
The Anatomy of a Skipped Tech DD

Only 1 in 10 PE funds follow the obvious. The rest risk €100M.

Jacek Podoba
CEO, Altimi
May 4, 2026

WHAT YOU WILL TAKE AWAY

•  91% of buy-side PE software deals close without structured Tech DD – a global figure that includes both US and European buyouts.

•  Three invoices the Investment Committee memo never shows – misclassification, commoditisation, modernization. They compound into €20M on a typical European deal (€100M+ on a US mid-market deal). After closing.

•  Tech DD ≠ SOC 2 ≠ CTO call ≠ deal team with an LLM. A structured, fast-track, 2–3-week, RAG-scored Tech DD turns the bills above into priced inputs before each transaction, not after-close surprises.

Behind that 9-in-10 number sits something more structural than a discipline gap. There are three strategic risks every mid-market deal carries on its technical layer – and the Investment Committee memo, however well written, is built to see almost none of them. Before we get to the eight places where we look to avoid pricey deadlocks, here is what we mean by typical PE deal exposures.

1. The Three Exposures That Bend the Multiple

A mid-market software target lands on your desk. €20 million ARR. Net retention above 110%. Founder still in the chair. On paper, every conventional input checks out: the seller's deck is polished, the financial diligence is clean, the commercial DD reads well. The deal team is leaning toward yes.

And then, somewhere between the data room and the IC memo, three exposures begin to form - nobody is pricing them yet, but every single one is real. None appear in the financial diligence. None show up in the model. All three become tangible the moment you sign - and at least one will be material enough to bend the return curve, the management fee narrative, and, in the worst case, fund-level performance. Let's go straight to the merits.

01 · MISCLASSIFICATION  -  A SaaS that isn’t a SaaS.

The asset looks like a textbook SaaS business: subscription revenue, low churn, a positive net retention story, a product that customers like. The deck describes it that way, the CIM describes it that way, and most of the deal team will, by the second week, describe it that way too. The trouble is that the market keeps calling things "SaaS" that aren't. A thin orchestration layer sitting on top of GPT-5 - or whichever model is the headline this quarter; if you're reading this in three months, mentally swap in the next one. A workflow tool whose core IP is a prompt template and a Stripe integration. A "platform" that turns out to be three serverless functions and a database. The multiple you're paying assumes durable software economics - recurring, defensible, gross-margin-stable. The asset, on closer inspection, has the unit economics of a managed service. You don't find that in the deck or in the audited accounts. You find it in the architecture diagrams, in the observability stack the team actually uses day-to-day, and in how much engineering time disappears into firefighting versus shipping new product.

02 · COMMODITISATION  -  An AI that isn’t an AI.

On the surface, the company has a credible AI story. There is a working product, paying customers, real engagement metrics, and an AI line in the pitch that has clearly helped close the round. Look one layer deeper and the picture changes. The "AI engine" the deck describes turns out to be a wrapper. The model isn't fine-tuned. The data isn't proprietary. There's no evaluation pipeline. There's no fallback when the underlying provider ships a price cut, a competitor, or a deprecation. Inference cost is sitting at a percentage of revenue that nobody on the deal team has stress-tested at next year's scale. None of this kills the thesis. All of it shifts the multiple - and the negotiation - if it's found before the SPA.

03 · MODERNIZATION  -  A platform that can’t keep growing.

A €15M ARR business with a healthy customer base, a recognised brand in its niche, and a product roadmap that has clearly delivered for several years. The team is proud of what they've built, and they have reason to be. The catch sits underneath: a payment module written in 2017 that 40% of revenue still routes through. A monolith no one wants to refactor - not because they don't want to, but because it has never been the priority. Business needed to keep moving. Legacy keeps growing. A senior engineer who's been there nine years and is the only person who fully understands the billing engine. None of this is a red flag in isolation. All of it becomes one when you find out, four months post-close, that the Year-3 growth case in your model assumes a refactor that nobody has scoped, sequenced, or budgeted.

Three exposures. None of them in the deck. All of them quickly findable - and all of them missed, not because nobody was looking, but because nobody was looking in a structured way.

Bain has been measuring this for years, and the numbers haven't moved much. For pure-play software deals, where the technology is the asset, structured tech due diligence happens in roughly 15% of buyouts. For PE buyouts overall the rate is closer to 9% - even though, in the most recent year measured, 31% of all buyouts involved technology companies, and a much larger share targeted non-tech businesses where technology sits at the heart of the value proposition. PitchBook puts the volume of those tech-enabled deals at roughly 3× what it was five years ago. (Bain & Company, Global Private Equity Report 2026; Bain - Is Your Tech Due Diligence Good Enough?)

