The Anatomy of a Skipped Tech DD

Only 1 in 10 PE funds follow the obvious. The rest risk €100M.

Jacek Podoba

CEO, Altimi

May 4, 2026

min read

Behind that 9-in-10 number sits something more structural than a discipline gap. There are three strategic risks every mid-market deal carries on its technical layer – and the Investment Committee memo, however well written, is built to see almost none of them. Before we get to the eight places, we look to avoid pricey deadlocks, here is what we mean by typical PE deal exposures.

‍

1. The Three Exposures That Bend the Multiple

A mid-market software target lands on your desk. €20 million ARR.Net retention above 110%. Founder still in the chair. On paper, every conventional input checks out: the seller's deck is polished, the financial diligence is clean, the commercial DD reads well. The deal team is leaning toward yes.

And then, somewhere between the data room and the IC memo, three exposures begin to form – nobody is pricing them yet, but every single one is real. None appear in the financial diligence. None show up in the model. All three become tangible the moment you sign – and at least one will be material enough to bend the return curve, the management fee narrative, and, in the worst case, fund-level performance. Let's go straight to the merits.

01 · MISCLASSIFICATION – A SaaS that isn’t a SaaS

The asset looks like a textbook SaaS business: subscription revenue, low churn, a positive net retention story, a product that customers like. The deck describes it that way, the CIM describes it that way, and most of the deal team will, by the second week, describe it that way too. The trouble is that the market keeps calling things "SaaS" that aren't. A thin orchestration layer sitting on top of GPT-5 – or whichever model is the headline this quarter; if you're reading this in three months, mentally swap in the next one. A workflow tool whose core IP is a prompt template and a Stripe integration. A "platform" that turns out to be three serverless functions and a database. The multiple you're paying assumes durable software economics – recurring, defensible, gross-margin-stable. On closer inspection, the asset has the unit economics of a managed service. You don't find that on the deck or in the audited accounts. You find it in the architecture diagrams, in the observability stack the team uses day-to-day, and in how much engineering time disappears into firefighting versus shipping new product.

02 · COMMODITISATION – An AI that isn’t an AI

On the surface, the company has a credible AI story. There is a working product, paying customers, real engagement metrics, and an AI line in the pitch that has clearly helped close the round. Look one layer deeper and the picture changes. The "AI engine" the deck describes turns out to be a wrapper. The model isn't fine-tuned. The data isn't proprietary. There's no evaluation pipeline. There's no fallback when the underlying provider ships a price cut, a competitor, or a deprecation. Inference cost is sitting at a percentage of revenue that nobody on the deal team has stress-tested at next year's scale. None of this kills the thesis. All of it shifts the multiple -and the negotiation – if it's found before the SPA.

03 · MODERNIZATION – A platform that can’t keep growing

A €15M ARR business with a healthy customer base, a recognised brand in its niche, and a product roadmap that has clearly delivered for several years. The team is proud of what they've built, and they have reason to be. The catch sits underneath: a payment module written in 2017 that 40% of revenue still routes through. A monolith no one wants to refactor – not because they don't want to, but because it has never been the priority. Business needed to keep moving – organically, step by step, adding complexity, accumulating debt. Legacy keeps growing. A senior engineer who's been there nine years and is the only person who fully understands the billing engine. None of this is a red flag in isolation. All of it becomes one when you find out, four months post-close, that the Year-3 growth case in your model assumes a refactor that nobody has scoped, sequenced, or budgeted.

Three exposures. None of them in the deck. All of them quickly findable – and all of them missed, not because nobody was looking, but because nobody was looking in a structured way.

Bain has been measuring this for years, and the numbers haven't moved much. For pure-play software deals, where the technology is the asset, structured tech due diligence happens in roughly 15% of buyouts. For PE buyouts overall the rate is closer to 9% – even though, in the most recent year measured, 31% of all buyouts involved technology companies, and a much larger share targeted non-tech businesses where technology sits at the heart of the value proposition. PitchBook puts the volume of those tech-enabled deals at roughly 3× what it was five years ago. (Bain & Company, Global Private Equity Report 2026; Bain - Is Your Tech Due Diligence Good Enough?)

