Due diligence for the asset you can't read.
Software is the largest asset nobody appraises — millions of euros of value and risk signed off on a demo and the founder's word. Assay puts one reproducible 0–100 Codebase Assurance Index in the data room, comparable from LOI to close, that an investment committee or an underwriter can act on.
An appraisal for the line item nobody can value.
The same survey, read three ways.
A data-room appraisal
An independent CAI both sides can cite — not the seller's slide deck — with a C4 architecture map and the rot marked in red.
Software as collateral
A reproducible score a lender or insurer can price — and re-check on a schedule for the life of the facility.
Comparable at every gate
Freeze the rubric at the LOI and the number at close means what it meant at intent — no moving goalposts.
The liability that isn't in the code.
Read from the git history into the same CAI — surfaced at LOI, not the quarter after close.
Off-boarding risk
Which modules depend on one departing founder — whose exit orphans the most significant code in the asset you're buying.
Knowledge freshness
Where everyone who understood the core logic has gone quiet on it: the part of the asset nobody can safely change.
The same yardstick from intent to close.
CAI 71 → 71 → 76.
A re-survey on the same commit returns the same number, so any movement is the asset changing — never the ruler. A changelog at each gate itemises what moved: new CVEs, findings closed, components rebuilt, API endpoints added or removed.
The appraisal a counterparty can't tilt.
We build nobody's software and take no success fee. Same commit + frozen rubric → the same score — and your own diligence engineer can re-run the open scorer over the evidence to confirm it at cai.canine.dev/verify.
The compliance liabilities you'd otherwise inherit.
Ten frameworks, measured and gated
The automatable slice of WCAG, NIS2, DORA, SSDF, SLSA, OWASP ASVS and more — and a control caught failing can't be quietly passed before you own it. We measure; the target declares the rest; we never certify.
The supply-chain trail
Every survey issues a CycloneDX SBOM and findings tagged with MITRE CWE ids — the evidence trail CRA, DORA and NIS2 ask about, in the data room before close.
From letter of intent to a number you can underwrite.
Freeze the rubric at the LOI
Pin the rubric version at the letter of intent so every reading from LOI to close is directly comparable — no moving goalposts.
Survey at each gate
A baseline at LOI, a re-survey through diligence, a number at close — the same commit re-scores the same, so movement is the asset, never the ruler.
Underwrite it
Hand the signed Due-Diligence Pack to the committee and the scorecards to your diligence engineer, who re-runs the open scorer to confirm the number.
Price the software like the seven-figure asset it is. Appraise it.
Priced per engagement — depends on the number of targets and code volume.