Read that again. Roughly nine in ten PE buy-side deals - in a market where technology is increasingly the value driver - close without structured technical due diligence. Roughly seven in ten of the deals where the asset is the technology close without it. The volume of tech-enabled deals has tripled in five years; the share of them that get a professional technical look has not.

Those 9% / 15% / 31% figures are global buyout numbers – Europe sits inside the sample, not above it. A 2024 Statista survey of European PE firms ranks ESG (78%) as the top due-diligence focus area, with cybersecurity second; structured Tech DD does not make the European top five at all (Statista, 2024). Europe is not quieter on Tech DD because it is more careful. The topic is not named in the room.

Figure 1. The market doubled tech-driven deal share. The share that gets a Tech DD did not move.

Tech DD is the cheapest line item with the highest variance in the entire deal process. And it is the one most often skipped - or, just as often, handled by a half-hour call with an ex-Google friend, an interim CTO on a per-day rate, or a member of the deal team running it in-house, supported by AI tools. None of those people are bad operators. None of them are a structured technical method.

The alternative is not a 200-page Deloitte deck or a McKinsey transformation programme. That is, almost certainly, why only ~10% of deals can justify the cost, the timeline, and the orchestration overhead of a binder-style report - the economics simply don't fit a mid-market hold. There is a faster, sharper, more applied way to do this work: a 2–3 week, thesis-driven exercise that produces a RAG-scored decision document an IC can vote on, not a binder no one will open. That is the discipline this article walks through. Eight places where these three exposures actually hide. Three short notes from real engagements. The math behind a missed call. And the three reflexes we'd encourage any IC to adopt before the next vote.

2. Eight Places We Look First

When we get into a target, the three exposures almost always cluster in the same eight places. Not because the playbook is generic - because the underlying economics are. Once you know where to look, the findings repeat. The composite illustrations below come from real engagements; no single client is identifiable.

Figure 2. Where each of the three bills surfaces across the eight Tech DD areas. Severity scaled by the Altimi Tech DD methodology.

1 · Architecture & Stack. The deck says "modern microservices." The architecture diagram says 40% of revenue still routes through a 9-year-old payment module wrapped by three abstraction layers. The IC has underwritten a 5× ARR growth thesis over the hold; that single module now sits on the critical path of every refactor that thesis implies. Sequence it wrong, and Year-2 platform work blocks Year-3 expansion.

2 · Code Quality. The aggregate test-coverage number on the seller's slide is 81% – a figure most ICs will read as "healthy." Break it down by module and the picture changes: the public-facing API is well-tested, but the billing engine – where every bug is a direct invoice error for a paying customer – sits at 12%. The headline is investor-grade; the part that moves churn and net retention is essentially untested. One regression, one escalation, one customer comparing notes, and the hit lands on the very metrics commercial DD trusted.

3 · Infrastructure & Cloud. The deck highlights AWS as the primary provider with enterprise account support – defensible, and where more than half of modern software runs today. The exposure sits one layer down: the data plane and managed services are deeply coupled to that vendor's primitives, with no abstraction layer in between. A back-of-the-envelope estimate to lift-and-shift to a second provider – or to a parallel region for failover – lands at $4–6M and 12–18 months of engineering. On top of that, an active customer in a regulated jurisdiction is asking for in-region data residency the current setup can't deliver. None of it is on the deck. All of it sits between the IC's growth case and the next enterprise renewal.

4 · Security & Compliance. A SOC 2 audit is on file, presented as proof of maturity. SOC 2 is not a Tech DD – a distinction often misread in data rooms. SOC 2 attests that controls exist; Tech DD asks whether the architecture, the code, and the team behind them deliver what the IC memo assumes. On the asset itself, a simple scan surfaces an exposed admin endpoint behind a guessable subdomain. Compliance attestation, real exposure – increasingly two different conversations under EU NIS2.

5 · AI & Data Maturity. The "AI engine" is, on inspection, a wrapper around a third-party model. No evaluation harness, no fallback model, no spend governance. The current inference bill: $94k a month, growing linearly with usage, never projected past current ARR. The defensibility argument doesn't survive the architecture diagram.

6 · Scalability & Growth. The 5× load test held. The 10× load test broke at the database layer eleven minutes in. The IC growth case assumed 8× by Year 3. That gap is a refactor - or a re-platform - that needs to be priced into the value bridge before, not after, the SPA.

