
Cyber security due diligence in M&A: why penetration testing before acquisition can save you millions

22 March 2026 · 12 min read · Precursor Security

Cyber security due diligence in the context of M&A is the process of evaluating a target company's security posture before making a major investment or acquisition. It goes beyond questionnaires and compliance certificates to include penetration testing, vulnerability assessments, and compromise assessments that reveal exploitable weaknesses. Failing to perform technical testing has cost acquirers hundreds of millions in fines, remediation, and deal renegotiations.

What is cyber security due diligence in M&A?

Cyber security due diligence is the technical evaluation of a target company's security controls, vulnerabilities, and breach history during a merger or acquisition. It sits alongside financial, legal, and operational due diligence as a distinct workstream.

Standard IT due diligence covers asset inventories, software licensing, and infrastructure costs. Cyber due diligence goes further: it asks whether the target's systems can be breached, whether they have already been compromised, and what the remediation cost would be if vulnerabilities are found.

Most acquirers still rely on self-assessment questionnaires and compliance reports like SOC 2 or ISO 27001. These are necessary, but they are not sufficient. A SOC 2 report confirms that controls are designed and operating effectively at the time of audit. It does not tell you whether those controls can be bypassed by an attacker today. That gap is where penetration testing becomes essential.

Why do acquisitions inherit cyber security risk?

When you acquire a company, you acquire its vulnerabilities. Every unpatched server, misconfigured firewall, and compromised credential becomes your responsibility the moment the deal closes.

The data confirms this risk is not theoretical. According to Forescout's M&A cyber security survey, 62% of executives view acquisitions as introducing significant cyber risk, and 53% of companies have encountered critical cyber security issues that jeopardised deals. More concerning: 52% of acquirers discovered major cyber risk only after closing.

The Marriott/Starwood acquisition is the most cited example. Marriott acquired Starwood Hotels in September 2016. The Starwood reservation system had been compromised since 2014, but Marriott did not discover the breach until November 2018. The result: 339 million guest records exposed, a proposed £99 million GDPR fine from the UK ICO (later reduced to £18.4 million), and an FTC enforcement action covering three breaches affecting 344 million customers. The ICO specifically cited "failure to undertake sufficient due diligence when it bought Starwood" as a contributing factor.

Verizon's acquisition of Yahoo tells a similar story. After agreeing to a $4.83 billion deal in July 2016, Yahoo disclosed two previously unknown breaches affecting 3 billion accounts. Verizon renegotiated the price down by $350 million. A pre-deal compromise assessment would have identified indicators of the breach before the price was set.

What does a pre-acquisition penetration test cover?

A pre-acquisition security assessment is not a single test. It is a structured programme of technical evaluations, each designed to reveal a different category of risk.

External penetration testing evaluates the target's internet-facing infrastructure: firewalls, VPN gateways, mail servers, DNS, and cloud services. It identifies the attack surface that any threat actor can see and attempt to exploit. For a detailed breakdown of how external testing differs from internal testing, see our guide on internal vs external penetration testing.

Web application penetration testing targets customer-facing applications, portals, and e-commerce platforms. Testers follow the OWASP Testing Guide to identify injection flaws, authentication bypasses, and business logic vulnerabilities. This is particularly important for SaaS and platform acquisitions where the application is the product. Precursor Security delivers CREST-accredited web application penetration testing aligned to these standards.

Internal network penetration testing assesses Active Directory security, network segmentation, lateral movement paths, and privilege escalation opportunities. This phase requires post-LOI access with NDAs in place. It reveals risks that external testing cannot reach, including how far an attacker could move once inside the network. Learn more about internal network penetration testing scope and methodology.

API security testing evaluates authentication, authorisation, data exposure, and injection vulnerabilities in the target's APIs. This is increasingly relevant for fintech, healthtech, and platform acquisitions.

Compromise assessment is forensic analysis to determine whether the target has already been breached. It reviews endpoint telemetry, network logs, and indicators of compromise. Critically, the compromise assessment must run before any penetration testing that touches the internal environment. Pentest activity generates log artifacts and endpoint alerts that are indistinguishable from real attacker behaviour, contaminating the forensic baseline and making it harder to answer the question that matters most: was this network already compromised? This is the test that would have caught the Starwood breach before Marriott closed the deal.

Dark web monitoring searches for leaked credentials, stolen data, or network access being sold on dark web marketplaces. It provides an external view of whether the target's data has already been exfiltrated.

