How to Buy a SaaS Business: What We're Buying & How It Works

From finding targets to closing deals and scaling post-acquisition—a comprehensive playbook based on real acquisitions

By Alex Boyd | January 26, 2026 | 25 min read

Intro: Fair Warning

Building a SaaS to $20k MRR without external investment is no small feat. Bootstrapping (the name for this delightful activity) is hard. Sometimes, buying an existing business is either better than (or something you might want to do in addition to) starting your own tech company.

The math is compelling: while building requires time and tons of mental effort spent being scrappy and looking for validation while you acquire early customers and develop product, acquiring gets you immediate revenue, and at least some degree of product-market fit. But it's risky: the majority of people selling their business are doing so because it's not a good investment, not because it is one. There's fraud risk, AI disruption risks, technical debt, and a host of other things to worry about. Don't take this path lightly. But if you want to tread it, I'll help you!

This guide covers everything you need to know to successfully acquire a SaaS business:

• Due diligence essentials – What to investigate before writing a check
• Risk mitigation strategies – AI disruption, fraud prevention, technical risks
• Deal structuring – Protecting your capital with earn-outs and escrow
• Post-acquisition growth – Scaling MRR and optimizing costs after close
• Real examples – Insights from Wildfront's acquisitions and portfolio experience

Whether you're buying your first micro-SaaS or building a portfolio, this playbook will help you avoid expensive mistakes and set yourself up for success.

When to Buy vs Build

While it may seem 'cool' to acquire a business, this choice has unique risks and isn't always right. Some ideas are better for you to build; others, you're better off buying. For example, do you have more time than cash, or vice versa? How much of a coding background do you have, or not?

At Wildfront, we're a team of both marketers and coders, so there's nothing really we can't handle from either a technical or growth perspective; but, we're busy. We want to pay for valid shortcuts, which are rare, and for leverage on our time, which we don't have a ton of. We don't want to pay for something we could build, better and in our own way, for a few hundred bucks' worth of Claude Code credits and some SEO muscle.

Our goal, which we think you should adopt too, is cash flow.

Finding the Right SaaS Business to Acquire

Deal flow is everything. You need to see enough opportunities to find the rare gem that meets your criteria.

Deal Flow Sources

I look at deals across several channels. Online marketplaces are the obvious starting point: Acquire.com handles premium deals in the $50k-$5M range with decent vetting, Flippa has a wide range but quality varies dramatically so you need to do your homework, and Quiet Light Brokerage offers curated listings with broker assistance.

The best deals often never hit marketplaces, though. I spend time on direct outreach, looking for bootstrapped SaaS founders who might be ready to exit. I search Twitter for founders sharing revenue screenshots, monitor IndieHackers for profitable projects, browse Product Hunt for established products that are 2+ years old, and check LinkedIn for solo founder profiles in the SaaS space. But mostly, we've been building our brand as an acquirer, and people reach out to us directly when they're thinking of selling.

Companies like Wildfront, Tiny, and other aggregators occasionally have inventory they'll sell to individual buyers. It's worth building relationships even if you're not ready to buy today. Brokers can also provide deal flow for a 10-15% commission, but remember: they're incentivized to close, not to protect you as the buyer. Always do your own diligence.

Initial Screening Criteria

Before I dive deep into any opportunity, I quickly screen against some basic criteria. I look for revenue in the $1k-$50k MRR range (the sweet spot for individual buyers), minimum 30% net profit margins (ideally 50%+), a clean modern tech stack with documented code and maintained dependencies, and reasonable customer concentration where no single customer represents more than 20% of revenue. Churn should be under 5% monthly for B2B or under 10% for B2C. I want to see flat or growing MRR—declining businesses are trouble—and I need the seller to commit to at least 30 days of transition support.

Red Flags to Watch For

If you're buying through an aggregator, review our Best SaaS Acquirers Guide to understand who's reputable.

Essential Due Diligence: What to Investigate

Due diligence is where dreams meet reality. Skip this, and you're buying a mystery box. I plan for 2-4 weeks of thorough investigation before closing any deal.

Financial Due Diligence

Revenue Verification: You need to get at least read-only access to Stripe or whatever payment processor is being used, then do three main things: first, make sure there aren't a ton of disputes. Second, make sure the payouts report of Stripe aligns with the bank statement payouts received. Third, check to make sure the seller hasn't "subscribed themselves" as customers to pump up their valuation for a sale - meaning, their mom and cousin etc aren't 'customers'... literally, look at the names on the customers' credit cards to make sure there isn't fishy stuff.

