
M&A Security Due Diligence
Powered by OSSTMM v4
The only M&A security assessment that delivers a single, contractually defensible number – not a narrative, not a heatmap. A mathematically derived measure of the security you are actually buying.
The Problem with M&A Security Due Diligence Today
Every year, acquirers inherit security liabilities they did not know they were buying. The 2017 Marriott-Starwood breach exposed 500 million records from a network that Marriott acquired four years earlier. The Yahoo acquisition by Verizon was repriced by $350 million after undisclosed breaches came to light during due diligence. These are not edge cases – they are the predictable outcome of a broken process.
The conventional approach to M&A security due diligence has three fundamental failures:
- It produces narratives, not numbers. A list of findings with traffic-light ratings is not a contractual instrument. It cannot be used to negotiate price adjustments, R&W insurance premiums, or escrow holdbacks with any precision.
- It is checklist-driven, not surface-aware. Standard questionnaires ask whether controls exist, not whether they actually work or whether the trust surface is properly bounded.
- It ignores identity as the primary inherited risk. In modern environments, what you are really acquiring is a web of identity relationships – service accounts, app registrations, third-party integrations, and privileged access paths – none of which appear on a traditional asset register.
The Core Question No One Is Answering
How much security are you actually buying? Not how many policies exist. Not how many CVEs are open. A single number that reflects the real, measurable security state of the acquisition target – derived from evidence, not opinion.
Our Approach: OSSTMM v4 Quantitative Assessment
Griffin Cyber Solutions delivers M&A security due diligence using OSSTMM v4 – the Open Source Security Testing Methodology Manual, maintained by ISECOM and recognized as the most rigorous security testing methodology in use today.
At the center of every engagement is the RAV score – Risk Assessment Value – a mathematically derived measure of Actual Security across five operational dimensions. It is not an opinion. It is not a weighted average of checkbox responses. It is a calculated baseline you can attach to a deal.
The Five Dimensions We Score
Every acquisition target is assessed across five dimensions, each scored independently:
| Dimension | What We Measure |
|---|---|
| Visibility | What is externally exposed – DNS records, certificates, OSINT-retrievable infrastructure, data leakage from job postings and metadata |
| Induction | What can be inferred without direct interaction – leaked credentials, exposed stack details, passive reconnaissance findings |
| Interactions | The full interaction surface – authenticated and unauthenticated API endpoints, web application attack surface, network perimeter |
| Intervention | Whether detection and response actually function – SOC maturity, alerting coverage, incident response capability |
| Inquest | The audit and accountability layer – SIEM coverage, log integrity, non-repudiation of privileged transactions |
The RAV Score: A Number You Can Use in Negotiations
The RAV formula produces a score from 0 to 100+ per dimension, then aggregates to a single Actual Security figure for the target environment. Unlike risk scores, the RAV is built from evidence collected during the assessment – not estimated from questionnaire responses.
Why This Matters at the Deal Table
A RAV score below a defined threshold can trigger price adjustment clauses, escrow holdbacks, or R&W insurance adjustments. For the first time, buyers have a mathematically defensible baseline rather than a subjective narrative to anchor commercial negotiations around security findings.
What We Deliver
Phase 1 – Trust Surface Inventory
Before any testing begins, we map the trust surface of the target using OSSTMM v4 Trust Properties. This phase answers the foundational question: do we know what we are buying?
| Trust Property | M&A Relevance |
|---|---|
| Components | Full asset inventory – all systems, integrations, and third-party relationships |
| Symmetry | Identification of imbalanced trust relationships – vendors with excessive access, one-sided API integrations |
| Transparency | Whether the acquirer can actually observe audit logs, configurations, and access records |
| Oversight | Governance maturity – is security actively managed or purely reactive? |
| Durability | Whether the security posture can survive integration stress and transition periods |
| Size | Whether the trust surface is appropriately bounded or unnecessarily large |
Phase 2 – Dimensional RAV Assessment
Full OSSTMM v4 technical assessment across all five dimensions. Each dimension produces an evidence-backed score for Controls, OPSEC limiters, and Security Limitations. The aggregate is the target’s Actual Security baseline.
Phase 3 – Identity and IAM Trust Analysis
Identity is the most dangerous inherited liability in any acquisition. We apply OSSTMM v4 IAM analysis to the target’s full identity estate:
- Entra ID and Active Directory trust health – over-privileged accounts, orphaned service principals, excessive App Registration permissions
- Third-party integration trust mapping – OAuth grants, API keys, federated identity relationships
- Privileged access paths – break-glass accounts, emergency access procedures, administrative backdoors
- Non-repudiation coverage – whether privileged transactions are auditable and tamper-evident
Each finding is dual-mapped to OWASP, NIST, PCI, HIPAA and other frameworks where applicable, providing the cross-reference buyers and their legal counsel expect.
