YELLOW — 4.17/10.
The pain is real but monetization is broken — Shujinko made SOC 2 evidence collection free, Vanta owns mindshare, and buyers show zero willingness to pay a new entrant $499/month.
The pain is real. Early-stage startups genuinely drown in SOC 2 evidence collection — 100+ controls, 150-item auditor request lists [W2], and no clear starting point [H2]. That's a legitimate wedge. The problem isn't whether people suffer; it's whether they'll pay you to fix it.
Here's the blocker: Vanta already owns the mindshare [H4], Shujinko made their audit prep software free [R2], Oneleet bundles compliance into a full-service YC-backed platform [R3], and Bastion covers 30+ frameworks for 300+ companies [W1]. You're not entering a gap — you're entering a crowded room where the loudest players are either free or all-in-one. The scorecard shows zero paying signals against five "already free" signals (WTP: 2.0/10). That's not a pricing question — that's a monetization crisis.
The one move that could push this to GREEN: stop selling to "general consumer" and go narrow. The HN evidence is explicit — compliance fails when it's one person's problem and nobody else owns it [H1], and buyers distrust black-box tools that don't show their work [H3]. That's your wedge. Target a single auditor-buyer persona (e.g., the solo security lead at a 20-person B2B SaaS company hitting their first enterprise deal), price transparently upfront [R1], and build the audit trail verifiability that Vanta and others skip. Niche beats broad here. Right now this pitch is too generic to act on.
A structured scan turned up 3 competitor / launch signals across 52 pieces of evidence (9 web, 25 reddit, 18 hackernews).
| Signal | Platform | Note |
|---|---|---|
| Show HN: AI compliance automation for startups and lean teams | Hackernews | live signal |
| Show HN: Built a verifiable, open-source SoC 2 readiness scanner | Hackernews | live signal |
| Free NIST 800-53 and SOC 2 Compliance Audit Prep Tool | | live signal |
The raw count is modest. The shape of the competition is the real problem.
The named players are already eating the obvious positioning. Vanta is the established incumbent — already cited by practitioners as the default answer for SOC 2 automation [H4]. Bastion covers 30+ frameworks beyond SOC 2 and serves 300+ companies [W1]. Oneleet (YC S22) bundles security program management with compliance and targets exactly the same B2B SaaS startup segment [R3]. Shujinko made its SOC 2 audit prep software free to all users [R2]. Regulance launched on HN as an AI-powered automation platform covering GDPR, SOC 2, ISO 27001, PCI DSS, and HIPAA simultaneously [H5]. That's five named products, several with real distribution, at least two with free tiers or free pricing outright.
The free signal is the sharpest threat. Five of the evidence items flag "already free" alternatives — that's the 2.0/10 willingness-to-pay score made concrete. When Shujinko goes free and a Reddit post drives meaningful engagement, the ceiling on what a new entrant can charge compresses fast [R2]. Buyers in this segment are startups watching spend; they will default to free unless the paid alternative solves something the free tool visibly cannot.
Broader surface area is the second problem. Most competitors aren't just evidence collectors — they're full platforms. Bastion handles documentary, observational, reperformance, and analytical evidence types across disparate systems in one product [W1]. Oneleet positions as a team extension, not a tool [R3]. A single-function evidence dashboard lands in a market where buyers are already being pitched all-in-one. Narrower scope reads as less value, not sharper focus, unless the pitch articulates a specific wedge the incumbents demonstrably fumble.
One real opening exists, but it's narrow. The HN threads surface a genuine unmet need: buyers distrust black-box compliance tools that don't show their work, making audits slow regardless of automation [H3]. Verifiability and transparency — not just collection speed — is what sophisticated buyers actually want. That's a differentiation angle the incumbents haven't fully closed. But it's a positioning bet, not a moat, and the open-source scanner signal [H3] suggests someone is already building toward it for free.
Bottom line: The market is real, the pain is documented, and there's a specific trust-gap angle worth pursuing. But this is not a wide-open space. Five named products, a free-tier pricing norm, and all-in-one incumbents with existing distribution make this a hard entry on execution differentiation alone — which is exactly what a 4.17 composite reflects.
The pain is real — early-stage teams genuinely drown in SOC 2 evidence requests, with one guide cataloguing 150-item evidence lists [W2] and another detailing continuous collection across access logs, change management tickets, and policy docs sampled over 6–12 month audit windows [W3]. HN threads confirm the confusion is less about security knowledge and more about not knowing where to start with 100+ controls [H2]. But here's the problem: the market already has answers. Vanta is explicitly named as solving this [H4]. Shujinko made SOC 2 prep free [R2]. Bastion covers 30+ frameworks for 300+ companies [W1]. Oneleet (YC S22) bundles security and compliance end-to-end [R3]. When users do show up in these threads, they're asking for transparent pricing and complaining about "contact sales" friction [R1] — not signaling willingness to pay a new entrant. The evidence registers real pain but zero paying intent, and the free-tier race among incumbents makes monetization the hardest unsolved problem here. The quotes below reflect that split: genuine frustration with the process, almost no signal that a new dashboard is the missing piece.
Three archetypes worth modeling explicitly before writing any code. These are not personas — they are the people who decide whether you get paid. The honest read at 4.17/10: the pain is real, the buyers are identifiable, but willingness to pay is nearly undetectable against a wall of free alternatives.
Archetype 1: The Compliance-Pinned Engineering Lead
Who they are: Senior engineer or DevOps lead at a 20–150-person B2B SaaS startup, 3–8 years in, probably carrying SOC 2 as a side responsibility alongside shipping product. Find them on LinkedIn by filtering "DevOps" or "Platform Engineer" at Series A/B SaaS companies that list "SOC 2" or "ISO 27001" in their job descriptions.
Current toolstack and spend: This archetype is most likely running spreadsheets and screenshot folders today — the exact manual workflow the pitch targets. Some have already evaluated Vanta (entry pricing ~$7,500–$15,000/year for small teams) and decided it was too expensive for a first audit, or are using Shujinko's free tier after it opened its audit prep product at no cost [R2]. A minority are on a Drata free trial or a lightweight GRC SaaS. The displacement cost against the free tier is effectively zero for the tool but real in switching behavior: once evidence is organized in a spreadsheet, re-ingesting it feels like extra work. The switch trigger for this archetype is the audit request itself — they move only when an auditor sends the 150-item evidence list and the spreadsheet breaks [W2].
Real concern: They know security. What breaks them is the 100+ controls across multiple frameworks and zero clarity on where to start [H2]. They're not confused about firewalls — they're confused about which evidence maps to which control, and who owns what. Compliance fails when it becomes one person's problem [H1].
Real blocker: Shujinko already went free for SOC 2 audit prep [R2]. Vanta exists and enterprise buyers already know it [H4]. Bastion covers 30+ frameworks and serves 300+ companies [W1]. This archetype has already Googled the space. If your tool isn't obviously better or cheaper in the first 60 seconds, they close the tab. Transparent upfront pricing is non-negotiable — "contact sales" triggers immediate distrust [R1].
Archetype 2: The Startup Founder Blocked on an Enterprise Deal
Who they are: Technical or semi-technical founder at a seed-to-Series A company, 10–50 employees. A prospective enterprise customer has asked for a SOC 2 report. The audit is now blocking revenue, not a future nice-to-have. Find them in r/startups, r/SaaS, or on LinkedIn searching "Founder" + "B2B SaaS" + company size under 50.
Current toolstack and spend: This archetype typically has no prior compliance tooling at all — they are pre-Vanta, pre-Drata, pre-everything. Their current "stack" is a Google Drive folder, a shared Notion doc somebody wrote once, and a Linear board that nobody tagged with control IDs. Spend today: $0 on compliance tooling. That sounds like an open market, but it cuts both ways — zero prior spend means zero budget line to replace, and the first quote they hear shapes the entire category anchor. Oneleet (YC S22) is targeting exactly this moment with an all-in-one security-plus-compliance offering [R3], and if this founder finds it first — or finds any free-tier tool — the $499/month conversation gets framed as expensive before it starts. The switch trigger is the enterprise deal deadline, which is time-bounded and high-stakes but also one-time in nature.
Real concern: The 150-item evidence request from the auditor is the first time they've seen what SOC 2 actually requires [W2]. They don't have a compliance team. The 6–12 month Type 2 window feels like a revenue death sentence [W3]. They want a map, not a philosophy.
Real blocker: They'll pay — but only once, and only if the ROI is obvious against the deal size. The WTP signal here is the weakest part of this pitch (2.0/10). If this archetype finds Oneleet or a comparable free-tier tool first, they don't come back [R3].
Archetype 3: The IT or Legal Gatekeeper Who Didn't Ask for This
Who they are: IT manager, GRC analyst, or in-house counsel at a mid-market company being pushed toward compliance by a sales team or board. They didn't initiate this project. They're evaluating tools because someone above them said "figure it out." Find them on LinkedIn: "GRC Analyst," "IT Compliance Manager," or "Information Security Manager" at companies with 100–500 employees.
Current toolstack and spend: This archetype is the most likely to already be paying for something — typically Vanta, Drata, or an auditor-provided spreadsheet pack bundled into a $15,000–$30,000 audit engagement. Some are mid-contract with a platform that auto-collects from AWS and GitHub but has become a black box that auditors don't fully trust [H3]. Their displaceability depends entirely on whether their existing tool is under annual renewal: if they signed Vanta 10 months ago, they will not switch regardless of demo quality. The switch trigger is a failed audit cycle, a renewal cliff, or a new compliance initiative that their current tool doesn't cover. At $499/month ($5,988/year), this product lands below most incumbent contracts — a price advantage that only matters if the output is auditor-verifiable, not just aggregated [H3].
Real concern: They've seen black-box compliance tools that claim to automate everything but can't show their work — and that made the last audit slower, not faster, because auditors didn't trust the outputs [H3]. They want verifiability and transparency, not just aggregation. They also need cross-functional buy-in from IT, legal, and finance before any vendor gets approved — which extends deployment well beyond two weeks regardless of how good the demo looks [R1].
Real blocker: This is the archetype most likely to say no by default. They've seen 10 versions of this pitch. They'll run a vendor assessment, loop in procurement, and ask for a security review of your security tool — the irony is not lost on them. Without a clear moat in the evidence layer (not just the dashboard), they'll wait for Vanta to ship the feature or ask their auditor for a spreadsheet template instead.
Pitched price: $499/workspace/month. WTP signal from evidence: 2.0/10. Zero paying signals · 5 pain mentions · 5 'already free' signals.
Category band: SOC 2 / compliance automation tools — B2B SaaS, 20–50 person companies preparing their first audit. The buyer persona is correctly identified. The pricing problem isn't a mismatch in category; it's what the market has been trained to expect within that category.
What the market actually pays — and what it doesn't:
The $499/month ask against a free-tier market:
$499/workspace/month is a defensible price in principle — it sits below Vanta's annual contract value and above the floor of free alternatives, which is theoretically the right positioning. The structural problem is that Shujinko [R2] has already established free automated evidence collection as a credible option for this exact buyer. Users in adjacent compliance communities explicitly demand transparent upfront pricing and reject "contact sales" friction [R1] — the pitch satisfies that requirement by publishing a number, which is a genuine asset. But publishing a price and defending it are different things. With zero paying signals in the evidence, the $499 figure is currently an assertion, not a validated anchor.
What would justify the price — and what's missing:
The wedge is real: 4–6 weeks of manual screenshot collection per audit cycle is a documented, recurring pain [W3], and the integrations (CloudTrail, IAM, GitHub, Notion, Linear, Splunk) plus control-mapped exports represent a concrete time-to-value argument. Evidence from HN confirms first-time preparers find SOC 2 "extremely unclear how to start" [H2] and that audit failure from missing evidence is a genuine risk [W3]. Pain exists. The gap is that no evidence in this set shows a buyer in the 20–50 person segment choosing to pay $499/month over either absorbing the manual cost or defaulting to a free alternative. One paying customer at this price point would substantially change the calculus.
The honest read:
$499/month is coherent — it's not obviously mispriced for a B2B SaaS buyer with a real audit deadline and real engineer-hours at stake. The problem is that coherent pricing isn't validated pricing. The free incumbents (Shujinko [R2]) and VC-backed platforms (Oneleet [R3], Bastion [W1]) have already trained buyers to expect either free tooling or bundled pricing that amortizes the compliance cost across a broader security program. Charging a standalone monthly fee for an evidence dashboard requires a demonstrated wedge — speed, auditor acceptance, integration depth — that the current evidence base doesn't yet confirm. Until at least one paying customer validates willingness to pay at this price point, the WTP score of 2.0/10 is accurate, not pessimistic.
The pitch is a compliance evidence collector with an unspecified audience and no pricing model. That vagueness is a build risk, not just a positioning risk — you can't scope integrations without knowing whether you're targeting DevOps teams on AWS [R2], early-stage SaaS founders confused by 100+ controls [H2], or someone else entirely. What follows assumes a lean B2B dashboard targeting SOC 2 readiness, because that's where all the evidence points. If the actual target is different, restart the scoping.
Week 1 — Core data model + primary evidence flow
Define your control taxonomy first. SOC 2 evidence spans documentary, observational, reperformance, and analytical types across access logs, change management, incident tickets, and policy docs [W3] — if you try to boil the ocean, Week 1 becomes Week 4. Pick two or three control categories, hardcode the mappings, build the ingestion pipeline for one cloud (AWS or GCP), and produce an internal demo. No auth, no billing, no polish.
Hard part here: evidence collection isn't just API calls. Auditors require proof of continuous collection across a 6–12 month window [W3], which means your data model needs timestamping, versioning, and chain-of-custody logic from day one. Bolt this on later and you'll rebuild it.
Engineering cost: 1 dev, full week. ~$3–5K.
Week 2 — Verifiability layer + second integration
This is the non-obvious hard part. The market doesn't just want automation — it wants to see the work [H3]. Black-box tools that aggregate evidence without showing the audit trail lose trust with auditors and compliance leads. Build an explicit evidence-to-control mapping view: user sees why a given log satisfies a specific control. This isn't a nice-to-have; it's what separates you from Vanta [H4] and Bastion [W1] in the pitch, and neither is easy to displace.
Add a second cloud or SaaS integration (GitHub, Okta, or similar). Two integrations is enough to validate the pattern without overbuilding.
Landing page goes live this week. Transparent pricing, upfront — users explicitly reject "contact sales" models [R1]. If you don't have a price, publish a waitlist with a price signal ("plans starting at $X").
Engineering cost: 1–2 devs. ~$4–7K.
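The Week 1 data-model requirement (timestamped, versioned, chain-of-custody evidence) and the Week 2 "show your work" mapping view, as one added illustration in Python. This is example code written for this review, not code from the pitch or from any product named in the report; the control IDs follow SOC 2 common-criteria naming (CC6.1, CC7.2, CC8.1), and the evidence payloads, sources and rationales are constructed sample data.

```python
"""Tamper-evident SOC 2 evidence ledger with evidence-to-control mapping.

Added illustration, not code from the pitch or any product named in the report.
Control IDs follow SOC 2 common-criteria naming (CC6.1, CC7.2, CC8.1); the
evidence payloads and rationales below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def canonical(obj) -> bytes:
    """Deterministic JSON so identical evidence always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLedger:
    """Append-only hash chain: every entry commits to the previous entry's hash,
    so editing or reordering evidence after collection is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, source, collected_at, payload, controls):
        """Record one evidence item plus the controls it supports and why.

        controls is a list of (control_id, rationale) pairs; the rationale is the
        'show your work' text an auditor sees next to the raw artifact.
        """
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "source": source,
            "collected_at": collected_at.isoformat(),
            "content_hash": hashlib.sha256(canonical(payload)).hexdigest(),
            "controls": [{"id": cid, "rationale": why} for cid, why in controls],
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> int:
        """Recompute the chain; return the index of the first bad entry, or -1."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return i
            if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1

    def control_view(self, control_id):
        """The auditor-facing view for one control: when, from where, and why."""
        rows = []
        for entry in self.entries:
            for ctl in entry["controls"]:
                if ctl["id"] == control_id:
                    rows.append((entry["collected_at"], entry["source"], ctl["rationale"]))
        return rows

    def coverage_gaps(self, control_id, window_start_iso, window_end_iso, max_gap_days=31):
        """Stretches of the audit window longer than max_gap_days with no evidence
        for the control; a non-empty result means 'continuous collection' fails."""
        stamps = sorted(datetime.fromisoformat(t) for t, _, _ in self.control_view(control_id))
        points = [datetime.fromisoformat(window_start_iso)] + stamps
        points.append(datetime.fromisoformat(window_end_iso))
        limit = timedelta(days=max_gap_days)
        return [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]


def build_sample() -> EvidenceLedger:
    """Constructed sample: three collections over six weeks touching three controls."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    ledger = EvidenceLedger()
    ledger.append("aws:iam", t0, {"users_without_mfa": []},
                  [("CC6.1", "IAM credential report shows MFA enforced for every console user")])
    ledger.append("github:pr", t0 + timedelta(days=20),
                  {"pr": 42, "approvals": 2, "merged": True},
                  [("CC8.1", "Change merged only after two independent reviewer approvals")])
    ledger.append("aws:cloudtrail", t0 + timedelta(days=45),
                  {"event": "ConsoleLogin", "mfa_used": "Yes"},
                  [("CC6.1", "Console login event records that MFA was used"),
                   ("CC7.2", "Login events are captured centrally for monitoring")])
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    print("chain intact:", ledger.verify() == -1)
    print("CC6.1 gaps > 31 days:",
          ledger.coverage_gaps("CC6.1", "2024-01-01T00:00:00+00:00", "2024-07-01T00:00:00+00:00"))
```

Running it on the constructed sample reports an intact chain and two coverage gaps for CC6.1 over a January-to-July window, which is the kind of finding an auditor raises against a 6–12 month Type 2 period.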
Week 3 — Auth, billing, beta invite to 10 design partners
Stripe billing, basic telemetry (which controls are being mapped, which integrations are being used), and role-based access (the compliance owner isn't always the engineer). Onboarding complexity is real: enterprise deployments involve IT, legal, and finance sign-off [R1], but your beta partners are early-stage founders who can move faster — target that cohort deliberately.
Compliance automation fails when it becomes one person's problem [H2]. Design the beta to test whether a non-engineer can use the tool without hand-holding. If they can't, you'll discover it in Week 3 rather than after launch.
Get 10 design partners committed before this week starts, not during it. Cold outreach during build is a distraction.
Engineering cost: 1–2 devs. ~$3–5K.
Week 4 — Iteration + first paid conversion attempt
Triage beta feedback into three buckets: mapping accuracy, missing integrations, and UX confusion. Only fix the first bucket this week — the others are roadmap. Push for one paid conversion, even at a steep discount. The WTP signal on this pitch is weak (2.0/10) with zero paying signals and five "already free" signals in the evidence [R2][H5]. A discounted paid commitment still beats a free trial as validation.
Expect deployment friction. Even with a fast-moving beta user, cross-functional onboarding extends timelines well beyond two weeks in practice [R1]. Week 4 first-dollar is optimistic — budget for Week 6.
Engineering cost: 1–2 devs. ~$2–4K.
Total estimated build cost: $12–21K over 4 weeks (1–2 devs)
The integrations are the wildcard. Each new cloud or SaaS platform adds 3–5 days of engineering. The hidden complexity isn't the dashboard — it's maintaining evidence integrity over time as APIs change and audit windows span months. That's ongoing engineering cost, not a one-time build. Plan for it.
The path exists, but the monetization case is genuinely unclear at this stage. Build lean enough that you can pivot the audience definition after Week 3 feedback without throwing away the core evidence pipeline.
The structural cost story here is worse than it looks at first glance — and it already looks uncertain.
Support cost per customer will dominate unit economics. Compliance tools aren't self-serve in practice. Evidence from real deployments shows onboarding routinely pulls in IT, legal, and finance teams — extending timelines well beyond initial estimates and generating disproportionate support load per account [R1]. You're not selling a dashboard; you're selling a change-management project. Budget headcount accordingly before month six.
The free-tier ceiling is real and closing. Shujinko already made SOC 2 audit prep software free to all users [R2]. Vanta owns significant mindshare at the enterprise tier [H4]. Bastion covers 30+ frameworks and serves 300+ companies [W1]. Oneleet bundles security and compliance as a managed service targeting the same early-stage B2B SaaS buyer [R3]. Every one of these is a structural pricing anchor that makes your "unspecified price model" a liability — not a feature. The market has already trained buyers to expect either free tools or all-inclusive platforms. Landing anywhere in between requires a very precise value justification you haven't yet articulated.
"Contact sales" is a conversion killer you can't afford. Buyers in this space explicitly demand transparent pricing upfront [R1]. With zero paying signals in the evidence and five "already free" signals, opacity on pricing isn't strategic ambiguity — it's churn before acquisition.
Verifiability costs aren't optional. The differentiation buyers actually want isn't faster collection — it's auditability and transparency in how the evidence was gathered [H3]. Building "show your work" into the product is not a nice-to-have; it's the feature that determines whether your output survives auditor scrutiny. That's a non-trivial ongoing engineering cost that doesn't get cheaper as frameworks evolve.
Compliance creep cuts both ways. Your customers' lawyers will ask for your SOC 2 before they sign meaningful contracts. You will need to eat your own cooking — which means paying Vanta or Bastion or a consultant, or building internal controls early. That's a real cash cost that hits before you have revenue to offset it.
LLM token cost variance — if any evidence parsing or control-mapping logic runs on LLM calls, a single power user with 150-item evidence requests [W2] running continuous collection across a 6–12 month audit window [W3] can spike your per-account cost by 5x or more. Without a pricing model to cap or meter this, it compounds silently.
Framework proliferation is a treadmill. SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA — the moment you support one, enterprise buyers expect all of them [H5]. Maintaining accurate control mappings across frameworks isn't a one-time build; it's an ongoing content and engineering cost that scales with the number of frameworks, not with revenue.
Bottom line: the structural risks here aren't exotic — they're the standard ones that have already shaped this market into its current form. The incumbents exist because these costs are real. The path forward requires a pricing model, a support model, and a verifiability story before launch, not after.
Distribution moat score: 5.7/10
The evidence shows a crowded space with established players already owning the obvious channels. Vanta is already the default answer when someone asks "how do I handle SOC 2?" [H4] Oneleet (YC S22) is actively recruiting on Reddit threads where your prospects are asking questions [R3]. Shujinko went free to acquire users [R2]. Bastion claims 300+ companies on its platform [W1]. You're not entering a vacuum — you're entering a market where the top of the Google results page and the top HN comment threads are already occupied.
But the deeper problem isn't the crowded digital channels. It's that this entire section, in its original form, ignored the dominant acquisition channel for compliance tooling: CPA firm referral networks and auditor relationships. That omission isn't a stylistic gap — it's a strategic one that needs to be confronted directly.
The channel the evidence forces you to address
SOC 2 Type 2 audits require a licensed CPA firm to conduct the audit. Full stop. That means every single one of your target customers — 20–50-person SaaS companies preparing their first audit — is already in an active relationship with an auditor before they decide which evidence collection tool to use. The auditor frequently recommends, or at minimum approves, the tooling. Lorikeetsecurity.com is a consulting firm already producing SOC 2 prep guides [W2], and Bastion's evidence collection guide exists specifically to get recommended inside those auditor conversations [W1]. This is not a secondary channel. For compliance tools, it is the primary referral surface.
You have no auditor relationships. That is the honest starting position, and the playbook has to account for it rather than route around it entirely.
What the evidence tells you about channel reality
Channels that don't work here
First-move sequence (be honest: this is the only realistic path)
Months 1–2 — 20 customers by hand, sourced through auditor proximity. Your initial customers should come from direct outreach to small CPA firms that conduct SOC 2 audits for early-stage SaaS — the two- to five-partner regional firms, not the Big Four. Not to sell them the tool. To understand what evidence formats they actually accept, which controls they flag most often, and what makes an evidence package easy versus painful to review. This is intelligence gathering with a relationship byproduct. If even one firm agrees to informally refer a client your way, that is a more durable signal than twenty cold Reddit signups.
Month 2 — Build auditor-legible outputs before building founder-legible ones. The verifiability problem is the core trust gap in this market [H3]. Buyers distrust black-box tools that don't show their work. The fastest way to address that isn't founder content — it's producing export formats that a CPA reviewer recognizes as complete and properly structured. Every auditor-friendly PDF you ship is also a referral asset: the auditor who receives a clean package remembers which tool generated it.
Month 3 — Inhabit the confusion moment in founder communities, but as a credible secondary channel. The HN and Reddit threads in the evidence [H1][H2] are where confused first-timers congregate. Participate genuinely, not promotionally. Answer "where do I start" questions with specificity. This is where Oneleet is already operating [R3]. You should be present, but this channel alone cannot carry acquisition against an entrenched competitor working it harder.
Only after a free channel clears a $200 CAC ceiling — consider narrow paid distribution. Not before. With WTP this uncertain, you cannot afford to discover your conversion rate through paid spend.
The honest constraint
The auditor-relationship channel is not skipped because it's a bad idea — it's structurally difficult for a pre-revenue product with no track record. CPA firms recommend tools they trust, and trust requires audit outcomes they can point to. That's a chicken-and-egg problem you cannot engineer around in month one. The sequencing above is the minimum viable path to building the credibility that referral channel requires — but it needs to be named as the destination, not omitted as though founder-community tactics are a substitute. Distribution isn't the core problem here — willingness to pay is. A 2.0/10 WTP score means even a perfectly executed distribution play lands prospects who won't convert. The sequencing above is designed to surface that truth cheaply, not to paper over it.
Vanta already solved this for the buyers who will pay. Vanta is the named incumbent [H4] — established, audit-proven, and already trusted by enterprise buyers who mandate SOC 2 for vendor onboarding. Competing on evidence collection as a feature against a funded platform with auditor relationships is not a positioning strategy; it's a slow loss.
The free tier has already arrived. Shujinko made their SOC 2 audit prep software free to all users [R2], and Oneleet (YC S22) bundles compliance tooling with managed security services [R3]. When the floor price is zero, a general-consumer audience — already flagged as low WTP — has no reason to pay. The willingness-to-pay score is 2.0/10 for a reason: five separate signals in the evidence show users already expect this for free.
"Unspecified audience" is the real product problem. The pitch says general consumer. SOC 2 evidence collection is a B2B workflow — it involves IT, legal, and finance sign-off, with deployment timelines well beyond two weeks [R1]. If the target is actually consumers, the compliance framing is wrong. If the target is startups, the go-to-market is wrong. The ambiguity isn't a pitch flaw; it's a signal the problem hasn't been scoped.
Black-box automation won't close auditors. The market has moved past "we collect evidence" as a value prop. Buyers now distrust tools that don't show their work — verifiability and transparency are the actual purchase criteria [H3]. A dashboard that aggregates without explaining its control mappings will get flagged in vendor assessments, not purchased.
The wedge collapses on first customer call. HN threads confirm the real pain isn't collection — it's knowing which controls map to which work, and who owns each one [H1][H2]. A compliance evidence collector that doesn't solve the confusion-about-where-to-start problem will see users churn back to spreadsheets after the first audit cycle, not renew.
Pricing opacity kills the sales cycle before it starts. Users in adjacent compliance tools explicitly demand transparent pricing upfront and reject "contact sales" models [R1]. This pitch lists price model as unspecified. In a category where buyers are already skeptical and deployment involves multiple stakeholders, no visible price is a conversion killer.
Bastion covers 30+ frameworks and is already in market. Bastion serves 300+ companies with an all-in-one platform [W1]. Regulance is also live, targeting the same early-stage startup segment with AI-powered evidence collection across GDPR, SOC 2, ISO 27001, PCI DSS, and HIPAA [H5]. Three or more entrants are visible in the evidence — distribution headroom is already compressing, and none of these competitors are standing still.
Consumer CAC will eat the margin before revenue arrives. The market size score is 4.0/10 precisely because consumer and social-platform tools carry small WTP and large CAC. Without a defined acquisition channel, the path to first dollar stretches — and the time-to-revenue score of 5.0/10 assumes a normal dashboard build cycle, not one fighting for attention against free incumbents in a low-intent audience.
The core pitch — compliance evidence collector for "general consumers" — sits in an awkward middle ground. WTP is 2.0/10, free tools already exist [R2], and Vanta [H4], Oneleet [R3], and Bastion [W1] have staked out the obvious territory. But the evidence points to three adjacent angles worth serious consideration:
1. Narrow to the paying moment: pre-audit B2B SaaS startups under enterprise sales pressure
General consumer is the wrong frame. The actual buyer is a 10–50 person B2B SaaS company that just got a SOC 2 request from an enterprise prospect. That's a specific, high-urgency moment with real budget. The HN threads confirm these teams find the starting point "extremely unclear" [H2] and that compliance fails when it becomes one person's burden [H1] — not that they refuse to pay, but that nothing is positioned for them specifically. Vanta solved this at the high end; a leaner, transparent-pricing version aimed at seed-stage startups (where Vanta's pricing feels heavy) could find traction. Evidence from Reddit explicitly shows buyers reject "contact sales" models and want pricing upfront [R1] — that alone is a product decision that incumbents often fumble.
2. Sell the audit outcome, not the dashboard
The market distrust isn't about collection — it's about verifiability. Auditors and companies distrust black-box tools that don't show their work [H3]. A productized "audit-ready package" — where you handle evidence collection and produce auditor-legible artifacts with a clear chain of custody — is higher ACV than a dashboard subscription and maps to what actually unblocks a SOC 2 Type 2 [W3]. Bundle in policy templates, auditor liaison, and a readiness guarantee. This is closer to what Oneleet sells [R3] than what a generic dashboard delivers. Margin is in the outcome, not the infrastructure.
3. Build the evidence infrastructure layer, not the UI
The real defensibility question is what sits under the dashboard. Bastion covers 30+ frameworks from a single integration layer [W1]; Regulance is doing similar work across GDPR, SOC 2, ISO 27001, PCI DSS, and HIPAA [H5]. If you've built reliable, auditor-accepted connectors to cloud environments and SaaS tools, that integration layer is the asset — not the front-end. Licensing it to consultancies and auditing firms (who have the customer relationships and the billing authority) could be faster to revenue than selling direct to startups who expect free tools.
The honest filter: None of these adjacencies fix the WTP problem overnight. They reframe who is being asked to pay and why the moment of payment feels justified. The path to revenue runs through specificity — one framework (SOC 2), one buyer type (seed-stage B2B SaaS), one urgent trigger (first enterprise deal) — not a general-consumer compliance dashboard competing against free.
Composite score: 4.17/10 → YELLOW.
The table below is the full breakdown. Each axis is scored from transparent heuristics over the collected evidence — sources are listed in the next section. Weights are: WTP 25%, distribution 20%, technical moat 15%, market size 15%, founder-fit 15%, time-to-revenue 10%.
Composite: 4.17 / 10.
Pipeline. This report was generated by an automated research + synthesis pipeline. The research layer queries Reddit (via PullPush.io across r/all and several startup subreddits, plus drill-down into top threads' comments), Hacker News (via the Algolia API across multiple keyword variants), and the open web (DuckDuckGo fallback) (across the pitch itself, the keyword cloud, and per-anchor 'problem' / 'alternatives' expansions). Each result is normalized into a single evidence record with source URL, title, snippet, date, and a signal score. A second LLM pass (Claude Haiku) scores every item 1-10 for relevance to the pitch and flags 5-8 leads to deep-fetch; drill summaries from that pass feed the synthesis prompts. A third Haiku pass writes a one-to-two-sentence reference summary for every item scoring ≥7 — those are what you see in the dedicated per-source evidence sections below.
Evidence collected: 52 items — 9 items from web; 25 items from reddit; 18 items from hackernews. Of those, 25 survived the wave-2 LLM relevance filter (score ≥ 5/10) and were used by the synthesis layer.
Per-source evidence sections. Below this section you'll find three dedicated reference dumps — one each for Reddit, Hacker News, and the web — listing up to 30 high-relevance items per source with their one-line summary and direct link. The narrative sections above draw from these same items but distill them; if you want the raw evidence those distillations are built on, that's what the sections below are for.
Synthesis. Sections are filled by deterministic rule-based drafts (driven by the parsed pitch and evidence counts) that Claude Sonnet then polishes with the relevance-scored evidence and drill summaries as grounding. A critic pass identifies the 2-3 weakest sections and regenerates them with the specific critique injected. The scorecard uses transparent, evidence-driven heuristics (counts of paid/free/pain-signal patterns) combined with category and vertical priors. Composite is a weighted average; verdict thresholds are RED <4.0, YELLOW 4.0-6.5, GREEN >6.5.
What this report cannot do. It cannot interview customers. It cannot replicate Viksit's read on a specific founder or team. It does not have proprietary market data. Treat it as a fast, evidence-linked second opinion — not a replacement for a 30-minute conversation with someone who knows your space.
Below are 4 Reddit comments and posts that scored ≥7/10 for relevance to this pitch. Each is summarised in one or two sentences and linked directly to its source.
Below are 5 Hacker News stories and comments that scored ≥7/10 for relevance. Each is summarised in one or two sentences and linked directly to its source.
Below are 7 web articles, blog posts, and competitor pages that scored ≥7/10 for relevance. Each is summarised in one or two sentences and linked directly to its source.