In general, anything that doesn't add up: ask about it. If you don't get a satisfactory answer or anything seems suspicious? Walk away. It's not worth it. Don't accept a dispute rate higher than 0.5% at the absolute max (unless you're buying an adult site or something... but don't do that). Don't accept more than a very small refund rate.

Expense Analysis: I review the P&L statement for 12-24 months and categorize expenses into fixed costs (hosting, tools) versus variable costs (ads, support). I need to identify which founder costs will continue after acquisition (like hosting) versus which will disappear (like founder salary). I check for upcoming renewals on annual SaaS subscriptions, SSL certificates, and domains, and verify there are no outstanding debts, unpaid bills, or tax liabilities. Of course, anything the founder has been doing that you'll need to re-hire for, you need to add back to the P&L, unless you'll take over that job yourself.

Profitability Verification: I calculate true net profit by subtracting all expenses from revenue. I want to understand if growth was funded by unsustainable paid ads and verify that margins are actually sustainable and not artificially inflated right before the sale.

Technical Due Diligence

Code Quality Review: I request GitHub or GitLab access to review the codebase directly. I check for code documentation—is there a README, inline comments, API docs? I review how modern the tech stack is, since outdated dependencies create security risks. I assess technical debt by looking for quick hacks that will need rewriting, and I look for automated tests (unit, integration, end-to-end) which are a sign of quality.

Infrastructure Assessment: I review hosting costs across AWS, Heroku, Digital Ocean, or wherever they're hosted. Often there are over-provisioned resources that represent easy cost savings. I assess scalability—can it handle 2-3x the current load without major changes? I review uptime monitoring to understand historical reliability, and I verify there's no vendor lock-in that would make it difficult to migrate if needed.

Security Audit: I check data handling practices to ensure GDPR and CCPA compliance. I review authentication and authorization mechanisms (password hashing, JWT, OAuth) to make sure they're implemented properly. I verify API security includes rate limiting and input validation, check for known vulnerabilities in outdated dependencies, and review the backup strategy including frequency, retention, and disaster recovery plans.

Third-Party Dependencies: I list all external APIs and services the product relies on. I verify licensing for all dependencies—MIT and Apache are fine, GPL can be problematic. I check whether any APIs are deprecated and might stop working soon, and I assess the switching costs if I want to change providers later.

Customer & Product Due Diligence

Customer Reviews: I look at the reviews for them, and their competitors, online to see if I find anything disturbing. Basically, I'm looking for "Is this a real business people would miss when it's gone, or a sham that has been puffed up by the seller but has nothing underneath?"

Support Ticket Analysis: I review support history for 6-12 months to identify recurring issues, which are really product problems in disguise. I assess the support load in terms of hours per week and whether it's scalable. I check for any major outages or incidents, and I review overall customer sentiment to see if they're happy or frustrated.

Churn Analysis: Review cancellation reasons, either in Stripe or in ChurnZap if they use it, to see why customers are leaving. Are these 'fatal' issues, or opportunities in disguise that we can build post-acquisition to please customers and keep more revenue? I also discount this for any seasonality.

Product Testing: I create a test account and use the product extensively. I test critical user flows like signup, onboarding, and core features. I try to break things by testing edge cases and error handling. I use it on mobile to see if responsive design actually works, and I review feature requests and the roadmap to understand what's been promised to customers.

Competitive Landscape: I identify direct competitors and assess what makes this product different—why do customers choose it over alternatives? I check for existential threats like a large competitor launching a similar feature, and I review the positioning to understand if it's a niche product or trying to be a generalist.

Legal Due Diligence

Ownership Verification: I confirm the seller owns 100% of the IP including code, domain, brand, and content. I verify there are no co-founders or investors with ownership claims. I check domain ownership through WHOIS and confirm transfer authorization is ready. If applicable, I review trademark status.

Contract Review: I review the customer Terms of Service and Privacy Policy. I check for any custom enterprise contracts with special terms. I verify there are no unusual refund commitments or guarantees, and I assess what liability exposure I'm inheriting. If this is a B2B company that uses contracts to sign and renew customers, you need to get copies of literally every single active contract, and review them. Stick 'em into Claude and have it review to make sure there's nothing weird in there, then do a pass yourself. Don't inherit huge liability without realizing it.

