Letter of Intent Template for Acquiring a Cybersecurity Consulting Firm

A field-tested LOI framework built for IT security acquisitions — covering recurring revenue verification, key-man risk protections, certification audits, and liability carve-outs before you enter exclusivity.

An LOI for a cybersecurity consulting acquisition is not a generic business purchase term sheet. Cybersecurity firms present a unique combination of intangible value drivers — certified talent, retainer relationships, proprietary frameworks, and compliance delivery credentials — alongside outsized risks that must be addressed before exclusivity is granted. A buyer acquiring a $2M revenue penetration testing and vCISO advisory firm must distinguish recurring retainer revenue from one-time assessment projects, quantify key-man dependency before the founder's name appears on a single client renewal, and confirm that past assessment reports do not carry unresolved errors-and-omissions exposure. This guide walks through each section of a properly structured LOI for a cybersecurity consulting firm in the $1M–$5M revenue range, with negotiation notes specific to IT security deal dynamics, SBA-eligible transaction structures, and the earnout and equity rollover provisions most commonly used in this sector.

LOI Sections for Cybersecurity Consulting Acquisitions

Parties and Transaction Overview

Identifies the buyer, seller, and legal entity being acquired. Specifies whether the transaction is structured as an asset purchase or stock purchase, which is a critical threshold decision in cybersecurity given client contract assignability and potential liability exposure from past assessments.

Example Language

This Letter of Intent ('LOI') is entered into as of [Date] between [Buyer Legal Name] ('Buyer') and [Seller Legal Name] ('Seller'), the owner(s) of [Target Company Name], a [State] [LLC/Corporation] ('Company'). Buyer proposes to acquire substantially all assets of the Company, including all client contracts, intellectual property, proprietary frameworks, toolsets, employee relationships, and goodwill, structured as an asset purchase. The parties acknowledge that final transaction structure may be subject to modification based on due diligence findings, lender requirements under an SBA 7(a) loan, and client contract assignability review.

💡 Cybersecurity buyers should strongly prefer an asset purchase structure to isolate liability from prior client engagements, disputed security assessments, or any undisclosed data incidents. Sellers often push for a stock sale to achieve capital gains treatment — this tension is common and may be resolved through purchase price adjustments or indemnification escrows. If the company holds government contracts or CMMC certifications, consult legal counsel on whether an asset purchase triggers novation requirements under FAR clauses, which can significantly delay closing.

Purchase Price and Valuation

States the proposed total enterprise value, the basis for valuation, and how the purchase price was derived. For cybersecurity consulting firms, buyers typically apply a 4x–7x EBITDA multiple with the exact multiple hinging on recurring revenue percentage, team depth, and client concentration.

Example Language

Buyer proposes a total purchase price of $[X,XXX,000] ('Purchase Price'), representing approximately [5.0x] trailing twelve-month adjusted EBITDA of $[XXX,000] as represented by Seller. This multiple reflects the Company's stated recurring retainer revenue base representing [X]% of total revenue, team of [X] certified professionals holding active CISSP, CISM, and CEH credentials, and diversified client base with no single client exceeding [X]% of revenue. Buyer reserves the right to adjust the Purchase Price following completion of financial, operational, and technical due diligence, including independent verification of revenue categorization and EBITDA normalization.

💡 The 4x–7x range for cybersecurity consulting is wide by design — a firm with 60% recurring retainer revenue, three independently certified consultants, and multi-year contracts with healthcare or defense clients commands the upper range. A founder-dependent firm with 70% project-based revenue from one-time pen tests trades closer to 4x–4.5x. Buyers should normalize EBITDA for above-market founder compensation, personal expenses run through the business, and any non-recurring revenue from large one-time compliance projects. Sellers should document adjusted EBITDA clearly in a quality of earnings summary before LOI to avoid aggressive post-LOI retrading.

Deal Structure and Payment Terms

Breaks down how the total purchase price is allocated among cash at close, seller financing, earnout provisions, and any equity rollover. Cybersecurity deals routinely use multiple consideration tranches to address key-man risk and revenue quality uncertainty.