Phase 4 – STAR Report Delivery
The Security Test Audit Report (STAR) is the formal deliverable. The v4 STAR format includes:
- Dimensional RAV breakdown with per-dimension scores and evidence references
- Trust Surface Analysis – OBSERVE properties scored per key asset class
- Limitations Register – all findings classified as Anomaly, Weakness, Vulnerability, Concern, or Exposure
- Mobius Defense gap analysis – where the continuous security loop breaks under integration pressure
- Remediation roadmap with effort and impact classifications
- Executive summary written for legal counsel and corporate development teams, not security practitioners
Service Tiers
| Tier | Scope | Indicative Timeline |
|---|---|---|
| Light | Passive assessment only. OSINT, DNS, certificate analysis, metadata, IAM export review. STAR summary report with RAV baseline. | 2-3 days |
| Standard | Full dimensional RAV with authenticated testing across all five dimensions. Complete STAR v4 report with executive summary. | 5-7 days |
| Deep Dive | Standard plus IAM deep dive, full identity trust mapping, integration risk analysis, and executive briefing for deal team and legal counsel. | 10-20 days |
Ongoing Retainer: Post-Close Integration Monitoring
The 90 days following close are the highest-risk period in any acquisition. We offer a post-close retainer that tracks RAV score movement as the two environments merge, flagging trust surface expansion and identity integration risks in real time.
Why GCS Does This Better
There are three types of providers currently offering M&A security work: Big 4 advisory firms, boutiques, and generalist penetration testing shops. None of them produce a quantitative security baseline.
| Provider Type | What You Actually Get |
|---|---|
| Big 4 Advisory | Governance questionnaires, policy gap analysis, framework compliance checklists. High cost, low technical depth. No RAV. No tested evidence. |
| Tech Boutiques | Architecture reviews and code audits focused on product, not security posture. Good for software quality, not for trust surface analysis. |
| Pen Test Shops | Vulnerability lists with CVSS scores. Findings without dimensional context. No trust surface model. No contractual baseline. |
What Griffin Cyber Solutions Delivers That No One Else Does
- Quantitative baseline. A mathematically derived RAV score, not a narrative.
- Methodology credibility. Built on OSSTMM v4, the most rigorous testing methodology available – maintained by ISECOM and used by governments and financial institutions.
- Identity depth. An identity-first approach: we treat the IAM estate as the primary due diligence surface because it is where post-acquisition breaches originate.
- Cross-framework mapping. Every finding is dual-mapped to the OSSTMM v4 Limitations taxonomy and to OWASP, NIST, HIPAA, PCI and other frameworks where applicable, satisfying the cross-reference requirements of legal and compliance teams.
- Commercial utility. Deal-ready deliverables: our STAR report is written for corporate development and legal teams, not just security practitioners, and is designed to anchor commercial negotiations.
- Senior expertise. Nearly 25 years of practitioner experience in offensive security, governance, risk, and compliance – with deep ISECOM affiliation.
The Single Most Important Differentiator
We can give you a number. No other provider in this space delivers a contractually usable, quantitative, repeatable security baseline derived from evidence rather than estimation. When the deal team asks, "What security are we buying?", we answer with a figure, not a color on a chart.
Who This Is For
Our M&A security due diligence service is designed for:
- Private equity firms evaluating technology or digitally dependent acquisitions who need a defensible security baseline before signing.
- Corporate development teams at mid-market companies acquiring businesses for the first time without in-house security capability.
- M&A legal counsel advising on representations and warranties clauses who need quantitative evidence to underpin security-related provisions.
- R&W insurance underwriters who require a technical security baseline as a condition of coverage or to price premiums accurately.
- Founders and management teams of acquisition targets who want to demonstrate security posture to buyers proactively and accelerate the process.
Typical Engagement Trigger Points
| Situation | How We Help |
|---|---|
| Pre-LOI screening | Light assessment to flag material security liabilities before committing to full due diligence cost |
| Full due diligence period | Standard or Deep Dive engagement producing the STAR report and RAV baseline for the deal file |
| Post-close integration | Retainer monitoring RAV score movement and identity trust surface expansion through the integration period |
| Vendor or partner onboarding | Standard assessment applied to critical third-party relationships outside M&A contexts |
Let’s Get Started
Every engagement begins with a no-cost scoping call to confirm the target environment, timeline, and the specific commercial questions the assessment needs to answer.
We operate under NDA before any scoping conversation begins. All assessment data and findings are treated as confidential deal materials.
Ready to put a number on the security you are buying?
