Technical diligence,
grounded in evidence.
Plumbex sends read-only agents into a target’s code, cloud, and security posture, then delivers an investment-committee-ready report with a deterministic remediation-cost estimate mapped to your deal model. Every finding, score, and dollar cites the artifact that supports it.
- 6 assessment dimensions
- 100% cited findings
- 0 write paths to your target
Authentication tokens are logged in plaintext across three services.
- Remediation estimate: $41,000–$58,000
- Deal-model bucket: Must-fix pre-close
- Dimension: Security posture
- evd_7f21→app/api/auth/session.py:142
- evd_7f0a→logs/collector.yaml · redaction: off
Traditional technical diligence samples. It doesn't measure.
Deal teams inherit engineering risk they can't size and can't defend. In a compressed diligence window, the depth that a technical thesis actually needs is the first thing to get cut.
A few days, a few interviews
Classic tech DD is a handful of expert conversations and a shallow code skim under deal-clock pressure. It samples; it doesn't measure. The findings reflect who was in the room, not what is in the repository.
Risk you can't put a number on
“The architecture needs work” doesn't reach the deal model. Without a defensible remediation cost, technical risk is a footnote in the IC memo instead of a line item in the model.
Conclusions you can't audit
When a vendor hands you a rating, you can't trace it back to the evidence. If a finding is challenged in committee — or in a dispute later — there's no artifact to point to.
From read-only access to a defensible number.
One pipeline, four stages. Provenance is captured at every step, so the final estimate traces cleanly back to the evidence it rests on.
- 01: Connect, read-only
Scoped, time-boxed, read-only connectors into the target's source control and — where available — its cloud and CI. There is no write path into client infrastructure, by construction.
GitHub · GitLab · IaC · least-privilege
- 02: Assess with agents
A multi-agent system evaluates six dimensions in parallel. Each agent has explicit tool and prompt boundaries and must ground every judgment in a stored artifact — no artifact, no finding.
6 dimensions · evidence-bound · reproducible
- 03: Price the remediation
Findings roll up into a deterministic cost estimate — effort tier × blended rate — over an assumption ledger you can see and override. A model may size the work; it never sets the price.
must-fix · first-100-days · roadmap
- 04: Deliver the report
An investment-committee-ready report: executive summary, a severity-ranked risk register, and the cost estimate — every number a click away from the source artifact that supports it.
IC-ready · fully cited · exportable
Six dimensions. One consolidated view of engineering risk.
Each dimension produces evidence-backed findings that fold into a single severity-ranked risk register — and into the cost estimate below it.
Codebase health
Complexity, churn, test coverage, and structural risk — the maintainability the deal thesis assumes.
Security posture
Exposed secrets, injection and auth flaws, and unsafe data handling, each traced to the line that proves it.
Cloud & infrastructure
Architecture and configuration read from infrastructure-as-code — resilience, scalability, and cost posture.
SDLC & DevOps maturity
Branching, review discipline, CI/CD, and release cadence — how reliably the team ships and recovers.
Dependency & supply chain
Known-vulnerable and abandoned dependencies via live advisory data, weighted by how deep they sit.
Documentation & maintainability
Onboarding surface, knowledge concentration, and the key-person risk that survives the transaction.
A remediation-cost estimate that reaches the deal model.
Plumbex prices what it finds — deterministically. Effort tiers meet a blended rate over an assumption ledger you control, rolled into the three buckets that matter to an operating plan: must-fix pre-close, first 100 days, and longer-term roadmap. Change an assumption and every downstream number moves with it.
- Must-fix pre-close: $186K
- First 100 days: $240K
- Roadmap: $310K
Illustrative. Every figure derives from cited findings.
The trust model is the product.
You are pointing an autonomous system at a target's crown jewels during a live deal. Plumbex is built so that decision is defensible — to your IC, to the seller, and to a regulator.
Every claim is cited
Findings, scores, and dollars all reference the source artifact that supports them. Provenance is a first-class data model — unsourced claims are treated as defects, not opinions.
Read-only, least privilege
Connectors are scoped, time-boxed, and read-only. There is no write path into a target's systems, and access is the minimum that produces the finding.
Engagement isolation
Every record is scoped to a single deal. Storage, caches, and logs are partitioned per engagement — no cross-deal data leakage, ever, enforced with explicit tests.
Secrets & PII redacted
Credentials and personal data are redacted across all log output, including stack traces, and encrypted at rest and in transit. Contributor identity is never ingested.
A reconstructable audit trail
Every agent action and data access is logged — who, what, when, which engagement, which artifact — so any conclusion can be replayed and defended later.
Deletion on demand
Right-to-erasure purges a deal's evidence and findings and leaves a non-PII record proving the deletion happened. We never train models on client data.
Priced by engagement, not by seat.
Technical diligence is deal work, so Plumbex is priced like deal work — a defined fee for a defined scope, aligned to the size of the decision it informs. No per-user licensing.
Diligence engagement
Per deal
A full six-dimension assessment on a single target, scoped to the deal timeline. Read-only access, IC-ready report, and the remediation-cost estimate mapped to your model.
- Fixed price per engagement
- Turnaround inside the diligence window
- Report + evidence handed over, then erased on request
Portfolio monitoring
Continuous
Ongoing, read-only assessment across held companies, so technical risk and remediation progress stay visible between board meetings, not just at entry.
- Priced by portfolio, not per seat
- Re-runs on a cadence you set
- Trend view across the portfolio
See Plumbex on a codebase you know.
We’re working with a small number of buy-side teams. Tell us a little about your firm and we’ll set up a walkthrough — including a retrospective run on a deal you’ve already closed, so you can check our findings against ground truth.
- A working session, not a slide deck
- Your data stays yours — erased on request
- No obligation, no procurement gauntlet