M&A Software Supply Chain Diligence.
Acquire a company, know its software risk in 24 hours. Point Safeguard at the target's GitHub org, get a baseline SBOM, a risk register, a vendor-concentration heatmap, and a license-exposure report before the diligence call.
Most Software Diligence Is A Questionnaire.
Acquirer asks for documents. Target sends them. Nobody runs the binaries, nobody reads the dependencies, nobody checks the licenses. Half the post-close surprises are baked in by Monday.
Self-reported SBOMs miss what matters
The target's engineering team produces an SBOM under deadline pressure. It captures the framework dependencies and misses the transitive graph, the vendored copies, the in-house forks of OSS libraries that haven't been merged upstream in 18 months.
License exposure shows up at integration
Copyleft contamination, ambiguous dual-licensing, expired commercial licenses on enterprise libs — none of this is in the data room. It surfaces six months post-close when your IP lawyer reviews the merged codebase.
Vendor concentration is invisible
The target depends on a single small maintainer for 40% of its build chain. That maintainer's burnout is your post-close risk. No standard diligence pack surfaces it.
Known-vulnerable versions in production
The target's SCA tool says "clean." Their lockfile actually pins three KEV-listed versions. The pre-close report doesn't catch it. The post-close incident does.
Read-only Access, Sealed Tenant, Complete Report.
Stage 1 — Ingest & Baseline
Point Safeguard at the target's GitHub/GitLab/Bitbucket org with a read-only token. The engine pulls every repo, builds the dependency graph, and produces a baseline SBOM in CycloneDX or SPDX inside a sealed diligence tenant.
Stage 2 — Risk Register
Eagle ranks every package by vulnerability density, license risk, maintainer concentration, and abandonment signal. The output is a prioritised risk register the deal team and security team can both read.
Stage 3 — Concentration + License Heatmap
Two visualisations land in the report: vendor concentration (which maintainers carry disproportionate weight) and license exposure (which copyleft, dual, or commercial licenses are in the graph and where they sit).
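The ranking in Stage 2 and the maintainer-concentration view in Stage 3 can be reproduced on a small scale from a CycloneDX component list. The script below is an added example, not Safeguard's or Eagle's code: it reads a constructed CycloneDX-style SBOM, scores each component on known-vulnerability count, copyleft licence class and an 18-month release-gap abandonment signal, and weights each maintainer's share of the build chain by reverse-dependency count. The `properties` used to carry maintainer, release date, vulnerability and reverse-dependency data, the weights, and the 18-month threshold are assumptions of the example.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed CycloneDX-style SBOM. The maintainer, last-release date, known-vuln
# count and reverse-dependency count ride in each component's 'properties' list;
# that attachment is an assumption of this example, not a Safeguard convention.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "webfw", "version": "4.2.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "properties": [{"name": "maintainer", "value": "alice"},
                        {"name": "last_release", "value": "2024-01-10"},
                        {"name": "known_vulns", "value": "1"},
                        {"name": "reverse_deps", "value": "120"}]},
        {"name": "tinyparse", "version": "0.3.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "properties": [{"name": "maintainer", "value": "bob"},
                        {"name": "last_release", "value": "2022-03-01"},
                        {"name": "known_vulns", "value": "0"},
                        {"name": "reverse_deps", "value": "40"}]},
        {"name": "cryptoutil", "version": "1.9.4",
         "licenses": [{"license": {"id": "LGPL-2.1-only"}}],
         "properties": [{"name": "maintainer", "value": "bob"},
                        {"name": "last_release", "value": "2023-11-20"},
                        {"name": "known_vulns", "value": "1"},
                        {"name": "reverse_deps", "value": "30"}]},
        {"name": "fastlog", "version": "2.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "properties": [{"name": "maintainer", "value": "carol"},
                        {"name": "last_release", "value": "2021-06-15"},
                        {"name": "known_vulns", "value": "0"},
                        {"name": "reverse_deps", "value": "10"}]},
    ],
})
REVIEW_DATE = date(2024, 6, 1)        # constructed "as of" date for the diligence run
ABANDON_MONTHS = 18                   # assumed threshold for an abandonment signal
STRONG_COPYLEFT = ("GPL-", "AGPL-")   # SPDX id prefixes; "LGPL-" does not match "GPL-"
WEAK_COPYLEFT = ("LGPL-", "MPL-")


def load_components(sbom_json):
    """Flatten each CycloneDX component into a plain dict with its properties decoded."""
    out = []
    for c in json.loads(sbom_json)["components"]:
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        ids = [entry["license"]["id"] for entry in c.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        out.append({"name": c["name"], "version": c["version"], "licenses": ids,
                    "maintainer": props.get("maintainer", "unknown"),
                    "last_release": date.fromisoformat(props["last_release"]),
                    "known_vulns": int(props.get("known_vulns", 0)),
                    "reverse_deps": int(props.get("reverse_deps", 0))})
    return out


def license_risk(license_id):
    """3 for strong copyleft, 1 for weak copyleft, 0 for permissive or unclassified."""
    if license_id.startswith(STRONG_COPYLEFT):
        return 3
    if license_id.startswith(WEAK_COPYLEFT):
        return 1
    return 0


def months_since(d, today):
    return (today.year - d.year) * 12 + (today.month - d.month)


def risk_register(sbom_json, today):
    """Score every component (assumed weights) and return entries from highest to lowest risk."""
    register = []
    for c in load_components(sbom_json):
        reasons, score = [], 2 * c["known_vulns"]
        if c["known_vulns"]:
            reasons.append("%d known vuln(s)" % c["known_vulns"])
        lic = max((license_risk(i) for i in c["licenses"]), default=0)
        score += lic
        if lic:
            reasons.append("copyleft licence " + "/".join(c["licenses"]))
        gap = months_since(c["last_release"], today)
        if gap >= ABANDON_MONTHS:
            score += 2
            reasons.append("no release in %d months" % gap)
        register.append({"name": c["name"], "version": c["version"],
                         "score": score, "reasons": reasons})
    return sorted(register, key=lambda e: (-e["score"], e["name"]))


def maintainer_concentration(sbom_json):
    """Share of the build chain resting on each maintainer, weighted by reverse-dependency count."""
    weight = defaultdict(int)
    for c in load_components(sbom_json):
        weight[c["maintainer"]] += c["reverse_deps"]
    total = sum(weight.values()) or 1
    return {m: w / total for m, w in sorted(weight.items(), key=lambda kv: -kv[1])}


if __name__ == "__main__":
    for entry in risk_register(SAMPLE_SBOM, REVIEW_DATE):
        print(entry)
    print(maintainer_concentration(SAMPLE_SBOM))
```

On the constructed input the GPL-licensed, unmaintained `tinyparse` ranks first despite having no known vulnerabilities, and `alice` carries 60% of the weighted chain on a single package, which is the kind of single-maintainer exposure the heatmap is meant to surface.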
From Read-Only Token To Investment Memo.
A Worked Diligence
- t = 0 (Setup): Target provides a read-only token, scoped to their primary GitHub org. Sealed diligence tenant provisioned.
- t + 2h (Engine): 240 repos ingested, full transitive dependency graph reconstructed, baseline SBOM generated.
- t + 6h (Eagle): Risk register ranked: 14 critical vulns, 3 KEV-listed in production paths, 47 packages with maintainer-abandonment signals.
- t + 12h (Griffin): License analysis: 2 strong-copyleft contamination paths into the proprietary SDK, 1 expired commercial license on a core analytics lib.
- t + 18h (Heatmap): Vendor concentration heatmap: 38% of build chain weighted on 4 individual maintainers, top concentration on a single Apache-licensed lib with one active committer.
- t + 24h (Memo): Final report delivered: SBOM, risk register, license-exposure map, vendor-concentration heatmap, post-close watch-list.
What Goes In The Memo
A diligence report your deal team and security team both understand, structured for the investment committee.
- CycloneDX or SPDX, version-pinned, every transitive included.
- KEV-listed criticals, CVSS distribution, exploit availability.
- Which copyleft, dual, commercial licenses sit where in the graph.
- Top-tier maintainers, single-maintainer risk, abandonment signals.
- Diff vs the target's self-reported SBOM — where they missed components.
- What to monitor in the first 90 days after integration.
- Specific risks that should be carved out in the SPA.
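Two of the memo items above, the KEV check against what the lockfile actually pins (the "SCA says clean" case described earlier) and the diff against the target's self-reported SBOM, come down to reading the lockfile rather than trusting a summary. The script below is an added example, not Safeguard's code: it parses a constructed npm `package-lock.json` (lockfile v3 layout), including a nested older copy of a package that a shallow listing would miss, checks every pinned version against a placeholder KEV-style list, and reports which packages and versions the self-reported SBOM left out. The package names, the `KEV-PLACEHOLDER-*` ids, the `fixed_in` field and the simplified numeric version comparison are all assumptions of the example.

```python
import json
from collections import defaultdict

# Constructed npm lockfile (v3 layout). acme-log bundles its own older acme-parse,
# so acme-parse is pinned at two versions at once.
SAMPLE_LOCKFILE = json.dumps({
    "name": "target-sdk", "lockfileVersion": 3,
    "packages": {
        "": {"name": "target-sdk", "version": "3.1.0"},
        "node_modules/acme-parse": {"version": "1.4.2"},
        "node_modules/acme-log": {"version": "2.0.0"},
        "node_modules/acme-log/node_modules/acme-parse": {"version": "0.9.1"},
        "node_modules/acme-http": {"version": "5.3.0"},
    },
})

# Placeholder KEV-style entries mapped to package + first fixed version. Real KEV
# records are CVE-keyed; this mapping shape is an assumption of the example.
KEV_PLACEHOLDER = [
    {"id": "KEV-PLACEHOLDER-001", "package": "acme-parse", "fixed_in": "1.0.0"},
    {"id": "KEV-PLACEHOLDER-002", "package": "acme-http", "fixed_in": "5.3.0"},
    {"id": "KEV-PLACEHOLDER-003", "package": "acme-log", "fixed_in": "2.0.1"},
]

# Constructed self-reported SBOM: what the target's team listed, as name@version.
SELF_REPORTED_SBOM = ["acme-parse@1.4.2", "acme-log@2.0.0"]


def pinned_packages(lockfile_json):
    """Return (name, version, lockfile path) for every installed package, nested copies included."""
    out = []
    for path, meta in json.loads(lockfile_json)["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # keeps "@scope/name" intact
        out.append((name, meta["version"], path))
    return out


def parse_version(v):
    """Simplified semver: numeric dotted core only, pre-release suffix dropped (assumption)."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def kev_hits(lockfile_json, kev_entries):
    """Every pinned version older than the fixed version of a KEV entry for that package."""
    by_package = defaultdict(list)
    for e in kev_entries:
        by_package[e["package"]].append(e)
    hits = []
    for name, version, path in pinned_packages(lockfile_json):
        for e in by_package.get(name, []):
            if parse_version(version) < parse_version(e["fixed_in"]):
                hits.append({"id": e["id"], "package": name, "version": version, "path": path})
    return hits


def sbom_diff(lockfile_json, self_reported):
    """Packages and versions that are really pinned but absent from the self-reported SBOM."""
    reported = defaultdict(set)
    for ref in self_reported:
        n, v = ref.rsplit("@", 1)
        reported[n].add(v)
    actual = defaultdict(set)
    for name, version, _ in pinned_packages(lockfile_json):
        actual[name].add(version)
    missing = sorted(n for n in actual if n not in reported)
    unreported_versions = sorted((n, v) for n, vs in actual.items()
                                 if n in reported for v in vs - reported[n])
    return {"missing": missing, "unreported_versions": unreported_versions}


if __name__ == "__main__":
    for h in kev_hits(SAMPLE_LOCKFILE, KEV_PLACEHOLDER):
        print("KEV hit:", h)
    print("SBOM diff:", sbom_diff(SAMPLE_LOCKFILE, SELF_REPORTED_SBOM))
```

The nested `acme-parse@0.9.1` is the instructive case: the top-level copy is patched, the self-reported SBOM lists only that copy, and a scan keyed on top-level names would report the package clean while the vulnerable version still ships inside `acme-log`. Reporting the lockfile path with each hit tells the integration team exactly where in the graph the exposure sits.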
Diligence tenants are sealed by default. Source code, scan results, and reports are accessible only to the named diligence team. Read-only token revoked at close.
How A Strategic Acquirer Repriced A Deal Mid-Diligence
An enterprise software acquirer ran Safeguard against a target's GitHub org during the technical diligence window. The 24-hour report surfaced two strong-copyleft contamination paths into the target's proprietary SDK that nobody — on either side of the table — had spotted. The license-exposure finding became a material indemnification carve-out in the SPA and unblocked the close.
Diligence that doesn't surprise you post-close.
Book a working session with the diligence team. We'll walk through the 24-hour report format and the sealed-tenant model.