Engagement Dashboard
Overview of active and recent engagements
Active Engagements
4
2 in processing, 1 in review, 1 in delivery
Completed (YTD)
12
+3 from last quarter
▲ 33%
Avg. Completion
23 hrs
vs. 88 hrs manual
▲ 74% faster
Revenue (YTD)
$487K
Across all engagement tiers
▲ 42%
Active Engagements
68
Acme SaaS Corp — Technology DD
SDLC 81
Sec 58
DevOps 85
—
NovaTech Industries — Technology DD
Track 14/39 evaluating...
76
CloudBridge Analytics — Technology DD
Report sent Apr 18
—
HealthFirst Platform — Technology DD
842 docs received
Recent Activity
CloudBridge Analytics report delivered to Summit Partners
2 hours ago
Acme SaaS Corp — 3 findings flagged for consultant review (confidence <85%)
4 hours ago
NovaTech Industries AI processing started — 39 tracks queued
6 hours ago
HealthFirst Platform VDR documents uploaded by General Atlantic
Yesterday
Acme SaaS Corp Security track evaluation complete — score: 58 (High Risk)
Yesterday
Engagement Pipeline
VDR Upload1 engagement
AI Processing1 engagement
Consultant Review1 engagement
Delivery1 engagement
Completed (Q2)4 engagements
Acme SaaS Corp — Technology DD
Meridian Capital Partners · Enterprise Tier · Engagement #ENG-2026-047
Composite Score
68
Moderate Risk
Documents Processed
1,247
of 1,247 uploaded
Findings Generated
184
67 strengths · 89 risks · 28 opps
Recommendations
94
Est. remediation: $1.2M–$2.8M
Overview
Track Scores
Timeline
Team
Track Score Summary
Risk Distribution
Critical Findings Requiring Review
4 CriticalNo incident response runbook or escalation procedure
The company lacks a documented incident response plan. Security incidents are handled ad-hoc with no defined escalation path, SLA, or communication protocol. This represents significant regulatory exposure under SOC 2, ISO 27001 A.16, and HIPAA §164.308(a)(6).
Production database credentials stored in plaintext config files
Database connection strings with credentials found in 3 configuration files committed to the Git repository. No secrets management solution (Vault, AWS Secrets Manager) in use. All production credentials should be considered compromised.
Virtual Data Room
1,247 documents uploaded · 1,247 classified · 0 pending
Drag & drop files or click to upload
Supports PDF, DOCX, XLSX, PPTX, ZIP, code repositories · AES-256 encrypted
File Name
Size
Classified To
Status
incident-response-plan.pdf
2.4 MB
Security Compliance
Processed
.gitlab-ci.yml
18 KB
SDLC DevOps
Processed
architecture-overview.pptx
8.7 MB
Architecture
Processed
employee-handbook-2025.pdf
4.1 MB
People
Processed
backend-repo.zip
156 MB
Architecture SDLC
Processed
soc2-type1-report.pdf
12.3 MB
Compliance Security
Processed
database-erd.xlsx
340 KB
Data Architecture
Processed
vendor-contracts-bundle.pdf
28.5 MB
Infrastructure
Processed
Showing 8 of 1,247 documents · Load more
AI Processing Status
Knowledge Graph evaluation across all applicable tracks
Overall Progress
100%
All tracks evaluated
Processing Time
4.2 hrs
vs. 88 hrs manual
Indicators Evaluated
847
of 1,279 in Knowledge Graph
Confidence Score
91%
Avg. across all findings
Track-by-Track Processing
DevOps & CI/CD
85/85 indicators · 22 findings · Score: 85
SDLC
59/59 indicators · 28 findings · Score: 81
Product Management
49/49 indicators · 18 findings · Score: 74
App Architecture
75/75 indicators · 32 findings · Score: 72
Delivery Infrastructure
97/97 indicators · 24 findings · Score: 68
Data & Analytics
48/48 indicators · 20 findings · 2 flagged for review
Enterprise Security & Governance
57/57 indicators · 34 findings · 6 flagged for review
AI / ML
30/30 indicators · 12 findings · Score: 42
Findings Review
184 findings generated · 12 flagged for review · 4 critical
All (184)
Strengths (67)
Risks (89)
Opportunities (28)
Needs Review (4)
🔴 No incident response runbook or escalation procedure
The company lacks a documented incident response plan. Security incidents are handled ad-hoc with no defined escalation path.
🔴 Production credentials in plaintext config files
Database connection strings with credentials found in 3 configuration files committed to the Git repository.
🟠 No automated rollback in CI/CD pipeline
Deployment pipeline lacks automated rollback capability. Failed deployments require manual intervention.
✅ Comprehensive automated test suite with 87% coverage
Well-structured test suite covering unit, integration, and e2e tests. CI enforces minimum coverage thresholds.
💡 Implement blue-green deployment for zero-downtime releases
Current single-deploy model creates 5-15 minute windows of degraded service during releases. Blue-green or canary deployment would eliminate this.
✅ Kubernetes-based infrastructure with auto-scaling
Production workloads run on EKS with horizontal pod autoscaling, demonstrating cloud-native maturity.
Showing 6 of 184 findings · Load more
Recommendations & Costing
94 recommendations · Estimated total remediation: $1.2M–$2.8M
Critical Priority
6
$120K–$280K est.
High Priority
32
$450K–$1.1M est.
Medium Priority
38
$380K–$920K est.
