

Add-ons have more shadow IT than established platform companies. They’re small enough that IT procurement is informal and engineers use whatever tools they want.

What to run:

  1. ACQI SaaS discovery module: All authenticated SaaS applications observed in the network
  2. SaaS license audit: What is the add-on actually paying for? (Credit card statement review if no formal IT procurement)
  3. OAuth app audit: What apps have been granted access to the add-on’s M365 or Azure AD environment?

The finding that kills platforms: An add-on company that has been using a freemium project management tool, a free cloud storage service, and a free AI tool for the past 3 years — all with company data. None of these are on the IT department’s radar. When the add-on is integrated into the platform, those tools are still running, with company data in them, with no DPO agreements, no security review, and no way to audit who has access.

Hours 24-48 also:

  • Review the add-on’s data flows: Where does data go? What third parties have been given API access?
  • Identify any SaaS tools that would need to be migrated to the platform company’s tenant or replaced with platform-approved equivalents

Hours 48-72: Network and Security Posture

What to run:

  1. ACQI network discovery: Any VPN connections the add-on has? Any direct network connections to the platform company’s network?
  2. Endpoint protection: What percentage of the add-on’s endpoints have active EDR coverage?
  3. External exposure: What is the add-on’s public IP range? What is exposed on the internet?

The specific finding: An add-on that has a site-to-site VPN to the platform company’s network, established during the pre-acquisition relationship. The VPN credentials are still active. If the add-on’s network is compromised, the attacker has direct access to the platform company’s network through that VPN.

This is found in 30% of add-on acquisitions where there was a pre-existing commercial relationship.

The final output: The 72-hour assessment produces a risk memo. Three sections:

Section A: Identity Risks (with risk rating: High / Medium / Low)

  • What identity risks transfer to the platform company
  • What must be remediated before integration

Section B: Data Risks

  • What SaaS applications contain company data
  • What data flows must be secured before integration

Section C: Network Risks

  • What network connections exist between the add-on and any platform company
  • What must be secured before integration

The Decision Framework

The 72-hour assessment produces one of three outcomes:

Proceed: No high-risk findings. Integration can proceed on standard timeline.

Proceed with conditions: Some high-risk findings that can be remediated pre-integration. Use a deal mechanism (escrow holdback, specific reps and warranties) to cover the remediation cost.

Escalate to full DD: Critical findings that suggest a deeper problem with the add-on’s IT environment. Run the full ACQI 89-module scan and a detailed technical investigation before proceeding with the acquisition.

The “escalate to full DD” outcome is triggered by any of the following findings:

  • No MFA on any privileged accounts
  • Active external access from an unknown third party to the Azure AD tenant
  • No documented IT policies or procedures (suggests organizational maturity gap that will affect integration)
  • Any VPN connection to the platform company that was established without IT department involvement
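The decision framework as code, added here and not taken from the page or ACQI: the Section B and C checks run over a constructed assessment, Section A identity findings arrive already coded, and the escalation triggers listed above decide the outcome.

```python
"""Sections B/C checks and the three-way outcome for the 72-hour risk memo.
Added example, not ACQI or the author's code; section A identity findings
arrive already coded and every value below is constructed."""

# Finding codes that force "Escalate to full DD" in the playbook.
ESCALATION_TRIGGERS = {"PRIV_NO_MFA", "UNKNOWN_EXTERNAL", "NO_IT_POLICIES", "UNSANCTIONED_VPN"}
# Constructed sample: OAuth grants and VPN inventory flattened from the add-on's tenant.
ASSESSMENT = {
    "known_tenants": {"addonco-tenant", "platformco-tenant"},  # the add-on itself + platform co.
    "oauth_apps": [  # "publisher" stands in for the consented app's owning tenant
        {"name": "Freemium PM Tool", "publisher": "unknown-vendor", "scopes": ["Files.ReadWrite.All"]},
        {"name": "Platform SSO", "publisher": "platformco-tenant", "scopes": ["User.Read"]},
    ],
    "vpns": [{"peer": "platformco-hq", "to_platform": True, "credentials_active": True, "it_approved": False}],
    "documented_policies": False,
    "section_a": [("High", "EXTERNAL_ADMIN", "consultant mailbox still holds Global Administrator")],
}

def section_b(a):
    """Data risks: third-party OAuth apps that hold access to company data."""
    return [("High", "UNKNOWN_EXTERNAL",
             f"{app['name']} (publisher {app['publisher']}) holds {', '.join(app['scopes'])}")
            for app in a["oauth_apps"] if app["publisher"] not in a["known_tenants"]]

def section_c(a):
    """Network risks: VPNs into the platform company set up without IT, or still carrying live credentials."""
    out = []
    for v in (v for v in a["vpns"] if v["to_platform"]):
        if not v["it_approved"]:
            out.append(("High", "UNSANCTIONED_VPN", f"VPN to {v['peer']} established without IT involvement"))
        elif v["credentials_active"]:
            out.append(("High", "STALE_VPN", f"VPN to {v['peer']} still has active credentials"))
    return out

def decide(findings):
    """Map the memo's findings onto Proceed / Proceed with conditions / Escalate to full DD."""
    codes = {code for _, code, _ in findings}
    if codes & ESCALATION_TRIGGERS:
        return "Escalate to full DD"
    if any(rating == "High" for rating, _, _ in findings):
        return "Proceed with conditions"
    return "Proceed"

def assess(a):
    """Assemble all three memo sections plus the policy check and return (outcome, findings)."""
    findings = list(a["section_a"]) + section_b(a) + section_c(a)
    if not a["documented_policies"]:
        findings.append(("Medium", "NO_IT_POLICIES", "no documented IT policies or procedures"))
    return decide(findings), findings
```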

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.