Micro-SaaS Due Diligence: 6 Red Flags That Don't Show Up on Standard Checklists

You found a micro-SaaS doing $8K MRR, the seller wants 3.5x annual revenue, and the metrics look clean. Time to wire the money, right?

Not so fast. Micro-SaaS acquisitions under $500K are fundamentally different from larger software deals. There’s no management team to interview, no board minutes to review, and often no one on staff besides the founder. The due diligence process needs to reflect that reality.

After analyzing hundreds of small SaaS transactions, we’ve identified the specific red flags that sink micro-SaaS deals — and most of them won’t show up in a standard due diligence checklist designed for bigger companies.

Why Standard Due Diligence Fails for Micro-SaaS

Traditional M&A due diligence assumes you’re buying a company. With micro-SaaS, you’re usually buying a product — and sometimes just a revenue stream. The difference matters enormously.

A typical small business due diligence checklist covers corporate documents, employee agreements, lease terms, and insurance policies. For a one-person SaaS with no employees, no office, and no corporate structure beyond an LLC, half of that checklist is irrelevant. Meanwhile, the things that actually determine whether the acquisition succeeds — code quality, infrastructure dependencies, churn cohort analysis, and customer concentration — often get superficial treatment.

Here’s what to actually focus on.

Red Flag #1: Revenue That Isn’t What It Looks Like

This is the most common issue we see in micro-SaaS deals. The headline MRR number is technically accurate, but it’s misleading.

What to check:

• Annual vs. monthly mix. A product showing $10K MRR might have $7K of that from annual subscribers who paid months ago. If those annuals are up for renewal in 60 days and the product hasn’t shipped meaningful updates, you could lose 70% of revenue within your first quarter of ownership.
• Cohort-level churn. Overall churn of 3% monthly sounds acceptable. But if your Q3 2025 cohort is churning at 8% while older cohorts churn at 1%, the product may be losing market fit. Ask for Stripe or Baremetrics exports broken down by signup month.
• Expansion revenue masking churn. Net revenue retention of 105% can hide gross churn of 15% if a few customers are upgrading significantly. Always ask for gross churn numbers.
• One-time revenue mixed in. Lifetime deals, consulting income, setup fees, and affiliate revenue sometimes get blended into MRR calculations. Request Stripe transaction-level data for the past 12 months and categorize every dollar.

The test: Export all Stripe/payment processor transactions for 12 months. Rebuild MRR from scratch. If your number differs from the seller’s by more than 10%, that’s a conversation you need to have before proceeding.

Red Flag #2: The Codebase Is a Liability, Not an Asset

With micro-SaaS, the code is the business. A codebase that only the original developer can maintain is a ticking time bomb.

What to check:

• Framework and language currency. Is it built on Rails 4, PHP 5.6, or Angular 1? Outdated frameworks mean security vulnerabilities, difficulty hiring developers, and eventually a forced rewrite. Budget $30K–$80K for a rewrite if the stack is more than two major versions behind.
• Test coverage. Zero tests isn’t uncommon in solo-founder SaaS. It’s not a dealbreaker, but it means every change you make carries higher risk. Factor in 2–3 months of engineering time to add basic test coverage post-acquisition.
• Third-party dependencies. Check for deprecated APIs, SDKs approaching end-of-life, and hard dependencies on services that could change pricing. We’ve seen deals where a Twilio or SendGrid price change would have wiped out margins entirely.
• Deployment complexity. Can you deploy with a single command, or does it require 47 manual steps and a prayer? Ask the seller to do a deploy while you watch. If they hesitate, that tells you something.
• Documentation. Not just code comments — architectural decisions, environment setup, and the “why” behind non-obvious choices. If the seller can’t produce this, negotiate a longer transition period (90 days minimum instead of the standard 30).

The test: Have an independent developer (budget $500–$1,500) review the codebase and provide a written assessment of maintainability, security issues, and estimated technical debt. This is the single highest-ROI due diligence expense in any micro-SaaS deal.

Red Flag #3: Customer Concentration Risk

In a SaaS with 2,000 customers at $15/month, losing any single customer is noise. In a micro-SaaS with 40 customers at $200/month, your top 5 customers might represent 35–50% of revenue.

What to check:

• Top-10 customer revenue share. If your top 10 customers represent more than 40% of revenue, you have concentration risk. Above 60%, it’s a serious concern that should be reflected in the purchase price.
• Contract status of top customers. Are they on month-to-month or annual contracts? When do the annuals renew? Have any indicated they’re evaluating alternatives?
• Customer engagement signals. Login frequency, feature usage, support ticket patterns. A customer paying $500/month who hasn’t logged in for 6 weeks is a churn risk regardless of what the seller tells you.
• Customer communication. Ask to see the last 3 months of support tickets and any customer-facing emails. The tone and content reveal the real health of customer relationships.