Low Priority
18
$90K–$210K est.
| Recommendation | Track | Priority | Duration | OTC Cost | Annual Cost | Linked Finding |
|---|---|---|---|---|---|---|
| Establish incident response runbook & test quarterly | Security | Critical | <1 mo | $5K–$15K | $2K–$5K | SEC-IR-001 |
| Implement secrets management (HashiCorp Vault / AWS SM) | Security | Critical | 1–3 mo | $15K–$40K | $5K–$12K | PSEC-SM-003 |
| Implement automated rollback in CI/CD pipeline | SDLC | High | 1–3 mo | $10K–$30K | $0 | SDLC-RM-007 |
| Deploy blue-green or canary deployment strategy | DevOps | High | 1–3 mo | $10K–$50K | $3K–$8K | DO-DEP-004 |
| Establish formal data governance program | Data | High | 3–6 mo | $25K–$75K | $15K–$30K | DATA-GOV-001 |
| Develop ML model monitoring & retraining pipeline | AI/ML | Medium | 3–6 mo | $40K–$100K | $20K–$40K | AIML-OPS-002 |
Showing 6 of 94 recommendations · Load more
Report Builder — Acme SaaS Corp
Technology Due Diligence Report · ENG-2026-047 · Prepared for Meridian Capital Partners
Report Version & Metadata
Version number, dates, engagement details
Ready
▼
Version
Report Date
Engagement ID
Client
Target Company
Status
Changelog (from v2.0)
Updated AI/ML track scoring following additional documentation review. Revised remediation cost estimates for security findings. Added 3 new Q&A thread responses from client.
Summary Cards
Composite score, critical findings count, total findings, data coverage
Ready
▼
Composite Score
Rating
Critical Findings
Require immediate attention
Total Findings
Across 8 diligence tracks
Data Coverage
52 of 60 items received
Executive Summary
3 paragraphs · Company overview, key findings, remediation outlook
In Review
▼
Acme SaaS Corp operates a multi-tenant B2B platform serving approximately 2,400 mid-market customers across healthcare and fintech verticals. The core application is built on a modern stack (React, Python/FastAPI, PostgreSQL) deployed on AWS with containerized services via ECS Fargate. Annual recurring revenue stands at $24.6M with 118% net revenue retention.
The technology estate demonstrates strong engineering culture with mature CI/CD practices (DevOps: 85, SDLC: 81) and high test coverage. However, the review identified critical gaps in security governance (score: 58) and nascent AI/ML capabilities (score: 42) that present material risk. Four critical findings require immediate remediation at an estimated $120K–$280K. An additional five high-severity findings relate to technical debt in the authentication subsystem, inconsistent API versioning, and gaps in automated test coverage for payment processing modules.
Post-remediation, the technology platform is well-positioned to support 3x revenue scaling. The technology team of 42 engineers demonstrates strong domain expertise, and the CTO has a credible 18-month roadmap addressing most identified gaps. Estimated total remediation cost for critical and high-severity findings is $340K–$520K over a 6-month horizon.
Risk Matrix
9 findings · 4 critical, 2 high, 2 medium, 1 low
Ready
▼
⠿
Track
Est. Remediation
Impact Statement
⠿
Track
Est. Remediation
Impact Statement
⠿
Track
Est. Remediation
Impact Statement
⠿
Track
Est. Remediation
Impact Statement
+ 5 more findings (2 high, 2 medium, 1 low) · Show all
Track Scores & Detailed Findings
8 tracks · Score, meter, severity breakdown, expandable detail per track
Ready
▼
🚀 DevOps & CI/CD
/ 100
Findings
Severity Breakdown
Est. Remediation
🔄 SDLC & Quality
/ 100
Findings
Severity Breakdown
Est. Remediation
📋 Product Management
/ 100
Findings
Severity Breakdown
Est. Remediation
🏗️ App Architecture
/ 100
Findings
Severity Breakdown
Est. Remediation
☁️ Delivery Infrastructure
/ 100
Findings
Severity Breakdown
Est. Remediation
📊 Data & Analytics
/ 100
Findings
Severity Breakdown
Est. Remediation
🔒 Enterprise Security
/ 100
Findings
Severity Breakdown
Est. Remediation
🤖 AI / ML
/ 100
Findings
Severity Breakdown
Est. Remediation
Data Request Gap Analysis
60 items · 46 received, 6 partial, 8 missing
Ready
▼
Architecture
Infrastructure
DevOps
Team
Security
Architecture
AI/ML
Infrastructure
Security
Security
Q&A Threads
3 questions · 2 answered, 1 pending response
1 Pending
▼
Architecture
James Morrison · April 12, 2026
Answered
Regarding the monolithic data pipeline — has the Acme team provided any timeline or internal plans to decompose this before our involvement?
Your Response
Yes — the CTO's 18-month roadmap includes a "Pipeline Modernization" initiative slated for Q3 2026. Their initial plan calls for extracting the enrichment and delivery stages into separate services first, which aligns with our recommended decomposition sequence. They've budgeted 2 engineers for this, though our assessment suggests 3 would be needed to hit the Q3 target.
Security
James Morrison · April 14, 2026
Answered
How concerned should we be about the custom OAuth implementation from a compliance standpoint?
Your Response
It's a manageable remediation but should be prioritized in the first 90 days post-close. The custom implementation isn't inherently insecure — it passes basic OWASP checks — but auditors will flag the lack of a certified identity provider. Migration to Auth0 or Cognito is a 6–8 week effort. I'd recommend making this a condition of the 100-day plan rather than a deal consideration.
AI/ML
Sarah Chen · April 16, 2026
Needs Response
The AI/ML score of 42 is concerning. Is this typical for companies at Acme's stage, or is this a genuine red flag for the investment thesis?
Your Response
Click "AI Draft Response" to generate a starting point, or "Manual Edit" to write directly...
