Before you wire funds on a commercial security integrator, verify these five critical areas — from RMR contract quality to state licensing compliance and technology obsolescence risk.
Acquiring a surveillance and access control integration company in the $1M–$5M revenue range requires a fundamentally different due diligence approach than buying a typical service business. The value of these companies lives in three places: the quality and stickiness of recurring monthly revenue (RMR) contracts, the transferability of licensed technicians and commercial client relationships, and the long-term viability of the technology platform installed across the customer base. A business generating $400K EBITDA on strong RMR with auto-renewing commercial contracts can command 5–6x multiples, while an identical-revenue business driven by one-time installation projects with no service tail may struggle to justify 3.5x. This checklist is organized around the five highest-leverage due diligence categories for security integration acquisitions: recurring revenue quality, licensing and regulatory compliance, customer concentration and transferability, technology stack risk, and key employee retention.
RMR is the primary value driver in security integration acquisitions. Verify contract structure, attrition rates, and renewal mechanics before relying on any income-based valuation.
Request a complete RMR schedule listing every contract with start date, term, monthly value, and auto-renewal clause.
Unverified RMR schedules routinely overstate true recurring income when month-to-month agreements are included.
Red flag: More than 30% of RMR is on month-to-month agreements with no auto-renewal provision.
Calculate trailing 12-month RMR attrition rate by reconciling the opening and closing contract counts.
Annual attrition above 8–10% signals weak customer retention and erodes the income-based valuation quickly.
Red flag: Seller cannot produce a reconciled attrition report or attrition exceeds 12% annually.
Confirm the ratio of RMR to total revenue and verify it meets the 20–40% threshold for a balanced acquisition.
Businesses below 20% RMR are project-dependent and carry significantly higher cash flow volatility post-close.
Red flag: RMR represents less than 15% of total revenue with no documented growth trend toward recurring services.
Review a sample of 10–15 monitoring and service agreements for assignment clauses and customer consent requirements.
Contracts requiring individual customer consent to assign can stall closing or trigger mass cancellations at transfer.
Red flag: Service agreements contain no-assignment clauses or require written client consent for ownership transfer.
Security integration is a licensed trade in most states. Unlicensed operations or lapsed technician certifications represent deal-killing regulatory and liability exposure for buyers.
Obtain copies of all active state and municipal contractor licenses and verify expiration dates and transferability.
Many state licenses are tied to a qualifying individual and cannot transfer automatically to a new owner entity.
Red flag: Any active license is held personally by the selling owner and is non-transferable to a new business entity.
Verify ESA, NICET, or other applicable technician certifications for all field staff and service personnel.
Certified technicians are required for certain commercial, government, and UL-listed installation contracts.
Red flag: Fewer than half of field technicians hold current ESA or NICET certifications required in primary service markets.
Search state licensing boards and local jurisdictions for any complaints, disciplinary actions, or permit violations.
Unresolved regulatory issues can result in license suspension, fines, or loss of specific commercial contracts post-close.
Red flag: Any open disciplinary proceeding, revoked permit, or unresolved customer complaint with a regulatory body.
Confirm cybersecurity practices for IP-connected surveillance systems managed on behalf of commercial clients.
Integrators managing networked surveillance systems carry data privacy liability; inadequate practices create post-close exposure.
Red flag: No documented cybersecurity policies, default credentials in use across client systems, or prior breach incidents undisclosed.
Commercial security clients are relationship-driven. Buyer must assess whether revenue is concentrated in a few accounts and whether those relationships transfer with the business or walk out with the seller.
Build a customer concentration table showing each client's percentage of total revenue and contract status.
A single client representing more than 20–25% of revenue creates unacceptable post-close revenue risk for most buyers.
Red flag: One or two clients represent more than 30% of total revenue without multi-year contracts in place.
Interview the seller directly about which client relationships are owner-managed versus handled by employed staff.
Owner-dependent client relationships are the single most common cause of post-acquisition revenue erosion in this sector.
Red flag: Seller is the primary point of contact for the top five revenue-generating accounts with no account manager in place.
Review customer tenure data and calculate the percentage of clients with more than three years of continuous service.
Long-tenured commercial security clients rarely churn — high tenure rates validate the stickiness of the installed base.
Red flag: Median customer tenure is less than two years or a significant number of top accounts were acquired in the last 18 months.
Verify that top commercial accounts — particularly property management and healthcare clients — are under written contracts.
Verbal or handshake agreements with large accounts are unenforceable and unassignable during a business transfer.
Red flag: Any top-10 revenue account is operating without a signed service or monitoring agreement currently in effect.
The technology platform installed across a security integrator's client base determines future service revenue, hardware refresh cycles, and competitive positioning. Assess obsolescence risk carefully.
Inventory all installed platforms by manufacturer — Avigilon, Genetec, Bosch, HID, Axis — and note platform generation and firmware currency.