Legal Disputes: I ask about any pending or past litigation. I check for DMCA takedowns or IP disputes. I verify there are no outstanding legal threats, and if there are contractors or employees, I review their employment agreements.

Compliance Verification: I confirm GDPR compliance if the business serves EU customers, check CCPA compliance if serving California customers, verify CAN-SPAM compliance if sending email, and review data retention and deletion policies. If the business has not been compliant in certain respects, you can consider whether it's worth walking away, or just making the seller indemnify the acquiring/acquired entity for certain breaches that happened before you took ownership.

For a more structured approach to post-acquisition audits, see our SaaS Growth Audit methodology.

Will Claude Code do this natively in 3 months?

Here's the question that matters: can I rebuild this software for $500 worth of Claude Code credits and some elbow grease? If yes, don't pay much for it.

Code is not a moat. Code is a commodity. What matters is:

Community: Does this product have a loyal user base that would fight for it? Do users talk about it, recommend it, defend it online? Community is hard to replicate and takes years to build.

Distribution: Does it have strong SEO rankings, a recognizable brand, an email list, or existing partnerships that drive customers? Distribution takes years of consistent work. AI can't shortcut distribution.

Hard-to-get certifications or statuses: Is it HIPAA compliant? SOC 2 certified? An approved vendor in enterprise systems? Does it have regulatory approvals or industry-specific accreditations that take 6-12 months to get? These create real barriers.

If the product has none of these—just code that solves a problem—pay accordingly. I use earnings multiples (not ARR multiples) and discount heavily. If it's generating $50k in annual profit and has no moat? I'll pay maybe 1-2x earnings. If it has all three moats? I'll go up to 4-5x earnings.

The code itself? Worth almost nothing in the AI era. The hard-to-replicate stuff around it? That's where the value is.

You can always use longer-term earnouts or revenue share based deal structure components to hedge against this risk. And if the seller balks at this or says they have another offer that's better: let them take that offer! People lose money *all the time* in acquisitions. Let some other person be an idiot and lose their shirt... but don't be that idiot yourself!

Deal Structure: Protecting Your Capital

By default, don't put the entire purchase price in cash upfront. This is way too trusting for small, privately-held companies that have no transparency requirements, unless it's a small purchase and you have rock solid certainty that the numbers and legal risks you're looking at are very very real.

Common Deal Structures

Payment Schedule Best Practices

Here's a well-structured payment schedule for a $100k acquisition:

Why this works: The seller gets meaningful cash upfront so they're motivated to close. I have protection against fraud since only 30% is at risk initially. The milestones are objective and measurable, and the seller stays involved through month 12 providing transition support.

Fraud Prevention: Escrow & Setoff Clauses

SaaS acquisition fraud is more common than you think. Here's how to protect yourself.

Common Fraud Patterns

Escrow Arrangements

What is Escrow?

A third-party (Escrow.com, lawyer, etc.) holds the buyer's funds until both parties meet their obligations. It protects both sides.

Standard Escrow Flow:

1. Buyer deposits funds to escrow ($50k for example deal)
2. Seller transfers all access (code, domains, customer list, accounts, docs)
3. Buyer verification period (5-10 business days to verify everything matches representations)
4. If verified → Escrow releases funds to seller
5. If issues found → Dispute resolution or refund

Escrow Structure: I use Escrow.com for deals $25k and up (they charge around 1-3% fee). The timeline is typically 5-10 business days for verification, longer for complex deals. The release conditions are defined upfront in the purchase agreement: code repository transferred, revenue verified via payment processor, customer list matches claims, all accounts and domains transferred, and documentation provided.

Example Escrow Release Conditions: The GitHub repository is transferred with full commit history, Stripe revenue matches claimed MRR within 5%, all 87 claimed customers appear in the customer database, the domain is transferred to my registrar account, AWS account access is provided with full admin rights, and documentation is provided including README, deployment guide, and support playbook. If any condition fails, I can dispute and seek a refund or price adjustment.

Setoff Clauses in Purchase Agreement

What is a Setoff Clause?

The right to reduce future payments if the seller misrepresented the business.

