This is our real roadmap: twenty conversations before one line of new feature code. Auditors and the companies selling to banks are telling us what matters.
One hypothesis. Two validation tracks. Clear kill criteria. One deliverable: a memo of what auditors will accept and what companies actually need.
5 conversations with ISO 27001 lead auditors and boutique cert-body assessors.
Closing these questions:
Each auditor sits across ~30 ICP companies/year. This track is validation AND channel.
15 conversations with compliance leads and security engineers at cloud-native fintechs and regulated-adjacent companies.
Closing these questions:
Sources: warm banking-industry introductions, LinkedIn, fintech compliance communities, auditor referrals.
These capabilities are shaped by what discovery conversations tell us matters.
Shared logins, accounts with more power than the job needs, one person approving their own work. The founder watched all three go wrong inside banks.
A dated record of what each server and account was set to. Produced by a plain rule that gives the same answer every time. No AI wrote it.
Keep Vanta or Drata for policy documents and staff training. Enforcer covers what they cannot see — inside your cloud. Nothing to migrate.
Enforcer finds the problem and proposes the fix. A person approves it. The problem, the approval, and the fix are stored together.
41 checks across 13 kinds of resource inside your clusters — access rules, network isolation, resource limits — reported next to your AWS results.
Pick a date range and export everything checked in that period, each line carrying its server, its check, the result, and the date.
Per-trial sandbox instance, pre-seeded demo AWS account, evidence-pack export in auditor-spec format. Convert warmest discovery conversations into 3–5 design partners (discounted year-one + case studies).
≥2 design partners → paid annual. First case study published. Auditor network seeded (2+ auditors become referral relationships). SOC 2 build decision made from discovery data.
Decision made. No ambiguity. No delay.
Path A — Revenue: ≥2 paying pilots (≥$10K each, annual) → keep bootstrapping
Path B — Raisable Proof: written auditor validation, 20+ discovery data points, 3–5 design partners, one measured case number → seed raise
Neither: honest hard conversation with 6 months runway left, not zero.
Launching with less is the right call.
Single-ISO install, no outbound data flow. Architectural moat SaaS competitors cannot copy. But regulated-enterprise procurement will not buy from a solo pre-revenue vendor yet. Year 2 play once references exist.
No SOC 2 control mapping exists yet — the policy engine is framework-agnostic, so it is a mapping rather than a rewrite. Our bet is that ISO 27001 infrastructure evidence is the wedge. SOC 2 gets un-denied and built in Aug–Sep only if discovery demands it.
Azure/GCP adapters are on the roadmap. AWS + Kubernetes MVP focus for now. Multi-cloud story scales once the core wedge is proven.
We are in discovery now. The roadmap shifts based on what auditors and the market tell us — customer signal, not the sales deck.