Acquire a company, know its software risk in 24 hours. Point Safeguard at the target's GitHub org, get a baseline SBOM, a risk register, a vendor-concentration heatmap, and a license-exposure report before the diligence call.
Acquirer asks for documents. Target sends them. Nobody runs the binaries, nobody reads the dependencies, nobody checks the licenses. Half the post-close surprises are baked in by Monday.
The target's engineering team produces an SBOM under deadline pressure. It captures the framework dependencies and misses the transitive graph, the vendored copies, the in-house forks of OSS libraries that haven't been merged upstream in 18 months.
Copyleft contamination, ambiguous dual-licensing, expired commercial licenses on enterprise libs — none of this is in the data room. It surfaces six months post-close when your IP lawyer reviews the merged codebase.
The target depends on a single small maintainer for 40% of its build chain. That maintainer's burnout is your post-close risk. No standard diligence pack surfaces it.
The target's SCA tool says "clean." Their lockfile actually pins three versions affected by KEV-listed CVEs, because the scanner read the manifest's version ranges rather than the resolved versions. The pre-close report doesn't catch it. The post-close incident does.
Point Safeguard at the target's GitHub/GitLab/Bitbucket org with a read-only token. The engine pulls every repo, builds the dependency graph, and produces a baseline SBOM in CycloneDX or SPDX inside a sealed diligence tenant.
Eagle ranks every package by vulnerability density, license risk, maintainer concentration, and abandonment signal. The output is a prioritised risk register the deal team and security team can both read.
Two visualisations land in the report: vendor concentration (which maintainers carry disproportionate weight) and license exposure (which copyleft, dual, or commercial licenses are in the graph and where they sit).
Target provides a read-only token, scoped to their primary GitHub org. Sealed diligence tenant provisioned.
240 repos ingested, full transitive dependency graph reconstructed, baseline SBOM generated.
Risk register ranked: 14 critical vulns, 3 of them KEV-listed CVEs in production dependency paths, 47 packages with maintainer-abandonment signals.
License analysis: 2 strong-copyleft contamination paths into the proprietary SDK, 1 expired commercial license on a core analytics lib.
Vendor concentration heatmap: 38% of build chain weighted on 4 individual maintainers, top concentration on a single Apache-licensed lib with one active committer.
Final report delivered: SBOM, risk register, license-exposure map, vendor-concentration heatmap, post-close watch-list.
A diligence report your deal team and security team both understand, structured for the investment committee.
CycloneDX or SPDX, version-pinned from the lockfiles, every transitive dependency included.
KEV-listed criticals, CVSS distribution, exploit availability.
Which copyleft, dual, commercial licenses sit where in the graph.
Highest-weight maintainers, single-maintainer risk, abandonment signals.
Diff against the target's self-reported SBOM: the components they missed, the versions they got wrong, and the components they listed that are not in the graph.
What to monitor in the first 90 days after integration.
Specific risks that should be carved out in the SPA.
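Two of the checks described above, the lockfile-versus-KEV cross-check behind the "SCA says clean" failure mode and the diff against a self-reported SBOM, are small enough to show end to end. The block below is an added example written for this page, not Safeguard's own code. Every input is constructed: the package-lock.json, the self-reported CycloneDX document, the package names, the advisory entries and the CVE identifiers are placeholders. One assumption is worth stating: the KEV catalog publishes CVE IDs, not affected-version ranges, so the version check here joins KEV IDs against a separate advisory feed (OSV/NVD style) that carries a fixed version per package; that feed is also constructed.

```python
import json

# --- constructed sample inputs; none of these packages, advisories or CVEs are real ---
LOCKFILE_JSON = json.dumps({
    "name": "target-sdk", "lockfileVersion": 3,
    "packages": {
        "": {"name": "target-sdk", "version": "2.4.0"},
        "node_modules/web-framework": {"version": "4.1.2"},
        "node_modules/qs-parser": {"version": "6.5.2"},
        "node_modules/legacy-xml": {"version": "0.9.1"},
        "node_modules/test-runner": {"version": "9.0.0", "dev": True},
    },
})

# Constructed self-reported SBOM (CycloneDX-shaped). It carries a stale qs-parser
# version, omits the transitive legacy-xml, and lists a package that is not pinned.
SELF_REPORTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "web-framework", "version": "4.1.2"},
        {"type": "library", "name": "qs-parser", "version": "6.6.0"},
        {"type": "library", "name": "test-runner", "version": "9.0.0"},
        {"type": "library", "name": "old-logger", "version": "1.0.0"},
    ],
})

# KEV entries carry CVE IDs only; affected versions come from a separate advisory
# feed. Both are constructed placeholders (assumption: fix version is a single bound).
KEV_CVE_IDS = {"CVE-0000-1111", "CVE-0000-2222"}
ADVISORIES = [
    {"cve": "CVE-0000-1111", "package": "qs-parser", "fixed": "6.6.0"},
    {"cve": "CVE-0000-2222", "package": "legacy-xml", "fixed": "1.0.0"},
    {"cve": "CVE-0000-3333", "package": "test-runner", "fixed": "9.1.0"},  # not in KEV
]


def semver(v):
    """Numeric tuple for a MAJOR.MINOR.PATCH string; pre-release tags are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def parse_npm_lockfile(text):
    """Map every resolved package in a lockfileVersion>=2 'packages' map to {version, dev}.
    Nested paths (node_modules/a/node_modules/@s/b) resolve to the innermost name."""
    out = {}
    for path, meta in json.loads(text)["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.split("node_modules/")[-1]
        out[name] = {"version": meta["version"], "dev": bool(meta.get("dev", False))}
    return out


def kev_hits(components, advisories, kev_ids):
    """Pinned versions below an advisory's fixed version, where the CVE is in KEV.
    'production' is False for dev-only dependencies so they rank lower in a register."""
    hits = []
    for adv in advisories:
        if adv["cve"] not in kev_ids:
            continue
        comp = components.get(adv["package"])
        if comp and semver(comp["version"]) < semver(adv["fixed"]):
            hits.append({"package": adv["package"], "version": comp["version"],
                         "cve": adv["cve"], "production": not comp["dev"]})
    return hits


def diff_sbom(components, sbom_text):
    """Compare the reconstructed component set to a self-reported CycloneDX SBOM."""
    reported = {c["name"]: c["version"] for c in json.loads(sbom_text)["components"]}
    return {
        "missed": sorted(n for n in components if n not in reported),
        "version_mismatch": sorted(n for n, v in reported.items()
                                   if n in components and components[n]["version"] != v),
        "phantom": sorted(n for n in reported if n not in components),
    }


def to_cyclonedx(components):
    """Minimal CycloneDX 1.5 document; 'scope' marks dev-only dependencies as optional."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [
            {"type": "library", "name": n, "version": c["version"],
             "purl": f"pkg:npm/{n}@{c['version']}",
             "scope": "optional" if c["dev"] else "required"}
            for n, c in sorted(components.items())
        ],
    }


if __name__ == "__main__":
    comps = parse_npm_lockfile(LOCKFILE_JSON)
    print(json.dumps(to_cyclonedx(comps), indent=1))
    for h in kev_hits(comps, ADVISORIES, KEV_CVE_IDS):
        print("KEV:", h)
    print("SBOM diff:", diff_sbom(comps, SELF_REPORTED_SBOM))
```

The point of reading the lockfile rather than the manifest is that the manifest's `^4.0.0` says nothing about what ships; the lockfile does. The dev flag is kept because a KEV hit in a test runner is a different finding from one in a production request path, which is the distinction the register above draws.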
Diligence tenants are sealed by default. Source code, scan results, and reports are accessible only to the named diligence team. Read-only token revoked at close.
An enterprise software acquirer ran Safeguard against a target's GitHub org during the technical diligence window. The 24-hour report surfaced two strong-copyleft contamination paths into the target's proprietary SDK that nobody — on either side of the table — had spotted. The license-exposure finding became a material indemnification carve-out in the SPA, repriced the deal by $4.2M, and unblocked the close.
Book a working session with the diligence team. We'll walk through the 24-hour report format and the sealed-tenant model.