PHASE I · ASSESS

Buyside diligencebefore the room.

Technology & AI due diligence — eight evidenced artefacts on any codebase, the way an acquirer's diligence team does it.

01 / 03·Available now
Wherever you are on the journey.
For Founders · Investors · Acquirers

One platform, one rubric, across the lifecycle.

Coverage

Over 5,500+ deterministic checks plus multi-agent LLM scans, across 14+ frameworks. Including industry-leading Google disciplines — SRE, DORA, SLSA.

Every finding cited to a file:line in your repo, every control mapped to a recognised standard.

SAMPLE REPORT
Assessment complete
vexel-health / claims-api
5m 11s · 7 dimensions · 13 framework families referenced · 19 findings · 196 evidence points · DD rubric v1
2 deal killers · 4 material · 8 note · 5 sound
Deal Killer·DET-SEC-1·Security·OWASP ASVS V2.10
AWS access keys committed in an early commit — still active in the account infra/terraform/main.tf:7
Material·LLM-AI-2·AI claims·NIST AI RMF 1.0
the “matching engine” is a single gpt-4o-mini prompt with a hard-coded 1.8s wait before the response renders app/matcher/engine.py:64
Note·DET-TENANT-1·Multi-tenant isolation·ISO/IEC 25010 (SQuaRE)
organisation ID is read straight off a request header with no server-side ownership check api/middleware/org_context.py:22
+ 14 more findings — across 7 dimensions and 13 framework families, keyed to SOC 2 & ISO 27001. The “AI engine” claim doesn't survive contact with the code. Plus a remediation workbook, AI-agent fix scripts, a code-quality report, an audit trail, a compliance crosswalk, and the JSON export.
Assessment complete
lumen-data / ingest-svc
2m 47s · 7 dimensions · 13 framework families referenced · 9 findings · 88 evidence points · DD rubric v1
0 deal killers · 1 material · 4 note · 4 sound
Material·LLM-AI-1·AI claims·Google SAIF
the model layer is genuinely governed — typed prompts, an offline eval set, a deterministic fallback — but that eval suite isn't a required CI check yet .github/workflows/ci.yml:51
Note·DET-DEPS-1·Security·NIST SSDF PW.4
two transitive dependencies carry published CVEs; neither is reachable from any current entry point poetry.lock
Note·DET-QUAL-3·Code quality·ISO/IEC 25010 (SQuaRE)
the dedup path everything funnels through sits under 20% line coverage src/ingest/dedupe.py:1
+ 6 more findings — across 7 dimensions and 13 framework families, keyed to SOC 2 & ISO 27001. The AI claim holds: a real model, governed end to end. Plus a remediation workbook, AI-agent fix scripts, a code-quality report, an audit trail, a compliance crosswalk, and the JSON export.
Sample data — not real customers.

The head of a technical-findings artefact — every line cited to the repo. Sample data; not a real customer.

Three angles

Run it before they do

One evidenced assessment — read from whichever side of the deal you're on.

For builders

See your code the way a buyer will.

Architecture, AI claims, security, ops maturity — scored on the same rubric a diligence team uses, run on your own infra so the source never leaves.

  • Surface the deal-killers while there's still time to fix them
  • A remediation plan that's costed and sequenced — not a list of complaints
Close the gaps on your own clock
For investors

Underwrite the technology, not the deck.

The real-model-or-wrapper verdict, the security posture, the architecture depth — each cited to a file and line, before the capital goes out.

  • A real model, governed end to end — or a gpt-4o-mini call behind a spinner?
  • Track the whole portfolio's scores in one place (Meridian / Apex)
Diligence-grade signal, self-serve
For acquirers

Buyside diligence on any target, on demand.

Eight evidenced artefacts on the codebase you're acquiring — mapped to the framework families and compliance criteria your committee expects.

  • Every finding cross-referenced to SOC 2 TSC and ISO 27001 Annex A
  • A post-close fix plan, phased and owned by role
The diligence report, automated
14+framework families — every finding mapped to one
7dimensions, scored on one versioned rubric
8artefacts in every report
minutesfrom a repo URL to an evidenced report
$0free tier — one assessment, every month
Deliverables

Eight parts. One due-diligence report.

