Plumbex
Technical due diligence · Buy-side

Technical diligence, grounded in evidence.

Plumbex sends read-only agents into a target’s code, cloud, and security posture, then delivers an investment-committee-ready report with a deterministic remediation-cost estimate mapped to your deal model. Every finding, score, and dollar cites the artifact that supports it.

6 assessment dimensions · 100% cited findings · 0 write paths to your target
IC report · excerpt · High severity

Authentication tokens are logged in plaintext across three services.

Remediation estimate: $41,000–$58,000
Deal-model bucket: Must-fix pre-close
Dimension: Security posture
Citation lineage
  1. evd_7f21 · app/api/auth/session.py:142
  2. evd_7f0a · logs/collector.yaml · redaction: off
Built for trust: Read-only access · Every finding cited · Engagement-isolated · Secrets & PII redacted · Right-to-erasure · Never trained on client data
01 The problem

Traditional technical diligence samples. It doesn't measure.

Deal teams inherit engineering risk they can't size and can't defend. In a compressed diligence window, the depth that a technical thesis actually needs is the first thing to get cut.

01 A few days, a few interviews

Classic tech DD is a handful of expert conversations and a shallow code skim under deal-clock pressure. It samples; it doesn't measure. The findings reflect who was in the room, not what is in the repository.

02 Risk you can't put a number on

“The architecture needs work” doesn't reach the deal model. Without a defensible remediation cost, technical risk is a footnote in the IC memo instead of a line item in the model.

03 Conclusions you can't audit

When a vendor hands you a rating, you can't trace it back to the evidence. If a finding is challenged in committee — or in a dispute later — there's no artifact to point to.

02 How it works

From read-only access to a defensible number.

One pipeline, four stages. Provenance is captured at every step, so the final estimate traces cleanly back to the evidence it rests on.

  1. Connect, read-only

    Scoped, time-boxed, read-only connectors into the target's source control and — where available — its cloud and CI. There is no write path into client infrastructure, by construction.

    GitHub · GitLab · IaC · least-privilege

  2. Assess with agents

    A multi-agent system evaluates six dimensions in parallel. Each agent has explicit tool and prompt boundaries and must ground every judgment in a stored artifact — no artifact, no finding.

    6 dimensions · evidence-bound · reproducible

  3. Price the remediation

    Findings roll up into a deterministic cost estimate — effort tier × blended rate — over an assumption ledger you can see and override. A model may size the work; it never sets the price.

    must-fix · first-100-days · roadmap

  4. Deliver the report

    An investment-committee-ready report: executive summary, a severity-ranked risk register, and the cost estimate — every number a click away from the source artifact that supports it.

    IC-ready · fully cited · exportable

03 Capabilities

Six dimensions. One consolidated view of engineering risk.

Each dimension produces evidence-backed findings that fold into a single severity-ranked risk register — and into the cost estimate below it.

01 Codebase health

Complexity, churn, test coverage, and structural risk — the maintainability the deal thesis assumes.

02 Security posture

Exposed secrets, injection and auth flaws, and unsafe data handling, each traced to the line that proves it.

03 Cloud & infrastructure

Architecture and configuration read from infrastructure-as-code — resilience, scalability, and cost posture.

04 SDLC & DevOps maturity

Branching, review discipline, CI/CD, and release cadence — how reliably the team ships and recovers.

05 Dependency & supply chain

Known-vulnerable and abandoned dependencies via live advisory data, weighted by how deep they sit.

06 Documentation & maintainability

Onboarding surface, knowledge concentration, and the key-person risk that survives the transaction.

The headline output

A remediation-cost estimate that reaches the deal model.

Plumbex prices what it finds — deterministically. Effort tiers meet a blended rate over an assumption ledger you control, rolled into the three buckets that matter to an operating plan: must-fix pre-close, first 100 days, and longer-term roadmap. Change an assumption and every downstream number moves with it.

Remediation rollup
Must-fix pre-close: $186K
First 100 days: $240K
Roadmap: $310K

Illustrative. Every figure derives from cited findings.

04 Trust & security

The trust model is the product.

You are pointing an autonomous system at a target's crown jewels during a live deal. Plumbex is built so that decision is defensible — to your IC, to the seller, and to a regulator.

Every claim is cited

Findings, scores, and dollars all reference the source artifact that supports them. Provenance is a first-class data model — unsourced claims are treated as defects, not opinions.

Read-only, least privilege

Connectors are scoped, time-boxed, and read-only. There is no write path into a target's systems, and access is the minimum that produces the finding.

Engagement isolation

Every record is scoped to a single deal. Storage, caches, and logs are partitioned per engagement — no cross-deal data leakage, ever, enforced with explicit tests.

Secrets & PII redacted

Credentials and personal data are redacted across all log output, including stack traces, and encrypted at rest and in transit. Contributor identity is never ingested.

A reconstructable audit trail

Every agent action and data access is logged — who, what, when, which engagement, which artifact — so any conclusion can be replayed and defended later.

Deletion on demand

Right-to-erasure purges a deal's evidence and findings and leaves a non-PII record proving the deletion happened. We never train models on client data.

05 Pricing

Priced by engagement, not by seat.

Technical diligence is deal work, so Plumbex is priced like deal work — a defined fee for a defined scope, aligned to the size of the decision it informs. No per-user licensing.

Diligence engagement

Per deal

A full six-dimension assessment on a single target, scoped to the deal timeline. Read-only access, IC-ready report, and the remediation-cost estimate mapped to your model.

  • Fixed price per engagement
  • Turnaround inside the diligence window
  • Report + evidence handed over, then erased on request

Portfolio monitoring

Continuous

Ongoing, read-only assessment across held companies — so technical risk and remediation progress stay visible between board meetings, not just at entry.

  • Priced by portfolio, not per seat
  • Re-runs on a cadence you set
  • Trend view across the portfolio
Request access

See Plumbex on a codebase you know.

We’re working with a small number of buy-side teams. Tell us a little about your firm and we’ll set up a walkthrough — including a retrospective run on a deal you’ve already closed, so you can check our findings against ground truth.

  • A working session, not a slide deck
  • Your data stays yours — erased on request
  • No obligation, no procurement gauntlet

We’ll only use your details to arrange a walkthrough. No list, no spam.