Over 5,500+ deterministic checks plus multi-agent LLM scans, across 14+ frameworks. Including industry-leading Google disciplines — SRE, DORA, SLSA.
Every finding cited to a file:line in your repo, every control mapped to a recognised standard.
The head of a technical-findings artefact — every line cited to the repo. Sample data; not a real customer.
Run it before they do
One evidenced assessment — read from whichever side of the deal you're on.
Eight parts. One due-diligence report.
Every assessment returns the same eight-part report — executive summary through to a schema-validated JSON export, every finding cited to the line. Here's the proforma; your repo fills it in.
Technical & AI Due-Diligence Report
repo a3f9c1e · DD rubric v1 · 14+ framework families · 2026-05-13 · sample data — not a real customerExecutive Summary
Technical Deep-dive
Code Hygiene Report
Security & Compliance
Remediation Guidance
AI Bootstrap Fixes
Audit Log
JSON Output
How it works
Point Firstlight at a repo. It runs the deterministic checks and the LLM dimension analysers against the shared DD rubric. You get eight artefacts — every finding cited to a line of code.
Hand it a repo
A public repo URL — or a fine-grained GitHub token scoped read-only to one repo, alive just long enough to clone and then dropped. On the local backend the source never leaves your environment to begin with.
It runs the rubric
Deterministic checks first — committed secrets, client-trusted tenant IDs, single-maintainer hotspots — then the LLM dimension analysers, all scored against the shared DD rubric across seven dimensions.
You get the artefacts
Eight of them: technical findings with file:line, executive summary, code-quality report, compliance crosswalk, remediation workbook, AI-agent fix scripts, audit trail, JSON export. In minutes, not weeks.
Scored against 14+ framework families
Every finding mapped to a recognised standard — including Google's own SRE and DORA, evaluated the way Google would. And every finding is additionally tagged to SOC 2 Trust Services Criteria and ISO/IEC 27001 Annex A, keyed to your diligence checklist.
Google SRE + DORA
Reliability and delivery performance — error budgets, the four DORA metrics, runbook discipline.
Premium featureGoogle Secure-OSS + SLSA
Software supply-chain integrity — SLSA build provenance, signed artefacts, hardened open-source dependency posture.
Premium featureGoogle SAIF
Secure-AI framework — prompt injection, data poisoning, model and output handling.
Premium featureGoogle Cloud Well-Architected
A GCP-hosted system reviewed on Google's own pillars — operational excellence, security, reliability, cost, performance.
AWS Well-Architected
The six AWS pillars — operational excellence, security, reliability, performance efficiency, cost optimisation, sustainability.
Azure Well-Architected
Microsoft's five pillars — reliability, security, cost optimisation, operational excellence, performance efficiency.
ISO/IEC 25010 (SQuaRE)
Software product quality — maintainability, reliability, security, portability, performance.
OWASP ASVS + SAMM
Application-security verification and maturity — auth, sessions, access control, data handling.
NIST SSDF (SP 800-218)
Secure software development — the pipeline practices a buyer's security team expects.
ISO/IEC 27001
Information-security management — the Annex A controls a security questionnaire and a SOC 2 audit lean on.
PCI DSS
Payment-card data handling — the DSS requirements that apply the moment cardholder data touches the code.
NIST AI RMF 1.0
AI risk management — a governed model, or a wrapper, and documented like one?
OWASP Top 10 for LLMs
The LLM-app attack surface — injection, insecure output handling, training-data and supply-chain risk.
Diátaxis + arc42 / C4
Documentation and architecture maturity — is the system explained the way an acquirer needs?
What's in scope — and what isn't
Firstlight is a fast technical and AI read of the code itself. It's deliberately not a full diligence engagement — so here's the boundary, drawn plainly.
In scope
- ✓Architecture and code quality — how the system is put together, how maintainable it is, and which parts are load-bearing and untested.
- ✓Security posture — secrets that made it into the repo, how auth and access control are wired, dependency CVEs, and whether the team ships with a secure SDLC.
- ✓Multi-tenant isolation — where one customer's data is fenced off from another's, and how much the code trusts identifiers the client supplies.
- ✓AI claims, checked against the code — a real, governed model doing the work, or a thin call wrapped in a loading spinner? With the file:line that settles it.
- ✓Documentation and onboarding maturity — is the system actually explained, the way someone acquiring it would need it explained?
- ✓Operational governance — runbooks, rollback paths, and the kind of audit trail an acquirer expects to already exist.
Out of scope
- —Load, performance, or scalability testing — no synthetic traffic, no benchmarking against a target system.
- —A live attack on a running deployment — no penetration testing, no probing production; Firstlight reads the source, it doesn't poke the server.
- —Patent or prior-art search beyond what the code itself reveals.
- —Financial diligence — revenue, retention, margins, the cap table. Different question, different team.
- —Legal and contract review — MSAs, licensing terms, IP assignment.
- —The verdict on the team and the business — Firstlight hands you a precise technical signal; the investment call stays with you.
Start free — then scale with the deal flow
One free assessment every month. Then Daylight at US$249, Meridian at US$999, or Apex from US$2,499 — all in USD, with AUD shown alongside. No per-seat surprises.
Free
Run the engine on a public repo, in your own environment.
- ✓1 assessment / month
- ✓3 of the 8 artefacts · watermarked
- ✓Local execution — your source never leaves
- ✓≈US$2 inference cap per account
- —Google disciplines (SRE, DORA, SAIF) · paid tiers
Daylight
For an active deal-doer who needs the full report.
- ✓5 assessments / month
- ✓Google disciplines (SRE, DORA, SAIF)
- ✓All 8 artefacts, no watermark
- ✓Local execution
- ✓Email support
Meridian
For a fund running diligence across a pipeline.
- ✓25 assessments / month
- ✓Google disciplines (SRE, DORA, SAIF)
- ✓Multi-seat
- ✓AI-agent fix scripts
- ✓Hosted execution (per-scan approval gate)
Apex
For an acquirer or a high-volume buy-side platform.
- ✓Unlimited assessments
- ✓Google disciplines (SRE, DORA, SAIF)
- ✓SSO / SAML (post-GA)
- ✓Self-host option
- ✓Named customer success manager