Every assessment returns the same eight-part report — executive summary through to a schema-validated JSON export, every finding cited to the line. Here's the proforma; your repo fills it in.

vexel-health · claims-api — Firstlight-DD-Report.pdf
Firstlight

Technical & AI Due-Diligence Report

repo a3f9c1e · DD rubric v1 · 14+ framework families · 2026-05-13 · sample data — not a real customer
01

Executive Summary

The verdict, up front — five points a partner can act on, with the AI-claim headline (real model or wrapper) leading. Deal-killers in the first paragraph, material risks in the second, context after. Reads standalone; nobody has to open the rest of the report.

02

Technical Deep-dive

Every finding anchored to a file:line in your repo and scored on the same red-flag taxonomy a white-glove diligence team uses — deal-killers first, then material, then notes. A severity-by-dimension dashboard up top: counts, the three things that matter most, and what to put to the team.

03

Code Hygiene Report

The maintainability roll-up — complexity hot-spots, dead code, test-coverage gaps, dependency freshness, the documentation map. Where the codebase is solid, and where it's load-bearing and untested. Graded per module, with the worst offenders called out by path.

04

Security & Compliance

Secrets in git history, vulnerable dependencies, auth and tenant-isolation gaps, supply-chain exposure — each mapped to SOC 2 Trust Services Criteria and ISO/IEC 27001 Annex A, and cross-walked to your own diligence checklist. Ready to drop into a security questionnaire.

05

Remediation Guidance

Sequenced, costed in USD, owner-by-role: Conditions to close, Phase 1, Phase 2, Phase 3 — and a flag on what's already in the team's hiring plan. Every item links back to the finding that triggered it, so nothing on the list is busywork.

06

AI Bootstrap Fixes

Machine-runnable fixes for the deterministic items — rotate a leaked .env out of git history, pin a CVE'd dependency, add a dependency-scanning CI gate, wire structured logging. Hand the scripts straight to a coding agent; each one is idempotent and reversible.

07

Audit Log

Every run logged — repo hash, tokens, cost, model, start and finish — and nothing customer-identifying. On hosted runs the repo identifier is a hash, never your source. A defensible record of exactly what was assessed, when, and at what cost.

08

JSON Output

The full structured result — every finding, the dimension scores, framework mappings, compliance tags — schema-validated and versioned. Pipe it into your diligence stack, your data room, your own dashboards. The same data the rendered report is built from.

Every section, every citation — the full report ships with each assessment you run.Start free
HOW IT WORKS

How it works

Point Firstlight at a repo. It runs the deterministic checks and the LLM dimension analysers against the shared DD rubric. You get eight artefacts — every finding cited to a line of code.

1

Hand it a repo

A public repo URL — or a fine-grained GitHub token scoped read-only to one repo, alive just long enough to clone and then dropped. On the local backend the source never leaves your environment to begin with.

2

It runs the rubric

Deterministic checks first — committed secrets, client-trusted tenant IDs, single-maintainer hotspots — then the LLM dimension analysers, all scored against the shared DD rubric across seven dimensions.

3

You get the artefacts

Eight of them: technical findings with file:line, executive summary, code-quality report, compliance crosswalk, remediation workbook, AI-agent fix scripts, audit trail, JSON export. In minutes, not weeks.

For developers

Install it. Run it against your code.

One command, then point it at a repo — the deterministic checks and the LLM dimension analysers run locally, against your own AI plan, and you get the eight artefacts back. On local mode your source never leaves your machine.

$ npm install -g firstlight
firstlight — local
$ npm install -g firstlight
added 1 package in 2.4s
$ firstlight assess ./my-repo
deterministic checks · 7 LLM dimension analysers · DD rubric v1
✓ 8 artefacts written to ./firstlight-report
exec_summary.md · findings.md · remediation_workbook.md · …
local mode — your source never left this machine
FRAMEWORKS

Scored against 14+ framework families

Every finding mapped to a recognised standard — including Google's own SRE and DORA, evaluated the way Google would. And every finding is additionally tagged to SOC 2 Trust Services Criteria and ISO/IEC 27001 Annex A, keyed to your diligence checklist.