Appendices
5 documents · 44 total pages
Ready
▼
Portfolio Overview
Meridian Capital Partners · 3 active engagements · 8 monitored companies
Active DD Engagements
3
1 complete, 1 in review, 1 processing
Portfolio Companies
8
Monitored via KPI tracking
Avg. Tech Score
71
Across portfolio
Open Alerts
3
KPI stagnation detected
Due Diligence Engagements
68
Acme SaaS Corp
76
CloudBridge Analytics
—
NovaTech Industries
KPI Monitoring — Portfolio Health
| Company | Tech Score | Deployment Freq. | Uptime | MTTR | Alert |
|---|---|---|---|---|---|
| DataSync Pro | 82 | 12/week | 99.97% | 18 min | — |
| PayVault Inc | 78 | 8/week | 99.95% | 22 min | — |
| LogiTrack Systems | 65 | 3/week | 99.82% | 45 min | Stagnation |
| MedConnect Health | 61 | 2/week | 99.71% | 58 min | MTTR Rising |
Technology DD Report — Acme SaaS Corp
Prepared by Valeon Partners · April 2026
Composite Score
68
Moderate risk · investable with remediation
Critical Findings
4
Require immediate attention
Total Findings
31
Across 8 diligence tracks
Data Coverage
87%
52 of 60 items received
📊 Executive Summary
Acme SaaS Corp operates a multi-tenant B2B platform serving approximately 2,400 mid-market customers across healthcare and fintech verticals. The core application is built on a modern stack (React, Python/FastAPI, PostgreSQL) deployed on AWS with containerized services via ECS Fargate. Annual recurring revenue stands at $24.6M with 118% net revenue retention.
The technology estate demonstrates strong engineering culture with mature CI/CD practices (DevOps: 85, SDLC: 81) and high test coverage. However, the review identified critical gaps in security governance (score: 58) and nascent AI/ML capabilities (score: 42) that present material risk. Four critical findings require immediate remediation at an estimated $120K–$280K. An additional five high-severity findings relate to technical debt in the authentication subsystem, inconsistent API versioning, and gaps in automated test coverage for payment processing modules.
Post-remediation, the technology platform is well-positioned to support 3x revenue scaling. The technology team of 42 engineers demonstrates strong domain expertise, and the CTO has a credible 18-month roadmap addressing most identified gaps. Estimated total remediation cost for critical and high-severity findings is $340K–$520K over a 6-month horizon.
⚠️ Risk Matrix
| Finding | Severity | Track | Impact | Remediation |
|---|---|---|---|---|
| No incident response runbook or escalation procedure | Critical | Security | Regulatory exposure: SOC 2, ISO 27001, HIPAA §164.308(a)(6) | Document IR plan with escalation matrix; 3 weeks, ~$25K |
| Production credentials stored in plaintext config files | Critical | Security | 3 config files with DB credentials committed to Git; breach vector | Migrate to Vault/Secrets Manager; 2 weeks, ~$15K |
| AI/ML models deployed without validation framework | Critical | AI/ML | No model monitoring, drift detection, or rollback capability | Implement MLOps pipeline with monitoring; 3 months, ~$150K |
| Monolithic data pipeline — single point of failure | Critical | Architecture | Revenue-impacting outage risk; 74% of workflows on single service | Decompose into event-driven microservices; 4–5 months, ~$200K |
| No vulnerability scanning in CI/CD pipeline | High | DevOps | 47 packages out of date with known CVEs undetected | Add Trivy/Snyk to CI pipeline; 1 week, ~$5K |
| Legacy authentication subsystem (custom OAuth) | High | Security | Elevated attack surface; not SOC 2 audit-ready | Migrate to Auth0/Cognito; 6–8 weeks, ~$45K |
| Payment module test coverage at 38% | Medium | SDLC | Regression risk in revenue-critical code paths | Target 85% coverage; 6 weeks, ~$30K |
| Container images not scanned in CI | Medium | DevOps | 12 high-severity CVEs in production images | Add scanning + base image update policy; 1 week |
| No formal runbook documentation | Low | Infrastructure | Increased MTTR during incidents; key-person dependency | Document top-10 incident playbooks; 3 weeks |
🔍 Track Findings
🚀 DevOps & CI/CD
85
/ 100
1 high · 1 medium · 4 total findings
🔄 SDLC & Quality
81
/ 100
1 high · 2 medium · 5 total findings
📋 Product Management
74
/ 100
2 medium · 1 low · 3 total findings
🏗️ App Architecture
72
/ 100
1 critical · 1 high · 6 total findings
☁️ Delivery Infrastructure
68
/ 100
2 high · 2 medium · 5 total findings
📊 Data & Analytics
65
/ 100
1 high · 2 medium · 4 total findings
🔒 Enterprise Security
58
/ 100
2 critical · 1 high · 7 total findings
🤖 AI / ML
42
/ 100
1 critical · 2 high · 5 total findings
🚀 DevOps & CI/CD — Detailed Findings
High No vulnerability scanning in CI/CD pipeline
Dependencies not scanned for known CVEs. Manual Trivy scan during diligence revealed 47 packages out of date with known vulnerabilities across production services.
Medium Container images not scanned before deployment
Docker images pushed to ECR without scanning. 12 high-severity CVEs found in production images including 3 in base OS packages with available patches.
🔄 SDLC & Quality — Detailed Findings
High Payment module test coverage at 38%
The payments service — handling $24.6M ARR in billing flows — has unit test coverage of 38% and zero integration tests against the Stripe API. Three billing regressions shipped to production last quarter. Overall codebase coverage is 71%.
Medium No formal code review SLA
PRs require one approval but have no defined review turnaround expectation. Average review time is 3.8 days with high variance (p95 = 13 days). Two senior engineers account for 61% of all approvals.
📋 Product Management — Detailed Findings
Medium No structured feature flagging or experimentation framework
Feature releases are deployed directly without progressive rollout. No LaunchDarkly, Statsig, or equivalent in place. Product decisions lack A/B testing data; most decisions are based on qualitative feedback from 3–4 key accounts.
🏗️ App Architecture — Detailed Findings
Critical Monolithic data processing pipeline
The core ETL and event processing layer is a single Python service (~52K LOC) handling ingestion, transformation, enrichment, and delivery. Processes 3.1M events/day supporting 74% of revenue-generating workflows. No circuit-breaker or bulkhead patterns implemented.
High Inconsistent API versioning strategy
Public API (280+ consumers) uses a mix of URL path versioning (/v1/, /v2/) and header-based versioning with no deprecation policy. Breaking changes deployed twice in last 12 months without consumer notice.
