How to Actually Do Technical Due Diligence (Without Getting Duped)

Technical due diligence isn’t just for big shots in suits. If you’re buying a micro startup, you’d better know what you’re really getting. Here’s how to peel back the tech curtain and spot the red flags before they torch your wallet.

By Indiemaker Team

So, you're thinking of buying a digital asset, maybe a $12K Shopify app built during a hackathon or some AI wrapper that went viral on Product Hunt for a day. Cool. But you’re not buying the hype – you’re buying the code, the infrastructure, and the oh-so-glamorous technical debt no one’s posting about on LinkedIn.

This isn't HGTV for startups. It’s more like buying a car from a guy in a parking lot at 2am – you’d better look under the hood.

1. Get the Damn Documentation

First, request everything. Full codebase access (read-only is fine), system diagrams, CI/CD configs, and whatever passes as their security playbook. If they delay or “can’t find it,” that’s not forgetfulness – that’s neglect.

Ask them to complete a self-assessment. A surprising number of founders will admit the problems themselves if you just hand them a form and leave them alone. You might hear, “We’ve been meaning to fix that for months,” which translates to, “This house has termites.”

2. Dive Into the Code (Or Pay Someone Who Can)

This is the haunted attic. You’re looking for ancient dependencies, zero unit tests, magic numbers littered across files, or a README that hasn’t been touched since 2021.

Instant dealbreaker: A 30,000-line monolith in PHP 5.6 with zero version control.
Fixable flaw: A React front-end with scattered linting issues and some duplicated logic. Ugly? Yes. But maintainable.

If you can’t tell the difference, hire a freelance CTO or pay someone from Upwork who’s seen code nightmares and lived to tell the tale.
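A first pass over a read-only checkout can be scripted before anyone reads a line of code. The sketch below is an added example, not part of the original post: it flags the red flags named above (no version control, no CI/CD config, zero tests, a README untouched for years). The marker lists, file-name heuristics and the two-year staleness threshold are assumptions chosen for illustration.

```python
import os
import time
from pathlib import Path

# Heuristic markers chosen for this example (assumptions, not an exhaustive list).
VCS_MARKERS = (".git", ".hg", ".svn")
CI_MARKERS = (".github/workflows", ".gitlab-ci.yml", ".circleci", "Jenkinsfile")
SOURCE_EXTS = {".php", ".py", ".js", ".jsx", ".ts", ".tsx", ".rb", ".go"}
SKIP_DIRS = {".git", ".hg", ".svn", "node_modules", "vendor"}
TEST_DIRS = {"test", "tests", "spec", "__tests__"}


def looks_like_test(rel: Path) -> bool:
    """True if the file sits under a test directory or uses a common test file name."""
    name = rel.name.lower()
    in_test_dir = any(part.lower() in TEST_DIRS for part in rel.parts[:-1])
    return (in_test_dir or name.startswith("test_") or "_test." in name
            or ".test." in name or ".spec." in name or rel.name.endswith("Test.php"))


def audit_checkout(root, stale_after_days=730, now=None):
    """Return a list of red-flag labels for the code checkout at `root`."""
    root = Path(root)
    now = time.time() if now is None else now
    flags = []
    if not any((root / m).exists() for m in VCS_MARKERS):
        flags.append("no-version-control")
    if not any((root / m).exists() for m in CI_MARKERS):
        flags.append("no-ci-config")

    sources = tests = 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fn in filenames:
            rel = (Path(dirpath) / fn).relative_to(root)
            if rel.suffix.lower() in SOURCE_EXTS:
                sources += 1
                tests += looks_like_test(rel)
    if sources and not tests:
        flags.append("no-tests")

    # File mtime is reset by a fresh clone; on a cloned repo, read the last
    # commit date of the README from version-control history instead.
    readmes = [p for p in root.iterdir()
               if p.is_file() and p.name.lower().startswith("readme")]
    if not readmes:
        flags.append("no-readme")
    elif now - max(p.stat().st_mtime for p in readmes) > stale_after_days * 86400:
        flags.append("stale-readme")
    return flags
```

An empty list means only that none of these surface checks fired; it says nothing about code quality, which still needs a human reviewer.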

3. System Architecture: Scalable or Scrapheap?

Ask real questions: Can this thing handle 10x user load? Is it married to an obscure API from a dying startup? Are deployments manual and undocumented?

One founder I knew had to SSH into a DigitalOcean droplet and run a Python script to send a newsletter. That’s not “quirky.” That’s a lawsuit waiting to happen.

4. Security: Are They One Breach from Bankruptcy?

Look for basics: HTTPS, proper access controls, logging, and GDPR compliance. If they've never heard of OWASP, be concerned. And if your login gives you access to admin dashboards without 2FA? Run.

Also, ask if they’ve had any past incidents. It’s not a dealbreaker – but how they responded might be.

5. Human vs Machine Clues

Talk to whoever built it. If it’s one person, that’s fine. Ask how they ship updates, test changes, and what happens when something breaks. If they say, “Oh, I just fix it live,” don’t laugh – leave.

Then look at the docs. Not just the README. Onboarding guides, API notes, Slack messages that got copy-pasted into Notion and never cleaned up. It’s messy? Sure. But that doesn’t always mean bad.

Pro tip: Bad docs + great code = fine.
Bad docs + bad code = nightmare.

6. Technical Debt Isn’t Always Toxic

Here’s the dirty secret: Technical debt can be your leverage.

That ugly MVP with no tests and spaghetti code? If it’s making $2K MRR and the founder’s burned out, you can swoop in, clean it up, and 3x the value.

But beware: not all mess is recoverable. Debt that’s architectural – like a monolith that should’ve been modular or DB schemas that don’t scale – will eat your margins. Know what kind of debt you’re inheriting.

7. Summarise It All in a Brutal Report

Don’t just nod thoughtfully – write everything down. What’s solid, what’s scary, what needs a full rebuild? Keep it short but blunt. If you wouldn’t put your own money into it after reading the report, why would you expect someone else to?

Postmortem Tips for Smart Buyers

  • Hire outside help where you’re weak – backend, security, and infrastructure.
  • Think ahead: can you scale and maintain this without screaming into a pillow daily?
  • And trust your instincts. If the founder is dodgy or defensive, they probably have something to hide.

Buying a digital asset without technical due diligence is like investing in a crypto coin because the logo looks cool. You're not here to fantasise. You're here to buy leverage. Just make sure that leverage isn’t wrapped in duct tape and denial.

Trust, but verify.