MergeSentinel

Sample cybersecurity due diligence report

Illustrative full report

Apex Corp cyber diligence report for Bertie Wooster Enterprises

Apex Corp is a $50 million revenue aerospace target operating in AWS. Submitted evidence was classified against the 74-item Master DD Matrix and scored with FAIR: core controls exist, but buyer-grade evidence is uneven across privileged access, incident response, and AI governance.

Overall risk: Medium
Risk score: 46 / 100
Confidence: Medium
Industry: Aerospace
Cloud: AWS

Current Total Annualized Loss Expectancy (ALE): $1.4M

Deal Adjustment Range: $3.1M - $4.8M

Remediation Range: $420K - $775K

FAIR Coverage: 61%

Executive Summary

Acquisition target: Apex Corp. Buyer: Bertie Wooster Enterprises.

Apex Corp appears supportable for acquisition, but the cyber posture should be treated as conditional rather than clean. The company has a functional security program and reasonable AWS operating maturity for its size, yet the diligence record does not fully prove privileged access discipline, incident readiness, or aerospace-specific compliance coverage. The recommended deal posture is proceed with conditions: require focused pre-close evidence, reserve budget for post-close cloud hardening, and consider a targeted escrow for unresolved control gaps.

Deal Decision

Plain-English readout for the investment committee (IC).

Decision: Proceed with conditions

No single issue blocks the transaction today, but the buyer should not price Apex Corp as a fully mature security program.

Key Findings

Evidence-linked, deal-ready findings

Two of the nine findings are shown in this illustrative report.

Privileged access controls need stronger evidence

Severity: High | Confidence: High | Timing: Pre-close | Current ALE: $420K

The diligence record shows MFA mandates and least-privilege language in policy, but no current privileged account inventory or quarterly access review evidence was provided.

Business impact: A compromised administrator account could reach production aerospace customer data, triggering contract and export-control exposure.

Technical impact: Unverified admin sprawl across AWS control plane; blast radius of a single credential compromise cannot be bounded.

Recommendation: Require a signed privileged access inventory with MFA status and the latest quarterly access review before close.

Owner: Buyer security lead with target IT director

Effort: 2-3 weeks with existing IT staff

Evidence: IAM_Policy_v2.1.docx; AWS account inventory (questionnaire response); MFA attestation (pending)

Incident response evidence is incomplete

Severity: Medium | Confidence: Medium | Timing: Day 1 | Current ALE: $260K

An incident response plan exists and names an on-call rotation, but no tabletop exercise records or restore-test results were submitted.

Business impact: An incident in the first year post-close would be handled by an untested plan, extending downtime for revenue-critical engineering systems.

Technical impact: Recovery time objectives are asserted, not demonstrated; backup restore path has no recent verification.

Recommendation: Request the most recent tabletop record and a verified restore test; schedule a joint exercise for Day 1 if none exists.

Owner: Target CISO; buyer integration PMO to observe

Effort: 1 facilitated tabletop + restore test, ~2 weeks elapsed

Evidence: Incident_Response_Plan_v1.2.docx; Backup policy summary (questionnaire response)

Board Summary

Apex Corp has enough cybersecurity maturity to remain an attractive aerospace acquisition target, but Bertie Wooster Enterprises should condition close on evidence of access controls and incident readiness. The dollarized cyber exposure is meaningful but manageable with targeted escrow, remediation budget, and Day 1 integration oversight.

CFO / Deal Team Summary

Use the FAIR deal adjustment range as an analytical starting point, not a final valuation opinion. A reasonable negotiation posture is a focused escrow or holdback tied to privileged access, AWS configuration, incident response testing, and aerospace compliance documentation.

CISO / Engineering Summary

Prioritize privileged access review, centralized AWS logging, configuration baselines, incident response validation, and critical vendor evidence. The technical debt is not unusual for a $50 million target, but it should be sequenced deliberately in the first 90 days.

Deal Impact

Cyber risk does not block the transaction, but it shifts deal mechanics: pre-close evidence conditions, a targeted escrow sized from the FAIR range, and a defined post-close hardening budget. Integration timelines should assume identity and logging consolidation in the first quarter.

Investment Thesis Impact

The aerospace growth thesis holds. Security maturity is behind the revenue story by roughly one budget cycle, which is priceable. The main thesis risk is compliance: export-controlled data handling must be evidenced before expanding government-adjacent contracts.

Risk Areas

Coverage across every report section

Security Posture: Medium

Core controls exist; admin MFA coverage attestation still pending.

Privacy / Compliance: Medium

Export-controlled aerospace data flows are not fully mapped.

Integration Risks: Medium

Identity-stack consolidation required in the first 90 days.

Technical Debt: Medium

Build pipeline lacks automated security scanning gates.

Architecture Scalability: Medium

Single-region AWS footprint; failover untested at scale.

AI/ML Considerations: High

No AI governance policy covering engineering copilots and data retention.

FAIR Financial Risk and Deal Economics

Monetary values are analytical estimates requiring qualified risk, legal, financial, and deal advisor review.

Current Total Annualized Loss Expectancy (ALE): $1.4M

Total Inherent Annualized Loss Expectancy (ALE): $3.6M

Total Residual Annualized Loss Expectancy (ALE): $820K

Achieved Risk Reduction: $2.2M

Max Risk Reduction: $2.8M

Uncertainty Premium: 25.4%

Deal Economics

Deal adjustment range: $3.1M - $4.8M

Suggested analytical range for price adjustment, escrow holdback, special indemnity, or closing condition discussion. This is not a guaranteed loss or final valuation opinion.

Remediation budget: $420K - $775K

Escrow recommendation: Targeted escrow with pre-close evidence conditions

Price adjustment rationale: Medium posture with unresolved high-impact evidence gaps

Top Monetary Risks

Where the deal economics move

Evidence-linked findings
Privileged access controls need stronger evidence

Severity: High | Timing: Pre-close

Elevated blast radius for AWS control-plane compromise.

Evidence: IAM questionnaire, AWS account inventory, MFA attestation

Current Annualized Loss Expectancy (ALE): $420K

Require pre-close evidence of privileged access governance.

AWS security posture is adequate but not acquisition-ready

Severity: Medium | Timing: First 30 days

Misconfigured storage or weak network segmentation could expose regulated aerospace data.

Evidence: AWS architecture notes, vulnerability response answers

Current Annualized Loss Expectancy (ALE): $310K

Run a buyer-directed cloud configuration review before signing.

Incident response evidence is incomplete

Severity: Medium | Timing: Day 1

Operational resilience is plausible, but response maturity is not yet defensible.

Evidence: Incident response questionnaire, backup policy summary

Current Annualized Loss Expectancy (ALE): $260K

Request incident tabletop records and restore-test results.

Category Financial Breakdown

Current annualized loss exposure across the 8 Master DD Matrix categories, with evidence coverage per category.

Infrastructure & Cloud Security: 58% evidence coverage, $300K current ALE

AWS architecture is workable, but security baselines need independent review.

Identity, Access, & Asset Control: 62% evidence coverage, $400K current ALE

Privileged access and MFA evidence drive the largest current loss exposure.

Vulnerability & Software Lifecycle: 70% evidence coverage, $90K current ALE

Patch SLAs are defined; pipeline security gates are still manual.

Incident Response & Continuity: 50% evidence coverage, $250K current ALE

Plans exist, but tabletop and restore-test evidence is thin.

AI Data & Model Engineering: 40% evidence coverage, $30K current ALE

Limited production AI today, so exposure is small but unmonitored.

AI Governance, Trust, & Safety: 35% evidence coverage, $45K current ALE

No formal AI policy yet; copilot usage is growing unmanaged.

Governance, Risk, & Compliance: 67% evidence coverage, $175K current ALE

Aerospace customer obligations are understood but not fully mapped.

Vendor, Corporate, & Deal Risk: 60% evidence coverage, $110K current ALE

Critical supplier diligence is tracked but inconsistently evidenced.
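As an added reviewer's check (not part of the MergeSentinel report), the Python below reconciles the headline FAIR figures against the category breakdown above using only the page's own numbers, in thousands of USD. The $50K tolerance is an assumption chosen to absorb the report's rounding to one decimal $M.

```python
# Added example, not part of the MergeSentinel report: reconcile the headline
# FAIR figures against the report's own category breakdown. All numbers are
# copied from the page; money in thousands of USD, coverage in percent.
from statistics import mean

# "Category Financial Breakdown" rows: name -> (evidence coverage %, current ALE $K)
CATEGORIES = {
    "Infrastructure & Cloud Security": (58, 300),
    "Identity, Access, & Asset Control": (62, 400),
    "Vulnerability & Software Lifecycle": (70, 90),
    "Incident Response & Continuity": (50, 250),
    "AI Data & Model Engineering": (40, 30),
    "AI Governance, Trust, & Safety": (35, 45),
    "Governance, Risk, & Compliance": (67, 175),
    "Vendor, Corporate, & Deal Risk": (60, 110),
}

# "FAIR Financial Risk and Deal Economics" headline figures ($K, coverage in %)
HEADLINE = {"inherent": 3600, "current": 1400, "residual": 820,
            "achieved_reduction": 2200, "max_reduction": 2800, "fair_coverage": 61}


def reconcile(categories, headline, tolerance=50):
    """Map each check to (value recomputed from the page, within tolerance?).

    Tolerance is an assumption: the page rounds to one decimal $M, so gaps up
    to $50K are rounding rather than inconsistency.
    """
    category_sum = sum(ale for _, ale in categories.values())
    achieved = headline["inherent"] - headline["current"]
    max_reduction = headline["inherent"] - headline["residual"]
    return {
        "category_sum_vs_current_ale": (category_sum, abs(category_sum - headline["current"]) <= tolerance),
        "achieved_reduction": (achieved, abs(achieved - headline["achieved_reduction"]) <= tolerance),
        "max_reduction": (max_reduction, abs(max_reduction - headline["max_reduction"]) <= tolerance),
    }


def coverage_candidates(categories, headline):
    """Two plausible roll-ups of per-category evidence coverage into one figure.

    The page does not state how its headline FAIR coverage is derived; if neither
    candidate reproduces it, the roll-up method is a question for the report author.
    """
    simple = mean(cov for cov, _ in categories.values())
    total_ale = sum(ale for _, ale in categories.values())
    weighted = sum(cov * ale for cov, ale in categories.values()) / total_ale
    return {"simple_mean": round(simple, 1), "ale_weighted_mean": round(weighted, 1),
            "reported": headline["fair_coverage"]}
```

The eight category ALEs sum exactly to the $1.4M current ALE and both risk-reduction figures reconcile (max reduction recomputes to $2.78M, within rounding of $2.8M). Neither the simple mean (55.2%) nor the ALE-weighted mean (58.6%) of category coverage reproduces the 61% headline, so the coverage roll-up method should be confirmed before the figure is relied on.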

Evidence Gaps

Missing items that would improve valuation confidence.

Identity, Access, & Asset Control: Current AWS privileged account inventory with owner and MFA status.

Vulnerability & Software Lifecycle: Recent penetration test report or buyer-directed cloud security assessment.

Incident Response & Continuity: Incident response tabletop evidence and post-exercise action log.

Governance, Risk, & Compliance: Aerospace customer data handling matrix, including export-controlled data flows.

Vendor, Corporate, & Deal Risk: Vendor risk register for critical engineering, hosting, and support providers.

Source Coverage

Every report section traces back to questionnaire responses and classified evidence files.

Questions answered: 24 / 28

Evidence items: 14

Evidence items reviewed: 11

Findings traced: 9

Evidence items missing: 5

Recommended Follow-Ups

Diligence actions before terms are finalized.

  1. Make privileged access evidence a pre-close diligence condition.
  2. Confirm aerospace compliance obligations before final representations and warranties.
  3. Use a modest escrow or holdback to cover unresolved cloud and response evidence gaps.
  4. Stand up an AI usage and governance policy review with the target's engineering leads.

Remediation Roadmap

Sequenced from pre-close conditions through post-close hardening.

  1. Pre-close: privileged access inventory, MFA attestation, and quarterly access review evidence.
  2. Day 1: joint incident response tabletop and verified backup restore test.
  3. First 30 days: buyer-directed AWS configuration review (IAM, logging, segmentation).
  4. First 90 days: consolidate identity stack and enable centralized security logging.
  5. Post-close: AI governance policy, vendor evidence refresh, and compliance mapping.

Report Limitations

Human review required

What the buyer should know before using this in negotiations.

Report confidence is moderate. Apex Corp supplied enough questionnaire detail and evidence to support a directional view, but several buyer-grade artifacts remain missing or unreviewed.

FAIR outputs are analytical estimates for diligence planning. They require qualified human review before use in price negotiations, escrow structuring, indemnity design, legal drafting, or representations and warranties.