Medium Shared database schema coupling
Five microservices directly query tables owned by the billing service, bypassing its API contract. Schema changes require coordinated deployments, increasing risk and slowing releases.
☁️ Infrastructure — Detailed Findings
High No validated cross-region DR failover
Production runs in us-east-1 only. No cross-region replication for PostgreSQL or Redis. RDS backups exist (24-hour retention) but have never been tested for PITR. Stated RPO/RTO targets are unvalidated.
Medium Infrastructure-as-Code coverage at 58%
Terraform manages core networking and ECS, but 42% of resources (IAM policies, CloudWatch alarms, S3 lifecycle rules, Lambda functions) were provisioned via AWS console with no IaC representation.
📊 Data & Analytics — Detailed Findings
High No data lineage or catalog tooling
Analytics queries run against production replica with no governed data warehouse. No lineage tracking, data dictionary, or catalog tooling. Business users build reports on undocumented tables.
Medium ETL jobs lack monitoring and alerting
14 Airflow DAGs run daily with no SLA monitoring. Two data pipeline failures in the last quarter went undetected for 72+ hours, affecting downstream reporting.
🔒 Enterprise Security — Detailed Findings
Critical No incident response runbook
No documented IR plan, escalation procedure, or communication templates. Last security incident (Jan 2026) was handled ad-hoc by the CTO. Regulatory exposure across SOC 2, ISO 27001 A.16, and HIPAA §164.308(a)(6).
Critical Production credentials in plaintext
3 config files with database credentials committed to Git repository. AWS access keys found in 2 Lambda function environment variables. No secrets rotation policy in place.
High Custom OAuth implementation
Authentication handled by homegrown OAuth 2.0 server (~6K LOC). Token rotation, refresh token handling, and session management contain non-standard implementations. Last security audit was 14 months ago.
🤖 AI / ML — Detailed Findings
Critical No model validation or monitoring framework
Two ML models in production (churn prediction, lead scoring) deployed without validation framework, drift detection, or rollback capability. Model performance unmeasured since initial deployment 8 months ago.
High Training data not versioned or governed
Training datasets stored in unversioned S3 buckets with no data lineage. PII handling in training pipelines not documented. No bias testing or fairness metrics implemented.
📋 Data Request Gap Analysis
46 Received
6 Partial
8 Missing
System architecture diagrams
Architecture
Received
Cloud infrastructure topology (AWS)
Infrastructure
Received
CI/CD pipeline configuration
DevOps
Received
Employee roster with roles and tenure
Team
Received
Penetration test results (last 12 months)
Security
Partial — Q3 report only
Database schema documentation
Architecture
Partial — 4 of 8 services
ML model documentation & training data provenance
AI/ML
Partial — summary only
Disaster recovery test results
Infrastructure
Not provided
Third-party dependency audit report
Security
Not provided
Incident post-mortem log (last 24 months)
Security
Not provided
💬 Questions & Answers
James Morrison · April 12, 2026 Architecture
Regarding the monolithic data pipeline — has the Acme team provided any timeline or internal plans to decompose this before our involvement? Want to understand if this was already on their roadmap.
Dustin Grant · Valeon Partners · April 12, 2026
Yes — the CTO's 18-month roadmap includes a "Pipeline Modernization" initiative slated for Q3 2026. Their initial plan calls for extracting the enrichment and delivery stages into separate services first, which aligns with our recommended decomposition sequence. They've budgeted 2 engineers for this, though our assessment suggests 3 would be needed to hit the Q3 target.
James Morrison · April 14, 2026 Security
How concerned should we be about the custom OAuth implementation from a compliance standpoint? We're planning SOC 2 Type II certification within 12 months post-close.
Dustin Grant · Valeon Partners · April 14, 2026
It's a manageable remediation but should be prioritized in the first 90 days post-close. The custom implementation isn't inherently insecure — it passes basic OWASP checks — but auditors will flag the lack of a certified identity provider. Migration to Auth0 or Cognito is a 6–8 week effort. I'd recommend making this a condition of the 100-day plan rather than a deal consideration.
Sarah Chen · April 16, 2026 AI/ML
The AI/ML score of 42 is concerning. Is this typical for companies at Acme's stage, or is this a genuine red flag for the investment thesis?
📎 Appendices
📄
Appendix A — Full Technology Stack Inventory
16 pages
📄
Appendix B — AWS Infrastructure Cost Analysis
10 pages
📄
Appendix C — SDLC Metrics Dashboard (DORA)
8 pages
📄
Appendix D — Remediation Roadmap & Cost Estimates
6 pages
📄
Appendix E — AI/ML Capability Assessment Detail
4 pages
End-to-End Encrypted · AES-256
Enterprise Security & Governance
Score: 58 / 100 · Critical Risk · 26 topics evaluated · 57 indicators
Track Score
58
Critical Risk
Strengths
4
Risks
26
2 Critical · 12 High
Recommendations
19
$200K–$480K est.
Key Findings
No incident response runbook or escalation procedure
Missing documented IR plan. Regulatory exposure: SOC 2, ISO 27001 A.16, HIPAA §164.308(a)(6).
Production credentials stored in plaintext
3 config files with database credentials committed to Git repository.
No vulnerability scanning in CI/CD pipeline
Dependencies not scanned for known CVEs. 47 packages out of date with known vulnerabilities.
SOC 2 Type I certification achieved
Completed Jan 2026. Demonstrates commitment to security governance framework.
KPI Dashboard — Acme SaaS Corp
Post-acquisition technology health monitoring · Updated daily
99.94%
Uptime (30d)
Target: 99.9%
12
Deploys / Week
↑ from 8 at acquisition
18 min
MTTR
Target: <30 min
87%
Test Coverage
↑ from 82% at acquisition
4.2
Tech Debt Ratio
Target: <3.0
Uptime Trend (90 days)
Deployment Frequency
⚠️ Stagnation Alert — Tech Debt Ratio
Tech debt ratio has been above target (3.0) for 6 consecutive weeks, currently at 4.2. Recommendation: schedule dedicated tech debt sprint. This metric correlated with declining deployment velocity in 3 prior portfolio companies.
