Before you wire funds, verify revenue quality, certification depth, liability exposure, and whether the business survives without the founder.
Acquiring a cybersecurity consulting firm in the $1M–$5M revenue range requires scrutiny well beyond standard financial due diligence. The sector's value drivers — recurring retainer revenue, certified technical staff, and defensible vertical niches — can evaporate quickly if key consultants depart, client contracts don't transfer, or undisclosed errors-and-omissions claims surface post-close. Buyers ranging from PE-backed IT services roll-ups to individual acquirers with technology backgrounds must assess five core risk areas: revenue composition and contract quality, key-man dependency and staff certifications, liability exposure from past assessments and incidents, government contracting compliance, and the technical team's ability to operate independently post-acquisition. Use this checklist to structure your confirmatory diligence and protect your investment at multiples of 4x–7x EBITDA.
Validate the mix of recurring retainer versus one-time project revenue and confirm all client contracts are transferable upon a change of control.
Request a revenue waterfall segmenting retainer, managed security, project, and time-and-materials income by client for 3 years.
Recurring retainer revenue commands higher multiples; project revenue is lumpy and non-repeatable.
Red flag: Less than 40% of revenue comes from retainer or managed security service contracts.
Review every active client contract for change-of-control clauses, termination rights, and assignment restrictions.
Unassignable contracts can trigger immediate client termination upon closing, destroying value.
Red flag: Multiple contracts contain change-of-control termination clauses with no client consent already obtained.
Confirm no single client exceeds 20% of total annual revenue and review top-5 client tenure.
Concentration above 20% creates catastrophic revenue risk if one relationship exits post-acquisition.
Red flag: One client represents 30% or more of revenue with no multi-year contract in place.
Verify that revenue reported as recurring has actual executed multi-year or auto-renewing agreements, not informal arrangements.
Sellers routinely reclassify annual project renewals as recurring revenue to inflate valuation.
Red flag: Retainer revenue lacks signed agreements and is based on verbal or handshake client commitments.
Determine whether the business can operate and retain clients without the founder and audit the certification credentials of every technical employee.
Map every client relationship to a named employee other than the founder and document direct contact history.
If all client relationships run through the founder, the business has no transferable goodwill.
Red flag: Founder is the primary or sole contact for more than 50% of revenue-generating clients.
Audit the active certifications held by all technical staff (CISSP, CISM, CEH, OSCP and similar) together with each certification's renewal date.
Client contracts and government engagements often require specific certifications; lapsed credentials create compliance gaps.
Red flag: Fewer than 3 staff hold active, independently verified certifications, or the only certifications are held by the founder.
Review employment agreements, non-solicitation clauses, and non-competes for all client-facing and technical staff.
Without enforceable agreements, key consultants can depart and solicit clients immediately after closing.
Red flag: Non-solicitation agreements are absent, expired, or legally unenforceable in the firm's operating state.
Conduct confidential retention interviews or assess turnover history for the past 24 months among senior consultants.
High certified-staff turnover signals cultural or compensation problems that worsen post-acquisition.
Red flag: More than two CISSP- or CISM-certified employees departed in the past 18 months.
Uncover potential errors-and-omissions claims and prior incident exposure, and confirm that adequate cyber and professional liability coverage is in place.
Obtain all past security assessment and penetration testing reports delivered to clients in the last 5 years.
A client breach following a clean assessment creates direct E&O liability that transfers to the buyer.
Red flag: Firm issued clean assessments to clients who subsequently suffered material data breaches.
Review current errors-and-omissions and cyber liability insurance policies including coverage limits, exclusions, and claims history.
Inadequate E&O coverage leaves the acquirer exposed to pre-close incidents discovered after signing.
Red flag: E&O coverage is below $1M per occurrence, or the policy has open claims or exclusions tied to prior incidents.
Request a litigation and dispute history report including any threatened claims, client complaints, or regulatory inquiries.
Undisclosed disputes become the buyer's problem the moment the acquisition closes.
Red flag: Any unresolved litigation, regulatory action, or formal client complaint related to a security engagement outcome.
Verify that all client NDAs and data handling agreements comply with current state and federal privacy regulations.
Cybersecurity firms handle sensitive client data; outdated agreements create regulatory exposure for the acquirer.
