The 5 Tech Red Flags That Kill M&A Deals (After Close)
Most acquirers look at revenue and EBITDA. The ones who get burned look back six months later wishing they had looked at the tech stack.
I have sat in enough post-mortem rooms to know the pattern. The deal looked clean. The numbers checked out. The founders were compelling. And then, three months after close, the integration team starts pulling on threads and everything unravels.
The worst part? Every single red flag was there during due diligence. It just was not on anyone's checklist.
After 20 years moving from fieldwork to founder, from Georgia Tech buildings to Fortune 100 boardrooms, here are the five technical landmines I look for in every M&A engagement. The ones that appear spotless on paper and detonate after the ink dries.
Red Flag 1: The "We'll Document That Later" Tech Stack
Every target company has technical debt. That is not the red flag. The red flag is undocumented technical debt. Systems that only one or two engineers truly understand, with no written record of how they interact, what they depend on, or what breaks when you touch them.
I call this the bus factor problem. If two people left tomorrow, would the system still be operable? In acquisition targets, the bus factor is often 1. And that one person is about to get a retention package, get bored, and leave within 14 months.
What to look for: Request architecture documentation as part of diligence. If the team cannot produce it within a week, or if what they produce is a whiteboard photo from 2021, treat that as a serious liability. Estimate the remediation cost before you price the deal.
Red Flag 2: Shadow IT Everywhere
Shadow IT refers to unauthorized tools, apps, and platforms adopted by individual teams without IT approval. Sales teams running their own CRM integrations. Marketing spinning up third-party data tools. Engineering using personal cloud accounts for testing.
None of this shows up on the official vendor list. None of it appears in the security audit. All of it represents data exposure, compliance liability, and integration complexity that lands in your lap the moment the deal closes.
In one engagement, a target company had 47 SaaS tools that were not on any approved list, including two that were storing customer PII in ways that directly violated GDPR. The deal still closed. The fine came later.
What to look for: Request a full OAuth and SSO audit covering every tool connected to every corporate identity provider. Then ask the CFO and the IT lead separately for their vendor lists. The gap between those two lists is your shadow IT exposure.
Red Flag 3: The Frankenstein Integration Layer
As companies scale fast, they build integrations the same way. A Zapier here. A custom webhook there. A third-party middleware platform that was supposed to be temporary in 2019. Five years later, that temporary layer is mission-critical infrastructure that nobody on the current team built and nobody fully understands.
The danger is not just technical fragility. It is that when you go to integrate this business into your platform or your data architecture, you discover the entire operational flow runs through a patchwork of brittle connectors that break if you look at them wrong.
What to look for: Map every system-to-system data flow before close. Ask specifically: "What would break if we turned off this tool?" If the answer is "we are not sure," you have found a Frankenstein. Price the rebuild into your model.
Red Flag 4: Cybersecurity Theater
Most growing companies have just enough security to look compliant. SOC 2 Type I? Check. Annual pen test? Done. Security policy document? Posted on the intranet.
What they do not have is an actual security posture. Active monitoring, tested incident response procedures, access control hygiene, meaningful endpoint protection. The SOC 2 gets them through the diligence questionnaire. The reality is a different story.
I have reviewed acquisition targets where every employee had admin access to production databases. Where offboarding processes were manual and inconsistently followed, meaning former employees still had live credentials months after departure. Where the "annual pen test" report was three years old.
What to look for: Do not accept the SOC 2 report as the full picture. Request the full penetration test findings, not just the executive summary, and ask what was remediated versus accepted as risk. Interview the person actually responsible for security day to day, not the executive who signed the policy. Those are often two very different conversations.
Red Flag 5: The Data Quality Disaster Hiding in Plain Sight
This one is quiet. It does not crash systems. It does not trigger compliance alerts. It silently poisons every business decision you make after close.
Bad data quality in a target company, including duplicate records, inconsistent field definitions, unmaintained master data, and years of manual CSV imports, becomes your problem the moment you try to consolidate reporting, migrate to your CRM, or build any kind of unified analytics layer.
I have seen acquirers spend more on post-close data remediation than they saved in synergies. One client discovered that a target's customer count metric, which was central to the deal valuation, was counting unique email addresses rather than unique customers. Duplicates and inactive accounts had inflated the number by 34%.
What to look for: Ask for a data quality report, not just a data dictionary. Pull sample exports and look for duplicates, nulls, and inconsistencies in key fields. If the target uses a CRM, ask how old the oldest active record is and what their data hygiene process looks like. The answer will tell you everything.
The Bottom Line
None of these red flags are dealbreakers on their own. But each one carries a price. A remediation cost, a timeline impact, an integration risk. The acquirers who get hurt are not the ones who find these issues. They are the ones who did not look.
Good technology due diligence is not about finding reasons to kill a deal. It is about pricing it correctly, planning the integration honestly, and walking in with your eyes open.
“If you are about to make a technology-dependent acquisition and you have not had an independent technical review, you are betting millions on someone else's self-reporting. That is a bet I would not take.”
Jason Houck is a technology advisor with 20 years of experience working from fieldwork to Fortune 100. He specializes in M&A Technology Due Diligence, Operational Intelligence, Innovation Roadmaps, and Cybersecurity and Risk.