Q&A Threads
3 threads · 2 resolved · 1 pending response
Thread: Security Remediation Timeline
PendingMT
Michael TorresApr 20, 2026 · 2:14 PM
Regarding the critical security findings — specifically the incident response gap and plaintext credentials. What's the realistic timeline to remediate these before close? We're targeting a June 30 close date.
DG
Dustin GrantApr 20, 2026 · 4:32 PM
The secrets management fix (Vault/AWS SM) is a 30-60 day implementation — achievable before close if started immediately. The IR runbook can be established in 2-3 weeks. I'd recommend making both conditions of close with a holdback provision. I've costed these at $20K–$55K total, which is de minimis relative to the deal size. Happy to walk through the implementation plan on our next call.
MT
Michael TorresApr 21, 2026 · 9:45 AM
That's helpful. Can you also provide a 100-day remediation roadmap covering all High and Critical items? We want to present this to our IC alongside the investment memo.
Marketplace
Browse anonymized, pre-scored companies from completed and active due diligence engagements
Sort:
Showing 12 of 12 companies
Interested in a company?
Request the full scored report or schedule a walkthrough with the Valeon team.
Create New Engagement
Set up a new due diligence engagement in 4 steps
1
Company & Client
2
Engagement Scope
3
Track Selection
4
Review & Launch
Target Company
PE Client (Buyer)
Engagement Type
Service Tier
Standard
$25K
Core tracks only (8 tracks, ~500 indicators). AI-scored report with findings and recommendations. 4-week timeline.
Enterprise
$50K
Full track coverage (up to 20 tracks, ~1,000 indicators). Includes management interviews, custom benchmarks, and remediation roadmap.
Premium
$150K
All tracks (39 tracks, 1,279 indicators). White-glove service with on-site interviews, board-ready deliverables, and 90-day post-close support.
Select Evaluation Tracks
8 tracks selected · 679 indicators
Click to toggle tracks. Core tracks are pre-selected based on your tier.
✓
SDLC & Engineering
59 indicators
✓
DevOps & Reliability
45 indicators
✓
Software Architecture
75 indicators
✓
Enterprise Security
57 indicators
✓
Compliance
226 indicators
✓
Product Security
86 indicators
✓
Product Management
49 indicators
✓
Enterprise Systems
97 indicators
✓
AI / Machine Learning
30 indicators
✓
Data Engineering
42 indicators
✓
Cloud Infrastructure
38 indicators
✓
AI Disruption Risk
15 indicators
✓
Market Fit & Expansion
12 indicators
✓
Talent & Org Structure
28 indicators
✓
Technical Debt
35 indicators
VDR Configuration
The platform will generate a categorized document request list based on your selected tracks and indicators.
Engagement Summary
What happens next
📋
VDR Created
Document request list auto-generated from selected tracks. Target company invited to upload.
🤖
AI Processing Queued
Knowledge Graph indicators activated. AI evaluation begins as documents are uploaded to the VDR.
📊
Client Portal Ready
PE client gets live access to track progress, preliminary scores, and Q&A threads as evaluation proceeds.
✅
Ready to launch
Clicking "Launch Engagement" will create the engagement, set up the VDR, and send invitations.
User Management
12 active users across 4 organizations
| User | Organization | Role | Status | Last Active | |
|---|---|---|---|---|---|
| Dustin Grant | dustin@valeonpartners.com | Valeon Partners | Admin | Active | Now |
| Sarah Chen | schen@valeonpartners.com | Valeon Partners | Consultant | Active | 2 hrs ago |
| James Wright | jwright@valeonpartners.com | Valeon Partners | Consultant | Active | Yesterday |
| Michael Torres | mtorres@meridiancap.com | Meridian Capital | Client | Active | 4 hrs ago |
| Rachel Kim | rkim@acmesaas.com | Acme SaaS Corp | Target Co. | Active | Apr 19 |
| David Park | dpark@leoncapital.com | Leon Capital Group | Admin | Active | Apr 18 |
Knowledge Graph Management
21,224 decision nodes · 39 tracks · 394 topics · 1,279 indicators
Total Nodes
21,224
Technology DD vertical
Tracks
39
13 Tech · 25 Process · 1 People
Indicators
1,279
712 Essential · 567 Additional
Last Updated
Apr 19
3 indicators revised
Tracks
Compliance226 indicators
Enterprise Systems97 indicators
Product Security86 indicators
Software App Architecture75 indicators
SDLC59 indicators
Enterprise Security & Gov57 indicators
Product Management49 indicators
AI / Machine Learning30 indicators
+ 31 more tracks
Recent Changes
AIML-OPS-002 indicator revised — added MLOps maturity scoring criteria
Apr 19, 2026
AI Disruption track added — 15 new indicators for AI readiness evaluation
Feb 12, 2026
Market Fit & Expansion track added — 12 indicators for market positioning
Feb 12, 2026
SEC-IR-001 finding text updated — added HIPAA §164.308 reference
Jan 28, 2026
Compliance — 14 new ISO 27001:2022 clause mappings added
Jan 15, 2026
Platform Settings
Configuration, integrations, and system preferences
General
Integrations
Security
Billing
Platform
Production
Integrations
DealCloud CRM
PE deal pipeline sync
AWS (S3 / RDS)
Infrastructure & storage
OpenAI / Anthropic
LLM Gateway
Salesforce
CRM integration
AI Configuration
Human-in-the-loop threshold
Findings below this confidence score require consultant review
Default indicator depth
Which indicator tiers activate by default
Auto-approve high-confidence findings
Automatically approve findings with confidence ≥95%
Virtual Data Room
