M&A security due diligence
pre-close, day-one, and post-close on one engagement record

The pre-close findings land in a slide deck circulated to the deal team, then nothing flows into the integration phase. The acquirer security team rediscovers the same findings post-close, the deal-impact tagging is lost, and the residual-risk register cannot reconstruct what the diligence assessment knew. The diligence work happens twice and the second pass usually misses what the first pass surfaced.

The credential-rotation list, the access-removal list, the network-isolation decisions, and the third-party revalidation list are scattered across deal-team email threads, integration-lead Slack messages, and a partial spreadsheet a project manager pieced together the week before close. At the moment of legal close, the runbook cannot be executed without a multi-hour reconstruction the closing team does not have time for.

Third-party pentest reports, audit packs, prior questionnaire responses, and scanner exports the seller surfaced during diligence sit in a shared drive without provenance. When a post-close finding contradicts a seller representation, the legal team cannot evidence what the seller disclosed, when, and on what artefact. The diligence record cannot defend the SPA representation chain.

The data-room access window is finite, often two to six weeks, and the seller controls what the acquirer can review. When the pre-close scope expands without an explicit decision, the assessment runs out of access budget before the priority items are covered. The diligence summary lands at the deal-team meeting with material gaps that should have been answered first.

Pre-close findings are tagged for severity using the assessment teams scoring habits, but the acquirer remediation programme has its own SLA discipline and severity calibration. When the post-close integration adopts the diligence severity verbatim, half the queue ages incorrectly and the integration backlog cannot be meaningfully compared to the rest of the acquirer programme. Severity has to be calibrated against the acquirer programme at the integration handover.

A pre-close finding can be price-affecting, an escrow trigger, a day-one must-fix, or a post-close integration item, and each tag drives a different downstream action. When the diligence record carries severity but not deal-impact tagging, the deal team cannot extract the negotiation-relevant findings without re-reading the full backlog and the integration team cannot sequence the day-one runbook from the diligence output.

The current stage (LOI, due diligence, exclusivity, signing, closing) and the date range during which the seller authorises data-room access and external assessment activity. The access window is the budget the diligence assessment operates inside, and surfacing it on the engagement keeps scope decisions calibrated to the time available rather than to an open-ended assessment plan.

The verified target domains the seller authorises the acquirer to scan externally, the cloud properties the seller has agreed to expose for review, the repositories the seller is willing to share for code-level review, the third-party SaaS the target operates that the seller will introduce, and the assessment activities the SPA permits during the diligence window. Activities outside the authorised list are out of scope until the seller extends the agreement.

The third-party pentest reports, audit packs, scanner exports, prior security questionnaire responses, compliance certifications, and incident-response history the seller has shared, captured on the engagement with the date received, the source contact, and the artefact reference. The provenance is the chain that the legal team and the acquirer security committee read when a post-close finding raises a representation question.

The named deal-team members on the acquirer side (corporate development, legal, integration leads, security leadership) and the named target-side counterparts (CISO, head of IT, head of engineering, deal sponsor). Routing during the diligence window depends on knowing who can answer which question, and the engagement record holds the contact map so questions do not bounce through the deal lawyer for every clarification.

The acquirer-defined threshold for material findings (price-affecting, escrow trigger, day-one must-fix, post-close integration item) recorded against the engagement so every finding lands with a deal-impact tag rather than only a severity. The taxonomy is acquirer-specific because the same finding can be price-affecting on a deal where the security posture is the headline risk and a post-close integration item on a deal where the seller has already remediated comparable issues.

The day-one items the acquirer commits to executing at legal close (credential rotation, access removal, network isolation, third-party revalidation) and the post-close roadmap commitments the acquirer makes to the deal team. The lists are decisions that bind the integration team after close, so they live on the engagement with the named owners rather than in the slide deck the deal team circulated.

Diligence work feeds the security leadership reporting workflow (the deal-side risk surfaces on the security committee cadence), the exception management workflow (residual-risk decisions accepted as condition of close), the asset ownership mapping workflow (every acquired asset resolved to a named owner), and the vulnerability prioritisation workflow (post-close backlog calibrated against the acquirer programme).

Post-close diligence rolls into the security testing programme management workflow and the broader evidence management workflow. Acquired assets that are decommissioned during integration close out through the asset decommissioning workflow with the consolidation event recorded as the retirement cause.

Every pre-close finding carries a deal-impact tag at the moment it is logged. The deal team reads the negotiation-relevant findings without re-reading the full backlog, and the integration team reads the post-close commitments without reconstructing them from severity alone.

The day-one runbook lives on the engagement with named owners, sequencing, and verification checkpoints. The closing team executes from one source rather than reconstructing it from email threads at the moment of legal close.

The pre-close findings remain on the engagement post-close so the integration team reads what the diligence team learned. The integration backlog inherits the deal-impact tagging and the seller-artefact custody chain rather than rediscovering them.

The diligence findings, the day-one execution record, the post-close integration backlog, and the activity log all read from the same engagement. ISO 27001, SOC 2, PCI DSS, NIST, and CSF 2.0 assessors get the evidence as a query rather than a multi-week reconciliation sprint.