Product Roadmap (Validated)
Roadmap Philosophy
Section titled “Roadmap Philosophy”Security Wedge → Discovery Funnel → Enterprise Revenue → Commerce (if validated)
Start with the most urgent, most validated pain (security). Use it to build community and brand. Layer on discovery as the free funnel. Monetize through enterprise governance. Only add commerce when the ecosystem GMV justifies it.
Key revision: Original roadmap assumed 5 overlapping phases reaching $63M ARR by Year 5 with 500K registered developers. Validated targets: $10-20M ARR by Year 5, 50K-100K registered developers. Commerce phase is now conditional, not guaranteed.
Phase 1: Open-Source Security Scanner (Months 1-4)
Section titled “Phase 1: Open-Source Security Scanner (Months 1-4)”Theme: Build community and brand through a free, open-source security tool
Deliverables
Section titled “Deliverables”| # | Feature | Priority | Effort |
|---|---|---|---|
| 1.1 | Security scanner v1 (API key detection, malware patterns, prompt injection checks) | P0 | 3 weeks |
| 1.2 | SKILL.md parser (full spec + MCP server manifest support) | P0 | 2 weeks |
| 1.3 | CLI tool (npx findable scan <path>) | P0 | 1 week |
| 1.4 | Trust Score algorithm v1 | P0 | 1 week |
| 1.5 | GitHub repo + open-source (MIT license for scanner) | P0 | 1 week |
| 1.6 | Landing page + docs site | P0 | 1 week |
| 1.7 | ”State of Agent Skills Security” report — scan 10K+ skills, publish findings | P0 | 2 weeks |
| 1.8 | Batch scanning of major registries (Smithery, PulseMCP, MCP.so) | P1 | 2 weeks |
Key Decisions
Section titled “Key Decisions”- Open-source model: Scanner CLI is MIT-licensed (like Snyk CLI was). Trust database and enterprise features are proprietary.
- Scanner approach: Build our own static analyzer + integrate Semgrep for known patterns. LLM-based semantic analysis for prompt injection.
- Database: PostgreSQL + pgvector for semantic search from day one.
Go-to-Market
Section titled “Go-to-Market”- Publish “State of Agent Skills Security” report — drives PR and awareness
- Launch on HN: “Show HN: We scanned 10K MCP servers. 32% have critical vulnerabilities.”
- Open-source the scanner CLI — drives developer adoption
- Active presence in Claude Code, OpenClaw, and MCP communities
Metrics Target
Section titled “Metrics Target”| Metric | Target | Basis |
|---|---|---|
| CLI downloads | 5,000+ | mcp-scan baseline adoption |
| Skills scanned (total) | 10,000+ | Major registries combined |
| GitHub stars | 500+ | Comparable security tool launches |
| Security report mentions | 3+ publications | Data-driven reports get coverage |
Exit Criteria
Section titled “Exit Criteria”- Can scan any SKILL.md or MCP server manifest for security issues
- Trust Score algorithm producing meaningful differentiation
- At least one security finding published that gets community attention
Phase 2: Cross-Platform Discovery (Months 4-8)
Section titled “Phase 2: Cross-Platform Discovery (Months 4-8)”Theme: Become the best place to find any agent skill across all registries
Deliverables
Section titled “Deliverables”| # | Feature | Priority | Effort |
|---|---|---|---|
| 2.1 | Multi-registry ingestion pipeline (Official MCP Registry, Smithery, PulseMCP, Glama, MCP.so, skills.sh, SkillsMP, ClawHub, GitHub) | P0 | 3 weeks |
| 2.2 | Semantic search (intent-based: “I need to automate email follow-ups”) | P0 | 3 weeks |
| 2.3 | Web UI with trust scores displayed on all results | P0 | 3 weeks |
| 2.4 | Findable MCP Server (agents can discover skills through us) | P0 | 2 weeks |
| 2.5 | Category taxonomy (20+ categories) | P1 | 1 week |
| 2.6 | Scanner v2 (deep analysis: dependency scanning, data flow analysis) | P0 | 3 weeks |
| 2.7 | Public Trust Score badges (embeddable — like “Snyk verified”) | P1 | 1 week |
| 2.8 | Scanning API v1 (for platforms to integrate) | P1 | 2 weeks |
| 2.9 | Browser extension (show trust score on Smithery, MCP.so, GitHub) | P2 | 2 weeks |
| 2.10 | Developer accounts (GitHub OAuth) | P1 | 1 week |
Critical Milestone: Findable MCP Server
Section titled “Critical Milestone: Findable MCP Server”Build an MCP server that any agent (Claude, OpenClaw, Codex) can connect to. When a user asks their agent to “find a skill for X,” the agent queries Findable directly. This makes us the discovery layer inside the agent — not just a website.