Acme SaaS Corp — Technology Due Diligence · Managed by Valeon Partners
Documents Uploaded
89
of 142 requested
Completion
63%
+8% this week
37% remaining
Questions Pending
7
3 high priority
Days Remaining
18
Deadline: May 10, 2026
Upload Progress by Category
Architecture & Infrastructure
85%
SDLC & DevOps
78%
Security & Compliance
52%
Product & Engineering Org
71%
Data & AI/ML
38%
Financial & Contracts
60%
Recent Activity
CI/CD Pipeline Config uploaded by Rachel Kim
2 hours ago
AWS Architecture Diagram uploaded by Tom Nguyen
4 hours ago
Question answered: "Clarify DR testing cadence" — Rachel Kim
Yesterday
New question from Valeon: "Provide SOC 2 Type II audit timeline"
Yesterday
3 documents uploaded in Security & Compliance
Apr 19
Engagement started — Virtual Data Room opened
Apr 1
Document Requests
142 total requests · 89 uploaded · 46 pending · 7 overdue
🏗️ Architecture & Infrastructure (17 of 20)
85%
System architecture diagram (current state)
Apr 20
Uploaded
AWS/cloud infrastructure overview
Apr 18
Uploaded
Database schema documentation
Apr 15
Uploaded
Disaster recovery plan & last test results
—
Pending
Network topology & firewall rules
—
Overdue
🔒 Security & Compliance (13 of 25)
52%
SOC 2 Type II report (most recent)
Apr 12
Uploaded
Information security policy
Apr 10
Uploaded
Penetration test results (last 12 months)
—
Pending
Incident response plan & runbook
—
Pending
SOC 2 Type II audit timeline & remediation log
—
Overdue
HIPAA/PCI compliance certifications
—
Pending
⚙️ SDLC & DevOps (14 of 18)
78%
CI/CD pipeline configuration & docs
Apr 22
Uploaded
Git branching strategy & PR workflow
Apr 14
Uploaded
Test automation coverage report
Apr 16
Uploaded
On-call rotation & incident history (12 months)
—
Pending
🧪 Data & AI/ML (6 of 16)
38%
Data architecture overview
Apr 11
Uploaded
ML model inventory & performance metrics
—
Pending
Data governance policy
—
Pending
ETL pipeline documentation & SLAs
—
Overdue
Data retention & deletion policy
—
Pending
Upload Documents
Drag and drop or select files to upload to the Virtual Data Room
Drop files here to upload
PDF, DOCX, XLSX, PNG, CSV — up to 500MB per file
Assign to Request
Recent Uploads
CI_CD_Pipeline_Config.pdf
2.4 MB
AcceptedAWS_Architecture_v3.pdf
8.1 MB
AcceptedSOC2_TypeII_2025.pdf
4.7 MB
AcceptedDB_Schema_Export.xlsx
1.2 MB
Under ReviewInfoSec_Policy_v2.docx
890 KB
AcceptedQuestions from Valeon
7 pending · 23 answered · respond within 48 hours when possible
High Priority Pending
Asked Apr 21 · Due Apr 23
SOC 2 Type II — Provide timeline for remediation of the 3 noted exceptions in the 2025 report
The 2025 SOC 2 Type II report lists 3 exceptions in Change Management (CM-04, CM-07) and Access Control (AC-12). Please provide the remediation timeline and current status for each.
Medium Priority Pending
Asked Apr 20 · Due Apr 24
Clarify disaster recovery testing cadence and last successful test date
What is the current DR testing schedule, and when was the last full failover test completed? Please include RTO/RPO targets and actual results.
Medium Priority Pending
Asked Apr 19 · Due Apr 23
ML model inventory — list all models in production with accuracy metrics and retraining frequency
For each ML model currently serving production traffic, please provide: model name, purpose, accuracy/performance metrics, last retrained date, and retraining schedule.
Answered
Answered Apr 18
Confirm number of production microservices and inter-service communication patterns
✓ Answered by Rachel Kim — "47 services, gRPC internally, REST for external APIs. Architecture doc uploaded to VDR."
Answered
Answered Apr 16
Provide breakdown of test coverage by service tier
✓ Answered by Tom Nguyen — "Core services avg 82% coverage, supporting services 61%. Full report uploaded."
Engagement Timeline
Key milestones and deadlines for the Acme SaaS Corp ITDD engagement
Completed
VDR Opened & Initial Request List Sent
April 1, 2026 — 142 document requests across 6 categories
Completed
Kickoff Call — Scope & Timeline Alignment
April 3, 2026 — Attendees: Valeon (2), Meridian Capital (1), Acme (3)
In Progress
Document Upload & Q&A Phase
April 3 – May 2, 2026 — 63% complete (89 of 142 documents)
Upcoming
Management Interviews (Technical Leadership)
May 5–7, 2026 — CTO, VP Engineering, Head of Security, Data Lead
Upcoming
VDR Close & Document Review Complete
May 10, 2026 — All documents must be uploaded by this date
Upcoming
Draft Report Delivery to Meridian Capital
May 19, 2026 — Preliminary findings and recommendations
Upcoming
Final Report & Presentation
May 26, 2026 — Final scored report delivered to Meridian Capital
Company Comparison
Side-by-side scoring across two completed engagements
Acme SaaS Corp
Composite: 68 · SaaS · $28M ARR
VS
CloudBridge Analytics
Composite: 76 · Data & Analytics · $16M ARR
Key Differences
CloudBridge leads in Data (+23), Architecture (+10), AI/ML (+29)
Significantly stronger data infrastructure and ML maturity. Their analytics-native architecture gives them a natural advantage in these tracks.
Acme leads in DevOps (+7) and has comparable SDLC
Acme's CI/CD pipeline and deployment practices are more mature. SDLC scores are within 2 points — effectively equivalent.
Both weak in Security (58 vs 69) — neither meets enterprise benchmarks
Security is a remediation priority regardless of which company is acquired. Budget 6-12 months of dedicated security improvement post-close.