Example Setoff Clause:

"Buyer may setoff any earn-out or tranche payments in the event of discovered misrepresentation, including but not limited to:
- Revenue inflation >10% from claimed MRR
- Undisclosed liabilities or debts
- Code ownership disputes
- Customer concentration >20% (single customer) not disclosed
- Churn rate >5% from historical average during due diligence period"

How Setoff Works (Real Example):

You buy a SaaS for $60k total ($30k upfront, $30k over 12 months).

Month 2: You discover the seller inflated MRR by $2k/month with fake accounts.

Setoff calculation: Monthly loss is $2k. Annual impact is $24k. A reasonable setoff is 3x the monthly loss, which equals $6k.

Action: I reduce the next tranche payment by $6k. The seller has the burden of proving I'm wrong, not vice versa.

Without setoff clause: You'd need to sue the seller for fraud (expensive, time-consuming, uncertain outcome).

With setoff clause: You simply reduce payment and notify seller. They can dispute, but burden is on them.

Other Protective Measures

Due Diligence Red Flags (Trust Your Gut)

🚩 Seller rushes the process ("Let's close this week!")
🚩 Limited access to data ("I'll send you screenshots, but not Stripe access")
🚩 Can't speak with customers ("They're all under NDA")
🚩 No code review allowed ("The code is proprietary")
🚩 Vague about customer acquisition ("Organic traffic, SEO stuff")
🚩 Payment processor access restricted ("I'll send you reports")
🚩 Founder defensiveness about questions ("Don't you trust me?")

If you see 2+ of these red flags, walk away. Remember, your job is not to buy companies, but to AVOID BUYING 98% of the companies that show up on marketplaces, so you can focus on the 2% that are good plus the off market deals, thus getting high quality assets and not fraud/junk.

Real Example: Wildfront Due Diligence

When evaluating inlytics.io for acquisition, we discovered old unmaintained tech, declining MRR, and an owner that was largely focused on other projects rather than this one. This was okay.

And in this case, we certainly did: despite the red flags, we bid an extremely fair amount in cash, spread over the first 60 days with no escrow or condition, and got: excellent transferrable SEO, $2k+ of MRR, good reviews and customer brand, and an email list of enterprise customers that we were able to reach out to.

We bought exactly what we wanted, and the seller was (and continues to be) a team with very high integrity.

Post-Acquisition: Growth & Cost Optimization

Once you've closed, it's time to execute the thesis. Are you going to back burner this and cash flow for a while before getting into it? Keep the lights on. Is this a turnaround you're buying on purpose? Roll up your sleeves.

The First 30 Days: Migration & Learning

Your only goal in month 1: Keep the lights on and learn everything.

Months 2-6: Growth Initiatives

Now that operations are stable, focus on growth. Here are the highest-leverage tactics:

Growth Lever 1: Reduce Churn

Churn is the silent killer. Reducing churn from 10% to 5% monthly doubles your LTV.

Measurement: I track monthly churn rate and aim for under 5% for B2B, under 8% for B2C.

Growth Lever 2: Improve Conversion

More trial-to-paid conversions = more revenue without more traffic.

Tactics: I improve the checkout page to add social proof and testimonials, make annual prepaid plans the default displayed on the pricing page, remove unnecessary friction from the signup process and all lead capture forms, and publish more case studies. If the email list hasn't been emailed regularly, I email them with high-value content. Sometimes, this involves telling them about the new ownership (if there's a good reason to do so); other times, not. Another tidbit: if you want, you can enable Apple Pay and other forms of quick payment in Stripe, to make subscribing an even easier decision.

Measurement: I track trial-to-paid conversion rate and aim for 15-20% for B2B SaaS with no credit card required, and 40-60% when credit card is required.

Growth Lever 3: Customer Expansion

Getting existing customers to pay more is the easiest revenue to generate. I introduce higher-tier plans with premium features for 2-3x the price. I consider usage-based pricing where I charge for API calls, storage, or seats. I cross-sell features by offering add-ons like integrations or priority support.

Measurement: I track expansion MRR and aim for 10-20% of new MRR to come from expansion.

Growth Lever 4: New Acquisition Channels

To scale beyond existing channels, I write SEO content—helpful guides that rank for buyer-intent keywords. I launch referral programs that give existing users credit for referring new users. I list the product on integration marketplaces like Zapier, Make, HubSpot, and Salesforce AppExchange. I restart dormant channels if something like email marketing has stopped. And I test paid ads on Google for high-intent keywords, but only if CAC is less than 3-month LTV.

