Software Investor Services

As an experienced consulting CTO, I’ve been through the due diligence process on both ends multiple times with a broad range of software and technology companies.

I have worked with and supported private equity, VC, individual investors, buyers, and angel groups—both pre- and post-LOI. In addition, I have written assessment opinions as a technical and outsourcing expert on various software deals. As a result, I can help you identify issues often deeply embedded within the technology stack and source code repositories that would be difficult for typical teams to uncover. I can also expose software architecture limitations, assess adherence to best practices, and provide benchmarks for the maturity and experience of engineering and product development organizations.

In addition to my own technical and business experience, I can quickly assemble a team of specialized technical experts with the domain experience needed for a specific deal or opportunity. I have long-standing, trust-already-earned relationships with software development outsourcing companies worldwide. My software engineering partnerships in Asia, Latin America, and Eastern Europe also allow me to assemble teams for foreign transactions in many locations. I love talking about these capabilities, so please give me a shout to learn more.

That said, the investors I work with the most are the founders of small and medium-sized software businesses. Founders want to know if their team is on track to deliver quality software and want to avoid being embarrassed by security vulnerabilities and poor technology choices. I offer my clients facilitated engagements with companies I trust that specialize in ethical hacking, code review, application profiling, software security, and quality audits.

I encourage you to read reviews from companies that have worked with me on behalf of investors and founders. Contact me to schedule a meeting and learn more about how I can support you as a software and technology investor.

What to look for in a software investment technology advisor


Ensuring you work with an experienced technical advisor is essential. Having worked on over 120 projects worldwide over the last 30 years, I know the ins and outs of software development. I can quickly surface software engineering risks and help guide you through the technical due diligence process efficiently and cost-effectively. Learn more about me, my experience, and my background.


It’s the wild west out there, and the internet is full of “experts” with a few years of experience who want to help you with every aspect of your software investment. After more than two decades as a CTO specializing in software development outsourcing, I’ve seen it all. You need someone who can quickly recognize negative and positive patterns in software development. Do your research and make sure your trusted technical advisor has high-quality, relevant, and verifiable testimonials and lots of experience.


I’ve worked with more than 95 software outsourcing companies around the world over the last 30 years. Clients hire me to facilitate engagement with these companies—and get it right the first time. I have extensive experience with teams in Asia, Latin America, and Eastern Europe. I know which companies and cultures are the best fit for specific skills, programming languages, subject domains, and types of projects. I can help you leverage these relationships with highly specialized engineers and code reviewers to complete due diligence projects quickly.

Kung Fu

I’ve led core engineering on dozens of projects, from embedded systems to industrial automation to mobile applications to enterprise systems supporting national telecom infrastructure. There is a good chance that I have experience with the technical domain and technology stack your target company is using. I can also help founders pick investor-approved technologies for your specific product or use case with a successful exit in mind.


A trusted technology advisor who can’t talk for hours about past failures is a red flag. Reviewing past failures helps you ensure you are working with someone who can identify the patterns you need to succeed and the anti-patterns you need to discover and fix issues quickly.


The weak link in many startup Software-as-a-Service businesses is the lack of focus on technical operations and development-to-production workflows. Cloud computing has made launching software products faster and easier than ever, but inadequate operations can limit scaling and company growth. Due diligence and code quality reviews need to pay special attention to infrastructure-as-code and production workflows. My due diligence strategy includes analysis from partner companies that specialize in DevOps and operations support.

Mauricio Gómez - Fluid Attacks

“. . . terrific at establishing understanding across cultures”

Fluid Attacks is an IT security company specializing in information security testing, pen-testing, and ethical hacking. I have known Michael for several years, and my team recently completed a security assessment for one of his clients. To get the most out of our code review and security services, we have to work closely with the application development team. Michael helped to facilitate this process, which involved organizing teams in Ukraine, India, Colombia, and the US to cooperate and communicate. Michael was terrific at establishing understanding across cultures and ensuring that all the diverse global team members understood the importance of fixing the software vulnerabilities we identified. We have a great relationship with Michael, and we know he brings a lot to the table. My team and I look forward to working with him and his clients in the future.

Mauricio Gómez Chairman – Fluid Attacks

Frequently Asked Questions

What kinds of things do code reviewers look for?

If you are a founder, you can think of a code review as an additional set of eyes on your code and a logical extension of your development team. If you are an investor, you can think of a code review as equivalent to an engineering inspection before buying a building.