Read that again. Roughly nine in ten PE buy – side deals – in a market where technology is increasingly the value driver – close without structured technical due diligence. Roughly seven in ten of the deals where the asset is the technology close without it. The volume of tech-enabled deals has tripled in five years; the share of them that get a professional technical look has not.

Those 9% / 15% / 31% figures are global buyout numbers – Europe sits inside the sample, not above it.
A 2024 Statista survey of European PE firms ranks ESG (78%) as the top due-diligence focus area, with cybersecurity second; structured Tech DD does not make the European top five at all (Statista, 2024). Europe is not quieter on Tech DD because it is more careful. The topic is not named in the room.

*Figure 1. The market doubled tech-driven deal share. The sharethat gets a Tech DD did not move.*

Tech DD is the cheapest line item with the highest variance in the entire deal process. And it is the one most often skipped – or, just as often, handled by a half-hour call with an ex-Google friend, an interim CTO on a per-day rate, or a member of the deal team running it in-house, supported by AI tools. None of those people are bad operators. None of them are a structured technical method.

The alternative is not a 200-page Deloitte deck or a McKinsey transformation programme. That is, almost certainly, why only ~10% of deals can justify the cost, the timeline, and the orchestration overhead of a binder-style report – the economics simply don't fit a mid-market hold. There is a faster, sharper, more applied way to do this work: a 2–3 week, thesis-driven exercise that produces a RAG-scored decision document an IC can vote on, not a binder no one will open. That is the discipline this article walks through. Eight places where these three exposures actually hide. Three short notes from real engagements. The math behind a missed call. And the three reflexes we'd encourage any IC to adopt before the next vote.

2. Eight Places We Look First

When we get into a target, the three exposures almost always cluster in the same eight places. Not because the playbook is generic – because the underlying economics are. Once you know where to look, the findings repeat. The composite illustrations below come from real engagements; no single client is identifiable.

*Figure 2. Where each of the three bills surfaces across theeight Tech DD areas. Severity scaled by the Altimi TechDD methodology.*

1 · Architecture & Stack. The deck says "modern microservices." The architecture diagram says 40% of revenue still routes through a 9-year-old payment module wrapped by three abstraction layers. The IC has underwritten a 5× ARR growth thesis over the hold; that single module now sits on the critical path of every refactor that thesis implies. Sequence it wrong, and Year-2 platform work blocks Year-3 expansion.

2 · Code Quality. The aggregate test-coverage number on the seller's slide is 81% – a figure most ICs will read as "healthy." Break it down by module and the picture changes: the public-facing API is well-tested, but the billing engine – where every bug is a direct invoice error for a paying customer – sits at 12%. The headline is investor-grade; the part that moves churn and net retention is essentially untested. One regression, one escalation, one customer comparing notes, and the hit lands on the very metrics commercial DD trusted.

3 · Infrastructure & Cloud. The deck highlights AWS as the primary provider with enterprise account support – defensible, and where more than half of modern software runs today. The exposure sits one layer down: the data plane and managed services are deeply coupled to that vendor's primitives, with no abstraction layer in between. A back-of-the-envelope estimate to lift-and-shift to a second provider – or to a parallel region for failover – lands at $4–6M and 12–18 months of engineering. On top of that, an active customer in a regulated jurisdiction is asking for in-region data residency the current setup can't deliver. None of them are on the deck. All of it sits between the IC's growth case and the next enterprise renewal.

4 · Security & Compliance. A SOC 2 audit is on file, presented as proof of maturity. SOC 2 is not a Tech DD – a distinction misread in data rooms often. SOC 2 attests that controls exist; Tech DD asks whether the architecture, the code, and the team behind them deliver what the IC memo assumes. On the asset itself, a simple scan surfaces an exposed admin endpoint behind a guessable subdomain. Compliance attestation, real exposure – increasingly two different conversations under EU NIS2.

5 · AI & Data Maturity. The "AI engine" is, on inspection, a wrapper around a third-party model. No evaluation harness, no fallback model, no spend governance. The current inference bill: $94k a month, growing linearly with usage, never projected past current ARR. The defensibility argument doesn't survive the architecture diagram.

6 · Scalability & Growth. The 5× load test held. The 10× load test broke at the database layer eleven minutes in. The IC growth case assumed 8× by Year 3. That gap is a refactor – or a re-platform – that needs to be priced into the value bridge before, not after, the SPA.