Outdated on-premise DVR/NVR installations signal impending hardware refresh costs and potential client defection to cloud competitors.
Red flag: More than 40% of installed base is analog or first-generation IP systems without a documented upgrade path or plan.
Obtain and review all active vendor dealer agreements, authorized partner certifications, and territory exclusivity rights.
Preferred dealer status with Avigilon or Genetec provides margin advantages and access to enterprise deals unavailable to non-partners.
Red flag: Key dealer agreements contain change-of-control termination clauses that would void partner status upon acquisition.
Assess whether the technology stack is open-platform or proprietary and evaluate customer lock-in versus switching cost risk.
Proprietary platforms create short-term lock-in but long-term client dissatisfaction if the platform falls behind market innovation.
Red flag: Primary platform is an obscure or discontinued brand with no active manufacturer support or certified upgrade program.
Review any cloud-managed security service agreements and confirm cloud platform vendor stability and pricing structure.
Cloud VMS and access platforms (Eagle Eye, Brivo, Verkada) carry SaaS-style margin but require ongoing vendor relationship management.
Red flag: Cloud service resale margins are below 20% or vendor agreements have been renegotiated unfavorably in the prior 12 months.
Licensed technicians and experienced project managers are scarce and expensive to replace. Evaluate who runs the business day-to-day and what it takes to keep them post-close.
Map every employee's role, certification status, tenure, and compensation against their replacement cost in the current labor market.
A single departing NICET-certified lead technician can stall installations and trigger contract defaults with commercial clients.
Red flag: One technician holds the majority of active certifications required for compliance with existing commercial service contracts.
Review all existing employment agreements, non-solicitation clauses, and non-compete agreements for field and sales staff.
Without enforceable non-solicitation agreements, departing technicians can directly solicit commercial clients post-close.
Red flag: No non-solicitation or non-compete agreements exist for any technicians or sales staff who maintain client relationships.
Assess the owner's current role — technical lead, primary sales rep, or operations manager — and design transition accordingly.
Owner-operators who serve dual roles as lead technician and primary salesperson represent severe key-person concentration risk.
Red flag: Owner performs more than 50% of field service calls or holds more than 40% of active client relationships personally.
Evaluate whether dispatch, project management, and service scheduling operate through documented SOPs or tribal knowledge.
Undocumented processes create operational fragility post-close and increase dependence on individual employees to function.
Red flag: No written SOPs exist for service dispatch, project handoffs, or preventive maintenance scheduling for recurring contracts.
Find Surveillance & Access Control Businesses For Sale
Vetted targets with diligence packages — skip the cold search.
Aim for a business where recurring monthly revenue represents at least 20–40% of total revenue. Below 20% signals a project-dependent business with high cash flow volatility. The strongest acquisitions in this space generate 30–40% RMR from long-term commercial monitoring, managed video, and service maintenance agreements — this is what supports 5x–6x EBITDA multiples. Anything primarily driven by one-time installation revenue should be priced and structured more conservatively, often with an earnout tied to RMR growth milestones post-close.
Licensing is one of the most deal-sensitive issues in security integration acquisitions. Most states require a separate contractor license for alarm, access control, or low-voltage work, and many licenses are tied to a qualifying individual — often the selling owner. If that license cannot transfer to the new entity, you may face a gap in legal operating authority that delays closing or requires the seller to remain as a licensed qualifier post-close. Begin the licensing review in the first 30 days of diligence, confirm the transferability of every active license with the relevant state board, and build adequate transition time into your closing timeline.
Owner-dependent customer relationships are the most common value risk in lower middle market security integration deals. The most effective structure is a combination of a seller earnout tied to RMR retention over 12–24 months post-close, plus a formal employment or consulting agreement that keeps the seller engaged in customer transitions and sales handoffs. Tie a meaningful portion of the purchase price — typically 10–20% — to verified RMR retention at 12 and 24 months. This aligns the seller's financial interest with a smooth customer transition and protects you from paying full value for relationships that don't transfer.
Start by inventorying every installed system by manufacturer, product generation, and platform type — distinguishing between legacy analog, first-generation IP, and modern cloud-managed deployments. Older DVR/NVR-based systems represent near-term hardware refresh costs and client churn risk as customers migrate to cloud video platforms. Verify that all dealer and authorized partner agreements with brands like Avigilon, Genetec, Axis, and HID are transferable and contain no change-of-control termination clauses. Also assess the cybersecurity posture of IP-connected client systems — networked surveillance platforms are a growing liability surface, and undisclosed prior incidents or lax security practices create post-close exposure you cannot price into a deal after the fact.
More Surveillance & Access Control Guides
More Due Diligence Checklists
Stop cold-searching. Find signal-scored Surveillance & Access Control targets with seller motivation already identified.
Create your free accountNo credit card required
For Buyers
For Sellers