Product & tech due diligence, explained

Deep insight into your product & tech. In one business day.

A read-only scan turns your codebase into a clear, prioritised picture: what is strong, what to fix, and how you compare to the 250+ companies we have X-Rayed. Under 30 minutes of your team's time.

How it works

From first call to final report.

Your only active steps are the call, the NDA, and granting access. The rest runs on our side.

1. Intro call (15 min)

A short call to scope what matters and answer your questions.

2. Sign the NDA (same day)

Confidential from minute one. Our template or yours.

3. Grant access (15 min)

Scoped, read-only access to your repositories. Revocable anytime.

4. Scan & review (same day)

250+ checks run, then operators verify every finding.

5. Access closed (after scan)

As soon as the scan is done, read-only access is revoked, confirmed in writing.

6. Reports delivered (1 business day)

Three reports, delivered in a secure system from which you download them.

7. Data wiped (after delivery)

Your dataroom is deleted, with written confirmation it is gone.

What you receive

Three reports, one for every audience.

From your investors to your engineers, everyone reads it in their own language. Download all three from a secure system.

For investors & non-technical readers

Executive Summary

The big picture in plain language, for your investors, founders and non-technical leadership.

  • What is strong, and what needs work
  • The five things that matter most
  • No technical background required

For technical leadership

Technical Leadership

Scored areas, architecture and priorities, for your CT(P)O and technical leadership.

  • Six areas, scored and benchmarked
  • Architecture and security posture
  • Prioritised by impact

For your product & tech team

Full Findings & Actions

Every finding with code references and a clear remediation path, for the people who build.

  • 250+ checks, in full detail
  • Exact file and line references
  • A roadmap your team can act on

See a real, full example report →

A complete X-Ray of GitLab's open-source codebase.

What we assess

Six areas, benchmarked to your stage.

Architecture

System design, scalability, data model and infrastructure.

Security & Compliance

Vulnerability surface, auth, data privacy and compliance posture.

Code & Delivery

Test coverage, CI/CD cadence and tech debt, quantified.

Team & Organisation

Key-person risk, engineering culture and hiring gaps.

AI Readiness

Real IP versus wrapper, model governance, build versus buy.

Product & Strategy

Product-market-fit signals, roadmap quality and commercial alignment.

What the scan surfaces, beyond the score

  • Over-engineering vs fit-for-purpose
  • Delivery velocity over time
  • Contributor & key-person mapping
  • Proprietary IP & non-trivial engineering
  • Test coverage across layers
  • Dependency & CVE exposure

Security comes first

Your code is treated like it is our own.

Read-only, encrypted, and gone when we are done, with confirmation in writing at every step.

Your code stays only briefly

It lives in a secure, isolated dataroom for the engagement, and only for that. Encrypted, scoped to this engagement alone.

Read-only and revocable

Access reads only what it needs and is fully auditable. The instant access is closed, we confirm it to you in writing.

Zero storage, confirmed

Nothing is kept or shared once we are done. When the dataroom is wiped, you get written confirmation it is gone.

Secure delivery of your reports

Your three reports arrive in a secure, access-controlled system. You download them yourself, nothing over email.

Watch it live

Your team can observe the analysis as it runs. Want a walkthrough call while it happens? Just ask.

NDA by design

Confidential from the first minute. Our template or yours, signed the same day, before anything is connected.

Independently verified standards, actively in progress:

  • ISO 27001: in progress
  • SOC 2 Type II: in progress
  • GDPR: in progress

How your code reaches us, your call.

Three ways to share, from granting temporary access to keeping your code entirely in your own hands.

A temporary access handle

Grant our reviewer read-only access for a short while, the same way you would onboard an engineer. Revoke it the moment the scan starts.

A read-only app

Install a scoped GitHub or GitLab app with read access to only the repositories you choose. Nothing more.

Upload it yourself

Rather we never touch your systems? Push your code to a single-use, encrypted bucket yourself. We pull nothing, you control exactly what goes in and when.

Whichever route you choose, the scan runs in a locked-down AWS environment in the EU. Your code is never executed and never read line by line, and it is processed only within the EU; nothing is sent to the US. The environment is more controlled than a typical engineer's laptop, and every action is logged.

Benchmarked, not guessed

See how you run, and how you compare.

We have X-Rayed 250+ companies across 11+ verticals, so every area is measured against companies at your stage, in your space.

  • 250+ companies assessed
  • 11+ verticals covered
  • 6 areas, scored & ranked

Who runs your X-Ray

Real operators sign off every finding.

Not analysts, and not just the AI. The people reading your code have built and scaled software companies themselves, and review every finding before it reaches you.

Wilco Van Duinkerken, Founder & CTO

Wouter Neyndorff, Founder & CEO

Jurrie Spoelstra, VP Customer Success

Thijs Jung, Tech Lead EMEA

Indroneel Ray, Tech Lead Asia

Common questions

What your leadership will ask.

Under 30 minutes, total. One person grants read-only access to your repositories and signs the NDA. After that, the scan and review run on our side. There are no interviews or questionnaires required.

No. Many companies run an X-Ray on their own, to get an objective read before a raise, a board cycle, or a key hire. Investors often initiate it too. Either way, the process and the reports you receive are exactly the same.

To run the automated scan, your code does need to be read in our secure environment, but you control how it gets there: upload it yourself to a single-use, encrypted bucket, grant temporary read-only access, or install a read-only app. Wherever it runs, it stays in a locked-down EU environment, is never executed or read line by line, and is deleted afterwards with written confirmation. If you genuinely cannot share code at all, we can do a guided remote walkthrough instead, where it stays on your screen, though that is a more limited, manual review.

It runs in a locked-down AWS environment in the EU, inside an isolated network with outbound traffic blocked except for a handful of EU-only endpoints. Any model analysis runs in an EU inference region. Nothing is sent to the US, and every action is captured in an audit log.

No. Your code is analysed in context inside a secure, isolated dataroom and retained only for the engagement. When the dataroom is wiped, you receive written confirmation that all of your data is gone. Access is read-only, encrypted, scoped, fully auditable, and revocable at any time.

ISO 27001, SOC 2 Type II and GDPR alignment are all in progress. In the meantime, every engagement is NDA-covered, read-only, encrypted, and operates on a zero-retention basis with written confirmation once your data is wiped.

Ready when you are.

No pre-work required. Whether you run an X-Ray yourself or your investor initiates it, the process and your reports are the same.

  • 15 min intro call
  • Read-only · NDA-covered
  • Zero storage, confirmed
  • 1 business day