Google SRE + DORA

Reliability and delivery performance — error budgets, the four DORA metrics, runbook discipline.

Premium feature

Google Secure-OSS + SLSA

Software supply-chain integrity — SLSA build provenance, signed artefacts, hardened open-source dependency posture.

Premium feature

Google SAIF

Secure-AI framework — prompt injection, data poisoning, model and output handling.

Premium feature

Google Cloud Well-Architected

A GCP-hosted system reviewed on Google's own pillars — operational excellence, security, reliability, cost, performance.

AWS Well-Architected

The six AWS pillars — operational excellence, security, reliability, performance efficiency, cost optimisation, sustainability.

Azure Well-Architected

Microsoft's five pillars — reliability, security, cost optimisation, operational excellence, performance efficiency.

ISO/IEC 25010 (SQuaRE)

Software product quality — maintainability, reliability, security, portability, performance.

OWASP ASVS + SAMM

Application-security verification and maturity — auth, sessions, access control, data handling.

NIST SSDF (SP 800-218)

Secure software development — the pipeline practices a buyer's security team expects.

ISO/IEC 27001

Information-security management — the Annex A controls a security questionnaire and a SOC 2 audit lean on.

PCI DSS

Payment-card data handling — the DSS requirements that apply the moment cardholder data touches the code.

NIST AI RMF 1.0

AI risk management — a governed model, or a wrapper, and documented like one?

OWASP Top 10 for LLMs

The LLM-app attack surface — injection, insecure output handling, training-data and supply-chain risk.

Diátaxis + arc42 / C4

Documentation and architecture maturity — is the system explained the way an acquirer needs?

Scope

What's in scope — and what isn't

Firstlight is a fast technical and AI read of the code itself. It's deliberately not a full diligence engagement — so here's the boundary, drawn plainly.

In scope

  • Architecture and code quality — how the system is put together, how maintainable it is, and which parts are load-bearing and untested.
  • Security posture — secrets that made it into the repo, how auth and access control are wired, dependency CVEs, and whether the team ships with a secure SDLC.
  • Multi-tenant isolation — where one customer's data is fenced off from another's, and how much the code trusts identifiers the client supplies.
  • AI claims, checked against the code — a real, governed model doing the work, or a thin call wrapped in a loading spinner? With the file:line that settles it.
  • Documentation and onboarding maturity — is the system actually explained, the way someone acquiring it would need it explained?
  • Operational governance — runbooks, rollback paths, and the kind of audit trail an acquirer expects to already exist.

Out of scope

  • Load, performance, or scalability testing — no synthetic traffic, no benchmarking against a target system.
  • A live attack on a running deployment — no penetration testing, no probing production; Firstlight reads the source, it doesn't poke the server.
  • Patent or prior-art search beyond what the code itself reveals.
  • Financial diligence — revenue, retention, margins, the cap table. Different question, different team.
  • Legal and contract review — MSAs, licensing terms, IP assignment.
  • The verdict on the team and the business — Firstlight hands you a precise technical signal; the investment call stays with you.
PRICING

Start free — then scale with the deal flow

One free assessment every month. Then Daylight at US$249, Meridian at US$999, or Apex from US$2,499 — all in USD, with AUD shown alongside. No per-seat surprises.

Free

$0

Run the engine on a public repo, in your own environment.

  • 1 assessment / month
  • 3 of the 8 artefacts · watermarked
  • Local execution — your source never leaves
  • ≈US$2 inference cap per account
  • Google disciplines (SRE, DORA, SAIF) · paid tiers
Start free

Daylight

US$249 / mo
≈A$380 / mo

For an active deal-doer who needs the full report.

