M&A Cybersecurity Due Diligence: The EOL Asset Risk Hidden in Every Deal

Every M&A deal depends on due diligence. Financial teams review the numbers. Legal advisers examine contracts. Commercial leaders assess market position. But one major risk is still missed in many deals: M&A cybersecurity due diligence often fails to uncover end-of-life (EOL) assets lurking across the target company’s network.

These unsupported and unpatched systems can sit hidden in plain sight long after vendors stop issuing updates. That means when the deal closes, you do not just acquire the business. You also inherit the cyber risk, the operational exposure, and the hidden attack surface that comes with every forgotten EOL asset.

The Scale of the Problem

RunZero’s research team analysed millions of assets across hundreds of enterprises to understand exactly how widespread EOL exposure really is. The findings should give any M&A team pause.

Across all enterprises studied, 8.56% of assets are running an EOL OS, which means they no longer receive the usual level of feature work and bug fixes. Worryingly, 5% are already beyond extended support, which means they miss out on even critical security patches.

In the context of a merger or acquisition, these exposures become acute. When you absorb a new organisation’s network, you have no way of knowing what is running on it until you look, and most organisations look far too late.

You Don't Just Buy the Business. You Buy the Attack Surface.

Traditional M&A cybersecurity due diligence tends to focus on known incidents, data breach history, and regulatory compliance posture. These are important. But they tell you nothing about the shadow IT, the forgotten OT device in a remote warehouse, or the Windows 2012 R2 server that someone’s entire workflow still depends on.

RunZero research highlights that certain sectors carry a disproportionately high concentration of EOL assets. Retail, machinery and electronics manufacturing, professional services, and chemical and biotech companies all exhibit above-average exposure. If your target company sits in any of these sectors, the inherited risk compounds accordingly.

The Winpocalypse Factor

The EOL exposure challenge is about to get considerably worse. As of October 2025, Windows 10 reached end of life. RunZero’s research indicates that roughly one third of Windows assets in enterprise networks became unsupported almost overnight. That effectively tripled the enterprise-wide EOL population.

For organisations in the middle of an acquisition, or planning one, this creates a compounding problem. Target companies may now be carrying significantly more unpatched Windows assets than they realise, let alone have disclosed.
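As an added example (not code from the post or from RunZero's product), the two tiers the post distinguishes, EOL but still receiving security patches versus beyond extended support, applied to an asset inventory to produce the kind of percentages cited above, before and after the Windows 10 cut-off. The lifecycle dates for Windows 10 22H2 and Windows Server 2012 R2 are Microsoft's public ones; the inventory, hostnames and "ExampleOS 4" are constructed.

```python
from collections import Counter
from datetime import date

# Lifecycle table: OS label -> (end of mainstream support, end of extended support).
# Windows 10 22H2 and Windows Server 2012 R2 use Microsoft's public lifecycle dates;
# "ExampleOS 4" is a constructed, still-supported placeholder (assumption).
LIFECYCLE = {
    "Windows 10 22H2": (date(2025, 10, 14), date(2025, 10, 14)),
    "Windows Server 2012 R2": (date(2018, 10, 9), date(2023, 10, 10)),
    "ExampleOS 4": (date(2030, 1, 1), date(2035, 1, 1)),
}


def classify(os_name, as_of):
    """Return 'supported', 'eol' (no feature work or bug fixes, security patches
    still issued), 'beyond_extended' (no security patches at all) or 'unknown'."""
    if os_name not in LIFECYCLE:
        return "unknown"  # unrecognised OS: a finding to chase, never assumed safe
    mainstream_end, extended_end = LIFECYCLE[os_name]
    if as_of > extended_end:
        return "beyond_extended"
    if as_of > mainstream_end:
        return "eol"
    return "supported"


def eol_summary(inventory, as_of):
    """inventory: list of (hostname, os_name). Returns per-class counts and
    percentages, the way the post reports 8.56% EOL / 5% beyond extended support."""
    counts = Counter(classify(os_name, as_of) for _, os_name in inventory)
    total = len(inventory)
    pct = {k: round(100 * v / total, 2) for k, v in counts.items()} if total else {}
    return dict(counts), pct


# Constructed sample inventory (assumption), as a discovery scan might report it.
SAMPLE_INVENTORY = [
    ("wh-ot-01", "Windows Server 2012 R2"),
    ("fin-app-02", "ExampleOS 4"),
    ("lt-sales-07", "Windows 10 22H2"),
    ("lt-sales-08", "Windows 10 22H2"),
    ("plc-gw-03", "Vendor Appliance OS"),
]

if __name__ == "__main__":
    # Same inventory, one month before and one month after the Windows 10 cut-off.
    for when in (date(2025, 9, 1), date(2025, 11, 1)):
        print(when, *eol_summary(SAMPLE_INVENTORY, when))
```

Running it shows the same inventory jumping from 20% to 60% beyond extended support across the October 2025 boundary without a single asset changing, which is the "overnight" effect the post describes.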

Visibility Before the Deal. Visibility After It.

The organisations that manage EOL risk most effectively are not the ones with the most aggressive patching programmes. They are the ones that know exactly what is on their network at any given moment. You cannot patch what you cannot see. You cannot negotiate on risk you have not quantified.

RunZero’s CAASM platform gives security and IT teams a real-time, comprehensive view of every connected asset, including the ones that legacy scanners miss. It works without agents, without credentials, and without the weeks-long deployment cycles that make traditional tools impractical during the intense timelines of an M&A process. Customers report seeing their full asset inventory in minutes.

Whether you are running pre-deal due diligence on a target, integrating a newly acquired network, or preparing your own environment ahead of a sale, the starting point is always the same: complete visibility.