Management Interviews
4 scheduled · 2 completed · 6 total for Acme SaaS Corp (Enterprise Tier)
Interview Schedule
| Interviewee | Title | Date & Time | Tracks | Status | Notes |
|---|---|---|---|---|---|
| David Park | CTO | May 5, 10:00 AM | Architecture Strategy | Scheduled | |
| Lisa Wang | VP Engineering | May 5, 2:00 PM | SDLC DevOps | Scheduled | |
| James Park | Head of Security | May 6, 10:00 AM | Security Compliance | Scheduled | |
| Maria Santos | Data Lead | May 7, 10:00 AM | Data AI/ML | Scheduled | |
| Rachel Kim | Engineering Manager | Apr 18, 2:00 PM | SDLC | Completed | |
| Tom Nguyen | DevOps Lead | Apr 16, 10:00 AM | DevOps Infra | Completed |
Interview Note Template
Structured template auto-generated from the engagement's active tracks and indicators. Each interview links notes to specific findings.
Architecture Depth Questions
Monolith vs. microservices decision history · Service boundaries · API design philosophy · Technical debt assessment · Scalability constraints
Security & Compliance Questions
SOC 2 remediation timeline · Pen test cadence · Incident response history · Data classification approach · Vendor security review process
Team & Culture Questions
Hiring pipeline · Key-person dependencies · Retention strategy · Engineering career ladder · Onboarding time-to-productivity
Data & AI/ML Questions
ML model inventory · Training data governance · Model monitoring · Retraining cadence · Data pipeline SLAs · Feature store maturity
AI Confidence Dashboard
Human-in-the-loop threshold: 85% · 184 total findings · 142 auto-approved · 42 flagged for review
Auto-Approved
142
Confidence ≥ 85%
Flagged for Review
34
Confidence 60-84%
Low Confidence
8
Confidence < 60%
Avg Confidence
87.3%
Across all findings
Findings Requiring Review (42)
SEC-IR-001
Incident response plan lacks tabletop exercise cadence
42%
Security · Insufficient source data
AIML-GOV-003
No model monitoring or drift detection in production
48%
AI/ML · Missing documentation
DATA-RET-007
Data retention policy not aligned with regulatory requirements
51%
Data · Contradicting sources
ARCH-SCALE-002
Database sharding strategy unclear for 10x traffic growth
64%
Architecture · Needs interview validation
SEC-VULN-004
Pen test results reference unresolved critical CVEs
68%
Security · Partial data
SDLC-TEST-009
Test coverage claims inconsistent between docs and CI reports
72%
SDLC · Contradicting sources
DEVOPS-MON-005
Observability stack covers 60% of services — gaps in newer microservices
78%
DevOps · Estimated from partial data
INFRA-DR-006
RTO/RPO targets documented but never validated in DR test
82%
Infrastructure · High confidence, needs confirmation
Export Center
Generate reports, presentations, and data exports for Acme SaaS Corp
Executive Summary PDF
2-page board-ready overview with composite score, key findings, and recommendations
Full DD Report
Comprehensive scored report with all tracks, findings, evidence links, and remediation roadmap
Presentation Deck
Valeon-branded slide deck with score visualizations, key findings, and talking points
Data Export (Excel)
Raw scores, indicators, findings, and recommendations in structured spreadsheet format
Investment Memo
PE-ready memo with technology risk/opportunity assessment, financial impact analysis, and post-close priorities
Remediation Roadmap
Prioritized 90-day post-close improvement plan with effort estimates and quick wins
Recent Exports
Acme_SaaS_Executive_Summary_v3.pdf
1.8 MB
Apr 21, 3:14 PMAcme_SaaS_Board_Deck_v2.pptx
4.2 MB
Apr 20, 11:30 AMAcme_SaaS_Raw_Data_Export.xlsx
890 KB
Apr 18, 2:45 PMIndustry Benchmarks
Acme SaaS Corp scores vs. anonymized SaaS industry benchmarks (n=47 companies scored)
Percentile Ranking by Track
| Track | Acme Score | Industry Median | Percentile | Assessment |
|---|---|---|---|---|
| DevOps | 85 | 72 | 82nd | Above Average |
| SDLC | 81 | 68 | 76th | Above Average |
| Product Management | 74 | 71 | 55th | Average |
| Architecture | 72 | 70 | 52nd | Average |
| Infrastructure | 68 | 66 | 50th | Average |
| Data | 65 | 62 | 48th | Average |
| Security | 58 | 71 | 22nd | Below Average |
| AI/ML | 42 | 55 | 18th | Below Average |
Strengths vs. Peers
Acme's DevOps and SDLC practices rank in the top quartile of SaaS companies scored. CI/CD pipeline maturity and deployment frequency exceed industry norms. This is a genuine competitive advantage that should be preserved post-acquisition.
Gaps vs. Peers
Security (22nd percentile) and AI/ML (18th percentile) are material weaknesses relative to the SaaS benchmark set. Security gaps carry compliance and reputational risk. AI/ML immaturity limits product differentiation. Both require investment within 6-12 months post-close.
