Tech Due Diligence · June 2026 · 10 min read

How We Use TechSignal in Every Tech Due Diligence

74% of the codebases we analyse carry high-risk vulnerabilities nobody flagged before we ran TechSignal. Here is the tool, the methodology, and what automated engineering intelligence changes about how Tech DD actually works.

TechSignal is an engineering intelligence platform that scores a codebase across five pillars - Code Quality, Security, Scalability, Stability, and AI Maturity - via a read-only GitHub integration with ephemeral analysis and no stored code. It runs nine agents in parallel and delivers the first signal in under five minutes. The output is a scored baseline across every pillar, plus the Ask the AI CTO capability: direct, specific questions answered by code evidence, not company self-report. This is what we use in every Tech Due Diligence we run.

We built TechSignal because nothing that existed did what we needed. Manual code review at the start of every DD was slow, inconsistent, and impossible to repeat at scale across 80+ engagements. Generic SAST tools produced false positives without business context. What we needed was a tool that read a codebase with the same questions an experienced engineer asks in a DD - and answered them in minutes, not days.

74% of the codebases we have analysed carry high-risk security vulnerabilities that were not flagged before we ran TechSignal. Not edge cases - standard vulnerabilities that any competent review would surface. The gap is not awareness. It is that thorough manual coverage at scale is not economically viable without tooling. That figure has held across industries, funding stages, and team sizes.

Why we built TechSignal instead of using what existed


The tools available when we started running DDs at scale fell into two categories. Static analysis tools scored individual files for known patterns but had no concept of business context, no AI maturity dimension, and no way to answer the questions an investor actually needs answered. Manual review by an experienced engineer was the most credible option - but it did not scale, it was not repeatable across engagements, and it could not surface cross-portfolio patterns.

We needed something that could do what a senior engineering leader does in a first look at a new codebase: scan the full surface, prioritise real risks, distinguish between technical debt that slows a team and vulnerabilities that threaten the business, and flag what is genuinely alarming versus what is noise.

TechSignal started as an internal tool. Every DD we ran was an opportunity to add a signal it should surface, a question it should be able to answer, a pattern that had appeared across multiple engagements. After 80+ DDs, that accumulated signal is now the tool's core value: it does not just scan. It scans with the questions that matter in an investment context.

The five pillars TechSignal scores in every engagement


Every TechSignal run produces a score across five pillars. Each pillar maps to a category of risk that matters differently depending on where the company is in its lifecycle and what the investor is evaluating.

| Pillar | What it measures | Key DD signal |
| --- | --- | --- |
| Code Quality | Readability, complexity, test coverage, duplication, dead code | High complexity + low coverage = debt that will slow the next 18 months |
| Security | CVEs in dependencies, OWASP Top 10 patterns, secrets in commit history, auth gaps | Most common DD condition - undisclosed findings can block a transaction |
| Scalability | N+1 query patterns, missing indexes, architecture readiness, caching, IaC coverage | Critical for companies expecting 10x growth - gaps are invisible until they cause an outage |
| Stability | DORA metrics, error volume trends, deployment reliability, rollback capability | Elite DORA metrics are a strong positive signal; poor stability predicts operational cost |
| AI Maturity | Agent workflow code, CLAUDE.md, prompt libraries, AI feature integrations - on two axes: product AI and team AI | Distinguishes genuine AI-native operations from individual tool use dressed as a company-wide capability |

The AI Maturity pillar is the most distinctive. We score it on two axes separately: AI embedded in what the company sells (Product AI) and AI systematically embedded in how the team builds (Team AI). A company can score high on one and fail the other - and those represent completely different risk profiles for an investor.

The full four-level framework behind the AI Maturity pillar is documented in detail in The 4 Levels of AI Maturity We See in Every Tech Due Diligence. TechSignal's score maps directly to that ladder.

Read-only, ephemeral, no stored code - how privacy is built in


The first question from founders and legal teams is always: what happens to the code?

TechSignal requests read:code and read:metadata OAuth scopes only. It does not write. It does not store. It does not cache. Code is analysed in memory and the output is scores, findings, and summaries - never the code itself. This design was not made for commercial reasons. It was made because it is the right way to handle a codebase you do not own.

In practice, this means TechSignal can operate on codebases where legal or confidentiality restrictions would block traditional manual access. Portfolio companies under NDA, pre-acquisition targets with complex IP considerations, companies in regulated sectors - all of these are accessible to TechSignal in a way that a standard “please share your repo access” request typically is not.

The output the investor receives is a scored report and specific findings with file-level evidence. Not the code. Never the code.

What it finds that manual review consistently misses


The gap between what a company believes about its codebase and what is actually in it follows a consistent pattern across our engagements.

Security surface is underestimated, consistently. 74% of the codebases we have analysed carry high-risk vulnerabilities that were not flagged before our engagement. The most common: outdated dependencies with known CVEs at high CVSS scores, hardcoded secrets or API tokens in commit history (often from years ago, before proper secret management was in place), and OWASP Top 10 authentication patterns in flows handling user credentials. None of these are exotic. All of them would appear in any thorough manual review. The gap is not awareness - it is that manual review is not economically viable at the depth required to catch them reliably.

Test coverage is reported as higher than it is. Companies consistently cite overall line coverage without knowing their branch coverage, mutation coverage, or the ratio for highest-risk modules. TechSignal surfaces these distinctions because they matter differently in a DD context: low mutation coverage on a payment flow is a different risk from low mutation coverage on a settings page.

AI maturity is claimed without evidence. This is the most consistent gap we see in 2025-2026. Companies describe themselves as “AI-first” and can demonstrate Copilot usage across the engineering team. TechSignal looks for the structural signals: a CLAUDE.md or equivalent agent context file, prompt libraries versioned in the repo, agent workflow code (orchestrators, skill files, evaluators), AI-generated PR patterns in git history. The difference between individual AI tool use and an AI-native organisation is architectural - and the codebase shows it clearly.

The most dangerous gap in a DD is not the information a company withholds. It is the information they sincerely believe is true but is not.

“Ask the AI CTO” - questions answered by code evidence


Beyond the five pillar scores, TechSignal enables a different kind of question - direct, specific, answered by the actual code rather than the company's narrative about the code.

Questions we answer routinely before a DD management meeting:

Each answer arrives in under five minutes, with the specific files, functions, and patterns cited as evidence. Not a framework applied generically - evidence from this specific codebase.

This is what changes the DD interview. When we know before the first management meeting exactly where the security surface is weakest, exactly which claims in the pitch materials are not supported by the code, and exactly which technical decisions will constrain the company in the next growth phase - we ask very different questions. The conversation moves from discovery to validation.

Continuous monitoring vs one-shot assessment


A traditional DD report describes where the company is today. It has a shelf life of six to twelve months before the underlying reality has changed enough to make it unreliable.

TechSignal is designed to run continuously. After an initial DD, the same five pillars can be scored weekly. The delta between week one and week twelve is a different story from the point-in-time score: not where the company is, but whether it is improving or deteriorating, and at what rate.

For portfolio companies post-investment, this changes what oversight looks like. Instead of an annual technical review, investors can track a weekly pillar delta that surfaces when code quality drops two weeks running, or when a new security finding appears without a corresponding fix PR. The signal arrives before the problem compounds.
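The two alert rules just described (a pillar falling two weeks running, and a new security finding with no corresponding fix PR) as an added illustration in Python; this is not TechSignal's code, and the snapshot schema, the score scale and the finding ids are constructed assumptions for the example.

```python
# Added illustration of the weekly pillar-delta rules; not TechSignal's own code.
# Assumed schema: one snapshot per week with pillar scores, the set of open
# security finding ids, and the set of finding ids that a fix PR references.

# Constructed weekly snapshots for one portfolio company (sample data).
SNAPSHOTS = [
    {"week": 1, "scores": {"code_quality": 72, "security": 68},
     "security_findings": {"SEC-001"}, "fix_prs": set()},
    {"week": 2, "scores": {"code_quality": 70, "security": 68},
     "security_findings": {"SEC-001"}, "fix_prs": {"SEC-001"}},
    {"week": 3, "scores": {"code_quality": 67, "security": 61},
     "security_findings": {"SEC-001", "SEC-002"}, "fix_prs": {"SEC-001"}},
]


def pillar_deltas(snapshots, pillar):
    """Week-over-week change of one pillar score, oldest interval first."""
    scores = [s["scores"][pillar] for s in snapshots]
    return [later - earlier for earlier, later in zip(scores, scores[1:])]


def consecutive_drops(snapshots, pillar, weeks=2):
    """True when the pillar fell in each of the last `weeks` intervals."""
    deltas = pillar_deltas(snapshots, pillar)
    return len(deltas) >= weeks and all(d < 0 for d in deltas[-weeks:])


def unaddressed_new_findings(snapshots):
    """Security finding ids that first appear in the latest snapshot and
    have no fix PR referencing them in that same snapshot."""
    if len(snapshots) < 2:
        return set()
    previous, latest = snapshots[-2], snapshots[-1]
    new_ids = latest["security_findings"] - previous["security_findings"]
    return new_ids - latest["fix_prs"]


def weekly_alerts(snapshots):
    """The alerts a portfolio reviewer would want surfaced from the delta."""
    alerts = []
    if consecutive_drops(snapshots, "code_quality", weeks=2):
        alerts.append("code_quality down two weeks running")
    for fid in sorted(unaddressed_new_findings(snapshots)):
        alerts.append(f"new security finding {fid} with no fix PR")
    return alerts


if __name__ == "__main__":
    for alert in weekly_alerts(SNAPSHOTS):
        print(alert)
```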

We run TechSignal as the measurement layer in our AI Transformation Sprints: a baseline scan in week one, a re-scan in week six. The pillar delta is the objective measure of sprint impact. The score before and after is what separates “we feel like we improved” from “the AI Maturity pillar moved from L2 to L4 in six weeks.”

How TechSignal fits into the full DD methodology


TechSignal is the automated intelligence layer. It is not a substitute for practitioner judgment - it is what allows practitioner judgment to go deeper.

Automated intelligence without practitioner judgment is noise. Practitioner judgment without automated intelligence is slow.

In practice, a DD engagement using TechSignal works like this. TechSignal runs first - under five minutes for the initial read. The practitioner reviews the pillar scores and priority findings. Ask the AI CTO answers the questions most likely to surface in a management interview before that interview happens. The practitioner then knows exactly where to look manually, which findings to probe in conversation, and which claims from the pitch materials to verify against what the code actually shows.

The result is a credible assessment in two to seven days - not because corners are being cut, but because the signal extraction that used to take two days of manual work now takes five minutes, leaving the practitioner to focus entirely on interpretation, context, and judgment.

The full DD methodology - how we structure the six assessment dimensions, what weight each carries, and how findings translate into investor decisions - is in The Tech Due Diligence Manifesto. TechSignal is the intelligence layer that feeds into that methodology - not a replacement for it.

For founders, TechSignal has a parallel application: as the week-one baseline of an AI Transformation Sprint. The same five pillars, the same scoring methodology, the same “Ask the AI CTO” capability - applied to a company that wants to understand where it is before deciding where to go. The result is a clear map of exactly which technical debts are blocking agent operations, and a prioritised roadmap for removing them.

TechSignal vs traditional DD approaches

| | Manual code review | Generic SAST tool | TechSignal |
| --- | --- | --- | --- |
| Time to first signal | 1-3 days | Hours (high noise) | <5 minutes |
| Business context | Yes (with experienced practitioner) | No | Yes (investment-grade questions) |
| AI maturity scoring | Depends on reviewer | No | Yes (two-axis model) |
| Cross-portfolio patterns | No | No | Yes (80+ DDs baseline) |
| Repeatable / continuous | No | Partially | Yes (weekly delta) |
| Code confidentiality | Depends on process | Often stored | Ephemeral - never stored |
| Investor-facing report | Yes | No | Yes |

The combination is what makes the methodology work: TechSignal handles the surface coverage and pattern detection, the practitioner handles the interpretation and investment-grade judgment. Neither alone produces a credible DD in the AI-native era - together, they do.

Frequently asked questions

What is TechSignal?

TechSignal is an engineering intelligence platform defined as a nine-agent pipeline that scores a codebase across five pillars - Code Quality, Security, Scalability, Stability, and AI Maturity - via a read-only GitHub integration with ephemeral analysis and no stored code. It delivers the first signal in under five minutes and enables the Ask the AI CTO capability: direct questions answered by code evidence rather than company self-report. It is available at techsignal.app.

What are TechSignal's five pillars?

TechSignal scores Code Quality (readability, complexity, test coverage, duplication), Security (CVEs, OWASP Top 10, secrets in commit history), Scalability (N+1 patterns, missing indexes, architecture readiness), Stability (DORA metrics, error rates, deployment reliability), and AI Maturity (agents in production, shared playbook, CLAUDE.md, prompt libraries). The AI Maturity pillar is scored on two axes separately: AI in the product vs AI in how the team builds - because a company can score high on one and fail the other.

How does TechSignal protect code confidentiality?

TechSignal requests read:code and read:metadata OAuth scopes only. Code is analysed in memory and never stored. The output is scores, findings, and summaries - not the code itself. This ephemeral-by-design approach means TechSignal can operate on codebases where legal or confidentiality constraints would block traditional DD access.

What does "Ask the AI CTO" mean?

Ask the AI CTO is a TechSignal capability that answers direct, specific questions about a codebase using code evidence rather than company narrative. Questions like “what breaks first if users double in six months?” or “is the AI maturity claimed in the pitch deck visible in the code?” are answered in under five minutes, with specific file paths and patterns cited as evidence. It changes the DD interview from discovery to validation.

What does TechSignal find that manual review consistently misses?

In 74% of codebases we have analysed, TechSignal surfaces high-risk security vulnerabilities that were not flagged before our engagement - typically outdated dependencies with known CVEs, secrets in commit history, and OWASP Top 10 patterns in authentication flows. It also consistently catches AI maturity claims not supported by the code: companies describing themselves as AI-first with no agent workflow code, no shared prompt library, and no CLAUDE.md equivalent in the repository. The codebase does not lie - the narrative sometimes does.

Above The Clouds runs Tech Due Diligences and AI Transformation Sprints across Europe. TechSignal powers the intelligence layer in both - from the baseline scan that opens every DD to the weekly delta that measures transformation progress. Get in touch to discuss your company or portfolio.