That's been my experience as well. What we are doing differently is we are delivering Cyber Risk quantified in Dollars and Cents so that the buyer can use our findings as leverage in their negotiations. And we become a diligence requirement for the deal to move forward just like the QOE guys. We are generally in and out in less than 2 weeks, so we don't slow down deal pace. We also typically fly under the radar as a "routine pen test" that needs to be done for GRC purposes so as not to raise eyebrows in the acquisition target IT teams.

We are flipping cyber diligence around to add value to the buyer (and sellers if they contact us proactively - we can substantiate the addition of valuation by proactively addressing cybersecurity risk and adding it to their valuation). We do this by quantifying the cyber risk in terms of dollars and cents and then advising the buyers to claw back a portion of that money at the deal table through contract mods (seller has to fix the problems on their dime in a specific time frame), added deal insurance and lowered buy price. Think of us as a Home Inspector sent in to evaluate a home before you buy it. We uncover problems that could derail Investment Thesis and VCP's should the company get hacked shortly after the PE firm takes possession .