Red flag: Client NDAs are templated, outdated, or absent for engagements involving regulated data environments.
If the firm serves federal or defense clients, validate CMMC, FedRAMP, or clearance status and assess the cost and risk of maintaining compliance post-close.
Confirm CMMC level certification status and identify which employees hold active facility or personnel clearances.
Clearances and CMMC certifications cannot always be transferred and may lapse with ownership changes.
Red flag: Federal revenue depends on clearances held personally by the founder with no plan for transfer.
Review all active federal contracts for novation requirements and agency approval timelines triggered by ownership transfer.
Federal contract novation can take months and revenue may be suspended during the approval process.
Red flag: Government contracts represent over 30% of revenue with no novation pre-approval obtained.
Audit compliance with CMMC, NIST 800-171, or FedRAMP requirements for any contracts requiring these frameworks.
Non-compliance discovered post-close can result in contract termination and debarment risk.
Red flag: Firm claims CMMC or NIST compliance but lacks documented assessments or third-party validation.
Assess whether the firm's SAM.gov registration, DUNS/UEI, and past performance records are current and transferable.
Lapsed registrations can disqualify the firm from bidding on new federal work immediately post-acquisition.
Red flag: SAM.gov registration is lapsed or past performance records are incomplete or misattributed.
Assess whether the firm's methodologies, tools, and delivery processes are documented and repeatable without founder involvement.
Review all documented SOPs, service delivery playbooks, and methodology frameworks for core offerings like pen testing and compliance audits.
Undocumented delivery processes make the business entirely dependent on individual tribal knowledge.
Red flag: No written SOPs exist; all service delivery relies on the founder's undocumented methodology.
Identify any proprietary tools, scripts, assessment frameworks, or reporting templates owned by the firm versus licensed from third parties.
Proprietary IP creates switching costs and differentiation; licensed tools may not transfer without renegotiation.
Red flag: Core toolsets are personally licensed to the founder and not owned or licensed by the business entity.
Confirm that the firm's technology stack, including PSA, ticketing, SIEM, and vulnerability management platforms, is contracted in the business's name rather than an individual's.
Tools licensed under the founder's personal accounts cannot transfer without vendor reprocessing and potential service gaps.
Red flag: Critical security platforms are under personal accounts or have vendor contract provisions that restrict assignment.
Evaluate whether the firm holds any vertical niche differentiators such as HIPAA assessment methodologies, CMMC readiness frameworks, or financial sector expertise.
Defensible vertical niches reduce commoditization risk and support premium retainer pricing post-acquisition.
Red flag: Service offerings are entirely horizontal with no documented vertical expertise or niche market positioning.
Request every executed client agreement and cross-reference it against the revenue waterfall. Recurring revenue must be backed by signed retainer, managed security service, or subscription agreements with defined terms, auto-renewal language, and stated fees. Informal annual renewals based on goodwill or verbal commitments are project revenue in disguise and should be modeled as non-recurring for valuation purposes. Ask the seller to provide invoicing history alongside contracts to confirm billing consistency.
Key-man dependency is the primary risk. If the founder holds all client relationships and is the most credentialed professional on staff, client attrition post-close is nearly certain. Mitigate this by requiring a 12–24 month earnout tied to client retention, negotiating an equity rollover of 15–25% to keep the founder engaged, and making pre-close staff introductions to key clients a condition of signing. Also require documentation of client relationship ownership distributed across at least two non-founder staff members.
Yes, cybersecurity consulting firms are SBA eligible. SBA 7(a) loans can finance up to $5M of the purchase price, making them well-suited for lower middle market acquisitions in this space. Key considerations include the lender's requirement for at least 2–3 years of clean accrual-based financials, sufficient tangible and intangible collateral, and seller injection via a seller note of at least 10% on full-standby during the loan term. The SBA's emphasis on continuity means demonstrating that the business does not collapse without the seller is essential for loan approval.
Federal contract revenue introduces novation risk that can delay or reduce post-close revenue. Structure the deal to include a performance escrow or holdback of 15–20% of purchase price released only after key government contracts are successfully novated to the new entity. Engage government contracting counsel before LOI to assess agency approval timelines, clearance transferability, and CMMC certification continuity. Avoid closing fiscal-year-end deals with federal agencies as novation approvals slow significantly during those periods.