Example Language

The Purchase Price shall be funded as follows: (i) Cash at Close: $[X,XXX,000] representing approximately [70]% of the Purchase Price, to be funded through a combination of Buyer equity and proceeds from an SBA 7(a) loan; (ii) Seller Note: $[XXX,000] representing approximately [15]% of the Purchase Price, subordinated to SBA lender, bearing interest at [6]% per annum, payable over [24] months, subject to offset for indemnification claims; (iii) Earnout: Up to $[XXX,000] representing approximately [15]% of the Purchase Price, payable over [24] months following close contingent on the Company achieving trailing EBITDA of not less than $[XXX,000] in each earnout year; and (iv) Equity Rollover [if applicable]: Seller to retain [20]% equity interest in the combined entity alongside [PE Sponsor/Buyer] for a period of [3–5] years.

💡 The seller note tied to client retention is the most effective mechanism to manage key-man risk in cybersecurity acquisitions — it creates financial alignment for the founder to support transition without requiring complex earnout definitions. Earnouts should be defined on EBITDA rather than revenue to prevent sellers from discounting retainers or accepting low-margin projects to hit a revenue threshold. If a PE sponsor is involved, equity rollover of 15–25% is standard and attractive to founders who believe in the platform growth story. SBA lenders will require the seller note to be fully subordinated and on-standby for the first 24 months, which sellers sometimes resist — this must be disclosed early in negotiations.

Due Diligence Scope and Timeline

Defines the due diligence process, key focus areas specific to cybersecurity consulting, and the timeline for completion prior to entering a binding purchase agreement.

Example Language

Following execution of this LOI, Buyer shall have [60] days to complete due diligence ('Due Diligence Period'), which shall include but not be limited to: (i) financial due diligence including review of three years of accrual-basis financial statements, client revenue schedules categorized by retainer, project, and time-and-materials engagements, and EBITDA normalization analysis; (ii) revenue quality review including contract-by-contract analysis of renewal history, change-of-control provisions, and client concentration; (iii) technical and operational review including certification audit of all billable professionals, review of proprietary service delivery frameworks and SOPs, and assessment of toolset ownership and licensing; (iv) legal and liability review including all prior security assessment reports, errors-and-omissions insurance claims history, and employee non-solicitation and non-compete agreements; and (v) government contracting review if applicable, including CMMC, FedRAMP, or classified contract compliance status. Seller shall provide access to a virtual data room within [5] business days of LOI execution.

💡 Sixty days is appropriate for a cybersecurity consulting acquisition of this complexity — do not allow a seller to compress this to 30 days, particularly if government contracts or past incident exposure exists. Buyers should engage a technical advisor or senior cybersecurity professional to review service delivery frameworks and assess whether the methodology is truly proprietary or simply repackaged open-source tooling. The certification audit is non-negotiable: verify that CISSP, CISM, CEH, and OSCP credentials are individually held by team members and not lapsing within 12 months of close. Past assessment reports carry potential E&O liability and must be reviewed by legal counsel before close.

Exclusivity

Grants the buyer an exclusive negotiating period during which the seller agrees not to solicit or entertain competing offers, allowing the buyer to invest in due diligence with confidence.

Example Language

In consideration of Buyer's commitment to dedicate resources to due diligence and transaction costs, Seller agrees to negotiate exclusively with Buyer for a period of [60] days from the date of LOI execution ('Exclusivity Period'). During the Exclusivity Period, Seller and its representatives shall not solicit, initiate, or participate in discussions with any other party regarding a potential sale, merger, recapitalization, or disposition of the Company or its assets. The Exclusivity Period may be extended by mutual written agreement of the parties for up to an additional [30] days if due diligence is substantially complete but final documentation remains in progress.

💡 Sixty days of exclusivity is standard and appropriate given the due diligence scope for a cybersecurity consulting firm. Sellers should resist agreeing to exclusivity before receiving a signed LOI with clearly stated purchase price and structure — a loose indication of interest is not sufficient. Buyers should include a carve-out confirming that exclusivity does not prevent the seller from renewing client contracts or hiring replacement staff during the diligence period, as pausing normal business operations during exclusivity can erode the very value being acquired.

Key-Man and Transition Provisions

Addresses the single most critical risk in cybersecurity consulting acquisitions — founder or lead consultant dependency — by defining transition support obligations, employment or consulting agreement terms, and client relationship transfer protocols.

