
The three questions that decide a cyber deal.

Most diligence answers one of them well. The deals that create enterprise value answer all three.


Every cybersecurity investment runs through three questions. They sound similar. They are not, and the people who can answer each one rarely sit in the same room.

1. Is this company healthy?

This is traditional diligence: financials, legal, compliance, contracts. It is necessary, and it is the part of the process that is best resourced. Accountants and lawyers do it well.

But a clean bill of financial health describes where a company has been. It does not tell you whether the next phase of the plan is achievable. A cyber business can look healthy on the numbers and still be one renewal cycle, one platform shift, or one founder departure away from a very different trajectory.

2. Can this company scale?

This is operator diligence, and it is where most processes go thin. Is the product actually defensible, or is it riding a category that is moving underneath it? Does the go-to-market motion that worked at this size survive the next one? Is revenue concentrated in a handful of relationships that walk out with one person? Is the leadership team the one that gets the business to the outcome being underwritten?

These are not questions you answer from a data room. You answer them by having built and run the thing being evaluated. An operator reads a target the way the people inside it do: where the product really sits, what integration will actually cost, and where the value is hiding.

3. Will this investment create enterprise value?

This is investor diligence: the thesis, the value-creation levers, and the path to exit. It ties the operating reality back to the return. A risk only matters to the extent it changes the model, and an upside only matters if it can be captured inside the hold.

The intersection is the company

Diligence firms tend to know finance. Security consultants tend to know technology. Very few advisors combine deep operating experience in cybersecurity and identity with the investor's question of whether the deal makes money.

That intersection is exactly where a cyber deal is won or lost, and it is where we work. Operator judgment most diligence teams do not have, applied to the question that matters to the people writing the check.
