Product Vision (Validated)

Findable is the platform where AI agent skills are discovered, trusted, and governed. We start as the security and trust layer the ecosystem desperately needs, grow into the cross-platform discovery standard, and earn the right to add commerce only when the market proves ready.

Key revision: The original vision described “npm + Snyk + Stripe” in one platform. The validated view: npm for agent skills is a weak analogy (see Opportunity Analysis), Snyk is literally entering this market ($408M ARR, acquired Invariant Labs), and Stripe-style commerce is premature (<$100K/month total ecosystem revenue). We lead with what’s validated: security and discovery.


“There are ~130-150K skills across fragmented registries. I don’t know which ones are safe — 32-41% of MCP servers have critical vulnerabilities, 7.1% of ClawHub skills leak credentials.”

Evidence: Enkrypt AI (32% critical vulns), earezki.com (41% lack auth), Snyk (7.1% credential leaks). See Market Research doc.

“We want our teams to use AI agents, but we can’t let them install random skills. 57% of orgs already have agents in production, but there’s no governance infrastructure.”

Evidence: LangChain survey (57% agents in production), Composio ($2M ARR proves enterprise budget exists). CrowdStrike $740M SGNL acquisition proves identity/governance market.

“I built a great MCP server, but discoverability is terrible. Skills are scattered across Smithery, MCP.so, PulseMCP, Glama, and GitHub with no unified search.”

Evidence: 5+ registries with different catalogs (518 to 17,867 entries). DEV Community articles documenting discovery pain. VS Code issue #286900 requesting skills marketplace.

For SaaS Vendors (DEFERRED — 12-18 months)

“AI agents are the new distribution channel, but agent-autonomous tool discovery is experimental today.”

Evidence: Agent SEO and agent-autonomous discovery are 18-24 months from mainstream (see Opportunity Analysis timing assessment).


PHASE 1-4 (Months 1-8): SECURITY SCANNER
┌──────────────────────────────────────────┐
│  Findable Shield (Open Source)           │
│                                          │
│  • Static analysis (API keys, creds)     │
│  • Prompt injection detection            │
│  • Malware signature matching            │
│  • Dependency vulnerability scanning     │
│  • Permission mapping                    │
│  • Trust Score (0-100)                   │
│  • CLI: npx findable scan <path>         │
└──────────────────────────────────────────┘
PHASE 4-8 (Months 4-8): CROSS-PLATFORM DISCOVERY
┌──────────────────────────────────────────┐
│  Findable Search (Free)                  │
│                                          │
│  • Aggregates: MCP Registry, Smithery,   │
│    PulseMCP, Glama, MCP.so, skills.sh,   │
│    GitHub, SkillsMP, ClawHub             │
│  • Trust scores displayed on all results │
│  • Semantic + keyword search             │
│  • Platform compatibility filters        │
│  • Findable MCP Server (agent-facing)    │
└──────────────────────────────────────────┘
PHASE 8-14 (Months 8-14): ENTERPRISE GOVERNANCE
┌──────────────────────────────────────────┐
│  Findable Enterprise (Paid)              │
│                                          │
│  • Private skill registries              │
│  • Policy engine (allowlists/blocklists) │
│  • Approval workflows                    │
│  • SSO/SCIM integration                  │
│  • Audit logs                            │
│  • Compliance reports                    │
│  Pricing: $30-80/user/month              │
└──────────────────────────────────────────┘
PHASE 14-24 (Months 14-24): COMMERCE (IF VALIDATED)
┌──────────────────────────────────────────┐
│  Findable Commerce (Conditional)         │
│                                          │
│  ONLY build when:                        │
│  • Ecosystem GMV > $500K/month           │
│  • A paid MCP server hits $100K+ ARR     │
│  • Enterprise customer base established  │
└──────────────────────────────────────────┘

1. Findable Shield (Security/Trust Layer) — PRIMARY WEDGE

What: Open-source security scanner + trust scoring for agent skills.

Why this is the wedge:

  • Most validated demand signal (32-41% critical vulns, real incidents)
  • OWASP, CoSAI, NIST all publishing security frameworks NOW
  • Open-source model works (Snyk started open-source, grew to $408M ARR)
  • Creates community + brand before monetizing

Features:

  • Static analysis: API key/credential leak detection
  • Prompt injection detection (LLM-based)
  • Malware signature matching
  • Dependency vulnerability scanning
  • Permission mapping (file access, network calls, system commands)
  • Trust Score (0-100) based on: security scan (30%), publisher reputation (20%), community signals (15%), code quality (15%), age/stability (10%), transparency (10%)
  • Verified Publisher program (identity verification + code signing)
  • Continuous monitoring — re-scan on every update
  • Public trust score badges (embeddable)

Monetization:

  • Free: CLI scanner, basic scanning
  • API tier: $0.01-0.05 per scan (for platforms integrating scanning)
  • Enterprise tier: continuous monitoring, compliance reports ($500-2,000/mo)

Competitive differentiation vs. Snyk/Invariant Labs: Snyk focuses on finding problems. Findable integrates scanning into the discovery flow — scan before install. Trust scores visible at the point of decision, not after deployment.

2. Findable Search (Discovery Layer) — FREE FUNNEL

What: Cross-platform skill discovery engine covering both MCP servers and SKILL.md skills.

