Due Diligence | 2026-03-25 | 10 min read

12 Red Flags to Watch for in Any SaaS Acquisition

The most common issues we find in due diligence reports, ranked by how often they appear and how much they impact deal outcomes.

By AcquiCheck Research

After delivering over 100 due diligence reports, we've seen patterns emerge. Certain red flags appear with surprising frequency, and some are far more damaging to deal outcomes than others.

1. Revenue misrepresentation. This is the most common issue we find, present in roughly 35% of deals. Sellers often include one-time fees, annual prepayments, or affiliate revenue in their MRR figures. Always verify recurring revenue against the payment processor directly.

2. Single-customer concentration. When one customer accounts for more than 15% of revenue, you're effectively buying a contract, not a business. We flag this in about 28% of reports. The risk compounds when that customer is on a monthly plan.

3. Declining organic traffic. Sellers typically share revenue screenshots but not traffic data. In 24% of reports, we find organic traffic is declining while MRR hasn't yet reflected the drop. This lag can be 3-6 months, meaning you're buying into a future revenue decline.

4. Outdated dependencies with known vulnerabilities. Nearly 40% of codebases we audit have at least one high-severity CVE in their dependency tree. While not always immediately dangerous, this represents technical debt and potential compliance risk.

5. No test coverage. About 45% of micro-SaaS products have zero automated tests. This makes post-acquisition changes risky and expensive. Factor 2-3 months of engineering time into your budget if you plan to actively develop the product.

6. Blended churn metrics. Sellers often blend annual and monthly customer cohorts to produce a more favorable churn number. Always ask for monthly churn on the monthly cohort specifically.

7. Single traffic source dependency. If 60%+ of traffic comes from one source (usually Google organic), you're one algorithm update away from a significant revenue impact. We see this in about 30% of reports.

8. Missing or outdated legal compliance. Typical findings are privacy policies that predate current regulations, missing cookie consent, and no data processing agreements with subprocessors. These gaps are common in small SaaS but increasingly risky.

9. No IP assignment from contractors. Many SaaS products were partially built by freelancers with no formal IP transfer. This creates ownership ambiguity that can surface during resale or funding.

10. API dependency on a single provider. When the core product depends on one external API (like OpenAI, Twilio, or SendGrid) with no fallback, pricing changes or outages directly impact the business.

11. Churned enterprise clients hidden in metrics. Some sellers focus on active MRR growth while omitting recently churned large accounts. Looking at net revenue change over 6 months reveals this.

12. Seasonal revenue presented as growth. A SaaS that peaks in Q4 might look like it's growing rapidly if you only see October-December data. Always request at least 12 months of history.

The good news: most of these flags don't kill deals. They inform negotiation. A product with 3-4 moderate flags typically sells for 15-25% below asking price, which often makes it a better deal for informed buyers.
