federated, high impact, advanced business case, legal




Key Roles

Risk Manager, Technical Investigator, Deal Lead

Key Feature Aspects:

fair, easy, fast, rigorous

About this Use Case


Progress Updated Periodically

The Mergers & Acquisitions diligence practice is overdue for a modern approach. Both the buy-side and sell-side benefit from highly accurate assessments. With so many other non-cyber factors to consider during M&A, the fact that cyber risk can be scientifically quantified using services like BreachRisk can allow teams to efficiently evaluate cyber risk and focus on more subjective elements of the process.

Success Summary

Why BreachRisk™ is a good fit

Standardization and participation are key aspects here. Our sponsoring organizations know our process and trust our results, and standardization complements process. Targets quickly recognize that our assessments are not only rigorous, but extremely fair.

Barriers or misconceptions

M&A is a textbook negotiation process. At each gate, more trust is gained from each side. We've quickly been able to overcome hesitancy of the target to run our services.

Key outcomes

Targets can justify a higher valuation. Sponsors (buyers) can have a better understanding of what they are buying - especially if they need to prepare for a large IT/security overhaul during the integration phase post-acquisition.


BreachRisk fully emulates real attacker activities with actual measurements and testing. Attackers conduct a wide variety of activities when planning and conducting attacks.

When applied to M&A use cases, BreachRisk services apply capabilities during one or more of the following three phases: pre-diligence, active diligence, and post-acquisition system integration.

  • Pre-diligence is defined as a "passive phase" prior to focused due diligence, similar to an initial survey, and does not require participation of the target entity.

  • Active diligence begins when the target begins due diligence in earnest and participates to ensure full coverage of the analysis.

  • Post-acquisition monitoring covers what is typically a very high-risk period for both buy-side and sell-side, because of the large IT and security configuration changes that typically accompany the merging of two organizations, and because attackers actively seek to attack buy-side and sell-side targets that they presume have large amounts of liquid capital on hand, both for the purchase and for various other purposes.

Our job at BreachBits is to "do what attackers do" and quantify the risk of a breach. We generally perform the following continuous activities during analysis. Analysis based on these activities is designed to be independently defensible but also to corroborate surveys or analysis from sources other than BreachBits:

  • Attack Surface Discovery. "Where does this entity exist in cyberspace?" Our analysis attempts to find the entity in cyberspace the same way an attacker would. This can discover and confirm where the entity is present to aid other diligence activities.

  • Attack Surface Monitoring. "When the attack surface changes, how is it changing?" Modern IT infrastructures are constantly changing, both as a result of deliberate changes by the target and because of the vast infrastructure provided by third parties (e.g. cloud services) that evolves independently of the target's control. Continuous monitoring of these changes is necessary to properly characterize risk.

  • Attack Planning. "What and where will attackers plan to attack?" Cyber attackers are very methodical. Understanding how they would plan to launch attacks provides incredible value when characterizing the risk of a breach. This can help the sell-side adjust defensive strategy prior to close, and informs the buy-side of cyber and technology migration risks they may inherit.

  • Dark Web Exposures. "Can attackers find information on the dark web that could be used to cause a breach?" Attackers attempt to obtain information from nefarious sources to make attacks easier. This could include stolen passwords, stolen records, and more. This activity enhances our other testing activities and provides general observations that help tell the story of the target's ability to protect sensitive data.

  • Perimeter Testing. "Can observable perimeter risks actually be breached?" To fully eliminate the false positives that typically accompany cyber risk analysis, it is necessary to actually attempt attacks in the same ways attackers would. False positives significantly threaten the confidence of analysis for both buy-side and sell-side, and therefore must be eliminated. This activity greatly enhances the fidelity of our findings and can save considerable time during diligence by proving or disproving theoretical threats altogether, e.g. the time typically consumed by correspondence and issue tracking between buy-side and sell-side agents. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.

  • Cloud Testing. "Can observable cloud risks actually be breached?" This activity is similar to perimeter testing, but is performed against the cloud infrastructure of the target. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.

  • Spearphishing. "Can attackers exploit users of the target via email?" The vast majority of high-impact breaches begin when attackers trick employees of the target via malicious email attacks. It is especially important to measure the target's susceptibility to these types of attacks. We actively attempt to defeat the policy, technical, and training controls of the target organization. This also helps tell the story of the target's ability to put technical security controls in place and to provide effective policy and behavior training for employees. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.

  • Risk Quantification. "On a 10-point scale, what's the risk of a breach?" Fair characterization of risk observations is as important as the analysis itself. Our quantification is derived from a carefully crafted calculus based on industry-supported standards and expert determinations. Each analysis during all phases includes a standardized risk score, which provides an absolute risk characterization and also allows comparison to other targets. This enables risk ranking among groups of targets and vendors.

  • Vendor/Supply Chain Analysis. "Can attackers breach the target's vendor ecosystem?" Many attacks start by compromising a lesser-defended third party and then exploiting trusted technology interfaces to reach the target. The same activities we aim at the target directly can be used to analyze the target's vendor pool. This activity requires tight cooperation from the target and can even include participation by the target's vendors.