See the Format Before You Commit
Every report follows the same structure, regardless of deal size: an executive summary in deal language, then findings categorized by severity with a plain-English cost or timeline attached. Below is an illustrative excerpt showing that structure.
Executive Summary: Northlane (target company)
Northlane's core platform is well-architected and actively maintained: the codebase reflects deliberate engineering decisions, not accumulated shortcuts. One finding below is a genuine blocker for SOC 2 attestation and should factor into pricing or holdback terms. A second reflects real but manageable key-person risk. Nothing found here is a reason to walk away, but two items should change the terms of the deal.
Example Findings
Three examples below, one per severity tier, to show the format. A real report isn't capped at three: it lists every finding the target actually has, across all six categories in What We Assess, however many or few that turns out to be.
Customer PII (name, email, last four of SSN) is written to plaintext application logs across all environments, including production.
Deal impact: Blocks SOC 2 attestation as-is. Estimated 3–4 weeks of engineering time to remediate before enterprise renewals can rely on it. Recommend a price adjustment or escrow holdback tied to remediation, not a walk-away on its own.
Recommended action: Before close: get a written remediation commitment and timeline from the target's engineering lead. After close: re-test within 30 days to confirm the fix landed before relying on it in front of a customer or auditor.
The billing service (Stripe integration, subscription logic) has no automated test coverage and one engineer who has touched it in the last 18 months.
Deal impact: Key-person risk on revenue-critical code. Budget 4–6 weeks of paid knowledge-transfer time post-close, and factor it into any retention or earn-out terms for that engineer.
Recommended action: Add a retention clause or consulting agreement for that engineer through the transition period. Prioritize test coverage on this service in the first post-close sprint, before any refactor touches it.
Frontend dependencies are two major versions behind current, with no known active exploits.
Deal impact: Routine maintenance. No cost to model into the deal. Flag for the first post-close engineering sprint.
Recommended action: No deal action needed. Add to the engineering team's backlog after close.
A redacted excerpt from a real engagement will replace this once the first one closes. Until then, get in touch and you can walk through the full report format directly on a call.
Book a call