You underwrote the velocity. You're inheriting the cleanup crew.
Here is the scene that plays out about ten days before close. The QofE (quality of earnings report) is clean. The SOC 2 is current. Your IT diligence vendor hands you a green checklist, and somewhere in your model is a roadmap — the new module, the integration, the migration — that justifies the multiple you're about to pay. Then the engineering team you just acquired spends its first two quarters not building any of it. They're ripping hardcoded credentials out of a repo and patching CVEs the prior owner filed under "later."
That gap is security technical debt, and the reason it never shows up in the model is that the standard checklist asks the wrong question. "Do you have a firewall? Do you run scans?" Yes and yes. The question that prices the asset is different: how much of the engineering capacity I'm paying full freight for is already committed to fixing the last owner's neglect? Compliance tells you a control exists. It tells you nothing about the backlog rotting behind it.
The market keeps the receipts. Yahoo's undisclosed breaches knocked $350 million off the Verizon purchase price — but that was a catastrophic, headline event. The quieter killer in a $30M-150M software deal isn't a breach; it's the remediation backlog you absorb silently at close. Synopsys' 2024 OSSRA report found 74% of commercial codebases now contain high-risk open source vulnerabilities — up from 48% a year earlier. Three of every four targets you screen are sitting on a foundation that's degrading faster than teams are patching it. You are paying 100% of the price for a team that's already pre-committed to someone else's cleanup.
A five-day audit that finds debt the checklist hides
You rarely get more than a week of confirmatory diligence on the technical asset, and you won't get unfettered access to production. So stop asking for self-reported answers and start pulling evidence. Three pulls, in order of signal-to-effort.
Pull the raw SCA export, not the summary slide
The target's deck will show a tidy "we scan continuously" claim. Ignore it. Request the raw Software Composition Analysis export — or run a blinded scan against a checkout — and filter for one thing: high-severity flaws older than 90 days. Age is the tell, measured from when the scanner first reported the finding, not from the most recent scan. A high-severity finding from last week is normal operations. Veracode's 2024 research found 46% of organizations carry persistent high-severity flaws that have sat unfixed for over a year. That isn't a backlog; it's a decision the prior team made to never fix it, and now it's yours. Count them. That count is your starting remediation queue.
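The filter described above, as an added example that is not part of the original article. It parses a constructed SCA export (the field names severity, first_seen and status are assumptions; every vendor's export differs) and returns the aged high/critical findings as of the diligence date, plus the headline numbers you would feed into the model. The findings, package names and dates are made up.

```python
"""Count aged high-severity findings in a raw SCA export.

Added example, not from the original article. Field names are assumptions
standing in for whatever the target's SCA tool actually emits.
"""
import json
from datetime import date, timedelta

# Constructed sample export. Real exports are larger and use vendor-specific
# field names; map them onto severity / first_seen / status before filtering.
SAMPLE_EXPORT = json.dumps([
    {"id": "F-1", "package": "lodash", "version": "4.17.15", "severity": "HIGH",
     "first_seen": "2023-05-02", "status": "open"},
    {"id": "F-2", "package": "jackson-databind", "version": "2.9.8", "severity": "CRITICAL",
     "first_seen": "2022-11-14", "status": "open"},
    {"id": "F-3", "package": "requests", "version": "2.25.0", "severity": "MEDIUM",
     "first_seen": "2023-01-10", "status": "open"},
    {"id": "F-4", "package": "openssl", "version": "1.1.1k", "severity": "HIGH",
     "first_seen": "2024-02-20", "status": "open"},       # recent: normal operations
    {"id": "F-5", "package": "log4j-core", "version": "2.14.1", "severity": "CRITICAL",
     "first_seen": "2021-12-10", "status": "fixed"},      # already closed: not inherited
    {"id": "F-6", "package": "spring-core", "version": "5.2.0", "severity": "high",
     "first_seen": "2023-09-01", "status": "OPEN"},       # mixed case: must normalise
])

HIGH_SEVERITIES = {"HIGH", "CRITICAL"}


def aged_high_findings(export_json, as_of, max_age_days=90):
    """Return open high/critical findings older than max_age_days, oldest first.

    Age is measured from first_seen (when the scanner first reported it), not
    from the latest scan date, so a finding re-detected yesterday still counts.
    """
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    cutoff = as_of - timedelta(days=max_age_days)
    aged = []
    for finding in json.loads(export_json):
        if finding.get("status", "").lower() != "open":
            continue
        if finding.get("severity", "").upper() not in HIGH_SEVERITIES:
            continue
        first_seen = date.fromisoformat(finding["first_seen"])
        if first_seen <= cutoff:
            aged.append({**finding, "age_days": (as_of - first_seen).days})
    aged.sort(key=lambda f: f["age_days"], reverse=True)
    return aged


def summarize(export_json, as_of, max_age_days=90):
    """Headline numbers for the model: queue size, oldest item, share over a year."""
    aged = aged_high_findings(export_json, as_of, max_age_days)
    return {
        "aged_high_count": len(aged),
        "oldest_age_days": aged[0]["age_days"] if aged else 0,
        "over_one_year": sum(1 for f in aged if f["age_days"] > 365),
    }


if __name__ == "__main__":
    for f in aged_high_findings(SAMPLE_EXPORT, "2024-03-01"):
        print(f"{f['id']:5} {f['severity']:9} {f['package']:18} {f['age_days']:5} days open")
    print(summarize(SAMPLE_EXPORT, "2024-03-01"))
```

On the constructed data, the 90-day filter keeps three of the six findings: the recent one and the medium drop out, and the already-fixed critical is not debt you inherit. The oldest open critical is well past a year, which is the Veracode "persistent flaw" category the text refers to.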
Grep the history for secrets the live scan misses
Ask specifically for an inventory of over-privileged service accounts and for a secrets scan that covers git history — not just the current HEAD. Credentials get deleted from the latest commit and live forever in the log. When a target's app has API keys or database passwords committed to the repo, the fix is never "delete the key." It's rotate every exposed secret, re-architect the secrets workflow, and re-deploy everything that depended on the old path — work that runs in months, not sprints, and that nobody scoped.
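The HEAD-versus-history gap, as an added example that is not part of the original article. It runs a few regex detectors over a constructed commit history (a list of dicts standing in for the output of `git log -p`) and shows that a scan of the current tree comes back clean while the same patterns run over every historical version find the credentials that still need rotating. The commits, file contents and the key value are made up; the key uses the AKIA prefix only as the documented AWS access-key format.

```python
"""Find secrets that were deleted from HEAD but survive in git history.

Added example, not from the original article. The commit history below is
constructed; each commit lists the full contents of the files it touched.
"""
import re

# Detectors kept narrow to limit false positives; a real scanner adds
# entropy checks and many more formats.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"\b(?:postgres|mysql)://[^:\s/]+:[^@\s]+@"),
    "generic_password_assign": re.compile(
        r"(?i)\b(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed history, oldest first. Commit 1 hardcodes credentials, commit 2
# "removes" them by switching to environment variables, commit 3 is unrelated.
SAMPLE_HISTORY = [
    {"sha": "a1b2c3d", "files": {
        "config/settings.py": 'DATABASE_URL = "postgres://app:Sup3rS3cretPw!@db.internal:5432/app"\n'
                              'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    }},
    {"sha": "e4f5a6b", "files": {
        "config/settings.py": 'DATABASE_URL = os.environ["DATABASE_URL"]\n'
                              'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
    }},
    {"sha": "c7d8e9f", "files": {
        "README.md": "Secrets come from the environment; see ops runbook.\n",
    }},
]


def scan_text(text):
    """Return (detector, matched_text) for every secret-looking token in text."""
    hits = []
    for name, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            hits.append((name, match.group(0)))
    return hits


def head_snapshot(history):
    """Reconstruct the working tree at HEAD: the last version of each path."""
    tree = {}
    for commit in history:
        tree.update(commit["files"])
    return tree


def scan_head(history):
    """What a scanner pointed at the checkout sees: only the current tree."""
    return [
        {"where": "HEAD", "path": path, "detector": det, "match": match}
        for path, text in head_snapshot(history).items()
        for det, match in scan_text(text)
    ]


def scan_history(history):
    """What a history-aware scanner sees: every version of every file."""
    return [
        {"where": commit["sha"], "path": path, "detector": det, "match": match}
        for commit in history
        for path, text in commit["files"].items()
        for det, match in scan_text(text)
    ]


def rotation_queue(history):
    """Distinct secrets present somewhere in history but absent from HEAD.

    Deleting them from the tree did not revoke them, so each one still has to
    be rotated and every consumer of the old value redeployed.
    """
    in_head = {(f["detector"], f["match"]) for f in scan_head(history)}
    everywhere = {(f["detector"], f["match"]) for f in scan_history(history)}
    return sorted(everywhere - in_head)


if __name__ == "__main__":
    print("HEAD-only findings:", scan_head(SAMPLE_HISTORY))
    for detector, match in rotation_queue(SAMPLE_HISTORY):
        print(f"rotate: {detector} -> {match}")
```

On a real repository the equivalent is a history-aware scanner (gitleaks and trufflehog both walk commits), or `git log -p --all` piped through the same patterns. The number to carry into diligence is the size of the rotation queue, not the number of secrets visible in HEAD, which here is zero.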
Probe whether "cloud-native" actually means "cloud-hosted"
This is the most expensive surprise and the easiest to verify. Ask for the network topology. If dev and prod share a VPC, if there's a flat network with no segmentation, the target lifted-and-shifted a legacy app onto AWS or Azure and called it modernization. Bringing that infrastructure debt up to enterprise standard is a re-platforming project, and it is precisely the line item that never appears in the Quality of Earnings.
Turn the findings into a number — then into a clause
A vulnerability count is not a negotiating position. Two conversions make it one. First, the cost curve: fixing a defect once it's live in production runs roughly 30x the cost of catching it at design. The debt you're inheriting is already on the wrong side of that curve — every flaw is in production, so you're paying the production multiple on each one, by definition. Second, the calendar: the average critical vulnerability now takes 205 days to remediate. Multiply your aged-critical count by a realistic fix time and the loaded cost of the engineers doing the work, and the abstract "security risk" becomes a dated, dollar-denominated drag on EBITDA that overlaps your entire first-year value-creation window.
Once it's a number, it belongs in the documents, not the post-close ops review. If your audit surfaces, say, $2M of remediation engineering, you have three instruments and most sponsors reach for the wrong one. A flat purchase-price reduction is the blunt tool. Sharper: a specific indemnity sized to the finding, or a holdback escrow released against remediation milestones — the seller funds the cleanup of the asset they're handing you, and gets paid as it's actually done. A "technical debt covenant" tied to that escrow aligns the incentive instead of arguing about it.
The move on Monday: before your next confirmatory phase, hand your technical advisor a one-page evidence list — raw SCA export, git-history secrets scan, network topology diagram — and a rule that aged-critical counts feed the model, not the appendix. Quantified security debt becomes a price lever. Unquantified, it becomes your first two quarters.