For acquirers, investors & insurers

Due diligence for the asset you can't read.

Software is the largest asset nobody appraises — millions of euros of value and risk signed off on a demo and the founder's word. Assay puts one reproducible 0–100 Codebase Assurance Index in the data room, comparable from LOI to close, that an investment committee or an underwriter can act on.

What the index gives the deal

An appraisal for the line item nobody can value.

The same survey, read three ways.

A data-room appraisal

An independent CAI both sides can cite — not the seller's slide deck — with a C4 architecture map and the rot marked in red.

Software as collateral

A reproducible score a lender or insurer can price — and re-check on a schedule for the life of the facility.

Comparable at every gate

Freeze the rubric at the LOI and the number at close means what it meant at intent — no moving goalposts.

Continuity risk, quantified

The liability that isn't in the code.

Read from the git history into the same CAI — surfaced at LOI, not the quarter after close.

Off-boarding risk

Which modules depend on one departing founder — whose exit orphans the most significant code in the asset you're buying.

Knowledge freshness

Which core logic everyone who understood it has gone quiet on — the part of the asset nobody can safely change.

One rubric, frozen at LOI

The same yardstick from intent to close.

Deterministic

CAI 71 → 71 → 76.

A re-survey on the same commit returns the same number, so any movement is the asset changing — never the ruler. A changelog at each gate itemises what moved: new CVEs, findings closed, components rebuilt, API endpoints added or removed.

Why a third party, not the seller

The appraisal a counterparty can't tilt.

We build nobody's software and take no success fee. Same commit + frozen rubric → the same score — and your own diligence engineer can re-run the open scorer over the evidence to confirm it at cai.canine.dev/verify.

Regulatory exposure, surfaced early

The compliance liabilities you'd otherwise inherit.

Ten frameworks, measured and gated

The automatable slice of WCAG, NIS2, DORA, SSDF, SLSA, OWASP ASVS and more — and a control caught failing can't be quietly passed before you own it. We measure; the target declares the rest; we never certify.

The supply-chain trail

Every survey issues a CycloneDX SBOM and findings tagged with MITRE CWE ids — the evidence trail CRA, DORA and NIS2 ask about, in the data room before close.

How it runs

From letter of intent to a number you can underwrite.

Freeze the rubric at the LOI

Pin the rubric version at the letter of intent so every reading from LOI to close is directly comparable — no moving goalposts.

Survey at each gate

A baseline at LOI, a re-survey through diligence, a number at close — the same commit re-scores the same, so movement is the asset, never the ruler.

Underwrite it

Hand the signed Due-Diligence Pack to the committee and the scorecards to your diligence engineer, who re-runs the open scorer to confirm the number.

Price the software like the seven-figure asset it is. Appraise it.

Priced per engagement — depends on the number of targets and code volume.