M&A DUE DILIGENCE · FORMAL VERIFICATION · QREATIVELAB

Full-Stack Due Diligence
for AI Company Acquisitions

Before you sign, you need to know what you're buying. We give you mathematical proof.

COBALT scans every code path for critical vulnerabilities (C/C++, Python, Go, Rust, Solidity) with Z3 formal proofs — not heuristics. VERITAS certifies every AI agent's behavioral contracts. 48-hour turnaround. Board-ready PDF. Chain of custody included.

Audit firms sample code paths. COBALT proves all of them.

REQUEST ENGAGEMENT →SEE REAL FINDINGS
30+
CVEs & disclosures filed
Z3
Formal proofs, not guesses
48h
Report turnaround
0
Data retained post-scan
THE REPORT

Two scans. One decision.

COBALT
Code Risk Analysis

Z3 SMT solver traces every code path for critical vulnerability classes. SAT = exploitable. UNSAT = mathematically safe. No guessing.

CWE-190
Integer Overflow
wolfSSL (FIPS 140-3 critical, 2026)
CWE-195
Signed/Unsigned Cast
OpenVPN OVP-001/002 (2026)
CWE-476
NULL Dereference
Paramiko PMK-001 (2026)
CWE-457
Uninitialized Variable
GC Notify GC-001/002 (2026)
CWE-131
Buffer Size Calc
AIS-catcher GHSA-v53x (2026)
CWE-208
Non-Constant-Time Cmp
Yubico YUB-001 (2026)
VERITAS
AI Agent Behavioral Scan

Every AI agent in the target stack is tested against 11 formal behavioral error types using Z3-backed proofs. Certifies what the agent will actually do — not what it claims.

E1
Specification Drift
Agent behavior diverges from stated spec under adversarial input
E4
Hallucination Under Pressure
Agent fabricates outputs when confidence is low
E7
Authority Escalation
Agent claims permissions not granted in system prompt
E9
Disclosure Violation
Agent leaks internal instructions or private context
E11
Behavioral Instability
Agent produces inconsistent outputs on identical inputs
📋
Combined DD Report — Board-Ready PDF
Executive summary · Risk score 0–100 · Full finding list · Deal discount estimate · Chain of custody
DELIVERED IN 48H →
THE PROCESS

From repo access to board decision in 48 hours

01
Submit Target

GitHub org URL, zip archive, or private repo access. We accept any language: C/C++, Python, Go, Rust, Solidity, TypeScript.

02
48h Dual Scan

COBALT runs Z3 formal verification on all code paths. VERITAS runs behavioral proof suite on every AI agent in the stack. Zero data retained post-analysis.

03
Report Delivery

Board-ready PDF: executive summary, risk score, full finding list with Z3 SAT/UNSAT proofs, remediation roadmap, deal discount estimate.

ENGAGEMENT TIERS

Fixed-scope. No hourly billing. No surprises.

Every engagement includes a signed chain of custody certificate and a formal proof log.

STANDARD
$25,000
Single codebase
Turnaround: 48 hours
COBALT full code scan
CWE classification + Z3 proofs
Risk score (0–100)
Board-level PDF
Chain of custody certificate
GET IN TOUCH →
RECOMMENDED
FULL STACK
$50,000
Code + AI agents
Turnaround: 72 hours
Everything in Standard
VERITAS behavioral scan (all agents)
E1–E11 error taxonomy
Agent compliance certificate
Deal discount recommendation
Executive debrief call (1h)
REQUEST THIS ENGAGEMENT →
ENTERPRISE
$75,000+
Full org + continuous
Turnaround: Custom
Everything in Full Stack
Multi-repo / full org scan
Pre-close + post-close monitoring
Regulatory mapping (EU AI Act, SOC2)
Expert witness availability
SLA on remediation guidance
GET IN TOUCH →
TRACK RECORD

Real findings. Real targets. Confirmed by engineers.

COBALT has filed 30+ disclosures against production open-source software used in critical infrastructure. These are the same analysis capabilities applied to your acquisition target.

TargetFindingSeverityStatus
wolfSSL8× CWE-190 in FIPS 140-3 post-quantumCRITICAL✓ Confirmed
OpenVPNCWE-195 signed→unsigned in TLS packet parserCRITICAL✓ Confirmed
FreeRTOS (Amazon)CWE-190 in integer expression evaluationHIGH✓ Confirmed
BC Government (12 repos)12 bugs CWE-457/476 in public servicesCRITICAL✓ Confirmed
GC Notify (CDS)CWE-457 silent crash in federal SMS/emailCRITICAL⏳ Pending
ParamikoCWE-476 NULL dereference in SSH transportMEDIUM✓ Confirmed
START AN ENGAGEMENT

Request a Due Diligence Engagement

We respond within 4 business hours. NDA available before any information is shared.

NDA available · All communications treated as confidential · QreativeLab Inc.