
Micro-SaaS Due Diligence: 12 Red Flags That Kill Deals (And How to Spot Them Early)

You found a micro-SaaS doing $8K MRR with 90% margins. The seller wants 3.5x annual revenue. The product looks clean, customers seem happy, and the codebase is on GitHub. Looks like a great deal, right?

Maybe. Or maybe you're about to buy a business that's three months from imploding.

Micro-SaaS acquisitions — typically businesses doing $1K to $50K MRR — have unique risks that don't show up in traditional M&A due diligence frameworks. The numbers are small enough that a single customer churning can tank the business. The code is often written by one person with zero documentation. And the "moat" might be nothing more than a first-mover advantage that's evaporating.

After analyzing hundreds of micro-SaaS deals, here are the 12 red flags that experienced buyers check before wiring money — and the specific thresholds that separate good deals from expensive lessons.

1. Revenue Concentration: The One-Customer Time Bomb

The red flag: Any single customer accounts for more than 20% of MRR.

This is the #1 deal-killer in micro-SaaS, and it's shockingly common. A business doing $10K MRR sounds great until you realize $3K of that comes from one enterprise client on a month-to-month contract.

What to check:

  • Get a full customer revenue breakdown (anonymized is fine initially)
  • Calculate the Herfindahl index if you want to be rigorous — but honestly, just look at the top 5 customers as a percentage of total revenue
  • Ask specifically: "If your largest customer churned tomorrow, what happens?"

Safe threshold: No single customer >15% of MRR, top 5 customers <40% combined. For sub-$5K MRR businesses, these thresholds are harder to meet — factor that into your offer price, don't ignore it.

2. Churn Hiding Behind Growth

The red flag: Net revenue looks flat or growing, but gross churn exceeds 5% monthly.

Sellers love showing net revenue charts. "Look, we've been steady at $12K MRR for 18 months!" But steady net revenue can mask brutal churn if new customers keep replacing lost ones. The moment acquisition slows down (which it will after the sale — you won't have the founder's network), the real churn rate eats you alive.

What to check:

  • Request gross churn numbers — both logo churn (customers lost) and revenue churn (dollars lost)
  • Calculate cohort retention: of customers who signed up 6/12 months ago, what percentage are still paying?
  • Monthly gross revenue churn >5% means you're replacing half your revenue base every year

Safe threshold: Gross monthly revenue churn <3% for B2B SaaS, <7% for B2C/prosumer. Anything above that needs a significant price discount.

3. The Stripe Dashboard Isn't the Full Picture

The red flag: Seller only shares Stripe screenshots or summary data.

Stripe is not an accounting system. It doesn't show refunds cleanly, doesn't account for chargebacks in progress, and definitely doesn't show PayPal/alternative payment revenue. I've seen sellers share Stripe dashboards showing $15K MRR while conveniently omitting $2K in pending disputes and a PayPal account with $500/month in additional refunds.

What to check:

  • Request read-only Stripe access (or Baremetrics/ChartMogul/ProfitWell if they use analytics tools)
  • Cross-reference with bank statements for at least 3 months
  • Check for annual plans that inflate MRR calculations — $1,200 annual plan ≠ $100 MRR if the customer is 10 months in
  • Look at the dispute rate: >0.5% is a warning sign

Non-negotiable: If a seller won't give you payment processor access during due diligence (under NDA), walk away. Full stop.

4. Single-Founder Dependency (The Bus Factor)

The red flag: The founder does everything — code, support, marketing, sales — and nothing is documented.

Most micro-SaaS businesses are one-person operations. That's fine when that person is running it. It becomes a problem when you're the new owner and you can't figure out how to deploy a hotfix because the CI/CD pipeline exists entirely in the founder's head.

What to check:

  • Is there a README that actually explains how to set up, build, and deploy?
  • Are environment variables documented somewhere other than the production server?
  • Can you run the test suite (if one exists) and get it passing?
  • Are there any manual processes the founder does weekly/monthly? (Newsletter sends, data exports, invoice generation)
  • How many customer support tickets mention the founder by name?

What to negotiate: Minimum 30-day transition support, ideally 60-90 days. Get it in the purchase agreement with specific availability commitments (e.g., "10 hours per week for 60 days"). Budget $2K-5K of the purchase price as a holdback released after successful transition.

5. Technical Debt That's Actually Technical Bankruptcy

The red flag: The codebase runs on deprecated frameworks, has no tests, or requires a specific (old) runtime version.

Technical debt in a micro-SaaS is normal. Technical bankruptcy is when fixing the debt costs more than the business is worth. I've seen businesses running on PHP 5.6, Rails 3, or Python 2.7 — all of which have known security vulnerabilities and no community support.

What to check:

  • What language/framework version? Is it still actively maintained?
  • Run a dependency audit (npm audit, bundle audit, pip-audit) — how many critical vulnerabilities?
  • Is the app deployed on infrastructure you can manage? (Heroku, AWS, Vercel) Or is it on a random VPS with no documentation?
  • Are there any hard dependencies on deprecated APIs or services?
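One way to turn the dependency audit into a remediation estimate, as an added example that is not from the original article: it reads a report in the `npm audit --json` format (npm 7+) and separates serious findings that a compatible version bump fixes from those that need a breaking upgrade or have no fix at all. The sample report and its package names are constructed.

```python
import json

# Constructed sample shaped like `npm audit --json` output (npm 7+ report format).
# Package names are hypothetical.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "legacy-orm": {"severity": "critical", "isDirect": True,
                       "fixAvailable": {"name": "legacy-orm", "version": "5.0.0",
                                        "isSemVerMajor": True}},
        "old-parser": {"severity": "high", "isDirect": False, "fixAvailable": False},
        "http-util": {"severity": "high", "isDirect": True, "fixAvailable": True},
        "tiny-glob": {"severity": "moderate", "isDirect": False, "fixAvailable": True},
    },
})

SEVERITIES = ("critical", "high", "moderate", "low", "info")


def triage(audit_json):
    """Count findings by severity and sort the serious ones by remediation effort."""
    report = json.loads(audit_json)
    counts = dict.fromkeys(SEVERITIES, 0)
    easy, major_upgrade, no_fix = [], [], []
    for name, entry in report.get("vulnerabilities", {}).items():
        severity = entry.get("severity", "info")
        counts[severity] = counts.get(severity, 0) + 1
        if severity not in ("critical", "high"):
            continue
        fix = entry.get("fixAvailable", False)
        if fix is False:
            no_fix.append(name)          # no patched release: replace or fork
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            major_upgrade.append(name)   # fix exists but is a breaking upgrade
        else:
            easy.append(name)            # fixed by a compatible version bump
    return {"counts": counts, "easy": sorted(easy),
            "major_upgrade": sorted(major_upgrade), "no_fix": sorted(no_fix)}


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT)
    print(result["counts"])
    print("breaking upgrades needed:", result["major_upgrade"])
    print("no fix available:", result["no_fix"])
```

The `major_upgrade` and `no_fix` lists are the ones that drive developer hours; the `easy` list is usually an afternoon.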

Pricing adjustment: Budget 80-160 hours of developer time ($8K-$25K) for any codebase that needs a major framework upgrade. Factor this directly into your offer price.

6. SEO-Dependent Traffic With No Diversification

The red flag: >70% of signups come from organic search, and ranking is concentrated on <5 keywords.

SEO is a wonderful customer acquisition channel — until Google ships a core update and your traffic drops 60% overnight. This happened to hundreds of SaaS businesses in the 2025 helpful content updates. If the business depends on ranking for "free invoice generator" and Google decides to surface its own tool, you're done.

What to check:

  • Traffic source breakdown for the last 12 months (Google Analytics or whatever they use)
  • Which specific keywords drive signups? How many keywords, and how concentrated?
  • Has traffic been stable, growing, or declining? (Check month-over-month, not just the trend line)
  • Any traffic drops that correlate with known Google algorithm updates?

Safe threshold: No single traffic source >60% of signups. If SEO-heavy, the business should rank for at least 20+ keywords driving meaningful traffic.

7. Terms of Service and Platform Risk

The red flag: The business depends entirely on a third-party platform (API, marketplace, app store) that could change terms or cut access.

A Shopify app that does $20K MRR is not a standalone SaaS — it's a feature that Shopify tolerates. Same goes for Chrome extensions, WordPress plugins, Slack apps, and anything built on a social media API. These businesses can be great investments, but you need to price in platform risk.

What to check:

  • Read the platform's developer TOS — can they clone your functionality natively?
  • Has the platform already announced features that overlap with this product?
  • What's the platform's history of developer relations? (Spoiler: Twitter/X, Meta, and Reddit have terrible track records)
  • Is the product on a single platform or multi-platform?

Pricing adjustment: Platform-dependent businesses should trade at 1-2x lower multiples than standalone SaaS. A $20K MRR Shopify app at 4x is actually a $20K MRR business with platform risk at 2-3x.

8. The "Lifestyle Business" With Hidden Costs

The red flag: The seller claims 90%+ profit margins but isn't accounting for their own time.

A solo founder running a micro-SaaS will often say "I spend 5 hours a week on this." Then you buy it and discover those 5 hours are actually 15, plus the founder was also doing free customer development through their personal Twitter audience, plus they have a friend who fixes server issues "as a favor."

What to check:

  • Ask the seller to track their time for 2-4 weeks during due diligence
  • Get the full list of tools/services and their costs (many founders use personal accounts)
  • Identify all "free" labor — friends, spouse, open-source maintainers who provide custom support
  • Calculate true SDE (Seller's Discretionary Earnings) including a market-rate salary for the founder's time

Rule of thumb: Take the seller's time estimate and multiply it by 2.5 for the first 6 months post-acquisition. You'll be slower at everything until you learn the business.

9. Declining or Stagnant MRR Disguised as "Stable"

The red flag: MRR has been flat for 6+ months with no clear growth lever.

Flat MRR in a growing market is actually decline. If the overall SaaS market is expanding 15-20% annually and your target business is flat, it's losing relative market share. The question is why — and whether you can fix it.

What to check:

  • Plot MRR on a chart for the last 24 months. Is the trend genuinely flat, or is it a slow decline masked by month-to-month noise?
  • What has the seller tried to grow the business? What worked, what didn't?
  • Is the product in a growing, stable, or shrinking market?
  • Are competitors eating their lunch? Check G2, Capterra, and Product Hunt for alternatives launched in the last 12 months

Opportunity or risk: Flat MRR can be an opportunity if the seller simply stopped investing in growth (common with lifestyle businesses). But you need a concrete, testable growth hypothesis before closing — not just "I'll do more marketing."

10. Intellectual Property Landmines

The red flag: Unclear IP ownership, open-source license violations, or code written by contractors without proper assignments.

In micro-SaaS, IP issues are usually sins of omission rather than commission. The founder used a GPL library and didn't realize their entire codebase is now technically GPL. Or they hired a freelancer on Upwork who technically owns the code they wrote because there's no IP assignment clause.

What to check:

  • Run a license scan on all dependencies (license-checker for npm, pip-licenses for Python)
  • Check for GPL/AGPL dependencies in a closed-source product — this is a legal time bomb
  • Were any contractors used? Get copies of all contractor agreements and verify IP assignment clauses
  • Is the product name trademarked? Check USPTO, even informally
  • Does the domain name have any trademark issues?
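A sketch of the license check for a Python codebase, added here as an example and not taken from the original article: it reads `pip-licenses --format=json` output and flags GPL/AGPL packages. It goes slightly beyond the checklist by reporting LGPL and unknown licenses separately for manual review, so that a plain substring match on "GPL" does not mislabel them. The sample data and package names are constructed.

```python
import json
import re

# Constructed sample shaped like `pip-licenses --format=json` output.
# Package names are hypothetical.
SAMPLE = json.dumps([
    {"Name": "webkit-lite", "Version": "2.1.0", "License": "MIT License"},
    {"Name": "pdfforge", "Version": "0.9.3",
     "License": "GNU Affero General Public License v3"},
    {"Name": "imgtools", "Version": "1.4.0",
     "License": "GNU General Public License v3 (GPLv3)"},
    {"Name": "chardetect", "Version": "5.0.0",
     "License": "GNU Lesser General Public License v2 or later (LGPLv2+)"},
    {"Name": "internal-utils", "Version": "0.1.0", "License": "UNKNOWN"},
])

# Checked in order so that "LGPL" is never reported as "GPL" by substring match.
RULES = [
    ("AGPL", re.compile(r"AGPL|Affero", re.I)),
    ("LGPL", re.compile(r"LGPL|Lesser General Public", re.I)),
    ("GPL", re.compile(r"GPL|General Public License", re.I)),
    ("UNKNOWN", re.compile(r"^\s*(UNKNOWN)?\s*$", re.I)),
]


def categorize(license_text):
    """Return the first matching category, or 'other' for everything else."""
    for label, pattern in RULES:
        if pattern.search(license_text):
            return label
    return "other"


def scan(report_json):
    """Split packages into GPL/AGPL hits and ones that need a manual look."""
    flagged, review = [], []
    for pkg in json.loads(report_json):
        label = categorize(pkg.get("License", ""))
        ident = f'{pkg["Name"]}=={pkg["Version"]}'
        if label in ("GPL", "AGPL"):
            flagged.append(ident)
        elif label in ("LGPL", "UNKNOWN"):
            review.append(ident)
    return {"flagged": sorted(flagged), "review": sorted(review)}


if __name__ == "__main__":
    print(scan(SAMPLE))
```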

Deal structure protection: Include IP representations and warranties in your purchase agreement. The seller should warrant they own all IP and that there are no known infringement claims. Hold back 10-15% of the purchase price for 6 months against IP claims.

11. Security Vulnerabilities and Compliance Gaps

The red flag: No SSL on sensitive pages, passwords stored in plain text, no GDPR compliance, or PCI violations.

Most micro-SaaS founders are developers, not security engineers. The code works, but it might also be storing user passwords in plain text, transmitting data over HTTP, or logging credit card numbers to a debug file. One security incident post-acquisition and you're dealing with a PR disaster, potential fines, and customer exodus.

What to check:

  • How are passwords stored? (bcrypt/argon2 = good, MD5/SHA1/plaintext = run)
  • Is all data transmitted over HTTPS?
  • What personal data is collected, and is there a privacy policy?
  • If serving EU customers: GDPR basics (data deletion capability, consent tracking, DPA with processors)
  • If handling payments: PCI compliance (hopefully they use Stripe and don't touch card data directly)
  • Run a basic vulnerability scan (OWASP ZAP is free) on the live application
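For the password-storage question, a seller's answer can be checked against a sample of the credential column. The following is an added example, not code from the original article: it labels stored values by shape using the formats the checklist names, and it covers the common case of a half-finished migration where legacy MD5 or plaintext rows sit beside bcrypt ones. The sample column is constructed.

```python
import hashlib
import re
from collections import Counter

# Formats the checklist names. Order matters: first match wins.
PATTERNS = [
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$")),
]
ACCEPTABLE = {"argon2", "bcrypt"}


def classify(stored):
    """Label one stored credential value by its shape alone."""
    for label, pattern in PATTERNS:
        if pattern.match(stored):
            return label
    # Plaintext, or a scheme outside the checklist (needs a manual look).
    return "unrecognised"


def summarize(values):
    """Return (count per label, number of rows not in an acceptable format)."""
    counts = Counter(classify(v.strip()) for v in values)
    flagged = sum(n for label, n in counts.items() if label not in ACCEPTABLE)
    return dict(counts), flagged


# Constructed sample column: a half-finished migration leaves legacy rows behind.
SAMPLE_COLUMN = [
    "$2b$12$" + "A" * 53,                                       # bcrypt-shaped
    "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$" + "B" * 43,   # argon2-shaped
    hashlib.md5(b"constructed-example").hexdigest(),            # 32 hex chars
    hashlib.sha1(b"constructed-example").hexdigest(),           # 40 hex chars
    "Summer2024!",                                              # plaintext
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_COLUMN)
    print(counts, "rows needing attention:", flagged)
```

A 32- or 40-character hex string only looks like MD5 or SHA1; confirm against the hashing call in the codebase before pricing the fix.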

Cost to fix: Basic security hardening runs $3K-$10K. GDPR compliance from scratch: $5K-$15K. Factor these into your offer if gaps exist.

12. The Seller's Motivation (The Most Underrated Signal)

The red flag: The seller can't clearly articulate why they're selling, or their story doesn't add up.

"I want to focus on other projects" is the most common reason sellers give. Sometimes it's true. Sometimes the seller knows something you don't — a major competitor launching, a key API being deprecated, a big customer about to leave.

What to check:

  • Ask why now specifically. What changed in the last 3-6 months that triggered the decision to sell?
  • How long has the business been listed? If it's been on Acquire/Flippa for 6+ months with price drops, ask why others passed
  • Does the seller's timeline make sense? Someone "focusing on a new project" who hasn't started anything yet is suspicious
  • Would the seller consider an earnout or seller financing? If they refuse any post-sale involvement, ask yourself why they're so eager to cut ties completely

Best signal: Sellers who accept earnouts or seller financing are telling you they believe in the business's future. Sellers who want all-cash-at-close might be telling you something else entirely.

Your Due Diligence Checklist

Before you close on any micro-SaaS acquisition, run through this quick-reference checklist:

  • ☐ Customer concentration: no single customer >15% of MRR
  • ☐ Gross monthly churn <3% (B2B) or <7% (B2C)
  • ☐ Payment processor access verified (Stripe, not screenshots)
  • ☐ Codebase reviewed, deployable, on supported frameworks
  • ☐ Transition plan: 60-90 days of founder support committed
  • ☐ Traffic sources diversified (no single source >60%)
  • ☐ Platform dependency risk assessed and priced in
  • ☐ True SDE calculated (founder time × 2.5 for first 6 months)
  • ☐ MRR trend analyzed over 24 months
  • ☐ IP ownership verified, contractor agreements collected
  • ☐ Basic security audit passed
  • ☐ Seller motivation story verified and makes sense

The Bottom Line

Micro-SaaS acquisitions are one of the best wealth-building opportunities available to individual buyers right now. Businesses with $5K-$50K MRR, solid retention, and clean codebases trade at 3-5x annual revenue — fractions of what larger SaaS businesses command.

But the deals that look too good to be true usually are. The difference between a life-changing acquisition and an expensive mistake is the work you do before you wire the money.

Take the time. Check the boxes. And when in doubt, walk away — there will always be another deal.

Exit Street helps founders buy and sell micro-SaaS businesses with confidence. Browse current listings or list your business today.
