Technical Due Diligence for Enterprise Software: Legacy Systems and High-Stakes Acquisitions

Enterprise software acquisitions are high-stakes and long-tail. The deal closes in months. The integration and modernization work plays out over years. Technical due diligence here is less about "is the code clean" and more about "what will this actually cost to run and improve after we own it."

Enterprise software — whether ERP systems, industry-specific platforms, or long-tenured SaaS with large enterprise contracts — has a different risk profile from modern SaaS. The technology may be old. The customers may have been there for a decade. The customizations may have grown to dwarf the core product.

This guide covers the specific evaluation challenges of enterprise and legacy software acquisitions.

What makes enterprise software different

• Age: Systems with 5–15+ years of history carry accumulated decisions, workarounds, and legacy integrations that aren't documented anywhere
• Customer depth: Enterprise customers have deeply integrated the software into their operations — replacing or modifying it carries enormous switching cost for them, and enormous support risk for you
• Customization layer: Enterprise deals involve customizations. Those customizations are often undocumented, poorly abstracted, and load-bearing
• On-premise deployments: Many enterprise systems still run on customer infrastructure, making upgrades, security patches, and support far more complex
• Data complexity: Decade-old enterprise systems hold enormous, complex datasets with migration costs that are routinely underestimated

Technology stack assessment

Don't evaluate the technology in isolation — evaluate the technology in the context of the team and the customer base.

What "old technology" actually means

Technology concern	Low risk	High risk
PHP 7/8, Java 8+, .NET Framework	Large talent pool, stable	Fine if maintained
PHP 5, Java 6/7, Classic ASP	Limited talent pool, security concerns	Modernization required
Proprietary languages or frameworks	Depends on community	Vendor dependency, hiring risk
End-of-life OS dependencies	Plan to remediate	Active vulnerability surface
On-premise only, no cloud path	Migration planned	Customer lock-in, operational burden

The real question: Can you hire the developers needed to maintain and improve this system? A legacy Java system with a large Java developer community is manageable. A system built in a niche proprietary framework with three people in the world who understand it is not.

Database complexity

Enterprise systems often have massive, complex databases:

• How many tables? How many years of data?
• Are there stored procedures or triggers with business logic? (These are often undocumented and critical)
• Is there referential integrity enforced at the database level or only in application code?
• What is the migration path if the database engine needs to change?
• How long does a full database backup take? A restore?

Ask for the database schema and look specifically for:

• Tables with 100+ columns (often indicates years of ad-hoc additions)
• Nullable columns everywhere (often indicates a schema that was never properly designed)
• Stored procedures — count them and ask what they do
• Data volume: how many rows in the core tables?

The customization audit

This is the most important and most difficult part of enterprise software DD.

Step 1: Map the customization surface

Ask for a list of all customer-specific customizations. Every enterprise vendor has them. If the seller says "we don't do customizations," that's either untrue or it's a significant selling point worth verifying.

Step 2: Classify each customization

Type	Description	Risk
Feature flag	Customer-specific behavior behind a flag	Low — manageable
Separate module	Customer code in a dedicated, isolated module	Medium — maintainable but adds complexity
Core product modification	Customer-specific change in the main product	High — can break other customers
Database schema change	Customer-specific tables or columns	High — migration complexity
Custom integration	One-off integration built for a single customer	High — undocumented dependency

Step 3: Ask the question no one asks

"If your three largest customers cancelled tomorrow, what code would you need to remove?"

The answer reveals how much of the codebase is held hostage by specific customers.

On-premise deployment complexity

Many enterprise systems run on customer infrastructure. This creates:

Support complexity:

• How many unique customer environments are you inheriting?
• What is the version distribution across customers? (Are some on 3-year-old versions?)
• What does an update deployment look like for an on-premise customer?
• Is there a self-service update mechanism or does it require vendor involvement?

Security patch responsibility:

• Who is responsible for applying OS and dependency security patches on customer infrastructure?
• How quickly can a critical vulnerability be patched across all customer environments?
• Are some customers on versions with known, unpatched vulnerabilities?

License and compliance:

• Are on-premise licenses properly tracked and enforced?
• Are there customers running more instances than they've licensed?

Integration dependencies

Enterprise software is the hub of a larger ecosystem. Map all integrations:

• ERP integrations (SAP, Oracle, Microsoft Dynamics)
• CRM integrations (Salesforce, HubSpot)
• Identity providers (Active Directory, LDAP)
• Industry-specific systems (varies by vertical)
• Data warehouse and BI tool connections

For each:

• Is the integration documented?
• Who maintains it?
• What API versions are being used? Are any deprecated?
• What happens if the third-party changes its API?

Red flag: Integrations built by a single engineer who has since left, with no documentation.

The true cost of modernization

Enterprise software acquisitions often come with a modernization narrative: "We're going to move this to the cloud / rewrite it in modern tech / build a proper API."

These plans are almost always more expensive than projected. Before buying into a modernization narrative, evaluate:

1. Can the business function during migration? Enterprise systems typically can't go offline for re-platforming. Migration must be parallel, which doubles the engineering cost.

2. Will customers accept the changes? Enterprise customers who have been using the same UI for 10 years resist change. Modernization can trigger unexpected churn.

3. Are the data migrations scoped? Moving a decade of enterprise data to a new schema is not a weekend project. Get a scoped estimate from engineers who have actually done it.

4. What are the contractual constraints? Customizations may be contractually guaranteed. A modernization that removes a customer-specific feature they paid for can trigger breach of contract.

Rule of thumb: Whatever the internal estimate is for modernization, double it for the first major milestone and triple it for full completion.

Post-acquisition integration planning

Before closing, answer:

• What is the integration architecture? (Acquired as standalone vs. merged with acquiring entity's platform)
• What happens to the existing engineering team? Retaining institutional knowledge from a legacy system is critical — losing key engineers post-acquisition can make the system unmaintainable
• What are the first 90-day technical priorities?
• What customer communications are required for any planned technical changes?

---

Evaluating an enterprise or legacy software acquisition? Contact us — we conduct enterprise software technical due diligence with specific expertise in legacy system assessment, customization audits, and modernization cost estimation. We've reviewed systems ranging from 5-year-old SaaS to 20-year-old on-premise platforms.