The test: Calculate a “concentration-adjusted MRR” by applying a 50% haircut to any revenue from customers representing more than 5% of total MRR. If the adjusted number still supports your acquisition price, you’re in a safer position.

Red Flag #4: SEO-Dependent Growth With No Moat

Many micro-SaaS products acquire customers almost entirely through organic search. That’s fine — until it isn’t.

What to check:

• Traffic source breakdown. If more than 70% of signups come from organic search, one algorithm update could devastate the business. Ask for Google Search Console access covering the past 16 months.
• Keyword concentration. Is 80% of organic traffic coming from 3–5 keywords? That’s fragile. Look at keyword diversity and the depth of ranking pages.
• AI overview exposure. As of 2026, Google’s AI Overviews are absorbing clicks from informational queries at an accelerating rate. If the product relies on “how to” or “what is” keyword traffic for top-of-funnel, that channel may be declining. Check Search Console for click-through rate trends on key terms over the past 12 months.
• Backlink profile quality. Run the domain through Ahrefs or Semrush. Are the backlinks from real sites or PBN spam? Toxic backlinks can be a liability you inherit.
• Paid acquisition economics. Even if the current owner doesn’t run ads, test what CAC would be via Google Ads. If you can’t profitably acquire customers through paid channels, you’re entirely dependent on organic — and that’s a risk.

The test: Model what happens to unit economics if organic traffic drops 40%. If the business is still viable (perhaps with reduced margins), the growth channel risk is manageable. If a 40% traffic drop makes the acquisition unprofitable, you’re paying for a marketing channel, not a product.

Red Flag #5: Infrastructure and Vendor Lock-in

Micro-SaaS founders optimize for speed and simplicity, which often means deep coupling to specific platforms.

What to check:

• Hosting costs trajectory. A product on Heroku or Vercel might be paying $50/month today but could need $500/month at 2x the current load. Understand the cost scaling curve.
• Platform dependency. Is it a Shopify app? A WordPress plugin? A Slack integration? Platform-dependent products live and die by that platform’s rules. Shopify has changed its app store policies three times in the past two years. That’s existential risk.
• Data portability. Can you export all customer data and migrate to a different infrastructure provider if needed? If the answer is “it would take 6 months of engineering,” factor that into your price.
• Domain and account ownership. Verify that the seller actually owns (and can transfer) all domains, cloud accounts, API keys, and service accounts. We’ve seen deals stall because a domain was registered under a co-founder who left three years ago.

Red Flag #6: The Seller’s Motivation Doesn’t Add Up

This is the softest due diligence item, but arguably the most important. Why is someone selling a profitable, growing micro-SaaS?

Legitimate reasons:

• Burnout from solo operation (very common and very real)
• Moving on to a new project with higher ambition
• Personal life changes requiring liquidity
• The product needs investment the founder can’t or won’t make

Reasons that should make you dig deeper:

• “I want to focus on my other projects” — which other projects? Are they competitive?
• “The business is doing great, I just need cash” — if it’s doing great, why not take a loan against it?
• Vague answers about recent churn trends
• Reluctance to share analytics access before LOI
• Pushing for a fast close without adequate diligence period

The test: Ask the seller to keep 10–20% equity or accept an earnout tied to 12-month retention. Sellers who believe in the business will consider it. Those who know something you don’t will resist aggressively.

Your Micro-SaaS Due Diligence Timeline

For deals under $500K, here’s a realistic timeline:

• Week 1: Financial verification — rebuild MRR from payment processor data, analyze churn cohorts, verify expenses
• Week 2: Technical review — code audit, infrastructure assessment, security scan, deployment test
• Week 3: Customer and market analysis — concentration risk, growth channel audit, competitive landscape
• Week 4: Legal and structural — IP ownership, contracts, transfer logistics, transition planning

Total out-of-pocket cost for thorough due diligence: $2,000–$5,000 (primarily the independent code review and a few hours of legal time). That’s 0.5–1% of deal value on a $500K acquisition — cheap insurance.

The Bottom Line

Micro-SaaS acquisitions can be exceptional investments. The best ones generate 30–50% annual cash-on-cash returns with minimal ongoing time commitment. But the difference between a great deal and a money pit often comes down to the due diligence you do — or skip — before wiring funds.

Focus your diligence on what actually matters for small software businesses: revenue quality, code maintainability, customer concentration, growth channel durability, and seller motivation. Skip the generic corporate DD checklist and apply the micro-SaaS-specific framework above.

Your future self (and your bank account) will thank you.

Thinking about acquiring a micro-SaaS? Exit Street helps buyers find and evaluate small software businesses. Browse current listings or list your own SaaS for sale.