Post-Acquisition Day 1 IT Checklist: 47 Tasks That Can't Wait

The "Day 1" Vulnerability Gap

The ink is dry, the wire has hit, and the press release is live. For the deal team, the work is done. For the Operating Partner, the nightmare is just beginning.

The first 24 hours post-acquisition—Day 1—represent the highest concentration of risk in the entire investment lifecycle. While your deal team was focused on EBITDA adjustments and working capital targets, the acquired company’s IT environment was likely sitting in a state of suspended animation—or worse, active neglect.

The data confirms this fear. According to Forescout, 53% of buyers discover unknown cybersecurity problems after closing. Even more alarming, IBM reports that the average cost of a data breach jumps significantly when it occurs during a merger or acquisition transition. Why? Because you are connecting your pristine network to a potentially compromised one, often under the guise of "synergy" and "collaboration."

The "Access vs. Control" Fallacy

Most Day 1 plans focus on Access: getting the new employees email addresses, Slack logins, and access to the parent company’s intranet. This is a mistake. Your primary objective on Day 1 is not Access; it is Control.

You are inheriting:

• Tribal Knowledge: Admin passwords stored in the founder’s head or a sticky note.
• Shadow IT: SaaS subscriptions on personal credit cards that you are now paying for.
• Flight Risks: 33% of acquired employees leave in the first year. If one of those leavers is a disgruntled SysAdmin with root access, you have a catastrophic risk on your hands.

The following diagnostic checklist is not about integration strategy—that comes later. This is about triage and stabilization. It is the tactical, non-negotiable list of 47 tasks that must happen in the first 72 hours to prevent value destruction.

The 47-Point Day 1 Triage Checklist

We divide the checklist into three phases: Lockdown (Hours 0-24), Audit (Hours 24-72), and Stabilize (Week 1). Do not skip steps. Do not "wait for the meeting." Execute.

Phase 1: Lockdown (Hours 0-24)

Goal: revoke hostile access and secure the perimeter.

• 1. Global Admin Reset: Reset passwords for all Domain Admin, Global Admin (M365/Google), and root accounts. Enable MFA immediately on these accounts if not present.
• 2. Departure Kill-Switch: Identify all employees marked for immediate exit (if any) and disable access during the notification meeting, not after.
• 3. Financial Authority Revocation: Revoke banking tokens and wire transfer authority from former controllers/CFOs immediately.
• 4. Domain Registrar Lock: Verify ownership of DNS records (GoDaddy, Cloudflare) and enable transfer locks to prevent domain hijacking.
• 5. Social Media Handover: Secure credentials for LinkedIn, Twitter/X, and corporate Meta accounts. Enable MFA tied to a corporate (not personal) phone.
• 6. Offboarding the MSP: If the target used an MSP, notify them of the change in control and place a freeze on any "standard" changes without written authorization.
• 7. Physical Access Control: Issue new keycards or re-key server rooms and executive offices.
• 8. VPN Audit: Review active VPN sessions. Terminate connections from unknown locations or former employees.
• 9. Backup Verification: Locate the backups. Verify they are running. Disconnect one full backup set from the network (air-gap) immediately to protect against ransomware that might be dormant.
• 10. Endpoint Protection: Push a query to see how many endpoints are missing EDR/Antivirus agents. (Expect 15-20% coverage gaps).

Phase 2: The Silent Audit (Hours 24-72)

Goal: Identify what you actually bought before it breaks.

• 11. SaaS Discovery Scan: Connect a tool (or check CASB logs) to identify Shadow IT. You will find 3x more apps than were disclosed in diligence.
• 12. Codebase Repo Audit: Audit GitHub/GitLab repositories for hardcoded API keys and AWS secrets. This is the #1 vector for cloud breaches.
• 13. SSL Certificate Review: Check for expiring SSL certificates on public-facing assets. Nothing kills deal momentum like a "This site is not safe" warning on Day 2.
• 14. Cloud Spend Triage: Review AWS/Azure billing dashboards. Identify unattached volumes and idle instances bleeding cash.
• 15. Vendor Auto-Renewals: Review the AP ledger for the last 60 days. Identify any SaaS contracts auto-renewing in the next 30 days and send non-renewal notices to preserve optionality.
• 16. Data Room Closure: Shut down the Virtual Data Room (VDR) used for the transaction. Download the archive for legal retention.
• 17-25. Infrastructure Inventory: (Tasks 17-25 focus on mapping the network topology, identifying subnets, and documenting IP ranges).

Phase 3: Stabilization (Week 1)

Goal: Operational continuity without compromising security.

• 26. Helpdesk Unification: Establish a "triage" queue. Don't merge tickets yet, just visibility.
• 27. Branding Updates: Update email signatures (standardize disclaimer) but do not change email domains yet. Email migration failure is the fastest way to lose revenue.
• 28. Communication Bridge: Create a shared Slack/Teams channel for IT & Ops leadership between both companies.
• 29-47. Policy & Compliance: (Tasks 29-47 cover updating privacy policies, reviewing cyber insurance coverage applicability, and initial compliance gap analysis).

Execution: The "Zero Trust" Integration Model

The biggest mistake Operating Partners make is assuming the acquired network is "friendly." Until your team has fully audited and re-imaged the environment, you must treat the acquired network as Zero Trust—essentially a public coffee shop network.

The Cost of Skipping the Checklist

According to EY, companies spend approximately 14% of total deal value on integration. Yet, 40% of these efforts exceed budget due to "unexpected" technical debt and security remediation. The 47 tasks above are designed to surface those "unexpected" items in Week 1, allowing you to re-forecast your 100-day plan accurately.

The Golden Hour Rule

You have a "Golden Hour"—roughly the first week—where requests for passwords, access, and documentation are viewed as standard integration activities. After week 2, these requests are viewed as "bureaucracy" or "lack of trust." Use the political capital of the acquisition event to force compliance with these 47 tasks immediately.

Your Action Plan for Tomorrow:

1. Assign a "Day 1 Commander": This person (likely an Interim CIO or external consultant) has one job: executing the checklist. They do not attend "welcome" parties.
2. Print the List: Physical checklists prevent "I thought you did that" errors.
3. Verify, Don't Trust: When the acquired CTO says "MFA is enabled," ask for a screenshot of the policy configuration.

By securing control first, you earn the right to focus on synergy later. Don't let a breached admin account be the reason your value creation plan fails before it starts.