Deal Memo Generator
Generate a formatted investment memo from the scored DD report for Acme SaaS Corp
Memo Configuration
✓ Executive Summary
✓ Technology Assessment
✓ Risk Analysis
✓ Remediation Costs
✓ Post-Close Priorities
Financial Impact
Team Assessment
Preview: Generated Memo Outline
1. Executive Summary — Acme SaaS Corp composite score 68/100 · $28M ARR · SaaS vertical
2. Technology Assessment — 8 tracks scored · Strengths: DevOps (85), SDLC (81) · Weaknesses: Security (58), AI/ML (42)
3. Risk Analysis — 184 findings · 4 critical · 14 high · 42 require human review
4. Remediation Cost Estimate — $180-240K in first 12 months · Security: $90-120K · AI/ML: $60-80K
5. Post-Close 90-Day Priorities — SOC 2 remediation · Pen test program · Data governance framework · Key-person retention
2. Technology Assessment — 8 tracks scored · Strengths: DevOps (85), SDLC (81) · Weaknesses: Security (58), AI/ML (42)
3. Risk Analysis — 184 findings · 4 critical · 14 high · 42 require human review
4. Remediation Cost Estimate — $180-240K in first 12 months · Security: $90-120K · AI/ML: $60-80K
5. Post-Close 90-Day Priorities — SOC 2 remediation · Pen test program · Data governance framework · Key-person retention
Portfolio Risk Overview
Meridian Capital Partners — All active and recent technology due diligence engagements
Active Deals
3
In various DD stages
Completed (YTD)
5
All scored and delivered
Avg Composite Score
71
Across all engagements
Total Invested
$175K
DD engagement fees YTD
Risk Heat Map
| Company | Stage | Composite | DevOps | SDLC | Security | Architecture | Data | AI/ML | Status |
|---|---|---|---|---|---|---|---|---|---|
| Acme SaaS Corp | In Review | 68 | 85 | 81 | 58 | 72 | 65 | 42 | In Review |
| NovaTech Industries | Processing | — | — | — | — | — | — | — | Processing |
| HealthFirst Platform | VDR Upload | — | — | — | — | — | — | — | VDR Upload |
| CloudBridge Analytics | Complete | 76 | 78 | 83 | 69 | 82 | 88 | 71 | Delivered |
Interview Preparation
Upcoming interviews scheduled with Valeon Partners — review topics and prepare
CTO Interview — David Park
May 5, 2026 · 10:00 AM · 60 minutes · Video Call
Topics to Prepare:
Architecture Decisions
Monolith-to-microservices journey, service boundaries, API strategy, and technical debt priorities
Technology Strategy
3-year technology roadmap, build vs. buy decisions, cloud strategy, and vendor lock-in considerations
Scalability Planning
Current scale limits, database sharding plans, CDN strategy, and performance bottlenecks
Team & Leadership
Engineering org structure, key-person dependencies, hiring pipeline, and retention strategy
VP Engineering Interview — Lisa Wang
May 5, 2026 · 2:00 PM · 60 minutes · Video Call
Topics: SDLC practices, CI/CD pipeline, testing strategy, code review process, DevOps culture, on-call rotation
Head of Security Interview — James Park
May 6, 2026 · 10:00 AM · 60 minutes · Video Call
Topics: SOC 2 remediation, pen testing cadence, incident response, data classification, vendor security reviews, compliance certifications
Billing & Usage
Revenue tracking, API usage, and cost-per-engagement economics
Revenue (YTD)
$487K
▲ 42%
16 engagements
Avg Revenue / Engagement
$30.4K
Mix: 8 Standard, 6 Enterprise, 2 Premium
API Costs (YTD)
$12.3K
LLM inference + embeddings
Gross Margin
89%
After platform costs
Monthly Revenue
Jan
$25K
Feb
$50K
Mar
$75K
Apr
$112K
API Usage This Month
LLM Tokens (GPT-4 / Claude)
62%
Embedding Tokens
45%
Document Processing
78%
Cost per Engagement
Standard ($25K)Avg cost: $1,200 → 95% margin
Enterprise ($50K)Avg cost: $3,800 → 92% margin
Premium ($150K)Avg cost: $18,000 → 88% margin
Audit Trail
Complete activity log across all users, engagements, and platform actions
Timestamp
User
Action
Resource
Apr 22, 3:14 PM
Dustin Grant
Exported Executive Summary PDF
Acme SaaS Corp
Apr 22, 2:47 PM
Sarah Chen
Approved finding SDLC-DEPLOY-003 (confidence: 91%)
Acme SaaS Corp
Apr 22, 1:30 PM
Rachel Kim
Uploaded CI_CD_Pipeline_Config.pdf to VDR
Acme SaaS VDR
Apr 22, 11:15 AM
Tom Nguyen
Uploaded AWS_Architecture_v3.pdf to VDR
Acme SaaS VDR
Apr 22, 10:00 AM
System
AI Processing started — DevOps track evaluation initiated
Acme SaaS Corp
Apr 21, 4:30 PM
Michael Torres
Viewed DD Report — Track Detail
Acme SaaS Corp
Apr 21, 3:00 PM
Dustin Grant
Updated AI confidence threshold to 85%
Platform Settings
Apr 21, 2:15 PM
Michael Torres
Posted Q&A question: "SOC 2 remediation timeline"
Acme SaaS Corp
Apr 21, 11:00 AM
Sarah Chen
Flagged finding SEC-IR-001 for manual review (confidence: 42%)
Acme SaaS Corp
Apr 20, 9:30 AM
Dustin Grant
Logged in from 192.168.1.42 (Austin, TX)
Platform
Knowledge Graph Editor
Add, modify, and preview indicators, tracks, and scoring logic
▼Enterprise Security 57
▸Access Control (12)
▸Incident Response (8)
▸Vulnerability Mgmt (11)
▸Network Security (9)
▸Data Protection (10)
▸Governance (7)
▸Compliance 226
▸Product Security 86
▸SDLC 59
▸Software Architecture 75
▸Enterprise Systems 97
▸AI / Machine Learning 30
▸DevOps 45
Enterprise Security
57 indicators · 6 topics · Last edited Apr 19, 2026
8 / 10
Higher weight increases this track's contribution to the composite score
Sample Indicators
| ID | Indicator | Tier | Weight | |
|---|---|---|---|---|
| SEC-AC-001 | Multi-factor authentication enforced for all admin access | Core | High | ✏️ |
| SEC-AC-002 | Role-based access control (RBAC) implemented with principle of least privilege | Core | High | ✏️ |
| SEC-IR-001 | Documented incident response plan with defined severity levels | Core | Critical | ✏️ |
| SEC-VM-003 | Automated vulnerability scanning on all production infrastructure | Light | Medium | ✏️ |