7 · Team & Delivery. Three of seven senior engineers hold all production deployment knowledge. Two have non-compete clauses expiring within the holding period. Underneath that, the SDLC itself is informal: there is no documented branching model, code review is ad hoc, releases ship from individual laptops, and the incident-response playbook lives in a private Slack channel. This isn't "key-person risk" as a footnote. It is the operating reality of every release window for the next 36 months - and a meaningful part of the post-acquisition cost of getting the engineering organisation onto a delivery cadence the value bridge can rely on.

8 · 90-Day Roadmap. The output of looking at the seven areas above isn't a list of complaints. It is a single, sequenced 90-day intervention plan: payment-module decoupling (Area 1) and the billing-engine test coverage (Area 2) addressed first, because both sit on the critical path of the growth thesis; multi-region failover and the cloud-portability roadmap (Area 3) and the network-boundary fix (Area 4) running in parallel, on a 60-day clock; an AI evaluation harness and inference-spend governance (Area 5) stood up before the next contract renewal; the 10× scalability fix (Area 6) and the SDLC and key-person work (Area 7) phased into months 2 and 3. Total: €640k of opex pulled forward, mapped to a 14-month modernization line item, integrated into the IC's value bridge before the SPA. That is the difference between a Tech DD and a CTO call - not a longer report, but a sequenced intervention an operator can actually execute.

Eight places. The same three exposures, hiding in different rooms of the same house.

A useful counterweight on the "high-quality investors caught it" assumption: in May 2025, Builder.ai collapsed after raising approximately $450M from a cap table that included Insight Partners, Microsoft, the Qatar Investment Authority, Iconiq Capital, Lakestar and Jungle Ventures – valuing the business at roughly $1.5B at peak. The post-collapse investigation showed revenue overstated by approximately 4×, an "AI" with a substantial human-in-the-loop component, and a defensibility argument structurally weaker than the deck implied. If these investors can underwrite an asset of that profile without a structured technical method, the gap is not a story about under-resourced mid-market funds. It is a structural one across the industry – which is exactly why the 9% number from Bain looks the way it does. Quality of investors and quality of Tech DD are not the same thing.

3. Three Engagements, Three Findings

Practical examples from our track record of structured Tech DD that produced powerful insights into a considered investment decision. Three short notes – anonymised, paraphrased – each tagged to the area in Section 2 where the finding landed.

A mature cross-border B2B marketplace

Operating cross-border across Europe for well over a decade, sub-200k transactions annually - real scale, real network effects on both sides. The commercial metrics looked clean and the platform had clearly proven its resilience over time. When we got into the architecture, we found that organic growth had created tight inter-module dependencies and limited API boundaries. Not unusual for a platform at this stage, but it means delivery slows as the team grows and external integrations get harder to execute cleanly. The business had scaled well - the tech just needed to catch up with the ambition.

Where it landed: Architecture & Stack and Scalability & Growth. What the PE buyer captured: a sequenced API-boundary and decoupling programme, priced into Years 1–2 of the value bridge before signing. The result - delivery velocity that holds flat as headcount and integrations scale, and a Year-3 growth case that is no longer dependent on a refactor nobody had budgeted.

An established SaaS platform in CEE

Strong merchant traction across CEE. Retention looked solid and the product roadmap was credible on paper. When we got under the hood, dependency governance and versioning across open-source components weren't standardised, and CI/CD maturity was behind where you'd expect for the platform's scale. Some modules were solid; others carried accumulated technical debt that wasn't visible from the outside. Nothing that can't be addressed - but it needs to be modelled into the post-close roadmap before commitments are made.

Where it landed: Code Quality and the 90-Day Roadmap. What the PE buyer captured: a 12-month engineering-hygiene workstream - dependency governance, versioning, CI/CD uplift - negotiated into the SPA and pre-funded out of the seller's ask, not discovered in Year 2 at the cost of a transformation budget and exit-multiple haircuts.

A cloud-based platform serving multi-site operators

Strong product-market fit, real switching costs, clear traction in an underpenetrated vertical. The team looked stable and the product metrics were encouraging. What Tech DD surfaced was that critical system knowledge - incident response, integration logic, deployment procedures - was concentrated in a small number of individuals without formalised ownership. Common in founder-led companies at this stage, but it changes the post-acquisition risk profile significantly. Continuity needs to be engineered, not assumed.

Where it landed: Team & Delivery. What the PE buyer captured: a documented continuity plan, a targeted retention package for the critical few, and a 90-day knowledge-transfer programme - built into the IC model before signing. Post-acquisition risk priced into the entry, not absorbed by the first incident in Year 1.

4. The Anatomy of a €100M Hit for a US Deal – €20M in Europe, Same Math

At this point the math is almost a formality, but it's worth doing once, slowly, because the order of magnitude is the part most decks understate.