Example Language

Seller acknowledges that the Company's client relationships, technical reputation, and service delivery continuity are material to the value being acquired. As a condition to closing, Seller agrees to: (i) execute an Employment Agreement or Consulting Agreement for a transition period of not less than [24] months post-closing, with compensation of $[XXX,000] per year and performance incentives tied to client retention; (ii) cooperate in the introduction of Buyer's designated relationship managers to all clients representing more than [5]% of trailing revenue within [90] days of closing; (iii) provide written documentation of all active client engagement histories, security assessment methodologies, and account-specific service protocols; and (iv) refrain from soliciting clients or employees of the Company for a period of [3] years post-closing within [geographic scope or national scope for cybersecurity].

💡 The transition agreement is where many cybersecurity deals fail post-close. Founders who feel constrained by a non-compete or undervalued in their transition role disengage quickly, and clients notice. Structure the transition compensation generously relative to the earnout — a founder earning $200K during a 24-month transition is far cheaper than losing three retainer clients worth $600K in annual recurring revenue. Non-competes in cybersecurity are enforceable in most jurisdictions but must be reasonable in scope — a blanket national non-compete may not hold if challenged. Consider a narrower restriction tied to the specific verticals or client segments where the founder has direct relationships.

Representations and Warranties

Outlines the key representations the seller must make regarding the accuracy of financials, validity of client contracts, status of employee agreements, absence of litigation, and accuracy of certifications and compliance credentials.

Example Language

Seller represents and warrants to Buyer that as of the date hereof and as of the closing date: (i) all financial statements provided to Buyer accurately reflect the revenues, expenses, and EBITDA of the Company on an accrual basis; (ii) all client contracts are valid, enforceable, and to Seller's knowledge contain no change-of-control provisions that would result in automatic termination upon closing without client consent; (iii) all employees and contractors identified as certified professionals hold current and valid certifications as represented, with no known lapsing credentials within 12 months; (iv) the Company has not been party to, and has no knowledge of, any pending or threatened errors-and-omissions claim, data breach notification obligation, or client dispute arising from a prior security assessment or consulting engagement; (v) all employee non-solicitation agreements, non-competes, and NDAs are current, executed, and to Seller's knowledge enforceable under applicable state law; and (vi) if the Company holds any government contracts, all applicable compliance requirements including CMMC, FedRAMP, or DFARS clauses are currently satisfied.

💡 The E&O and data breach representation is the most negotiated rep in cybersecurity consulting acquisitions. Sellers should expect buyers to request a survival period of 3–5 years for this specific representation given that breach events or client disputes arising from past assessments may not surface for years after an engagement. Buyers should require cyber liability and E&O insurance to remain in force for at least 24 months post-close as a condition of the transaction, with the seller funding a tail policy if coverage is not transferable. Certification representations should be verified independently — never rely solely on a seller-provided credential list.

Conditions to Closing

Enumerates the conditions that must be satisfied before the transaction can close, including lender approval, client consent where required, employee agreement execution, and regulatory clearances.

Example Language

The obligation of Buyer to consummate the transaction is subject to satisfaction of the following conditions prior to or at closing: (i) Buyer's receipt of SBA 7(a) loan approval in an amount sufficient to fund the cash-at-close component of the Purchase Price; (ii) written consent or acknowledgment from clients representing no less than [80]% of trailing twelve-month recurring retainer revenue, confirming continued engagement post-closing on materially similar terms; (iii) execution of Employment or Consulting Agreements by Seller and no fewer than [X] key certified technical staff identified during due diligence; (iv) delivery of all client contracts, vendor agreements, employee agreements, and IP assignments in form acceptable to Buyer's counsel; (v) no material adverse change in the Company's business, client base, or financial condition between LOI execution and closing; and (vi) resolution to Buyer's reasonable satisfaction of any outstanding E&O claims, data incident notifications, or government contracting compliance deficiencies identified during due diligence.

