Technology Due Diligence, Technical Due Diligence, IT Due Diligence, Code Review: What’s the Difference?

If you are evaluating a technology acquisition, you will quickly encounter a confusing array of terms: technology due diligence, technical due diligence, IT due diligence, code review. They are often used interchangeably — by investors, advisors, and providers alike — but they are not the same thing.

Using the wrong type of assessment for your situation can leave material risks undetected. Understanding the distinction helps you commission the right engagement and ask the right questions of any provider you consider.


What Is a Code Review?

A code review is the most narrowly scoped of the four. It is a direct examination of the source code — assessing quality, structure, readability, and adherence to best practices. A well-conducted code review will surface issues such as poor coding standards, duplicated logic, inadequate error handling, and outdated dependencies.

Code reviews are valuable, but they are limited by design. They assess what has been written, not how the system is architected, operated, or secured at the infrastructure level. A code review is a component of technology due diligence — not a substitute for it. Commissioning a code review in place of a full technology due diligence is one of the most common mistakes acquirers make.


What Is Technical Due Diligence?

Technical due diligence is a significantly broader assessment. It encompasses the codebase review but extends across the full engineering stack — examining architecture, scalability, security at the application layer, infrastructure, DevOps maturity, and engineering team capability.

Key areas covered in a technical due diligence typically include:

  • Code quality and technical debt
  • Architecture design and scalability
  • Security vulnerabilities and application-level posture
  • Infrastructure and deployment practices
  • Development processes and engineering team capability

The term “technical” reflects the nature of the work — it is hands-on, engineering-led, and requires genuine technical expertise to conduct properly. For most SaaS and software acquisitions, a technical due diligence represents the minimum viable scope of assessment.


What Is IT Due Diligence?

IT due diligence focuses on the broader IT environment of a business — internal systems, network infrastructure, hardware, software licences, cybersecurity governance, and IT operations. It is most relevant for acquisitions of traditional or non-technology businesses where the IT infrastructure supports operations but is not the core product.

Where technical due diligence asks “is the software well-built?”, IT due diligence asks “is the IT environment well-managed?” The two can overlap — particularly around security and infrastructure — but serve different primary purposes.

For pure software and SaaS acquisitions, IT due diligence alone is rarely sufficient. For acquisitions of businesses with significant operational IT dependency — manufacturing, logistics, financial services — IT due diligence may be the more relevant starting point, often combined with elements of technical assessment.


What Is Technology Due Diligence?

Technology due diligence is the most comprehensive of the four. It encompasses everything in a technical due diligence — but extends the lens beyond the engineering layer to consider the strategic and commercial dimensions of the technology.

In addition to the full technical assessment, a technology due diligence examines:

  • Technology strategy — is the product roadmap credible and well-resourced? Does the technology direction align with the acquirer’s plans?
  • IP ownership and licensing — does the company actually own its core technology? Are there open source licences or third-party dependencies that create legal risk?
  • Vendor and key person dependency — is the business dangerously reliant on a single provider, technology partner, or a small number of individuals?
  • Technology as a value driver — is the technology a genuine competitive differentiator, or a commodity that could be replicated or replaced?
  • Post-acquisition integration — how complex would it be to integrate this technology into an existing portfolio or platform?

Technology due diligence asks not just “is this well-built?” but “does this technology support the investment thesis — and what are the risks and opportunities it creates?”


Which One Do You Actually Need?

Code Review Technical DD IT DD Technology DD
Codebase assessment
Architecture & scalability
Security vulnerabilities & penetration testing Partial Partial
Security certifications & compliance (SOC 2, ISO 27001) Partial
IT infrastructure & systems Partial
IP & vendor risk
Strategic & commercial context

Security deserves particular attention. It sits at the intersection of all four assessment types — yet none of them covers it fully in isolation. A code review may surface insecure coding practices but will miss infrastructure vulnerabilities. A technical due diligence will assess security posture at the application layer but may not examine compliance certifications or third-party vendor risk. An IT due diligence covers network and systems security but rarely goes deep into the codebase. Only a full technology due diligence treats security as a cross-cutting concern — examining it at the code, architecture, infrastructure, and compliance levels simultaneously.

For a SaaS or technology acquisition of any significance, technology due diligence is the appropriate scope. A code review alone or a purely technical assessment will leave gaps that could prove costly post-close.


How VeryDiligent Can Help

At VeryDiligent, we use the term technology due diligence deliberately — because we believe a genuinely useful assessment must go beyond the code. Our engagements combine deep, engineering-led technical assessment with strategic analysis of technology risk, IP ownership, vendor dependency, security posture, and post-acquisition integration complexity.

The result is findings that are actionable not just for your technical team, but for your deal structuring, investment committee, and portfolio management.

Contact us today to discuss your upcoming transaction.