Measurement: I track MRR by acquisition channel and double down on what works.

Cost Optimization: The Other Side of Profit

Growth gets the glory, but cost cuts are instant profit.

Cost Audit Checklist:

✅ Infrastructure – AWS/hosting is often over-provisioned by 30-50%
✅ SaaS subscriptions – Turn off all the virtual CCs, put CC spend onto Ramp, and see what breaks
✅ Support overhead – Can you automate common support questions?
✅ Marketing spend – Facebook ads that don't convert are burning cash
✅ Payment processing – Stripe charges 2.9% plus extra, but you don't always need the extras

Real Cost Savings Examples:

💰 Reduced AWS costs 40% – Rightsized EC2 instances, moved to reserved instances
💰 Canceled $500/mo in unused tools – Found 5 SaaS subscriptions nobody used
💰 Negotiated Stripe fees from 2.9% to 2.7% – At $10k MRR, saves $20/month
💰 Automated support with chatbot – Reduced support hours from 20/wk to 10/wk

When to Cut vs. Invest:

Cut when: The cost doesn't drive a measurable outcome (vanity metrics), the infrastructure is over-provisioned (paying for capacity you don't need), you have duplicate tools (using both Intercom and Zendesk), or paid ads have a CAC greater than 6-month LTV.

Invest when: There's clear ROI (like customer success reducing churn by 20%), it builds a strategic moat (integrations, proprietary data), or it creates compounding assets (SEO content, marketplace presence).

Setting Realistic Growth Goals

For detailed growth tactics and case studies, see our SaaS Growth Strategy Guide.

Common Lies Sellers Tell

Sellers will tell you the churn is temporary, that the code is "well-documented and modern," that growth is organic when it's paid ads, that "this just needs a little marketing" when the product is fundamentally broken, that MRR is $10k when half of it is prepaid annual deals about to cancel, that there are "tons of inbound leads" when the pipeline is dry, that "customers love it" when NPS is 20 and support tickets are piling up, that the tech stack is current when it's running on deprecated libraries about to break, that traffic is "mostly organic" when it's 80% paid or bot traffic, and that "this only takes 5 hours a week" when it actually needs 20+ hours of firefighting. Some of these are intentional fraud.

Most are sellers who've convinced themselves of a rosier picture than reality. Either way, your job is to verify everything, trust nothing, and walk away the moment something doesn't add up. There are always more deals, but you only get one reputation and one bank account.

Getting Started: Your Next Steps

Still want to take a swing at this? Here's how.

If You're Ready to Buy

Step 1: Define Your Criteria

Write down your requirements before looking at deals. Figure out your budget—how much capital do you have? $25k? $100k? Define your MRR range and what size business you're targeting. Pick your industries: B2B, B2C, or vertical SaaS? Understand your time commitment and how many hours per week you can dedicate. Know your risk tolerance—do you want a low-risk established product or a higher-risk growth opportunity?

Step 2: Set Up Deal Flow

Don't wait for the perfect deal to appear. Build a pipeline. Create accounts on Acquire.com, MicroAcquire, and Flippa. Set up Google Alerts for "saas for sale" and related terms. Follow SaaS founders on Twitter who share revenue. Join acquisition-focused communities.

Step 3: Create Your Due Diligence Checklist

Use the framework from this guide and customize it for your needs. Have it ready before you start looking at deals seriously.

Step 4: Start Small

Your first acquisition should be under $50k. Treat it as tuition. You'll learn the process, you'll make mistakes (better to make them on a small deal), and you'll build confidence for bigger acquisitions.

Step 5: Join Buyer Communities

Learn from other buyers. Join the Wildfront Community where SaaS founders and buyers share insights. Check out IndieHackers acquisition threads. On Twitter, follow @alexcboyd, @thesamparr, and @ajsharp for acquisition and growth insights.

Resources to Bookmark

📚 SaaS Acquisition Multiples Guide – Understand what businesses sell for
📚 Best SaaS Acquirers Guide – Where to find deals
📚 SaaS Growth Strategy Guide – Post-acquisition growth tactics
📚 Wildfront Community – Connect with other founders and buyers