Five Cyber Questions That Change What a Deal Is Worth.

Cyber due diligence is usually run late, by people outside the deal team, and delivered as a pass/fail memo no one reads closely. That treats security as a compliance checkbox instead of what it is: a set of liabilities and costs that change the price. Five specific questions move it from the back of the process to the part of the model that affects valuation.
Cyber due diligence is usually run late, by specialists outside the deal team, and delivered as a pass/fail memo that lands after the valuation is mostly set. That treats security as a compliance gate instead of what it is: a set of liabilities and costs that belong in the model. The fix is not a longer questionnaire. It is asking five specific questions whose answers move price, indemnity, and post-close budget.
None of these require the deal team to become technical. They require insisting on answers that are concrete rather than reassuring, and treating a vague answer as a finding in itself.
Cyber due diligence done as a compliance checkbox produces a memo no one reads. Done as five pointed questions, it produces numbers that change the model.
The five questions
- Has anyone confirmed this company is not already breached? Not "do you have a policy," but "has someone looked." A compromise assessment is the only answer that counts. Given typical dwell times, an undetected intrusion is the risk most likely to detonate right after close.
- Which third-party integrations and OAuth grants touch customer data? The largest breaches of the past two years came through connected apps, not core systems. That is the pattern behind the Snowflake customer campaign and the 2026 Salesforce wave. If the target cannot produce this inventory, that is the finding.
- Who has privileged access, and how much of it is standing and unmanaged? Founder-led and fast-grown companies hand out admin rights for speed and rarely revoke them. Unmanaged privilege is both a breach risk and a sign of how the company is run.
- Is there real detection and response, or just tools? Most targets own security products no one monitors. Managed detection and response is the difference between owning a smoke detector and having one with a battery in it.
- Does the incident and disclosure history reconcile? Read past breach notices, SOC 2 reports, and security claims against each other. When a company's own documents do not line up, that gap is the story. It is the pattern we dissected in the Canvas / Instructure breach.
Turning answers into price
Each question maps to a deal lever. An active compromise can pause or kill the transaction. Unmanaged integrations and identity sprawl become a funded remediation line in the 100-day plan. A detection gap becomes an operating cost the model has to carry. A disclosure history that does not reconcile becomes a reason to tighten reps, raise the indemnity, or widen the escrow.
That is the point of asking them early. Cyber diligence delivered as a checkbox produces a document that gets filed. Delivered as five questions tied to value, it produces adjustments the deal team can act on while there is still room to act. The work is the same; the timing and framing are what make it matter. For the broader discipline, see cyber due diligence and third-party risk management.
The best deal teams do not ask whether the target is secure. They ask five questions specific enough that the answers change the number.
Cyber diligence as a checkbox produces a memo that gets filed. Cyber diligence as five pointed questions produces adjustments to the price.
Cloudskope runs cyber due diligence built for deal teams: a compromise assessment, an integration and identity review, and a findings memo that translates technical risk into price, indemnity, and post-close cost, in the deal's timeline.
