Is The Firmware
An Asset Or A Liability?

Before you buy a hardware company, you find out whether its financials, its IP, and its contracts hold up. Its firmware almost never gets the same scrutiny — and that's where the expensive surprises hide.

CLI Systems provides engineering-led technical due diligence on embedded firmware and Linux products, written for a deal team. We tell you what you're actually buying, what it will cost to keep it alive, and where the red flags are — before they become your problem.

What We Assess

Six dimensions of firmware risk, each translated into what it means for the deal.

1. Buildability & Reproducibility

Can the product actually be rebuilt from source today, by someone other than the person who last built it? A build that only exists on one machine, or can't be reproduced at all, is a hidden liability that surfaces the first time the new owner needs to ship a fix.

2. Bus Factor & Maintainability

How much of the working knowledge lives in people rather than documentation, and what happens when those people are gone after the acquisition? We assess how fragile the team-to-code relationship is, and what it would take to onboard a new team.

3. Component & License Inventory

What third-party and open-source code is inside the product, and does the company have the right to ship it the way it does? GPL/LGPL exposure, unmet attribution, and modified copyleft components are real liabilities that can require rework or re-licensing to clear.

4. Silicon Supply Risk

Are the core parts — the MCU, the SoC, key ICs — still in production, multi-sourced, and available at volume? A single-source or end-of-life critical component is a future redesign cost hiding inside a currently-shipping product.

5. Security & Compliance Posture

Known-CVE exposure in the shipped image, the ability to deploy a signed update at all, and readiness for regimes like the EU Cyber Resilience Act or FDA premarket cybersecurity. Gaps here can block sales, trigger recalls, or demand investment the seller never made.

6. Red-Flag Summary, Mapped To The Deal

Was the firmware engineered well, or is it riddled with the kind of debt that becomes the buyer's problem? Every finding above is rolled up into a prioritized red-flag list and framed in deal terms: what's minor, what's a negotiation lever, and what's a walk-away.

The Deliverable

A written report structured for a deal team, not an engineering backlog.

An Overall Verdict

A single, clearly-stated judgment on the firmware — asset, fixable liability, or deal-breaker — on the first page, before any technical detail. It reflects the entire assessment, so a partner can read one line and know where the firmware sits in the deal.

An Executive Summary

A one-page, plain-language summary of the three or four things that actually matter to this deal: the material risks, what each means in cost or time, and what we would do about it. Written for a non-technical decision-maker and ready to drop into an investment memo.

A Prioritized Red-Flag List

Every material finding sorted by what it means for the transaction: walk-away issues, price-negotiation levers, and routine items you can accept. Each flag carries a severity and a short note on why it lands where it does, so nothing is left as an open question.

Findings Across Six Dimensions

The full detail behind the summary, covering all six areas we assess: buildability, bus factor, component and license inventory, silicon supply, and security and compliance posture. Each finding is rated by severity and likelihood, with the estimated cost or time impact if it goes unaddressed.

A Remediation Menu

For each material issue, what it would take to resolve it after close — the work involved, the rough investment, and the effort and time. This turns "the firmware has problems" into concrete, costed options you can price into the deal or a post-close plan.

Component & License Inventory (SBOM)

A software bill of materials (SPDX or CycloneDX) of the third-party and open-source code in the shipped firmware, listing each component's version and license, with known CVEs and open-source obligations flagged. The evidence base your counsel needs to confirm compliance.

Scope & legal boundary. This is an engineering-led identification of technical risk and open-source obligation, written to inform a transaction. It is not a legal opinion, and CLI Systems is not a law firm. Licensing and compliance findings flag where obligation likely exists and should be confirmed with qualified IP and regulatory counsel — we identify the exposure so your legal team knows exactly where to look.

Contact CLI Systems

Tell us about the target and the deal timeline, and we'll scope a firmware due-diligence engagement to fit it.
Engagements typically run $7,500–$20,000 depending on scope.