The most experienced software engineers have a “feel” for good design. The reviewers keep their eyes out for what developers call “code smell,” subtle hints that something may be wrong in the code worth investigating further. Examples include poor code structure, lack of style adherence, failure to remove technical debt, duplicated code, and hundreds of other issues that may indicate deeper and more serious underlying problems.

Some review teams have specialists that focus on compliance with open source licenses and can identify licensing conflicts that may be problematic for commercial products. If you have specific concerns, please reach out to me to discuss custom software reviews and audits.

How do quality auditors and code reviewers have enough context to provide useful reviews?

There are two levels of depth for a typical code review project: surface and comprehensive. A comprehensive review requires a dedicated team that gets to know your application at a business level first, then the system architecture level, and then the detailed code review level. Surface reviews skip right to the code level. A surface-level review can still identify a surprisingly wide range of technical issues, bugs, and security vulnerabilities, even with reduced context.

What technologies, frameworks, and programming languages do you support?

Because I work with a range of specialized security, auditing, and code review companies, I can support almost all languages and frameworks. If you need something unusual, contact me, and we can reach out to multiple companies for a discussion about specific capabilities.

How do you get paid?

I provide services as an independent consultant. My clients engage me either on a project basis or on a retainer basis. Most companies hire me to work on a project basis initially and then switch to an ongoing retainer model once we have worked together successfully through multiple projects. Projects have fixed fees based on achieving objectives that we agree on in advance. A retainer allows unlimited access to me for advice or consultation by designated people at your organization.

I encourage (and assist) my clients in engaging and paying their outsourced software development firms directly. I do not act as a financial pass-through to outsourcing companies. Companies pay me directly either for specific projects or on retainer.

After many years of consulting, I have stopped accepting work on a time-and-materials basis. Here’s why: I don’t want my clients to feel like they are making an investment decision every time they may need my help, and I don’t want to be seen as self-aggrandizing when I realize that I need to put in more time to get the best outcome. My clients are always best served by a fast improvement or resolution, not a slow one. After completing dozens of time-and-materials-based projects, I have come to realize that pricing by time unit is a fundamental misalignment. So I’ve stopped doing it.

Here is how the process now works: You reach out to me via my contact page. We have a video conference and possibly follow-up calls to determine if we are a good fit for each other. When I have enough information, I’ll make a project proposal that typically has multiple options, each with a fixed fee based on the value delivered. Want to learn more? Give me a shout!

You do a lot of things. What is your core skill set?

[Image: Michael Marmor Consulting Services puzzle]
I improve software development outcomes by concentrating on a few interrelated services and specialties. The four skill sets illustrated above describe my four areas of expertise and how they connect. A deep grounding in software engineering and development practices is needed to manage software outsourcing successfully. Validation of security and code quality is needed to deliver robust products, provide feedback to developers, and provide objective controls for investors and founders. None of these things matter if you build the wrong product for the market, which is why an understanding of Product Development/Product Management is essential.

Said another way, you can’t select the right technology without understanding the product requirements. You can’t choose the right outsourced development team without knowing the technology stack. You can’t know if your team is implementing your product well without review. Deep technology skills and experience are needed to understand technical reviews and improve the entire process. The skill set I bring to the table includes these four interlocking elements used to improve software development outcomes. Over the years, as one area has become stronger, the others have also strengthened and matured since they are interconnected.

I use these four skill sets to deliver three services on a consulting basis: Outsourcing Guidance for medium to large-sized software businesses, Consulting CTO for software startups, and Software Investor Services (described above), including code reviews and due diligence.

Learn more about me and my background and check out my testimonials to see what my clients think about working with me.

Dan Mateer

“. . . a lot of experience with software development, security by design, and best practices”

I met Michael earlier this year when he engaged PullRequest to conduct a code review for one of his clients. PullRequest offers code review as a service that helps developers deliver high-quality code by providing an extra line of defense to prevent security vulnerabilities and other fatal flaws. We worked with Michael to perform a full project quality review to help secure his client's codebase. Michael has a lot of experience with software development, security by design, and best practices, and our team enjoyed working with him. Michael has the technical and leadership skills to use the feedback from our review to establish development baselines and improve development practices. Our team at PullRequest looks forward to working with Michael and his clients on future projects.

Dan Mateer Chief Operating Officer – PullRequest

Ready to Work Together?

I’d be happy to discuss your project!