Private Equity | Technical Due Diligence Lead / CTO

M&A Digital Due Diligence

Assess digital infrastructure, technology stack, and security posture for acquisition targets

Acquiring a company means inheriting its technical debt, security vulnerabilities, and infrastructure decisions. EdgeDNS provides instant digital intelligence — WHOIS contacts (or privacy-proxy detection when they're hidden), CAA-restricted certificate issuance, HSTS / CSP grade, SSL chain validity, DNS posture, and registrar reputation — to assess technology maturity, security posture, and infrastructure quality during due diligence.

The Challenge

Technical due diligence in M&A is often rushed and incomplete. Acquisition timelines are compressed, data rooms provide self-reported information, and gaining access to target infrastructure requires NDAs and coordination. Questions about ownership transparency, certificate-authority controls, modern HTTP-security hygiene, SSL management, and hosting architecture go unanswered until post-acquisition.

The Solution

A single call to `/v1/composite/domain-intelligence` returns registrar + RDAP contacts (or `privacy_proxy_in_use: true` when they're hidden), DNSSEC posture, SSL chain + CAA records with issuer cross-reference, HTTP security headers (HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy) graded 0–100, threat-feed matches, CT-log activity, subdomain enumeration, and an aggregated `infrastructure_score` with a confidence value so analysts can flag partial results. Pair it with tech and CDN detection for the full picture.

Endpoints Used

Combine these EdgeDNS endpoints to build this solution.

`GET /v1/composite/domain-intelligence`

Domain Intelligence: One call: WHOIS + RDAP contacts + privacy-proxy detection + DNSSEC + SSL chain + CAA + HTTP security headers + CT logs + threat feeds + registrar reputation + infrastructure_score with confidence

`GET /v1/domain/tech`

Technology Detection: Identify frameworks, CMS, and technology stack maturity

`GET /v1/domain/cdn`

CDN Detection: Identify CDN and edge infrastructure

Results You Can Achieve

Technology scorecard per target in minutes

Stack, security, hosting, and DNS posture compiled without target cooperation — suitable for early-stage opportunity screening. `infrastructure_score_confidence` flags partial scans so weak data isn't mistaken for a clean bill of health.

Ownership transparency signal

`whois.contacts.registrant/admin/tech` is surfaced when public. When redacted, `privacy_proxy_in_use: true` tells you the target is using a privacy service (WhoisGuard, Domains by Proxy, etc.) — an instant signal during deal hygiene.

Certificate-authority risk visible

CAA records returned with issuer cross-reference: `ssl.caa.enforces_restriction` shows whether the target restricts which CAs may issue, and `matches_current_issuer` warns when the live cert is from a CA that isn't in the allowlist (renewal will be denied).

Modern HTTP security headers, graded

HSTS (with preload-eligibility check), CSP (enforced vs report-only, `unsafe-inline` / `unsafe-eval` detection), X-Frame-Options, Referrer-Policy, Permissions-Policy — each parsed and rolled into a 0–100 grade. Mozilla-Observatory-style assessment with no second tool needed.

Surface remediation cost early

Outdated TLS, missing CAA, weak HSTS, broken DKIM, threat-feed listings, and registrar-reputation gaps quantified before LOI, so closing-cost adjustments are evidence-backed.

Repeatable methodology across portfolio

Same scoring model and confidence weights applied to every target produces comparable scorecards across a deal pipeline. `infrastructure_score_breakdown` exposes per-component weight + earned + succeeded for full auditability.
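
The HSTS and CSP properties listed under "Modern HTTP security headers, graded" can be checked locally on captured response headers, which is useful for spot-verifying an API result. This is an added example, not EdgeDNS code: `analyzeHsts`, `analyzeCsp` and the sample headers are constructed here, and it reports findings rather than a 0–100 grade because the page does not give the scoring weights.

```javascript
// Added example, not EdgeDNS code. Header values are constructed samples.
const ONE_YEAR = 31536000; // minimum max-age accepted by the HSTS preload list

function analyzeHsts(value) {
  if (!value) return { present: false, preloadEligible: false, issues: ['header missing'] };
  const parts = value.split(';').map(p => p.trim().toLowerCase()).filter(Boolean);
  const rawAge = parts.find(p => p.startsWith('max-age='));
  const maxAge = rawAge ? parseInt(rawAge.slice('max-age='.length).replace(/"/g, ''), 10) : NaN;
  const issues = [];
  if (!(maxAge >= ONE_YEAR)) issues.push('max-age below one year');
  if (!parts.includes('includesubdomains')) issues.push('includeSubDomains missing');
  if (!parts.includes('preload')) issues.push('preload missing');
  return { present: true, maxAge, preloadEligible: issues.length === 0, issues };
}

function analyzeCsp(headers) {
  const enforced = headers['content-security-policy'];
  const policy = enforced ?? headers['content-security-policy-report-only'];
  if (!policy) return { mode: 'absent', findings: ['no CSP header'] };
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  // script-src falls back to default-src when it is not set.
  const script = directives.get('script-src') ?? directives.get('default-src');
  const findings = [];
  if (!script) {
    findings.push('scripts unrestricted (no script-src or default-src)');
  } else {
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const hasNonceOrHash = script.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("'unsafe-inline' in effect");
    if (script.includes("'unsafe-eval'")) findings.push("'unsafe-eval' allowed");
  }
  if (!enforced) findings.push('report-only: violations are logged, not blocked');
  return { mode: enforced ? 'enforced' : 'report-only', findings };
}

// Constructed sample response headers (lowercase names, as Fetch/Node expose them).
const sample = {
  'strict-transport-security': 'max-age=15768000; includeSubDomains',
  'content-security-policy-report-only': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
};
console.log(analyzeHsts(sample['strict-transport-security']), analyzeCsp(sample));
```

Header-level eligibility is only part of the preload list's requirements; the HTTP-to-HTTPS redirect and certificate validity still have to be checked against the live site.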

Code Example

M&A technical due diligence assessment

```javascript
async function assessAcquisitionTarget(targetDomains) {
  const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };

  const assessments = await Promise.all(
    targetDomains.map(async (domain) => {
      // Domain-intelligence is the workhorse — WHOIS + RDAP contacts + SSL +
      // CAA + HTTP security headers + threat feeds + DNSSEC + registrar
      // reputation, all in one call. Add tech / CDN detection alongside.
      const q = encodeURIComponent(domain); // never interpolate raw input into a query string
      const [intelRes, techRes, cdnRes] = await Promise.all([
        fetch(`https://api.edgedns.dev/v1/composite/domain-intelligence?domain=${q}`, { headers }),
        fetch(`https://api.edgedns.dev/v1/domain/tech?domain=${q}`, { headers }),
        fetch(`https://api.edgedns.dev/v1/domain/cdn?domain=${q}`, { headers }),
      ]);
      // Fail loudly on HTTP errors so an error body is never scored as a scan result.
      for (const res of [intelRes, techRes, cdnRes]) {
        if (!res.ok) throw new Error(`EdgeDNS request failed for ${domain}: HTTP ${res.status}`);
      }
      const intel = (await intelRes.json()).data;
      const tech = (await techRes.json()).data;
      const cdn = (await cdnRes.json()).data;
      if (!intel) throw new Error(`No domain-intelligence data returned for ${domain}`);

      const risks = [];

      // 1. Ownership transparency: surface RDAP contacts or flag if hidden
      const ownership = intel.whois?.privacy_proxy_in_use
        ? { hidden_behind_privacy_proxy: true }
        : intel.whois?.contacts ?? null;
      if (intel.whois?.privacy_proxy_in_use) {
        risks.push('Ownership hidden behind privacy proxy — request unmasked contact details during diligence');
      }

      // 2. Certificate-authority controls
      if (intel.caa && !intel.caa.enforces_restriction) {
        risks.push('No CAA restriction — any public CA may issue certificates for this domain');
      }
      if (intel.caa?.matches_current_issuer === false) {
        risks.push('Live cert issuer is not in the CAA allowlist — renewal will be denied');
      }

      // 3. HTTP security headers grade
      const hdr = intel.http_headers;
      if (hdr?.fetched && ['D', 'F'].includes(hdr.grade)) {
        risks.push(`HTTP security headers grade ${hdr.grade} — HSTS/CSP/XFO gaps need remediation`);
      }

      // 4. Confidence-weighted infrastructure assessment
      // A missing summary counts as zero confidence, so read the score defensively too.
      const infraConf = intel.summary?.infrastructure_score_confidence ?? 0;
      if (infraConf < 0.7) {
        risks.push(`Infrastructure scan confidence ${(infraConf * 100).toFixed(0)}% — re-run before relying on score ${intel.summary?.infrastructure_score}`);
      }

      // 5. Threat intelligence
      if (intel.threat?.is_threat) {
        risks.push('Domain appears in threat intelligence feeds — investigate before proceeding');
      }

      return {
        domain,
        ownership,
        infrastructure: {
          cdn: cdn?.provider,
          technologies: tech?.technologies?.map(t => t.name),
          dns_provider: intel.dns_provider?.provider,
          dnssec: intel.whois?.dnssec ?? false,
          ssl_valid: intel.summary?.ssl_valid,
          ssl_days_until_expiry: intel.ssl?.days_until_expiry,
          caa_restricts_issuance: intel.caa?.enforces_restriction ?? false,
          security_headers_grade: intel.http_headers?.grade ?? null,
          infrastructure_score: intel.summary?.infrastructure_score,
          confidence: intel.summary?.infrastructure_score_confidence,
          registrar: intel.whois?.registrar?.name,
          registrar_grade: intel.registrar_reputation?.grade,
        },
        risks,
      };
    })
  );

  return {
    target: targetDomains[0],
    domainCount: assessments.length,
    assessments,
    // Any single domain with more than two findings raises the overall rating.
    overallRisk: assessments.some(a => a.risks.length > 2) ? 'elevated' : 'acceptable',
  };
}
```
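
The CAA signals flagged in the risk checks above follow from the RFC 8659 lookup rules, which an analyst can reproduce from raw records when a result needs a second look. This is an added example, not EdgeDNS code: the zone data, `relevantCaaSet`, `evaluateCaa` and the `issuerCaaId` parameter (the CAA identifier of the CA that issued the live certificate, assumed known) are constructed for illustration; only the two result field names come from the page.

```javascript
// Added example, not EdgeDNS code. Zone data and CA identifiers are constructed.
// Climb the DNS tree to the closest name that has CAA records (RFC 8659, section 3).
function relevantCaaSet(fqdn, caaByName) {
  const labels = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const name = labels.slice(i).join('.');
    if (caaByName[name]?.length) return { foundAt: name, records: caaByName[name] };
  }
  return { foundAt: null, records: [] };
}

function evaluateCaa(fqdn, caaByName, issuerCaaId) {
  const wildcard = fqdn.startsWith('*.');
  const { foundAt, records } = relevantCaaSet(wildcard ? fqdn.slice(2) : fqdn, caaByName);
  const props = records.map(r => ({
    tag: r.tag.toLowerCase(),
    // Value is "<issuer-domain>[; parameters]"; an empty issuer domain (";") forbids issuance.
    ca: r.value.split(';')[0].trim().toLowerCase(),
  }));
  const issue = props.filter(p => p.tag === 'issue');
  const issuewild = props.filter(p => p.tag === 'issuewild');
  // For wildcard names, issuewild replaces issue when at least one is present.
  const applicable = wildcard && issuewild.length ? issuewild : issue;
  const allowed = applicable.map(p => p.ca).filter(Boolean);
  const enforces = applicable.length > 0;
  return {
    foundAt,
    enforces_restriction: enforces,
    allowed_cas: allowed,
    // null when there is no allowlist to compare the issuer against
    matches_current_issuer: enforces ? allowed.includes(issuerCaaId.toLowerCase()) : null,
  };
}

// Constructed sample zone: one CA for ordinary names, wildcard issuance forbidden.
const zone = {
  'example.com': [
    { flags: 0, tag: 'issue', value: 'letsencrypt.org' },
    { flags: 0, tag: 'issuewild', value: ';' },
    { flags: 0, tag: 'iodef', value: 'mailto:security@example.com' },
  ],
};
console.log(evaluateCaa('shop.example.com', zone, 'other-ca.example'));
```

Subdomains with no CAA records of their own inherit the parent's set, so a single apex record covers every enumerated subdomain unless one of them overrides it.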