7 · Team & Delivery. Three of seven senior engineers hold all production deployment knowledge; two have non-competes expiring within the holding period. Underneath, the SDLC is informal: no documented branching model, ad-hoc code review, releases from individual laptops, incident-response playbook in a private Slack channel. This isn't key-person risk as a footnote – it is the operating reality of every release window for the next 36 months, and a meaningful slice of the post-acquisition cost of getting engineering onto a delivery cadence the value bridge can rely on.

8 · 90-Day Roadmap. The output of the seven areas above isn't a list of complaints. It is one sequenced 90-day intervention: payment-module decoupling (Area 1) and billing-engine test coverage (Area 2) first, both on the critical path of the growth thesis; multi-region failover and cloud portability (Area 3) plus the network-boundary fix (Area 4) in parallel on a 60-day clock; AI evaluation harness and inference-spend governance (Area 5) before the next renewal; the 10× scalability fix (Area 6) and SDLC + key-person work (Area 7) phased into months 2 and 3. Total: €640k of opex pulled forward, mapped to a 14-month modernization line item, integrated into the value bridge before the SPA. That is the difference between a Tech DD and a CTO call – not a longer report, but a sequenced intervention an operator can execute.

Eight places. The same three exposures, hiding in different r ooms of the same house.

A useful counterweight on the "high-quality investors caught it" assumption: in May 2025, Builder.ai collapsed after raising approximately $450M from a cap table that included Insight Partners, Microsoft, the Qatar Investment Authority, Iconiq Capital, Lakestar and Jungle Ventures – valuing the business at roughly $1.5B at peak. The post-collapse investigation showed revenue overstated by approximately 4×, an "AI" with a substantial human-in-the-loop component, and a defensibility argument structurally weaker than the deck implied. If these investors can underwrite an asset of that profile without a structured technical method, the gap is not a story about under-resourced mid-market funds. It is a structural one across the industry – which is exactly why the 9% number from Bain looks the way it does. Quality of investors and quality of Tech DD are not the same thing.

3. Three Engagements, Three Findings

Practical examples from our track record of structured Tech DD that produced powerful insights into a considered investment decision. Three short notes – anonymised, paraphrased – each tagged to the area in Section 2 where the finding landed.

A mature cross-border B2B marketplace

Operating cross-border across Europe for well over a decade, sub-200k transactions annually – real scale, real network effects on both sides. The commercial metrics looked clean and the platform had clearly proven its resilience over time. When we got into the architecture, we found that organic growth had created tight inter-module dependencies and limited API boundaries. Not unusual for a platform at this stage, but it means delivery slows as the team grows and external integrations get harder to execute cleanly. The business had scaled well – the tech just needed to catch up with the ambition.‍

Where it landed: Architecture & Stack and Scalability & Growth. What the PE buyer captured: a sequenced API-boundary and decoupling programme, priced into Years 1–2 of the value bridge before signing. The result – delivery velocity that holds flat as headcount and integrations scale, and a Year-3 growth case that is no longer dependent on a refactor nobody had budgeted.

‍An established SaaS platform in CEE

Strong merchant traction across CEE. Retention looked solid and the product roadmap was credible on paper. When we got under the hood, dependency governance and versioning across open-source components weren't standardised, and CI/CD maturity was behind where you'd expect for the platform's scale. Some modules were solid; others carried accumulated technical debt that wasn't visible from the outside. Nothing that can't be addressed – but it needs to be modelled into the post-close roadmap before commitments are made.‍

Where it landed: Code Quality and the 90-Day Roadmap. What the PE buyer captured:
‍a 12-month engineering-hygiene workstream - dependency governance, versioning, CI/CD uplift – negotiated into the SPA and pre-funded out of the seller's ask, not discovered in Year 2 at the cost of a transformation budget and exit-multiple haircuts.

A cloud-based platform serving multi-site operators

Strong product-market fit, real switching costs, clear traction in an underpenetrated vertical. The team looked stable and the product metrics were encouraging. What Tech DD surfaced was that critical system knowledge – incident response, integration logic, deployment procedures – was concentrated in a small number of individuals without formalised ownership. Common in founder-led companies at this stage, but it changes the post-acquisition risk profile significantly. Continuity needs to be engineered, not assumed.‍

Where it landed: Team & Delivery. What the PE buyer captured: a documented continuity plan, a targeted retention package for the critical few, and a 90-day knowledge – transfer programme – built into the IC model before signing. Post-acquisition risk priced into the entry, not absorbed by the first incident in
Year 1.