Metrics Target
Section titled “Metrics Target”| Metric | Target | Basis |
|---|---|---|
| Skills indexed | 50,000+ | Major registries aggregated |
| Monthly active searchers | 10,000+ | Conservative; Smithery gets 322K/mo |
| CLI downloads (cumulative) | 15,000+ | Growth from Phase 1 |
| Scanning API integrations | 2-3 platforms | Partnership pipeline |
| Verified publishers | 100+ | Quality over quantity |
Phase 3: Enterprise Governance (Months 8-14)
Section titled “Phase 3: Enterprise Governance (Months 8-14)”Theme: First revenue from enterprise skill management
Deliverables
Section titled “Deliverables”| # | Feature | Priority | Effort |
|---|---|---|---|
| 3.1 | Private skill registries (org-only visibility) | P0 | 4 weeks |
| 3.2 | Policy engine (allowlists, blocklists, trust score thresholds) | P0 | 4 weeks |
| 3.3 | SSO integration (Okta, Azure AD, Google Workspace) | P0 | 3 weeks |
| 3.4 | Approval workflows (request → review → approve → install) | P0 | 3 weeks |
| 3.5 | Audit log (who installed what, when, data accessed) | P0 | 3 weeks |
| 3.6 | Admin console with role-based access | P0 | 3 weeks |
| 3.7 | Verified Publisher program (full identity verification) | P1 | 2 weeks |
| 3.8 | SCIM provisioning | P1 | 2 weeks |
| 3.9 | Compliance report generation (SOC2, GDPR) | P1 | 3 weeks |
| 3.10 | Cost management dashboard | P2 | 2 weeks |
Enterprise GTM
Section titled “Enterprise GTM”- Target: Companies already using Claude Code, Codex, or OpenClaw at scale
- Sales motion: PLG (free scanner users → team adoption → enterprise inquiry → sales)
- Signal triggers: 5+ users from same company domain; enterprise email signups
- Initial verticals: Tech companies, financial services, consulting firms
- Pricing: Team $30/user/mo, Business $60/user/mo, Enterprise custom
Metrics Target
Section titled “Metrics Target”| Metric | Target | Basis |
|---|---|---|
| Enterprise pilot customers | 20-50 | Conservative; Composio has 200+ at $2M ARR |
| Average contract value | $2,000-4,000/mo | 50-100 seats at $30-60/user/mo |
| Enterprise ARR run rate | $200K+ | 20+ customers |
| Net revenue retention | 120%+ | Seat expansion within organizations |
Phase 4: Commerce Layer (Months 14-24) — CONDITIONAL
Section titled “Phase 4: Commerce Layer (Months 14-24) — CONDITIONAL”Theme: Marketplace for paid skills — ONLY IF evidence supports it
Build Triggers (ALL must be met before starting Phase 4)
Section titled “Build Triggers (ALL must be met before starting Phase 4)”| Trigger | Current State | Required State |
|---|---|---|
| Paid MCP server generating $100K+ ARR | No known examples | At least 1 |
| Total ecosystem GMV | <$100K/month | >$500K/month |
| Findable enterprise customers | 0 | 50+ |
| Agent-autonomous tool discovery | Experimental | Early mainstream |
Deliverables (if triggered)
Section titled “Deliverables (if triggered)”| # | Feature | Priority | Effort |
|---|---|---|---|
| 4.1 | Stripe Connect integration (developer payouts) | P0 | 3 weeks |
| 4.2 | Pricing models: subscription, usage-based, freemium | P0 | 4 weeks |
| 4.3 | Developer revenue dashboard | P0 | 3 weeks |
| 4.4 | License key generation and management | P1 | 2 weeks |
| 4.5 | Promoted listings (self-serve) | P1 | 3 weeks |
| 4.6 | In-agent purchasing flow | P1 | 4 weeks |
If NOT triggered by Month 14:
Section titled “If NOT triggered by Month 14:”- Continue deepening enterprise governance features
- Expand scanning capabilities
- Build partnerships with existing commerce players (Apify, MCPize)
- Re-evaluate at Month 18 and Month 24
Roadmap Summary Timeline
Section titled “Roadmap Summary Timeline”Month: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ... 24 ├───────────────┤ Phase 1: Security Scanner (Open Source) ├──────────────────┤ Phase 2: Discovery Engine ├───────────────────┤ Phase 3: Enterprise Governance ├──────────┤ Phase 4: Commerce (CONDITIONAL)Resource Requirements (Realistic)
Section titled “Resource Requirements (Realistic)”| Phase | Engineers | Design | Biz/GTM | Total |
|---|---|---|---|---|
| Phase 1 (Mo 1-4) | 2-3 | 0-1 | 0 | 2-4 |
| Phase 2 (Mo 4-8) | 3-4 | 1 | 1 (DevRel) | 5-6 |
| Phase 3 (Mo 8-14) | 4-5 | 1 | 2 (incl. sales) | 7-8 |
| Phase 4 (Mo 14-24) | 5-6 | 1 | 3 | 9-10 |
Key revision: Prior plan projected 65 headcount by Year 5. Realistic plan keeps team lean (10-15) until revenue justifies expansion. India engineering hub for cost efficiency.
Leading Indicators to Watch
Section titled “Leading Indicators to Watch”These external signals determine whether we accelerate, maintain, or pivot:
| Signal | Watch For | Impact |
|---|---|---|
| Paid MCP server hits $100K+ ARR | Validates commerce layer | Accelerate Phase 4 |
| Snyk launches registry product | Narrows our security positioning | Pivot to governance-first |
| Anthropic expands official registry | Changes discovery landscape | Adjust discovery strategy |
| Composio adds public discovery | Direct competition on our funnel | Differentiate on cross-platform |
| Enterprise RFPs for “agent skill governance” | Proves enterprise budget | Accelerate Phase 3 |
| MCP SDK downloads plateau | Ecosystem growth stalling | Re-evaluate entire thesis |