All testing should be conducted by a CREST-accredited provider following established frameworks: OWASP Testing Guide for web applications, PTES (Penetration Testing Execution Standard) for methodology, and NIST SP 800-115 for technical guidance.

How does penetration testing compare to questionnaires and compliance reports?

The table below shows what each assessment type reveals, what it misses, and the cost to the buyer when gaps go undetected.

[Image: Comparison table showing what questionnaires, SOC 2 reports, external penetration tests, and full cyber due diligence reveal and miss during M&A security assessments]

Self-assessment questionnaire
  • What it reveals: Policy existence, stated controls, compliance certifications
  • What it misses: Misconfigurations, unpatched systems, active compromises
  • Cost to buyer if missed: Inherited breaches, regulatory fines

SOC 2 / ISO 27001 report
  • What it reveals: Control design and operating effectiveness at a point in time
  • What it misses: Technical vulnerabilities, lateral movement paths, API flaws
  • Cost to buyer if missed: Unknown attack surface, post-deal remediation costs

External penetration test
  • What it reveals: Exploitable perimeter vulnerabilities, exposed services, credential leaks
  • What it misses: Internal network weaknesses, insider threat paths
  • Cost to buyer if missed: Partial view of risk

Full cyber due diligence (external + internal + web app + compromise assessment)
  • What it reveals: Exploitable vulnerabilities across the full attack surface, evidence of prior compromise, dark web exposure
  • What it misses: Nothing material (when scoped correctly)
  • Cost to buyer if missed: Informed pricing, warranty/indemnity terms, remediation budget

Questionnaires rely on self-reporting. The target company has a financial incentive to minimise disclosed risks during a sale process. SOC 2 and ISO 27001 reports are point-in-time attestations: vulnerabilities introduced after the audit period are invisible to the buyer.

Penetration testing removes this information asymmetry. It provides evidence-based, adversary-simulated findings that the buyer's security team and legal counsel can act on directly. To understand the difference between a vulnerability scan and a full penetration test in this context, see vulnerability assessment vs penetration testing.

What happens when cyber due diligence is skipped?

The consequences of skipping technical security assessment before an acquisition are well documented.

Marriott International inherited a four-year-old breach from its Starwood acquisition. The UK ICO fine, FTC enforcement action, and $52 million state settlement were all avoidable with a pre-deal compromise assessment. The ICO made clear that the acquiring company bears responsibility for the security failures of the target.

Yahoo/Verizon resulted in a $350 million price reduction when breaches were disclosed after the deal was agreed. The SEC separately fined Yahoo $35 million for failing to disclose the breaches to investors.

Change Healthcare, acquired by UnitedHealth Group in 2022, suffered a ransomware attack in February 2024 attributed to ALPHV/BlackCat. Over 100 million patient records were compromised in what became the largest healthcare data breach in US history. UnitedHealth Group reported $872 million in direct response costs in a single quarter.

The broader data reinforces these examples. According to IBM's 2024 Cost of a Data Breach Report, the average data breach now costs $4.88 million globally, up 10% from 2023. In healthcare, the average rises to $9.77 million. Forescout found that 73% of acquirers consider an undisclosed breach an immediate deal-breaker, yet 52% of companies discovered major cyber risk only after the deal had closed.

How should buyers scope a pre-deal security assessment?

Pre-deal penetration testing works best as a phased programme aligned to the M&A timeline.

[Image: Four-phase timeline for pre-acquisition penetration testing aligned to M&A milestones from pre-LOI through to closing]

Phase 1: External attack surface mapping (pre-LOI or early exclusivity). This can begin with publicly available information. External penetration testing of the target's internet-facing assets identifies perimeter vulnerabilities, exposed services, and leaked credentials without requiring internal access.

Phase 2: Compromise assessment and dark web intelligence (post-LOI, before internal testing). Forensic analysis of endpoints and network telemetry to identify evidence of prior or active compromise. Dark web searches for leaked credentials and stolen data. This phase must complete before internal penetration testing begins. Penetration testing generates artifacts in logs and endpoint telemetry (port scans, authentication events, lateral movement attempts) that are indistinguishable from real attacker behaviour. If a compromise assessment runs after or alongside penetration testing, the forensic baseline is contaminated and it becomes significantly harder to determine whether the target was already breached. This is the test that would have caught the Starwood breach before Marriott closed the deal.

