Executive Risk & Board Advisory

The First 100 Days After Close Decide Your Cyber Risk for the Whole Hold.

Dipan Mann
Founder, CEO & CTO
June 7, 2026
7 minute read

A clean cyber due diligence result does not mean a company is secure. It means nothing disqualifying surfaced under a tight clock and limited access. The day the deal closes, every undetected weakness becomes the new owner's problem, and the first 100 days are the only window when a sponsor has the attention, budget, and leverage to fix it.

Cyber due diligence answers one question: is there anything here bad enough to change the price or kill the deal? It is a screen, run on limited access and a tight clock, and a clean diligence result means only that nothing disqualifying surfaced. It does not mean the target is secure. The day the deal closes, every undetected weakness in that company becomes the new owner's problem, and the meter on fixing it starts immediately.

The first 100 days are when a sponsor sets the security trajectory for the entire hold. Attention is highest, the integration budget is open, and the management team expects change. After that window, focus moves to the next deal and the portfolio company is left with whatever posture it had. Treating those 100 days as the moment to establish cyber baseline is the difference between a controlled hold and a surprise in year three. We have catalogued what that surprise looks like across the 2026 extortion campaign; many of those companies would have failed a serious 100-day review.

💡 Key Insight

Diligence tells you what you think you bought. The first 100 days tell you what you actually own. The gap between the two is where inherited breaches live.

The 100-day sequence

The work divides into three phases. None of it requires a large internal security team; it requires a plan and an owner.

Days 1-30: Find out what you actually bought.

  1. Run a compromise assessment before connecting the target's systems to anything that matters. Diligence rarely includes one; it is the only way to know whether you are inheriting an active intrusion.
  2. Inventory identities and privileged access. Founder-led companies routinely have standing admin rights handed out for speed and never revoked.
  3. Inventory every SaaS integration and OAuth grant touching customer data, the exact attack surface behind the year's largest breaches.

Days 30-70: Close the gaps that map to real loss.

  1. Deploy or validate managed detection and response so someone is watching, because most acquired companies have alerts no one reads.
  2. Enforce phishing-resistant MFA and kill help-desk password-reset paths that social engineering defeats.
  3. Stand up vendor risk management for the critical third parties the company depends on.

Days 70-100: Make it durable.

  1. Install ongoing leadership, typically a vCISO, so the work continues after the integration team leaves.
  2. Run a tabletop exercise with management so the first time they rehearse a breach is not during a real one.
  3. Set board-level reporting so cyber risk is visible for the rest of the hold.
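The identity and OAuth inventory in days 1-30, and the phishing-resistant MFA check in days 30-70, are the two steps in this sequence that reduce to a mechanical triage once the exports are in hand. The following is an added example of that triage, not Cloudskope's tooling or any IdP's API: it runs over a constructed, vendor-neutral export (the record fields, role names, MFA labels and scope strings are assumptions, not any specific platform's schema) and flags standing admins without phishing-resistant MFA, dormant admins, and OAuth grants whose scopes reach customer data.

```python
"""Post-close identity and OAuth grant triage (added example).

Assumptions: the Account and OAuthGrant records below are a constructed,
vendor-neutral shape. A real Entra ID, Okta or Google Workspace export needs
a small adapter to produce these records; the role, MFA and scope labels
are illustrative and should be tuned to the target's actual platforms.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: MFA method labels treated as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
# Assumption: OAuth scopes that reach customer data; extend per SaaS platform.
SENSITIVE_SCOPES = {
    "mail.read", "files.read.all", "contacts.read",
    "directory.readwrite", "crm.records.read",
}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}


@dataclass
class Account:
    user: str
    roles: tuple          # e.g. ("global-admin",)
    mfa: str              # e.g. "sms", "totp", "fido2", "none"
    last_sign_in: date


@dataclass
class OAuthGrant:
    app: str
    publisher_verified: bool
    scopes: tuple
    granted_by: str       # "admin" or the consenting user


def triage_accounts(accounts, today, dormant_days=90):
    """Flag standing admin accounts with weak MFA or no recent use."""
    findings = []
    for a in accounts:
        if not any(r.endswith("admin") for r in a.roles):
            continue  # only privileged accounts matter for this pass
        if a.mfa not in PHISHING_RESISTANT:
            findings.append(("HIGH", a.user, f"standing admin with MFA={a.mfa}"))
        if (today - a.last_sign_in).days > dormant_days:
            findings.append(("MEDIUM", a.user, "dormant admin: revoke or disable"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def triage_grants(grants):
    """Flag OAuth grants whose scopes touch customer data."""
    findings = []
    for g in grants:
        touches = sorted(set(g.scopes) & SENSITIVE_SCOPES)
        if not touches:
            continue
        # Tenant-wide or write scopes, or an unverified publisher, are HIGH.
        broad = any(s.endswith(".all") or "readwrite" in s for s in touches)
        sev = "HIGH" if (broad or not g.publisher_verified) else "MEDIUM"
        findings.append((sev, g.app, f"scopes={touches} granted_by={g.granted_by}"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Constructed sample export (not real data); today is set to the post date.
TODAY = date(2026, 6, 7)
ACCOUNTS = [
    Account("cfo@target.example", ("global-admin",), "sms", date(2026, 6, 1)),
    Account("founder@target.example", ("global-admin",), "fido2", date(2025, 11, 15)),
    Account("dev@target.example", ("developer",), "totp", date(2026, 6, 6)),
    Account("svc-backup@target.example", ("exchange-admin",), "none", date(2026, 6, 5)),
]
GRANTS = [
    OAuthGrant("Sales Enrichment Bot", False, ("crm.records.read", "offline_access"), "sales@target.example"),
    OAuthGrant("Corporate Calendar Sync", True, ("calendars.read",), "admin"),
    OAuthGrant("Backup Connector", True, ("files.read.all", "mail.read"), "admin"),
    OAuthGrant("Slack", True, ("contacts.read",), "admin"),
]


def run_triage(accounts=ACCOUNTS, grants=GRANTS, today=TODAY):
    """Return the prioritized findings for the day-30 review."""
    return {"accounts": triage_accounts(accounts, today),
            "grants": triage_grants(grants)}


if __name__ == "__main__":
    for section, findings in run_triage().items():
        print(section)
        for sev, subject, reason in findings:
            print(f"  [{sev}] {subject}: {reason}")
```

The output is a ranked list, not a verdict: a HIGH on a service account may be a break-glass identity that is meant to exist, so each line is an item for the owner to accept or remediate by day 30. The useful property is that the same script reruns at day 70 and day 100 against fresh exports, so the count of open HIGH findings becomes the first metric the board report can carry.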

Day 1: When inherited cyber risk becomes yours. The moment the deal closes, every undetected compromise in the target is on your books.

100 days: The window in which a new owner sets the security trajectory for the entire hold. After that, attention moves to the next deal.

7 years: How long nation-state and criminal actors have sat undetected in some networks. "We found nothing in diligence" is not the same as "there is nothing there."

Why the window closes

The 100-day discipline is not arbitrary. It maps to how attention and money actually flow in a deal. In the first weeks, the sponsor has leverage, the management team expects to be told what changes, and the integration budget exists to absorb the cost. By month four, the deal team has moved on, the budget is allocated, and any security gap that was not addressed has quietly become permanent, carried on the books at full risk until something forces the issue.

The cost asymmetry makes the case on its own. A compromise assessment and a remediation sprint in the first 100 days are a rounding error against the deal. An undetected breach that surfaces in year three, mid-hold or worse mid-sale, is a hit to enterprise value, a complication in the exit, and a story the next buyer's diligence will find. The 2026 breaches were not, for the most part, failures of money. They were failures of attention at exactly this stage.

Diligence tells a sponsor what they think they bought. The first 100 days tell them what they actually own. Closing that gap on a schedule, while the window is open, is the highest-return security work a sponsor does all hold.

Conclusion

By month four the deal team has moved on and the budget is spent. Whatever cyber risk was not addressed in the first 100 days is now carried, at full price, for the rest of the hold.

CLOUDSKOPE VIEW

Cloudskope runs the post-close security workstream for PE sponsors: compromise assessment in the first weeks, a prioritized 100-day remediation plan, and a vCISO to carry it through the hold so the work survives past the kickoff meeting.
