22 June 2026, Security Tips

M&A: you're not buying a company, you're inheriting its attack surface

When one company acquires another, everyone looks at the same things: the books, the contracts, the synergies. Almost no one looks at what's already exposed on the internet on the target's side. That's usually where the bad surprise is hiding.

Think of an inheritance. You receive a relative's estate: a house, accounts, maybe a business. In the moment, you think windfall. But who's to say that relative wasn't in debt? That the house doesn't have a hidden flaw? In M&A, it's exactly the same. You inherit the target's attack surface, and with it all its invisible liabilities: forgotten assets, never-patched flaws, sometimes an intrusion already in place. The resulting cyber risk is never confined to the target: it becomes yours immediately.

Key takeaways

  • In M&A, the acquirer inherits the target's entire attack surface, including exposed assets that were never inventoried and any intrusions already underway.

  • A security rating score isn't enough: it measures reputation, not actual technical exposure.

  • Patrowl rediscovers on average 30 to 40% more exposed assets than the organization's declared inventory, a figure that can climb to 60% depending on context.

  • The risk is managed in three phases: passive reconnaissance before signing, exhaustive asset discovery at closing, continuous monitoring during integration.

  • Marriott-Starwood: an undetected intrusion for four years, roughly 339 million customers exposed, an £18.4 million fine.

  • Yahoo-Verizon: breaches revealed during the deal cut the price by $350 million.

Two now-famous cases show just how steep that bill can get.

New Challenges for CISOs in 2026

To explore this topic further, we’ve dedicated an entire webinar to the challenges facing CISOs in 2026 (in French), featuring real-world insights and perspectives on how the role is evolving.

What Marriott actually bought when it acquired Starwood

In September 2016, Marriott completed its acquisition of Starwood. What the group didn't know was that Starwood's reservation network had been compromised since July 2014. The intrusion wouldn't be detected until September 2018, and made public in November. That's two years after the acquisition, and four years after the initial compromise [1].

The toll: roughly 339 million customers' data exposed worldwide, including 5.25 million unencrypted passport numbers. The UK regulator (ICO) first announced a fine of nearly £99 million, ultimately reduced to £18.4 million [1].

The decisive point isn't the amount, it's the reasoning the regulator gave: Marriott had not conducted sufficient due diligence at the time of the acquisition [1]. The risk it bought didn't show up in any score. It lived in the inherited attack surface: a database Starwood was no longer monitoring properly, and one Marriott had never mapped.

It's the indebted relative whose bank statements you never opened.

A rating score is not an attack surface

Most cyber due diligence today relies on rating tools. They produce a single synthetic score, calculated from the outside using indirect signals (exposed protocol versions, blocklist hits, leaked credentials, patch cadence observed on a handful of hosts). That is useful for ranking several targets, but it answers a reputation question, not a technical one: a score tells you nothing about which hosts are actually exposed, which of them are unpatched, or whether one of them is already compromised. A score reassures the investment committee. External attack surface mapping (EASM) protects the information system that results from the deal, something no score can do on its own. Properly conducted cybersecurity due diligence, when the legal context allows it, complements that mapping with an authorized, targeted penetration test rather than stopping at the rating.

The three moments when the attack surface decides the risk

The risk doesn't play out at a single point in time. It unfolds across three windows. Before signing: passive reconnaissance of the target, including a check for any data breach already associated with it. At closing: exhaustive discovery of the target's exposed assets, reconciled against the inventory it declared. During the first hundred days of integration: continuous monitoring of the combined perimeter. That last window is the most exposed, because the target's security team is often reduced at the very moment technical complexity peaks (migrations, network interconnections, new subdomains). Putting this monitoring in place from day one also gives a like-for-like comparison of the two entities' security levels.

Across its own deployments, Patrowl rediscovers on average 30 to 40% more exposed assets than the inventory provided by the organization, a figure that can climb to 60% in some cases [3]. The average global time to identify and contain a breach is, moreover, 241 days (IBM Cost of a Data Breach 2025 [4]), far longer than the typical post-merger integration window of about a hundred days: an intrusion already present at closing will, on average, still be running when integration is declared complete.

Three acquirer profiles, three different exposures

The risk window doesn't look the same depending on the acquirer's external growth strategy. Three concrete use cases show just how much the right approach depends on the profile.

A single acquisition: mapping one specific target

This is the most classic scenario: a company identifies a target, runs its due diligence, signs, integrates. Xplor followed this logic in its own external growth operations, relying on attack surface mapping of the target to document what was actually exposed before integration, rather than relying solely on the target's own disclosures. The stakes here are one-off but decisive: a single perimeter to discover, and a single chance to get it right before the systems start talking to each other.

A growth-by-acquisition strategy: industrializing discovery

Colas illustrates a different profile: an active external growth strategy, with a high number of acquisitions carried out over time. In this context, attack surface mapping can't remain a one-off exercise repeated for each deal. It becomes a repeatable process, triggered systematically with every new acquisition, to absorb the exposed surface of each newly integrated entity quickly and consistently. For a serial acquirer, the risk isn't just a poorly mapped target: it's the accumulation, deal after deal, of blind spots that never get the same scrutiny as the historical perimeter.

A merger between two comparable entities: combining two perimeters

CNP illustrates a third scenario: a merger, where it's no longer about absorbing a smaller target but about combining two already mature perimeters, each with its own history, its own tools, its own blind spots. In a merger of this kind, mapping doesn't just serve to uncover the unknown on the target's side: it serves to establish a single, shared view of the combined attack surface, at a moment when both organizations need to quickly align on a shared risk framework rather than continuing to manage two separate views of their exposure.

These three profiles, single acquisition, growth by repeated acquisitions, merger between peers, share the same underlying need: an exhaustive, continuous view of the real attack surface, regardless of deal size.

Yahoo-Verizon: when exposure costs tens of millions

If Marriott illustrates the cost of an exposure discovered too late, Yahoo illustrates its direct effect on a transaction's price.

In July 2016, Verizon agreed to acquire Yahoo's internet business for $4.8 billion. In September, then in December 2016, Yahoo disclosed massive breaches, first affecting 500 million accounts, then more than a billion. In February 2017, the two companies renegotiated: the price dropped by $350 million, down to $4.48 billion, with legal liability for the breaches shared between them. The deal closed in June 2017 [2].

Three hundred fifty million dollars. That's what a cyber exposure revealed during the acquisition process cost, in pure valuation terms. The message for any executive or investor is clear: a target's security posture isn't a technical externality, it's a component of the price.

How Patrowl responds to this risk

Across each of the three phases of an M&A deal, Patrowl delivers a concrete operational answer:

  • Before the deal (due diligence): passive mapping of the target's exposed attack surface, with no intrusion and no internal access required, making it compatible with pre-closing legal constraints. You identify hidden risks before signing, not after.

  • At closing (day one): automated asset discovery, reconciled against the target's declared inventory. Across Patrowl deployments, the observed gap is typically 30 to 40% of the declared inventory, and up to 60% in some cases [3]: forgotten domains, exposed test environments, undocumented third-party services.

  • During integration (first 100 days): continuous monitoring of the combined attack surface, to detect in real time the exposures created by infrastructure mergers (migration, network interconnection, new subdomains).
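The two reconciliation steps described above (discovery compared against the declared inventory at closing, then a diff of the exposed perimeter during integration) reduce to a small amount of set logic once the data is in hand. The following is an added example written for this article; it is not Patrowl's code and does not describe how the Patrowl platform works. It assumes the passive sources (certificate transparency, passive DNS, and so on) have already been queried and their results flattened into a simple `host,cname` text listing, and all hostnames, the inventory and the CNAME target are constructed sample data. The sample is sized so that the gap comes out at 40%, mirroring the figure quoted in the article; that is a property of the constructed input, not a measurement.

```python
"""Reconcile a target's declared inventory against externally observed hosts,
tag the unaccounted-for ones, and diff two observations taken during
integration. Added example for this article; all data below is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed: the inventory the target's IT team handed over in the data room.
DECLARED_INVENTORY = """
www.acme-target.example
api.acme-target.example
mail.acme-target.example
*.shop.acme-target.example
portal.acme-target.example
cdn.acme-target.example
vpn.acme-target.example
intranet.acme-target.example
docs.acme-target.example
status.acme-target.example
"""

# Constructed: hostnames returned by passive sources (e.g. CT logs, passive
# DNS) for the target's apex domain at closing. Format: host,cname_target
OBSERVED_DAY0 = """
www.acme-target.example,
api.acme-target.example,
mail.acme-target.example,
eu.shop.acme-target.example,
portal.acme-target.example,
cdn.acme-target.example,
vpn.acme-target.example,
docs.acme-target.example,
status.acme-target.example,
staging-api.acme-target.example,
jenkins.acme-target.example,
old-vpn.acme-target.example,
crm.acme-target.example,acme.my.salesforce.example
"""

# Constructed: the same sources re-queried 30 days into integration, now
# scoped to both apex domains since the perimeters are being joined.
OBSERVED_DAY30 = OBSERVED_DAY0 + """
sso.acme-target.example,
test-acme-migration.acquirer-corp.example,
"""

APEX_DOMAINS = ("acme-target.example", "acquirer-corp.example")

# Naming patterns that usually mean "nobody is watching this host".
NON_PROD = re.compile(r"(?:^|[-.])(?:dev|test|qa|uat|stag(?:e|ing)|preprod|demo|sandbox)(?:[-.]|$)")
ADMIN_TOOL = re.compile(r"(?:^|[-.])(?:jenkins|gitlab|grafana|kibana|phpmyadmin|vpn|rdp|admin)(?:[-.]|$)")
LEGACY = re.compile(r"(?:^|[-.])(?:old|legacy|bak|backup|v1)(?:[-.]|$)")


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot so DNS and inventory spellings compare equal."""
    return host.strip().rstrip(".").lower()


def parse_inventory(text: str) -> tuple[set[str], set[str]]:
    """Split declared entries into exact hostnames and wildcard suffixes ('*.x.y' -> 'x.y')."""
    exact, wildcards = set(), set()
    for line in text.splitlines():
        h = normalize(line)
        if not h or h.startswith("#"):
            continue
        (wildcards if h.startswith("*.") else exact).add(h[2:] if h.startswith("*.") else h)
    return exact, wildcards


def parse_observed(text: str) -> dict[str, str | None]:
    """Parse 'host,cname' lines into {host: cname or None}."""
    out: dict[str, str | None] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, cname = line.partition(",")
        out[normalize(host)] = normalize(cname) or None
    return out


def is_declared(host: str, exact: set[str], wildcards: set[str]) -> bool:
    # A declared wildcard is taken to cover its suffix and every label beneath it.
    return host in exact or any(host == w or host.endswith("." + w) for w in wildcards)


def tag(host: str, cname: str | None, apex_domains: tuple[str, ...]) -> list[str]:
    """Why an unaccounted-for host deserves attention first."""
    tags = []
    if NON_PROD.search(host):
        tags.append("non-production")
    if ADMIN_TOOL.search(host):
        tags.append("admin-interface")
    if LEGACY.search(host):
        tags.append("legacy")
    # A CNAME leaving the target's own domains is an undocumented third-party dependency.
    if cname and not any(cname == a or cname.endswith("." + a) for a in apex_domains):
        tags.append("third-party:" + cname)
    return tags


@dataclass
class Report:
    declared_count: int
    unaccounted: dict[str, list[str]]     # observed but not declared -> tags
    declared_not_observed: set[str]       # declared but not seen: decommissioned, or internal-only?

    @property
    def gap_pct(self) -> float:
        """Unaccounted-for assets as a share of the declared inventory."""
        return 100.0 * len(self.unaccounted) / self.declared_count if self.declared_count else 0.0


def reconcile(declared_text: str, observed_text: str, apex_domains: tuple[str, ...]) -> Report:
    exact, wildcards = parse_inventory(declared_text)
    observed = parse_observed(observed_text)
    unaccounted = {h: tag(h, c, apex_domains) for h, c in observed.items()
                   if not is_declared(h, exact, wildcards)}
    return Report(len(exact) + len(wildcards), unaccounted, exact - set(observed))


def new_exposures(before_text: str, after_text: str, apex_domains: tuple[str, ...]) -> dict[str, list[str]]:
    """Hosts present in the later observation only: what integration created or exposed."""
    before, after = parse_observed(before_text), parse_observed(after_text)
    return {h: tag(h, c, apex_domains) for h, c in after.items() if h not in before}


if __name__ == "__main__":
    day0 = reconcile(DECLARED_INVENTORY, OBSERVED_DAY0, APEX_DOMAINS)
    print(f"declared={day0.declared_count} unaccounted={len(day0.unaccounted)} gap={day0.gap_pct:.0f}%")
    for host, tags in sorted(day0.unaccounted.items()):
        print(f"  {host}: {', '.join(tags) or 'no naming hint'}")
    print("declared but not observed:", sorted(day0.declared_not_observed))
    for host, tags in sorted(new_exposures(OBSERVED_DAY0, OBSERVED_DAY30, APEX_DOMAINS).items()):
        print(f"  NEW {host}: {', '.join(tags) or 'no naming hint'}")
```

Two design points worth noting. The gap is expressed relative to the declared inventory, which is how the figure in the text is stated; the complementary set (declared but never observed) is kept as well, because an inventory entry nobody can see from the outside is either decommissioned, in which case the inventory is stale, or reachable only internally, in which case it belongs to a different review. The tagging is deliberately crude pattern matching on names and CNAME targets: it does not replace scanning the hosts, it only orders the list so that staging systems, exposed admin tools and unrecorded SaaS dependencies are looked at before the corporate website.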

The result: you no longer discover the target's real attack surface after signing. You monitor it at every stage of the deal.


FAQ

Can you audit a target's cybersecurity before signing?

Before signing, and without an explicit mandate from the target, only passive reconnaissance is legally defensible: open data, external footprint, publicly exposed services, leaks associated with the target. Active testing of the target's systems requires its authorization, usually obtained after an agreement in principle. Passive reconnaissance doesn't replace an audit; it surfaces weak signals that are useful in the negotiation.

Why isn't a security rating score enough for due diligence?

A score evaluates reputation from the outside, based on indirect signals. It doesn't provide an inventory of actually exposed assets, exploitable vulnerabilities, or ongoing compromises. Yet that inventory is precisely what determines the risk inherited at closing.

What's the riskiest moment in an M&A deal from a cyber standpoint?

The integration period, often the first hundred days. The target's security teams are frequently reduced just as technical complexity peaks, which favors the persistence of pre-existing intrusions, as in the Marriott-Starwood case.

Can a cyber exposure really affect an acquisition's price?

Yes. During Verizon's acquisition of Yahoo, the disclosure of massive breaches led to a $350 million price reduction. Exposure is a component of valuation, not just a technical matter.

Is the right mapping approach the same for a single acquisition and for a growth-by-acquisition strategy?

No. A single acquisition calls for a one-off but rigorous mapping of the target. An active external growth strategy, with a high number of deals carried out over time, calls for a repeatable, standardized process triggered systematically with every new acquisition to avoid the accumulation of unaddressed blind spots.

Sources

[1] Information Commissioner's Office (ICO), United Kingdom. Statement regarding the penalty against Marriott International: acquisition of Starwood in 2016, compromise undetected until 2018, due diligence failure noted by the regulator. Intent to fine of £99 million announced in 2019, reduced to £18.4 million in the final 2020 decision (roughly 339 million customers affected, including 5.25 million unencrypted passport numbers). https://www.edpb.europa.eu/news/national-news/2019/ico-statement-intention-fine-marriott-international-inc-more-ps99-million_en

[2] Verizon Communications Inc. and Yahoo! Inc., press release and SEC filing (Form 8-K), February 21, 2017. $350 million reduction in acquisition price, valuation reduced from $4.8 to $4.48 billion, shared legal liability. https://www.sec.gov/Archives/edgar/data/0001011006/000119312517049548/d353690dex991.htm

[3] Vladimir Kolla, co-founder and CTO of Patrowl, "Enjeux RSSI 2026" webinar, May 2026. Statistic on unknown perimeter rediscovered during client deployments (30 to 50%, with peaks up to 60% depending on the organization).

[4] IBM, Cost of a Data Breach Report 2025. Average global time to detect and contain a breach: 241 days.