Opportunity Analysis (Validated)
TAM Reality Check
Prior Estimates vs. Validated
| Metric | Prior Claim | Validated | Notes |
|---|---|---|---|
| Total addressable skills | 370,000+ | ~130-150K unique | SkillsMP overstated; ~28% duplicates, ~12% empty |
| TAM Year 5 | $350M-$3B | $28-115M | See breakdown below |
| Revenue Year 5 | $40-63M | $10-20M | Based on comparable revenue benchmarks |
| Marketplace GMV Year 5 | $3.6M/month | $0.5-3M/month | Current ecosystem total: <$100K/month |
Realistic TAM (2028-2030)
| Segment | Conservative | Aggressive | Basis |
|---|---|---|---|
| Enterprise governance (private registries + security) | $20M | $80M | 500-2,000 enterprises at $3K-$40K/year. Benchmarked against Docker Business ($24/user/mo) and early Snyk. |
| Security scanning API | $5M | $15M | 20-50 platform integrations at $50K-$300K/year |
| Marketplace commissions | $1M | $10M | Assumes $7-70M GMV at 15%. Highly speculative. |
| Promoted listings / Agent SEO | $2M | $10M | 200-500 SaaS vendors at $1K-$2K/month. Requires agent-autonomous discovery. |
| Total | $28M | $115M | |
Why the gap from prior estimates: The $350M-$3B range assumed 5M skills by 2028 with 5-10% monetizable. This requires 25-50x growth from today’s actual numbers and assumes developers will pay for skills — which has almost no evidence today.
Positioning Analogies: Honest Assessment
“npm for agent skills”
Verdict: WEAK analogy
npm won because:
- Bundled with Node.js — every Node developer got npm automatically
- Functionally necessary — you literally couldn’t install JS dependencies without it
- Lock-in through dependency trees — switching costs were real
MCP registries today:
- NOT bundled with any platform as the default
- NOT functionally necessary — you configure MCP servers manually via JSON
- NO dependency trees — MCP servers are standalone
The honest comparison: MCP registries are more like “search engine for tools” than package managers. The Official MCP Registry is explicitly designed as a minimal data feed, not npm.
“Snyk for agent skills”
Verdict: DANGEROUS analogy — because actual Snyk is entering this market
Snyk acquired Invariant Labs (creators of mcp-scan) and has $408M ARR with 5,000 enterprise customers. Claiming to be “the Snyk of agent skills” when Snyk itself is building MCP security is aspirational at best.
What could work: Being the security layer integrated with discovery and commerce — something Snyk doesn’t do. Snyk finds problems. Findable prevents them (trust scores, verified publishers, pre-installation scanning in the discovery flow).
“Stripe for agent skills”
Verdict: PREMATURE by 12-24 months
Stripe solved acute payment pain for millions of startups. Agent skill commerce barely exists (<$100K/month total ecosystem). Building Stripe Connect integration for this market today is engineering without customers.
When this becomes viable: When a paid MCP server generates $100K+ ARR (proving individual developer monetization works) and total ecosystem GMV exceeds $1M/month.
Timing Assessment
What’s Ready Now
| Area | Readiness | Evidence |
|---|---|---|
| Security scanning demand | HIGH | 32-41% critical vulns, OWASP/CoSAI/NIST publishing, real incidents |
| Discovery pain | MEDIUM-HIGH | Fragmented registries, DEV Community articles documenting pain, VS Code feature requests |
| Enterprise governance | MEDIUM | Composio has $2M ARR; compliance frameworks being published |
| Developer monetization | LOW | <$100K/month total ecosystem; open-source culture dominant |
| Agent-autonomous discovery | LOW | Experimental (Magg, TrueFoundry); humans still configure MCP manually |
Timeline
| Milestone | Estimated | Evidence |
|---|---|---|
| Security scanning essential | Now | Snyk, Enkrypt, OWASP, real incidents |
| Enterprise governance demand | 6-12 months | Composio revenue, NIST guidance, CrowdStrike $740M SGNL acquisition |
| Paid MCP market hits $1M/mo GMV | 12-18 months | Currently <$100K/mo; needs 10x growth |
| Agent-autonomous tool discovery standard | 18-24 months | Experimental today |
| Agent skill commerce at scale ($100M+ GMV/yr) | 24-36 months | Requires massive agent adoption growth |
Leading Indicators to Watch
- A paid MCP server generating $100K+ ARR — proves individual developer monetization
- Anthropic or OpenAI launching a marketplace — validates category (creates competition too)
- Enterprise RFPs for “agent skill governance” — proves enterprise budget exists
- Snyk launching dedicated MCP security tier — validates security revenue model
- Agent platforms building native discovery (not manual config) — proves autonomous discovery
White Space Analysis
| Category | Who’s Building | Gap for Findable |
|---|---|---|
| Security scanning | Snyk (Invariant), Enkrypt AI, Stacklok, Backslash | Integrated with discovery flow (scan before install) |
| Discovery/search | Smithery, PulseMCP, skills.sh, MCP.so, Glama | Cross-platform (MCP + SKILL.md), trust-scored |
| Commerce | Apify, 21st.dev, MCP Hive, MCPize | Cross-platform marketplace with billing |
| Enterprise governance | Composio, Stacklok | Governance + discovery + security in one platform |
| Verified publishing | Stacklok (Sigstore), Glama (namespace auth) | Publisher verification at scale |
Findable’s unique position: No one combines all five. The question is whether “integrated platform” beats focused players with real revenue and real distribution.
Go / No-Go Recommendation
GO — but with revised scope
Build — with these conditions:
- Lead with security scanner (open source) — This is the most validated wedge. Build community around it. Compete with mcp-scan. Differentiate by integrating scanning into the discovery flow.
- Build cross-platform discovery as free infrastructure — Not a revenue center. The funnel. Make it the best place to find any MCP server or skill across all registries.
- Enterprise governance as first revenue — Private registries, policy engine, audit logs. Price at $30-80/user/month. Target the same enterprises Composio and Stacklok serve.
- Defer commerce until evidence supports it — Don’t build Stripe Connect integration until ecosystem GMV exceeds $500K/month. Use the time to build the community and trust that makes Findable the natural marketplace when commerce does emerge.
CAUTION — watch for:
- Snyk launching a registry product (would significantly narrow the opportunity)
- Vercel skills.sh adding trust scores or security scanning
- Composio adding a public discovery layer
- Anthropic expanding the official registry beyond minimal metadata
NO-GO conditions:
- If after 12 months, <500 monthly active users on the discovery platform
- If Snyk launches an integrated registry + security + governance product
- If MCP ecosystem growth stalls (watch SDK downloads quarterly)