‍

4. The Anatomy of a €100M Hit for US deal – €20M in Europe, Same Math

At this point the math is almost a formality, but it's worth doing once, slowly, because the order of magnitude is the part most decks understate.

Take a typical mid-market software target. €20M ARR. Buy-side multiple at 10× ARR - €200M enterprise value, in line with the market for high-quality recurring revenue with net retention above 110%. Apply any of the three exposures from Section 1 - misclassification, commoditisation, or modernization – and the multiple compresses. Two turns is a soft scenario. Five turns is a hard one and not unusual when the AI defensibility claim collapses. In other words: €20M ARR × (10× − 5×) = €100M - the downside one missed Tech DD prints on the IC memo.

The €100M figure anchors a US mid-market deal (€10M ARR × 10×). Run the same logic on a European mid-market deal (€5M ARR × 6×) and the unpriced exposure compresses to €15–20M. Same math, different scale.

On the European side, the math is identical, the numbers smaller. European software M&A in 2025 cleared at a median of ~3× EV/Revenue, with the top quartile around 7× (Aventis Advisors, 2026); roughly half of all DACH and Southern European software transactions closed under €5M EV (Dealsuite, 2025). On a typical European target – €5M ARR × 6× = €30M EV – two turns of compression alone are €10M; layer in commoditisation and unpriced modernization debt, and the unpriced exposure lands at €15–20M. Half of EV at risk on the same three risks, on a fund with a much smaller margin for error.

That is what makes the 9% number uncomfortable. In a market where roughly nine out of ten buy-side software deals close without a structured Tech DD, the variance on the IC outcome is being absorbed entirely by post-close transformation budgets – or worse, by writedowns. Not before the SPA. After.

‍

5. The Three IC Reflexes

If the Tech DD is the instrument, the IC is the operator. Three reflexes turn the instrument into a decision rule.

Reflex 1 · Two questions that change the IC memo. Before the next deal goes to vote, ask the team: "What is the refactor implied by our Year-3 growth case, and who has scoped it?" Then: "What does our value bridge look like if that refactor is sequenced into Year 1 instead of Year 2?" If the answers are vague, a structured Tech DD is the cheapest way to make them concrete. The refactor thesis isn't a Tech DD finding. It's a valuation argument – the same dollar of opex, sequenced twelve months earlier, moves the exit multiple. ICs that internalise this stop treating Tech DD as a hygiene item and start treating it as a value-creation lever.

Reflex 2 · Time-box the assessment, pre-budget the intervention. A pre-transaction engagement, time-boxed and scoped against the thesis. The output is a RAG-scored decision, not a 200-page report. And – increasingly material in 2026 – that assessment now has to absorb EU NIS2 obligations explicitly: business-critical systems, supplier security, incident reporting, board accountability. NIS2 is not a compliance after thought; it is a line item that lands in the operating budget of every PE-backed software business with EU revenue, and ICs that have not pre-budgeted it are pricing it twice – once at acquisition, once at audit.

Reflex 3 · A walk-or-reprice rule the IC uses. When the assessment returns Red on Architecture or AI Maturity – walk or reprice by at least the full modernization cost plus a risk premium. When it returns Amber on Security or Team – fund a 90-day intervention out of the seller's ask in the SPA. When it returns Green across the board – close faster, with a clean conscience and a documented basis for the IC vote. The point of a structured Tech DD is not to find reasons to say no. It is to make the yes defensible and the no fast.

---

A Note from the Author

I wrote this article because the conversations I am having with PE Partners and Principals in DACH, Benelux, and the UK have shifted in the last eighteen months. The deal flow is denser, the AI claims are louder, and the variance between a clean IC and a difficult one increasingly comes down to what the technical due diligence – or its absence – surfaced before the SPA.

I am not arguing for more reports. I am arguing for sharper input into the decisions that already get made every week. If any of the three bills sounded familiar – or if a deal under exclusivity is making one of the eight areas in Section 2 itch – I am happy to compare notes.

– Jacek Podoba, CEO @ Altimi | Tech Due Dilligence & Software Services

‍