Merger & Acquisition Security Assessment

Rapid7’s Merger & Acquisition (M&A) Security Assessment engagements are tailored to provide organizations with a cost-efficient, high-value security review during the merger or acquisition process. Capture an asset's cybersecurity capability state pre-merger to aid in the final transaction. Often, this assessment will identify large gaps that, when left unmanaged, will put the entire asset at risk.

The base engagement will analyze the risk profile and security posture of an asset across six security domains. That base assessment can also be combined with a validated vulnerability assessment, social engineering, penetration testing, and an in-depth compromise assessment. After the analysis, our team will deliver a report outlining major gaps and consultant observations to help you move forward with your decision. Post-merger, the M&A assessment can be enhanced to provide a go-forward strategic plan, program maturity rating, and/or best practice gap assessment.

The security domains assessed include:


  • Security Awareness
  • IT Staffing
  • IT/Security Budget
  • Executive Support

Technical Self-Awareness

  • Inventory Control (Hardware/Software)
  • Data-maps
  • Network Diagrams and Maps
  • Documentation
  • Logging/SIEM

Incident Response

  • Incident Response Plans
  • Incident Response Table-tops/Practice
  • Ransomware Preparedness
  • Incident Response Staffing and/or IR Retainer
  • Cyber Insurance

Technical Security

  • Firewalls, IDS/IPS
  • Encryption Policies
  • Patching and Vulnerability Management
  • Local Admin Access Policies

Disaster Recovery

  • Backup Encryption
  • Backup Process and Testing
  • DR Site, Plan, Testing

SDLC/Product Security

  • Secure SDLC Policies
  • Software Security Testing
  • Software Acquisition and Vendor Management Process