💡 The client consent condition is the most operationally complex condition in a cybersecurity consulting closing. Change-of-control clauses in retainer agreements — particularly with healthcare, finance, or government clients — may require affirmative written consent before an assignment is effective. Buyers who fail to audit these clauses before LOI often discover that 20–30% of their acquired recurring revenue base requires consent they cannot obtain. This condition should be structured as a percentage threshold rather than an all-or-nothing requirement, with a purchase price reduction mechanism if consent falls below the target threshold.

Key Terms to Negotiate

Revenue Quality Adjustment Mechanism

Buyers should insist on a post-closing true-up mechanism that reduces the seller note or triggers escrow release conditions if recurring retainer revenue falls below a defined threshold within 12 months of closing. In cybersecurity consulting, the difference between a 60% recurring revenue firm and a 60% project-based firm can represent a full turn of EBITDA multiple — typically $400K–$700K on a $2M revenue deal. Define recurring revenue precisely in the LOI to avoid disputes: only true multi-month retainer contracts with automatic renewal provisions should count, not open-ended time-and-materials arrangements billed monthly.

Earnout Definition and EBITDA Normalization

Earnout provisions in cybersecurity consulting acquisitions must specify how EBITDA is calculated post-closing, including treatment of buyer integration costs, changes in compensation for retained staff, and any new overhead allocated by a PE platform. Sellers should negotiate for earnout measurement on a standalone basis — excluding any costs imposed by the buyer's organization — and cap the buyer's ability to change pricing, service mix, or client acquisition strategy in ways that structurally impair earnout achievement. Buyers should ensure the earnout period begins only after a defined transition stabilization period of 90–180 days.

Non-Compete Scope and Carve-Outs

Non-compete agreements in cybersecurity must balance legitimate business protection with the technical founder's career reality. A blanket 3-year national non-compete in cybersecurity consulting is increasingly challenged and may be unenforceable in states like California, Minnesota, or Oklahoma. Buyers should focus restriction language on specific client lists, vertical markets served, and named competitors rather than broad industry prohibitions. Sellers should negotiate carve-outs for academic publishing, conference speaking, open-source contributions, and advisory board roles that do not involve direct competitive service delivery.

Certification Continuity and Talent Retention Incentives

The value of a cybersecurity consulting firm is partially embedded in its team's active certifications. Buyers should negotiate seller-funded retention bonuses for CISSP, CISM, CEH, and OSCP-credentialed staff as a condition of closing, funded from the seller's proceeds or through the seller note. Retention periods of 12–24 months with defined payout triggers create alignment between certified staff and the new owner's integration goals. Buyers should also require the seller to fund a professional development escrow sufficient to cover one full round of certification renewals for the core technical team.

Indemnification Escrow for E&O and Breach Liability

Cybersecurity consulting firms carry a unique tail liability risk: a client breach that occurs after a clean security assessment can generate E&O claims against the consulting firm that performed the work, sometimes years after the engagement. Buyers should require 10–15% of the purchase price placed in escrow for 24–36 months as a source of recovery for indemnification claims arising from pre-closing assessments, data incidents, or client disputes. Sellers should negotiate a dollar-threshold basket — typically 1% of purchase price — before indemnification obligations are triggered, and a cap on indemnification equal to the escrow amount for general reps, with a higher or uncapped exposure only for fraud or intentional misrepresentation.

Common LOI Mistakes

  • Accepting a seller's revenue categorization at face value without independently mapping each client contract to a revenue type — in cybersecurity consulting, retainer, project, and time-and-materials revenue carry fundamentally different risk profiles and valuation implications, and sellers often classify flexible monthly engagements as recurring when they are terminable on 30 days' notice.
  • Signing an LOI without auditing team certifications — buyers who assume CISSP or CISM credentials are current and discover post-LOI that three of five certified staff have lapsing credentials face a significant talent cost surprise that erodes the EBITDA multiple they underwrote.
  • Failing to identify and map change-of-control provisions in client contracts before entering exclusivity, which frequently forces buyers into renegotiation with clients at a moment of maximum leverage disadvantage, sometimes resulting in discounted retainer renewals or outright client departure.
  • Structuring an earnout on total revenue rather than EBITDA in a business where adding one senior security analyst at $180,000 in total compensation can swing annual EBITDA by 25%, creating perverse incentives for the selling founder to defer necessary hires during the earnout measurement period.
  • Underestimating the complexity of government contract novation if the target holds CMMC, FedRAMP, or classified federal engagements — an asset purchase of a company with federal contracts may require agency-by-agency novation approval that adds 90–180 days to the closing timeline and can result in contract termination if not managed with experienced federal contracting counsel.

