We Stress Tested Our Whole Software Stack Like a Lender Would and Found Some Things

February 11, 2026

Here is something nobody tells you when you're building out a business: the software situation gets weird quietly. You add a tool in March because someone at a conference mentioned it. You add another one in July because the old one didn't do one specific thing. By December you have fourteen subscriptions, three of which do the same job, and nobody knows who set up the one that sends emails on Saturdays. That last part isn't hypothetical. I don't know why it sent things on Saturdays. I unchecked a box and it stopped.

What finally made us look at all of it - actually look at it - was a conversation about what would happen if we applied for a line of credit. Not that we needed one immediately. Tory brought it up. He's been in a fairly optimistic rebuilding phase since things went sideways with his lease and his car situation, and somehow that energy landed on "we should make the business bulletproof from every angle." So we ran the exercise. We went through our stack the way an underwriter would. What do we actually run? What does each thing cost? Who owns it? What happens if it goes down? What's holding data we actually care about?

What we found was instructive in a way I was not fully prepared for.

Why Lenders Look at Software Now

This is the part that surprised me most when I started digging into it. Lenders - real lenders, not the hypothetical kind we were pretending to be - have started caring about tech stacks as part of underwriting. Not in an obvious way. They're not asking "what's your CRM" on the loan application. But the scrutiny is embedded in how they read your operations. Acquirers and institutional lenders look at your software environment to assess cost efficiencies, security exposure, and what a post-deal integration would actually look like. The tech you run is a signal about how the business is run.

CXOs are actively being evaluated when their systems fail audits, delay reporting, or increase regulatory exposure. Investors don't just diligence numbers anymore - they diligence systems. That sentence hit me harder than it probably should have. Because when I looked at our stack through that lens, parts of it looked fine. And parts of it looked like a bag of cables in a closet that nobody's touched since 2021.

Acquirers scrutinize SaaS stacks to assess cost efficiencies, security risks, and post-merger integration complexity. Being well-prepared can accelerate deal negotiations, reduce risks, and even enhance a company's valuation. That's M&A language, but the logic scales down. Whether someone is buying you or lending to you or just deciding whether you're a reliable vendor partner, the question is the same: does the technology you depend on reflect a business that actually has its act together?

We did not fully have our act together. I am saying that clearly.

The Scale of the Problem Is Bigger Than You Think

I want to put some numbers here because I think most people reading this will assume they're in slightly better shape than they are.

According to a 2024 Productiv report, 48% of enterprise applications are unmanaged, with nobody specifically assigned to monitor and audit usage, security, licenses, renewals, vulnerabilities, or other particulars. Nearly half. And that's enterprise. Small businesses are not more organized about this - they're less organized, they just have fewer tools, which makes the chaos more concentrated.

Organizations typically overspend 25 to 30 percent annually on unused or underutilized IT assets. At the same time, most companies only see about 60 percent of the SaaS tools actually in use. Sixty percent. The other 40 is what I've started calling the shadow stack - things someone signed up for with a card from their personal account, or a free trial that converted, or an integration that got set up and then the person who set it up left and now nobody knows what it does or whether it's doing anything.

With an average of 7.6 applications entering the tech environment each month, software portfolios could see growth upwards of 33 percent. Per year. Without anyone making a deliberate decision to grow the stack. Just... accumulation.

Stephanie saw these numbers and genuinely did not understand why they were alarming. She said something like "surely you can just cancel whatever you're not using" which is technically correct but also revealed a total absence of familiarity with vendor contracts, auto-renewals, and the three days of notices you get before a $4,000 annual renewal hits your card. Due to contractual obligations, organizations often can't simply stop paying for SaaS apps and licenses they don't use. That's the part. That's the whole part.

[Image: a cluttered wooden shelf of mismatched jars, tins, and containers, with one lid sitting on the wrong container]
Wanted something that showed the feeling of having too many containers all doing the same job - came back with this shelf situation where one of the lids is clearly on the wrong jar and nobody has said anything about it. Showed it to Stephanie and she said it looked organized to her, which honestly tracks.

What Our Audit Actually Found

I'm not going to name every tool. That's not the point. But the categories of what we found were: tools we use daily and couldn't function without, tools we use occasionally and know we pay for, tools we think we use but actually one person does and everyone else forgot about, tools that were set up to solve a problem that no longer exists, and one tool that appeared to be doing something related to email scheduling that none of us initiated and we are still not entirely sure about.

The one that genuinely embarrassed me was the CRM situation. We had two separate CRM tools running simultaneously. One was the "official" one. One was something someone set up as a workaround when the official one was having issues in 2023, and then... it just kept running. Both were pulling data from the same contacts. Neither had complete records. The data in each was slightly different in ways that were hard to reconcile. A lender looking at our customer list would have seen a mess.

Employees aren't sure which tools to use for specific tasks, leading to wasted time and effort. Different teams use separate tools that achieve the same outcomes. That was us. That is probably also you, if you're honest about it.

Derek spent about twenty minutes explaining to me that the whole situation was like how the Star Wars prequels introduced redundant Force lore that contradicted the originals. I nodded a lot. I didn't fully follow it but the spirit of what he was saying - that layered systems create contradictions that eventually require someone to sit down and reconcile them - that part tracked.

The Security Piece Is the One That Should Keep You Up

I'll be honest: I thought the money waste was the main story. It's not. The security exposure from an unaudited stack is worse.

56% of organizations say employees upload sensitive data to unauthorized SaaS apps, often without sufficient visibility or enforcement. 60% or more of end-user accounts have Multi-Factor Authentication either disabled or inactive. Inactive MFA on accounts that have access to customer data, payment processors, email lists, analytics - that's an exposure that no lender, acquirer, or enterprise client is going to feel good about if they ever ask.

Nearly one in two cyberattacks stem from shadow IT, and the costs to fix them average more than $4.2 million. We are not a company that could absorb $4.2 million in breach response costs. Most of the companies reading this are not either. And the shadow IT is the part of the stack that's hardest to see because, by definition, nobody told IT about it.

I had a side conversation with our email platform during this whole process. I'd been trying to set up a re-engagement sequence and thought I had it configured correctly. I did not have it configured correctly. I had it set to trigger on new contacts instead of dormant ones, so for about two weeks we were sending a "we've missed you" email to people who had just signed up. Email tools have a lot of settings. Anyway. The point is that access controls and configurations inside individual tools are their own audit problem, separate from which tools you have. You can have the right tool, set up wrong, and it becomes a liability instead of an asset.

The Lender Framework Is Actually a Good One

Here's my actual take on this, and I want to be direct about it: the lender framework is more useful than the typical "software audit" framing, and businesses should steal it.

A standard internal audit asks: what do we have? What does it cost? Are we using it? Those are fine questions. The lender framework asks something sharper: if someone with nothing to lose looked at this stack from the outside and had to bet money on whether this business is well-run, what would they conclude? That's a harder question. It forces you to look at single points of failure. It forces you to look at what happens if a vendor goes down, raises prices, or gets acquired. Vendor stability is a real concern right now, and a stack that's built on three tools from companies with questionable runway is a risk exposure.

Choosing a lending platform today is no longer a technology decision, it's a business architecture decision. As digital lending volumes grow and regulatory scrutiny tightens, lenders are under pressure to adopt systems that can scale without breaking unit economics or compliance. Swap "lending" for whatever your business does. The logic is the same. Your software stack is your business architecture. It should be auditable, explainable, and defensible to someone who isn't already inside it.

The other thing the lender framework does: it forces you to think about continuity. Compliance is non-negotiable. A strong system should help you meet regulations with automated processes, audit trails, and quality-control tools. For businesses that aren't in lending, the equivalent is: can you show someone your data chain? Can you demonstrate that your CRM and your sales engagement tools and your reporting layer are all pulling from the same source of truth? If you can't, you have a continuity problem, even if you never apply for a loan.

What Happened When We Actually Fixed Some of It

We're still in the middle of this. I'm not going to pretend we've emerged from the other side with a pristine, beautifully documented stack. We haven't. Linda took one look at the spreadsheet we made of all our tools and said Gerald had done something similar with their garage once - just pulled everything out and stared at it - and that sometimes the first step is just knowing what you have. She's right. That's the first step.

What we've done so far: collapsed the duplicate CRM situation into one system and made someone accountable for it. Identified six tools we're paying for that nobody is actively using. Canceled three of them. Put two on a one-month review. The sixth one we kept because it turned out two people were using it and just hadn't told anyone. Found two more tools with MFA disabled and fixed that. Wrote down, for the first time, what would happen operationally if each of our five most-critical tools went down tomorrow.

That last exercise was unpleasant. We've been adding complexity to our stack without adding redundancy, which is exactly the kind of thing a lender would notice and hate. If the thing that powers our affiliate tracking goes down, we have no manual fallback documented. If our project management tool goes offline for a day, we have no agreed-upon alternative. We just stop. That's not a stack. That's a house of cards with a Slack channel on top.
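As an added example (not from the original post or the author's own tooling), here is one way to turn the underwriter questions above into a repeatable check over a tool inventory. The tool names, CSV columns, and the 90-day staleness threshold are assumptions, and the inventory rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory; tool names and column names are hypothetical.
INVENTORY_CSV = """tool,category,owner,annual_cost,mfa_enforced,last_login_days,holds_customer_data,critical,fallback
CRM-A,crm,dana,3600,yes,1,yes,yes,weekly CSV export
CRM-B,crm,,1200,no,2,yes,no,
MailTool,email,sam,900,yes,3,yes,yes,
AffTrack,affiliate,lee,2400,yes,1,no,yes,
OldSurvey,survey,,480,no,210,yes,no,
Boards,project,kim,1500,yes,1,no,yes,shared doc checklist
"""
STALE_DAYS = 90  # assumption: no login in 90 days counts as unused


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return {tool: [findings]} for the questions an outside reviewer asks."""
    findings = defaultdict(list)
    by_category = defaultdict(list)
    for r in rows:
        tool = r["tool"]
        by_category[r["category"]].append(tool)
        if not r["owner"].strip():
            findings[tool].append("no owner")
        if r["mfa_enforced"] != "yes":
            sensitive = r["holds_customer_data"] == "yes"
            findings[tool].append("customer data without MFA" if sensitive else "MFA not enforced")
        if int(r["last_login_days"]) > STALE_DAYS:
            findings[tool].append(f"unused for {r['last_login_days']} days")
        if r["critical"] == "yes" and not r["fallback"].strip():
            findings[tool].append("critical with no documented fallback")
    for category, tools in by_category.items():
        if len(tools) > 1:  # two tools doing the same job, like the twin CRMs
            for tool in tools:
                findings[tool].append(f"duplicate category: {category}")
    return dict(findings)


def stale_spend(rows):
    """Annual cost of tools nobody has logged into within STALE_DAYS."""
    return sum(int(r["annual_cost"]) for r in rows if int(r["last_login_days"]) > STALE_DAYS)


if __name__ == "__main__":
    rows = load(INVENTORY_CSV)
    for tool, issues in audit(rows).items():
        print(f"{tool}: {'; '.join(issues)}")
    print("annual spend on stale tools:", stale_spend(rows))
```

Rerunning it after each cleanup pass shows which findings are actually closed, and a tool with no findings (Boards in the sample) simply drops out of the report.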

The Conclusion Is That You Should Do This Before Someone Makes You

I think most businesses do this audit reactively - when they're applying for funding, when a security incident happens, when an acquisition conversation forces them to get organized. That's backwards. The whole point of the lender framework is that it surfaces the things you're too close to the day-to-day to see.

CFOs are pushing to retire duplicative apps, standardize suites, and control renewals. Reporting shows enterprises juggling more vendors than ever and rebalancing governance to rein in sprawl; consolidation reduces risk and cost. That's a trend at the enterprise level that small and mid-size businesses are behind on. And being behind on it means that the first time anyone external looks closely at how your operations are held together, they're going to find what we found. Which is, fine, manageable, survivable - but not impressive.

A woman told me a few months ago that I have kind eyes. I thought about it for an embarrassingly long time. I think what I eventually landed on is that kind eyes are about paying attention to people in a way that's genuine. I think the same logic applies to your software stack, which sounds ridiculous but hear me out: the way you look at your tools - whether you're paying attention, whether you know what they're actually doing, whether you've thought about what happens when one of them stops working - that's a signal about how you run your business. And someone will eventually notice.

Run the audit. Do it like a lender would. Find the things before the things find you.