Take a typical mid-market software target. €20M ARR. Buy-side multiple at 10× ARR - €200M enterprise value, in line with the market for high-quality recurring revenue with net retention above 110%. Apply any of the three exposures from Section 1 - misclassification, commoditisation, or modernization - and the multiple compresses. Two turns is a soft scenario. Five turns is a hard one and not unusual when the AI defensibility claim collapses. In other words: €20M ARR × (10× − 5×) = €100M - the downside one missed Tech DD prints on the IC memo.

The €100M figure anchors a US mid-market deal (€10M ARR × 10×). Run the same logic on a European mid-market deal (€5M ARR × 6×) and the unpriced exposure compresses to €15–20M. Same math, different scale.

On the European side, the math is identical, the numbers smaller. European software M&A in 2025 cleared at a median of ~3× EV/Revenue, with the top quartile around 7× (Aventis Advisors, 2026); roughly half of all DACH and Southern European software transactions closed under €5M EV (Dealsuite, 2025). On a typical European target – €5M ARR × 6× = €30M EV – two turns of compression alone are €10M; layer in commoditisation and unpriced modernization debt, and the unpriced exposure lands at €15–20M. Half of EV at risk on the same three risks, on a fund with a much smaller margin for error.

Figure 3. No single bill kills the deal. Three bills together halve the multiple.

That is what makes the 9% number uncomfortable. In a market where roughly nine out of ten buy-side software deals close without a structured Tech DD, the variance on the IC outcome is being absorbed entirely by post-close transformation budgets – or worse, by writedowns. Not before the SPA. After.

5. The Three IC Reflexes

If the Tech DD is the instrument, the IC is the operator. Three reflexes turn the instrument into a decision rule.

Reflex 1 · Two questions that change the IC memo. Before the next deal goes to vote, ask the team: "What is the refactor implied by our Year-3 growth case, and who has scoped it?" Then: "What does our value bridge look like if that refactor is sequenced into Year 1 instead of Year 2?" If the answers are vague, a structured Tech DD is the cheapest way to make them concrete. The refactor thesis isn't a Tech DD finding. It's a valuation argument – the same dollar of opex, sequenced twelve months earlier, moves the exit multiple. ICs that internalise this stop treating Tech DD as a hygiene item and start treating it as a value-creation lever.

Reflex 2 · Time-box the assessment, pre-budget the intervention. A pre-transaction engagement, time-boxed and scoped against the thesis. The output is a RAG-scored decision, not a 200-page report. And – increasingly material in 2026 – that assessment now has to absorb EU NIS2 obligations explicitly: business-critical systems, supplier security, incident reporting, board accountability. NIS2 is not a compliance afterthought; it is a line item that lands in the operating budget of every PE-backed software business with EU revenue, and ICs that have not pre-budgeted it are pricing it twice – once at acquisition, once at audit.

Reflex 3 · A walk-or-reprice rule the IC uses. When the assessment returns Red on Architecture or AI Maturity – walk or reprice by at least the full modernization cost plus a risk premium. When it returns Amber on Security or Team – fund a 90-day intervention out of the seller's ask in the SPA. When it returns Green across the board – close faster, with a clean conscience and a documented basis for the IC vote. The point of a structured Tech DD is not to find reasons to say no. It is to make the yes defensible and the no fast.

A Note from the Author

I wrote this article because the conversations I am having with PE Partners and Principals in DACH, Benelux, and the UK have shifted in the last eighteen months. The deal flow is denser, the AI claims are louder, and the variance between a clean IC and a difficult one increasingly comes down to what the technical due diligence – or its absence – surfaced before the SPA.

I am not arguing for more reports. I am arguing for sharper input into the decisions that already get made every week. If any of the three bills sounded familiar – or if a deal under exclusivity is making one of the eight areas in Section 2 itch – I am happy to compare notes.

Jacek Podoba, Altimi CEO.

Sources & Further Reading

•  Bain & Company – Global Private Equity Report 2026

•  Bain & Company – The Changing Face of Technology Due Diligence

•  Bain & Company – AI in Due Diligence

•  Bessemer Cloud Index 2025

•  TechCrunch – Delve accused of misleading customers with fake compliance (March 2026)

•  Forbes – AI wrappers lack defensibility (September 2025, Builder.ai post-mortem context)

•  Statista – Areas of Increased Attention in European PE Due Diligence (2024)

•  Aventis Advisors – Software Valuation Multiples (2026 review of 2025 data)

•  Dealsuite – Southern European M&A Monitor (2025)

•  European Commission – NIS2 Directive
