Subsystems gives investors a full technical picture — codebase health, architectural risk, and organizational fragility — in 72 hours. Every finding is cited to a file, a commit, a person.
Before a human writes a word of the report, our scanners traverse the full repo graph — static analysis, dependency audit, authorship heatmap, test inspection. What you're about to see runs in real time on every engagement.
You hand us a repo URL. We hand back a signed PDF and a 60-minute read-out with your deal team. No portal logins, no “AI insights” dashboards.
NDA, repo access, target-contact intro. Scope is fixed at the start — no surprise line items.
AI agents map the code graph, surface findings, and draft evidence. A senior engineer verifies every critical before it lands in the report.
Live 60-minute session with your deal team, followed by a signed PDF, raw data export, and a Q&A window through close.
Before we touch the repo, subsurface maps what the internet already knows about the target. Leaked credentials, exposed endpoints, forgotten subdomains, SBOM matches against public CVE feeds, employees pasting proprietary code into public gists. What an attacker would find in an afternoon — we find in ten minutes.
subsurface runs in parallel with the code review. It probes 14 public layers — DNS, cert transparency, code hosting, paste sites, container registries, leaked credential dumps — and weights each hit against its blast radius inside the target's stack.
Every finding is cited. Every verdict is one sentence.
Blocks clean extraction of billing as an independent service. Price 2–3 engineer-weeks into the transition SOW.
Delivered as a signed PDF your partners can read on a plane. Citations link back to raw evidence — commits, files, authorship graphs — for anyone who wants to dig.
EVOFIT scores a company as an evolving system. Five dimensions derived from Wong et al.'s three modes of selection (PNAS 2023). Not a checklist — an assessment of whether the producing mechanism is strengthening or decaying.
We don't hand you a spreadsheet of 400 metrics. We surface what's material to the deal — and tell you what to do about it.
Complexity, duplication, type coverage, linter debt. Weighted against the codebase's language and age.
Service topology, import cycles, coupling, fan-in/out, and the unphysical connections nobody drew on a whiteboard.
Coverage in the paths that matter, not global averages. Flakiness, CI health, mutation-test viability.
Stale deps, vulnerabilities, unmaintained upstreams, supply-chain exposure. Pinned by severity, not count.
Bus factor, commit concentration, PR hygiene, review latency, on-call load, documented runbooks.
Secrets, auth boundaries, SBOM, OWASP exposure. We read your security docs, then verify them against the code.
They caught a hidden cycle in the payments layer that would have cost us the first two quarters post-close. Repriced the deal by 4%. Paid for itself eight times over.
If yours isn't here, ask it during the intro call — we'll tell you honestly whether we're the right fit.
Ideally yes — read-only repo access, a 30-min call with an engineering lead, and docs access. Where the seller is cautious, we've run productive engagements on repo access alone. We won't proceed on screenshots.
Speed and citability. Traditional DD takes 3–6 weeks and delivers a narrative. We take 72 hours and deliver evidence — every claim traces to a file, a commit, or a contributor.
TypeScript, JavaScript, Python, Go, Rust, Ruby, Java, Kotlin, Swift, C#. If your target is 90% COBOL, we'll tell you at intake.
No. AI agents do the traversal, evidence gathering, and first-pass findings. A senior engineer reviews, verifies, and writes the verdict. Every critical finding is signed off by a named human.
Fixed fee per engagement, scaled to codebase size. Typical deal sits between $18k and $60k. We publish the scope and price before you sign.
Intro call is free. 72-hour turnaround if you're under contract pressure. We'll tell you on the first call whether we can help.