The pre-LOI OSINT checklist for M&A diligence
Twelve items every diligence team should run before signing a letter of intent. Sanctions, litigation, key-person liability, cyber exposure, IP risk, and the rest.
Most diligence shops have an internal OSINT checklist their senior analysts run before LOI. Most are 30% incomplete and undocumented. Here's the version that captures the items that actually matter — based on watching diligence shops use Tracelight across roughly 200 deals.
On the entity
**1. Sanctions screening.** OFAC SDN + EU consolidated + UK HMT + UN. The entity itself + every named subsidiary + every disclosed officer. Zero matches is the only acceptable answer; one match is a deal-killer.
**2. Politically exposed persons (PEP).** World-Check / Dow Jones for every named principal. PEP status isn't a deal-killer but materially affects compliance posture.
**3. Active + recent litigation.** PACER + state court records for the entity. Class actions, regulatory enforcement, IP disputes, wage-and-hour. Material findings shift deal pricing and disclosure schedule.
**4. Bankruptcy + UCC enforcement filings.** Last 7 years. Establishes financial-distress posture; affects working capital adjustments.
**5. Corporate registry chain.** OpenCorporates + Companies House + state SOS. Walk the ownership chain. Cross-check against management's disclosed cap table. Discrepancies are signal.
On the executives
**6. Per-officer sanctions + PEP + adverse-media screen.** Same as entity, individual scope.
**7. Per-officer litigation history.** Personal capacity + officer-capacity. Trust + estate disputes surface here too.
**8. Per-officer board + advisor roles at other entities.** OpenCorporates + Companies House. Reveals undisclosed conflicts of interest with adverse parties.
**9. Per-officer dark-web + breach exposure.** HIBP + Dehashed for personal emails. Doesn't affect the deal directly but informs the integration security posture — recommend forced credential rotation + step-up MFA on the executive team prior to close.
On the cyber + IP posture
**10. Domain + infrastructure scan.** Shodan + VirusTotal on entity domains. Open ports, CVE exposure, prior compromise indicators.
**11. Lookalike-domain + phishing-kit check.** Brand-abuse exposure. Pre-close takedown is a cheap risk-reduction move.
**12. Patent + trademark portfolio audit.** USPTO + foreign equivalents. Validates IP assertions in the data room.
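A sketch of how the item 11 lookalike-domain check can be triaged, added here as an illustration and not Tracelight's own code or method. It classifies already-observed domains against the target's brand domain; the brand, the observed domains and the small confusables table are constructed, and inputs are assumed to be registrable `name.tld` strings.

```python
import unicodedata

# Look-alike character folds. Constructed and deliberately small; extend for real use.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})  # Cyrillic

def skeleton(label):
    """Fold a label to a comparison form: lowercase, no accents, look-alikes mapped."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand):
    """Return why `candidate` resembles `brand`, or None. Both are 'name.tld' strings."""
    c_name, _, c_tld = candidate.lower().rpartition(".")
    b_name, _, b_tld = brand.lower().rpartition(".")
    if c_name == b_name:
        return None if c_tld == b_tld else "tld-swap"
    c_skel, b_skel = skeleton(c_name), skeleton(b_name)
    if c_skel == b_skel:
        return "homoglyph"   # visually identical after folding, e.g. 0 for o
    if osa_distance(c_skel, b_skel) == 1:
        return "typo"        # one keystroke away from the brand
    if b_skel in c_skel:
        return "combo"       # brand plus an extra word such as "-login"
    return None

def triage(candidates, brand):
    return {d: r for d in candidates if (r := classify(d, brand))}

# Constructed sample: the brand and the observed domains are made up for illustration.
BRAND = "harborline.example"
OBSERVED = ["harborline.test", "harb0rline.example", "h\u0430rborline.example",
            "habrorline.example", "harborline-login.example", "unrelated.example"]
print(triage(OBSERVED, BRAND))
```

Flagged domains are leads for an analyst to review and, where abuse is confirmed, candidates for the pre-close takedown mentioned in item 11.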
What's not on this list
This is the OSINT layer of M&A diligence, not the full diligence. Financial diligence (QofE, working capital), commercial diligence (customer interviews, churn analysis), legal diligence (contract review, employment matters), tech diligence (code quality, infrastructure) all sit alongside OSINT. The OSINT layer is the highest-leverage piece for the cost — typically 3-5 hours of senior-analyst time per deal, vs hundreds of hours for the other diligence streams.
Running it in Tracelight
The first 11 items above are automated by a single Tracelight enrichment per subject. The 12th (patent + trademark) is a separate workflow we don't currently cover; we recommend pairing with a specialty IP-diligence vendor.
Time savings vs manual: roughly 4-6 hours per executive, 6-8 hours per entity. On a 6-executive deal that's the difference between a 4-day diligence sprint and a 1-day sprint, with substantially better citation discipline as a side effect.