  • 5 assessments / month
  • Google disciplines (SRE, DORA, SAIF)
  • All 8 artefacts, no watermark
  • Local execution
  • Email support
Buy now
Most popular

Meridian

US$999 / mo
≈A$1,520 / mo

For a fund running diligence across a pipeline.

  • 25 assessments / month
  • Google disciplines (SRE, DORA, SAIF)
  • Multi-seat
  • AI-agent fix scripts
  • Hosted execution (per-scan approval gate)
Buy now

Apex

fromUS$2,499 / mo
≈A$3,800 / mo

For an acquirer or a high-volume buy-side platform.

  • Unlimited assessments
  • Google disciplines (SRE, DORA, SAIF)
  • SSO / SAML (post-GA)
  • Self-host option
  • Named customer success manager
Talk to us
TRUST

Built for code you can't risk leaking

How Firstlight handles your source — the short version.

Local mode: nothing leaves

On the free-tier local backend the whole assessment runs inside your own infrastructure, against your own AI plan. Your source never reaches us — there's nothing on our side to leak.

One repo, read-only, then gone

For a hosted run, a private repo is pulled with a fine-grained GitHub token scoped read-only to that single repository — used to clone, then dropped.

Hosted runs: scratch only

A hosted run gets an ephemeral scratch workspace that's destroyed when it finishes. The audit record keeps a hash of the repo — never a byte of the content.

A person waves every hosted run through

A hosted scan provisions cloud resources only after someone signs off on it — nothing spins up on its own, and every approval is logged.

Never training data

Your source is Tier-3 confidential here: it isn't logged in the clear, it isn't used to train any model, and it doesn't go to a third party without you saying so.

TRUST

Built for code you can't risk leaking

How Firstlight handles your source — the short version.

Local mode: nothing leaves

On the free-tier local backend the whole assessment runs inside your own infrastructure, against your own AI plan. Your source never reaches us — there's nothing on our side to leak.

One repo, read-only, then gone

For a hosted run, a private repo is pulled with a fine-grained GitHub token scoped read-only to that single repository — used to clone, then dropped.

Hosted runs: scratch only

A hosted run gets an ephemeral scratch workspace that's destroyed when it finishes. The audit record keeps a hash of the repo — never a byte of the content.

A person waves every hosted run through

A hosted scan provisions cloud resources only after someone signs off on it — nothing spins up on its own, and every approval is logged.

Never training data

Your source is Tier-3 confidential here: it isn't logged in the clear, it isn't used to train any model, and it doesn't go to a third party without you saying so.

TRUST

Built for code you can't risk leaking

How Firstlight handles your source — the short version.

Local mode: nothing leaves

On the free-tier local backend the whole assessment runs inside your own infrastructure, against your own AI plan. Your source never reaches us — there's nothing on our side to leak.

One repo, read-only, then gone

For a hosted run, a private repo is pulled with a fine-grained GitHub token scoped read-only to that single repository — used to clone, then dropped.

Hosted runs: scratch only

A hosted run gets an ephemeral scratch workspace that's destroyed when it finishes. The audit record keeps a hash of the repo — never a byte of the content.

A person waves every hosted run through

A hosted scan provisions cloud resources only after someone signs off on it — nothing spins up on its own, and every approval is logged.

Never training data

Your source is Tier-3 confidential here: it isn't logged in the clear, it isn't used to train any model, and it doesn't go to a third party without you saying so.

FAQ

Common Questions

Everything you'd want to know before running an assessment.

How does Firstlight get access to my code?

Do you train on my code?

What is the difference between local and hosted runs?

How is this different from a hands-on technical-DD engagement?

What do I actually get from a run?

FAQ

Common Questions

Everything you'd want to know before running an assessment.

How does Firstlight get access to my code?

Do you train on my code?

What is the difference between local and hosted runs?

How is this different from a hands-on technical-DD engagement?

What do I actually get from a run?

FAQ

Common Questions

Everything you'd want to know before running an assessment.

How does Firstlight get access to my code?

Do you train on my code?

What is the difference between local and hosted runs?

How is this different from a hands-on technical-DD engagement?

What do I actually get from a run?