Phase 3: Web application and API testing (during exclusivity). Test customer-facing applications, partner portals, and APIs. This requires coordination with the target's technical team under NDA but does not need full network access.

Phase 4: Internal network testing (post-LOI, under NDA). With authorised access, test Active Directory, internal segmentation, privilege escalation paths, and endpoint security. This phase reveals the risks that matter most for post-deal integration planning.

All phases should complete before closing. The findings feed directly into pricing discussions, warranty and indemnity clause negotiations, and Day 1 remediation planning.

Choose a CREST-accredited penetration testing provider with experience in M&A engagements. CREST accreditation ensures the testing team meets competency standards, follows ethical guidelines, and delivers reports that legal and compliance teams can rely on in deal negotiations.

What ROI does pre-deal penetration testing deliver?

[Image: ROI comparison showing pre-deal penetration testing cost of £15,000 to £50,000 versus average breach cost of $4.88 million and regulatory fines of £18.4 million]

A full pre-acquisition security assessment (external, internal, web application, compromise assessment) typically costs between £15,000 and £50,000 depending on the target's size and complexity.

Compare that to the cost of getting it wrong:

  • $4.88 million: average cost of a data breach (IBM 2024)
  • $350 million: deal price reduction (Yahoo/Verizon)
  • £18.4 million: regulatory fine for inherited breach (Marriott/ICO)
  • $872 million: single-quarter response cost (Change Healthcare/UnitedHealth)

Even at £50,000, pre-deal testing costs less than 1% of the average breach cost.

The financial return extends beyond breach avoidance. Pre-deal findings give buyers the evidence to negotiate price adjustments, request specific remediation before closing, insert warranty and indemnity clauses tied to identified vulnerabilities, and build accurate post-deal remediation budgets. Without pre-deal testing, these costs surface as unplanned expenses during integration, when remediation is more expensive and more disruptive.

How should findings influence the deal?

Pre-deal penetration test findings should feed directly into commercial and legal negotiations. Categorise findings into three tiers:

Deal-breakers: Active compromises, evidence of data exfiltration, or systemic failures (such as no network segmentation and no patching programme) that indicate the target's security is fundamentally unrecoverable within a reasonable timeframe and budget.

Price adjustments: Significant vulnerabilities that require material remediation investment. Use the findings to negotiate a price reduction or establish a remediation escrow/holdback tied to specific fixes within defined timescales.

Remediation roadmap items: Moderate and low-severity findings that can be addressed during post-deal integration. Build these into a 90-day remediation plan with clear ownership, timelines, and verification testing.

Share the penetration test report with your legal team to inform warranty and indemnity clause drafting. Specific findings create specific warranty language, which is stronger protection than generic cyber security representations.

The goal is not a perfect security posture at closing. The goal is informed decision-making: know what you are buying, price it accurately, and plan for Day 1.

Frequently Asked Questions

What is cyber security due diligence in M&A?
Cyber security due diligence is the technical evaluation of a target company's security posture during a merger or acquisition. It includes penetration testing, vulnerability assessments, compromise assessments, and dark web monitoring to identify exploitable risks before the deal closes.

How much does a pre-acquisition penetration test cost compared to an inherited breach?
A pre-acquisition penetration test typically costs between £10,000 and £50,000 depending on scope. By comparison, the average data breach costs $4.88 million (IBM 2024), and inherited breaches have led to regulatory fines exceeding £18 million and deal price reductions of $350 million.

Can a SOC 2 report replace penetration testing during due diligence?
No. A SOC 2 report attests that security controls are designed and operating effectively at a point in time. It does not test whether those controls can be bypassed by an attacker. Penetration testing simulates real-world attacks to find exploitable vulnerabilities that compliance reports miss.

When should penetration testing happen in the M&A timeline?
External testing can begin pre-LOI using publicly available information. Once NDAs are in place, run a compromise assessment before any internal penetration testing begins, as pentest artifacts contaminate the forensic baseline needed to determine whether the target is already compromised. Internal network and web application testing follow after the compromise assessment clears the environment. All testing should complete before closing to inform final pricing and contract terms.

What frameworks should a pre-acquisition penetration test follow?
Pre-acquisition penetration tests should be conducted by CREST-accredited providers following established frameworks such as the OWASP Testing Guide for web applications, PTES (Penetration Testing Execution Standard) for methodology, and NIST SP 800-115 for technical guidance.
