TypeScript Developer
for SaaS

Technical due diligence serves investors and acquirers who need independent assessment of technology assets. The investment thesis depends on technical assumptions... the team can execute the roadmap, the architecture supports planned growth, the security posture doesn't create liability. Due diligence validates or challenges these assumptions. The approach combines automated analysis with experienced human judgment. SonarQube and Semgrep catch code quality issues at scale. Trivy and Snyk surface dependency vulnerabilities and container CVEs. GitGuardian scans git history for leaked credentials. These tools run fast and find patterns humans miss. But automation can't assess architectural appropriateness or organizational health. Security scanners find known patterns, but miss business logic flaws like broken authorization checks or race conditions in billing code. The human element... reading code, understanding architecture, interviewing teams... is irreplaceable. Findings must translate to business terms to enable informed investment decisions. 'Cyclomatic complexity of 47' means nothing to an investment committee. 'Six months of engineering time required before the mobile launch your thesis depends on' does. The deliverable is a risk-weighted report partners can defend in IC, not a PDF dump of scanner output.

Due diligence engagements follow a structured methodology ensuring comprehensive coverage within tight deal timelines. Phase one is scoping: understanding the investment thesis and identifying technical assumptions to validate. Phase two is data gathering: read-only code repository access via GitHub or GitLab, infrastructure console review across AWS or GCP, documentation collection, and structured interviews with the CTO, lead engineers, and at least one mid-level IC who'll speak candidly. Phase three is analysis: static analysis sweeps, architecture review against stated scalability claims, security assessment using the OWASP ASVS checklist, license and supply chain audit, and team capability assessment including bus factor and retention risk. Phase four is synthesis: connecting technical findings to business implications with quantified remediation estimates. The report includes executive summary, risk-rated findings matrix (critical, high, medium, low), architecture diagrams as-built versus as-claimed, remediation roadmap with effort and cost estimates, and a one-page IC-ready summary. I present findings live to the investment team, field questions during negotiation, and support rep-and-warranty discussions with the target's counsel. For urgent deals I can compress the standard 2-3 week timeline to 7-10 days with narrower scope, working directly with deal leads to prioritize the assumptions most load-bearing on the valuation.