Why cross-platform matters: No existing registry covers both MCP and SKILL.md. Smithery is MCP-only. skills.sh is SKILL.md-focused. Official MCP Registry is deliberately minimal (518 servers, metadata feed only). Anthropic explicitly leaves discovery to third parties.

Features:

  • Aggregates from 9+ sources: MCP Registry, Smithery, PulseMCP, Glama, MCP.so, skills.sh, SkillsMP, ClawHub, GitHub
  • Semantic search — “find a skill to manage my calendar” (not just keywords)
  • Filters: platform compatibility, security score, rating, category, protocol (MCP/SKILL.md)
  • Trust scores displayed on all results
  • Categories and curated collections
  • CLI: npx findable search "email automation"
  • Findable MCP Server — agents discover skills through us programmatically

Monetization: Free (acquisition channel for enterprise and future commerce)

3. Findable Enterprise (Governance Layer) — FIRST REVENUE

What: Enterprise-grade skill management and governance.

Why this is first revenue:

  • Composio proves $2M ARR is achievable in agent tool governance
  • CrowdStrike’s $740M SGNL acquisition validates identity/governance budget
  • NIST/OWASP publishing compliance frameworks creates enterprise urgency
  • Enterprise governance is where Snyk doesn’t play (they scan, they don’t govern)

Features:

  • Private skill registries (org-only visibility)
  • Policy engine: allowlists/blocklists, category restrictions, trust score thresholds
  • Approval workflows (request → review → approve → install)
  • SSO integration (Okta, Azure AD, Google Workspace)
  • SCIM provisioning
  • Audit log — who installed what, when, data accessed
  • Compliance reports (SOC2, GDPR)
  • Cost management dashboard

Pricing:

  • Team: $30/user/mo (private registry, basic policies, SSO)
  • Business: $60/user/mo (advanced policies, audit logs, compliance)
  • Enterprise: custom ($80+/user/mo, self-hosted option, SLA)

4. Findable Commerce (Monetization Layer) — DEFERRED

What: Payment infrastructure for paid skills — but ONLY when the market supports it.

Current state of agent skill commerce:

  • Total ecosystem: <$100K/month revenue
  • Only documented individual success: 21st.dev at ~$400/mo MRR
  • Best model: Apify (80% developer payout, pay-per-event)
  • Open-source culture dominates

Build triggers (ALL must be met):

  1. A paid MCP server generating $100K+ ARR (proves individual monetization)
  2. Total ecosystem GMV exceeds $500K/month (10x from today)
  3. Findable has 500+ enterprise users on governance tier

When built, features will include:

  • Stripe Connect integration
  • Multiple pricing models (subscription, usage-based, freemium)
  • Developer revenue dashboard
  • 15% commission (individual developers), 20% (SaaS-connected skills)

Journey 1: Security-Conscious Developer (PRIMARY — NOW)

1. Discovers Findable Scanner via GitHub / HN post / security report
2. Runs `npx findable scan ./my-mcp-server/`
3. Gets trust score + security findings
4. Fixes issues, re-scans, achieves 90+ score
5. Publishes trust score badge on GitHub README
6. Uses Findable Search to evaluate other skills before installing

Journey 2: Enterprise IT Admin (MONTHS 8-14)

1. Multiple developers at the company already use Findable Scanner
2. IT admin sees need for governance (Gartner/NIST guidance triggers RFP)
3. Signs up for Findable Enterprise
4. Creates policy: "Only skills with trust score > 80, verified publisher"
5. Curates approved skill catalog
6. Employees install from approved catalog
7. All installations logged with audit trail

Journey 3: Skill Developer Seeking Discovery (MONTHS 4-8)

1. Has an MCP server on Smithery with low visibility
2. Searches Findable, sees their skill indexed with a trust score
3. Optimizes their skill based on trust score recommendations
4. Skill appears higher in Findable Search results
5. Install count grows via cross-platform discovery

  1. Security-first — Every skill scanned. Trust is the product, not a feature.
  2. Open-source wedge — Scanner CLI is open-source. Proprietary value in trust database, enterprise governance, and platform integrations.
  3. Platform-neutral — Support every agent platform equally. We’re Switzerland. MCP + SKILL.md + future protocols.
  4. Earn the right to monetize — Free discovery and security first. Commerce only when the ecosystem supports it.
  5. Enterprise-ready by design — Don’t bolt on security and compliance later.

| Phase | Primary Metric | Target | Basis |
| --- | --- | --- | --- |
| Phase 1 (0-4 mo) | CLI downloads | 5,000+ | Comparable: mcp-scan open-source adoption |
| Phase 2 (4-8 mo) | Monthly active searchers | 10,000+ | Conservative; Smithery gets 322K monthly visits |
| Phase 3 (8-14 mo) | Enterprise pilot customers | 20-50 | Composio has 200+ at $2M ARR |
| Phase 4 (14-24 mo) | Enterprise ARR | $200K+ | 50-100 customers at $30-80/user/mo |

Note: Prior targets (100K monthly searchers by Month 12, $1M GMV/month by Month 18) were aspirational. These targets are calibrated against comparable companies’ actual traction.


  • An agent platform — We don’t compete with Claude, Codex, or OpenClaw
  • A skills framework — We don’t define SKILL.md or MCP specs
  • A Stripe clone (yet) — Commerce is deferred until market proves ready
  • A Snyk clone — We’re integrated trust + discovery + governance. Snyk does scanning only.
  • A hosting platform — We don’t run MCP servers (Smithery and Apify do that)