Frequently Asked Questions

What valuation multiple should I expect to pay for a cybersecurity consulting firm with strong recurring revenue?

Cybersecurity consulting firms with 50% or more of revenue from multi-year retainer or managed security service contracts, a team of three or more independently certified professionals, and diversified client bases with no single client above 15–20% of revenue typically trade at 5x–7x trailing EBITDA in the current lower middle market. Firms dominated by one-time penetration testing projects, founder-dependent client relationships, or revenue concentrated in one or two large accounts trade in the 4x–5x range. For a firm generating $500K in adjusted EBITDA, the difference between a 4.5x and a 6.5x transaction is $1M in purchase price — which is why proving revenue quality before LOI is the single highest-value action a seller can take.

How do I address key-man risk in the LOI when the founder holds all major client relationships?

Address key-man risk with three interlocking LOI provisions: first, a transition employment or consulting agreement of at least 24 months with compensation structured to retain engagement; second, a seller note of 15–20% of purchase price that is reducible if named clients representing a defined percentage of retainer revenue do not renew within 18 months of closing; and third, a pre-closing requirement that the seller begin introducing buyer's designated account managers to all clients exceeding 5% of revenue before the transaction closes. Buyers should not rely on a non-compete alone to manage this risk — key-man risk in cybersecurity is about relationship continuity, not just competitive restraint, and the best protection is a well-compensated, motivated founder who has financial reasons to ensure clients stay.

Can I use an SBA 7(a) loan to finance a cybersecurity consulting acquisition?

Yes, cybersecurity consulting firms are SBA 7(a) eligible provided the target meets standard SBA eligibility requirements and the deal is structured appropriately. SBA lenders will scrutinize revenue quality heavily — specifically the ratio of recurring retainer revenue to project-based revenue — because the cash flow predictability of retainer contracts supports the debt service coverage ratios lenders require. Goodwill-heavy acquisitions, which most cybersecurity consulting deals are, are eligible under SBA guidelines as long as the loan does not exceed the SBA maximum of $5M and the transaction includes a meaningful equity injection, typically 10–20% of total project cost. Seller notes are permitted but must be on full standby for 24 months, which sellers occasionally find unacceptable — raising this early in LOI negotiations prevents late-stage deal failures.

What should be included in the due diligence data room for a cybersecurity consulting acquisition?

A well-prepared cybersecurity consulting data room should include three years of accrual-basis financial statements reviewed or audited by a CPA, a client revenue schedule breaking down each client by revenue type and contract term, copies of all active client contracts with change-of-control provisions flagged, a certification roster listing all team members with credential names and expiration dates, copies of all employee non-solicitation agreements and non-competes, the company's errors-and-omissions and cyber liability insurance policies with claims history, samples of proprietary service delivery frameworks and SOPs for core offerings, any government contract documentation including CMMC or FedRAMP compliance records, and a description of all toolsets used in service delivery with ownership and licensing status clearly identified. Sellers who assemble this package before going to market consistently receive higher offers and experience fewer due diligence re-trades.

How should an earnout be structured for a cybersecurity consulting acquisition to protect both buyer and seller?

Earnouts in cybersecurity consulting acquisitions work best when measured on EBITDA rather than revenue, calculated on a standalone basis excluding costs imposed by the buyer's organization, and paid in annual tranches over 24 months rather than as a single back-end payment. Sellers should negotiate for an earnout definition that excludes integration expenses, platform overhead allocations, and buyer-directed pricing changes that structurally reduce revenue. Buyers should ensure the earnout begins only after a 90–180 day transition period and includes provisions that accelerate full earnout payout if the seller is terminated without cause during the earnout period. A well-structured earnout in a $3M revenue cybersecurity firm might be $400K–$600K contingent on maintaining $500K EBITDA in each of years one and two post-close — meaningful enough to motivate the founder without representing more than 20–25% of total purchase price.
