Why Technical Due Diligence?

Most early-stage tech risk is invisible in a pitch deck. A short, independent review surfaces the code, cloud, security, and AI risks that decide whether your investment scales - or stalls. Here's the evidence.

The risk is in the code, not the deck

A pitch deck shows traction; it doesn't show the vulnerable dependency, the unfixable security flaw, or the licence that contaminates the IP you're funding. The code almost always carries more risk than the demo suggests.

84% of codebases contain at least one known open-source vulnerability (Black Duck OSSRA, 2024)

53% of codebases have open-source licence conflicts (Black Duck OSSRA, 2024)

42% of applications carry security debt - flaws left unfixed for over a year (Veracode State of Software Security, 2024)

Technical debt is a liability you inherit

Buy into a startup and you buy its engineering shortcuts too. Debt and waste quietly inflate burn and slow every future release - and rarely appear in the model.

20-40% of a company's technology estate value is technical debt (McKinsey, 2020)

~30% of cloud spend is wasted on idle or over-provisioned resources (Flexera State of the Cloud, 2024)

'AI' is often neither a moat nor real AI

The AI label is doing a lot of work in 2025 fundraising. Much of it isn't defensible - model access is commoditizing fast, margins trail classic SaaS, and a large share of projects never reach production.

~40% of European 'AI' startups showed no evidence of material AI use (MMC Ventures, State of AI, 2019)

>80% of AI projects fail - about twice the rate of non-AI IT projects (RAND Corporation, 2024)

>280x fall in the cost to run a GPT-3.5-quality query in ~18 months - model access is commoditizing (Stanford AI Index, 2025)

50-60% typical AI gross margins, vs. 70-90% for classic SaaS (a16z, 2020)

AI brings new, unfamiliar failure modes

Even where the AI is real, it fails in ways traditional review misses: hallucination, prompt injection, and code written faster than it can be trusted.

43% of developers trust the accuracy of AI coding tools - though 76% use them (Stack Overflow Developer Survey, 2024)

3-12% hallucination rate of leading LLMs on grounded summarization (Vectara Hallucination Leaderboard, 2026)

#1: Prompt injection is the top security risk for LLM applications (OWASP Top 10 for LLMs, 2025)

The cost of getting it wrong

Technical risk is financial risk. A breach, a forced re-platform, or a training-data lawsuit can erase a seed round - far more than a short review costs to avoid.

$4.88M average cost of a single data breach (IBM Cost of a Data Breach, 2024)

$1.5B Anthropic settlement over training data, amid 70+ AI copyright suits (Copyright Alliance, 2025)

Know the tech before you wire the cheque.

We cover this across two services - SaaS Due Diligence for companies that use AI, and Deep AI Due Diligence for companies that build it.