Go-to-Market Strategy (Validated)

Open-source wedge → Community-led growth → PLG → Sales-assisted expansion

  1. Win developer trust with a free, open-source security scanner (like early Snyk, Semgrep)
  2. Build community through security reports and thought leadership
  3. Convert to platform with discovery and trust score features
  4. Expand into enterprises through bottom-up adoption
  5. Layer on commerce only when the market supports it

Key revision: Prior GTM assumed launching all layers simultaneously. Validated approach: lead with security (most validated), defer commerce (least validated).


Personas (Prioritized by Validation Level)

| Persona | Description | Pain Point | Entry Product | Validation |
| --- | --- | --- | --- | --- |
| Security-Conscious Dev | Senior dev / team lead evaluating skills | “Is this MCP server safe to install? 32% have critical vulns.” | Findable Shield (free scanner) | HIGH |
| Discovery-Frustrated Dev | Developer overwhelmed by fragmented registries | “Skills are scattered across 9+ registries with no unified search.” | Findable Search (free) | MEDIUM-HIGH |
| Enterprise IT Admin | IT/Security manager at company using AI agents | “We need governance for what agents can discover and use.” | Enterprise governance | EMERGING |
| Skill Builder | Individual developer building MCP servers | “How do I get discovered and build trust?” | Free publishing + trust scores | MEDIUM |
| SaaS Vendor | Product manager wanting agent discovery | “How do agents find and choose our product?” | Agent SEO (DEFERRED) | LOW |

| Phase | Primary Segment | Revenue Model | Timeline |
| --- | --- | --- | --- |
| Phase 1 (Mo 1-4) | Security-conscious developers | Free (community) | Now |
| Phase 2 (Mo 4-8) | Discovery-frustrated developers | Free (funnel) + API subscriptions | Now |
| Phase 3 (Mo 8-14) | Enterprise IT/Security | Enterprise license ($30-80/user/mo) | 6-12 months |
| Phase 4 (Mo 14-24) | Skill builders + SaaS vendors | Commerce + Promote | 12-24 months |

| Channel | Tactic | Expected Impact | Basis |
| --- | --- | --- | --- |
| GitHub | Open-source scanner CLI; star the repo; contribute to MCP ecosystem | HIGH | Core developer channel |
| Hacker News | Security report launch; “Show HN” posts | HIGH | Viral potential for security data |
| Developer docs / blog | “State of Agent Skills Security” report + tutorials | HIGH | SEO + GEO + thought leadership |
| X/Twitter | Security findings, ecosystem analysis, developer tips | MEDIUM | Visibility + community |
| DEV Community | Deep-dive technical articles | MEDIUM | Long-tail traffic, developer trust |
| Discord / Slack | Active presence in Claude Code, MCP, OpenClaw communities | HIGH | Direct engagement |
| Product Hunt | Launch day for scanner | MEDIUM | One-time boost |

Channel ranking (validated): Documentation/Blog > HN > GitHub > X > DEV Community > Discord > Product Hunt. This matches the Resend/Supabase open-source playbook.

Content pillars:

  1. Security Reports — Data-driven, publishable findings
    • “We scanned 10,000 MCP servers. Here’s what we found.”
    • Monthly “Agent Skills Security Digest”
    • Quarterly deep-dive reports
    • Purpose: PR, authority, urgency
  2. Developer Tutorials — Practical, hands-on content
    • “How to secure your MCP server”
    • “Building a trustworthy agent skill”
    • Purpose: Organic traffic, developer acquisition
  3. Ecosystem Analysis — Market intelligence
    • “Skills ecosystem growth report”
    • “Registry comparison: which one should you use?”
    • Purpose: Authority, newsletter-worthy
  4. Enterprise Guides (Phase 3+)
    • “CISO’s guide to AI agent security”
    • “Agent skills governance playbook”
    • Purpose: Enterprise pipeline, lead gen

| Partner Type | Target Partners | Value Exchange | Priority |
| --- | --- | --- | --- |
| Agent Platforms | Claude Code team, OpenClaw foundation, Codex team | We provide scanning → they drive discovery to us | P0 |
| Existing Registries | Smithery, PulseMCP, Glama | We add trust scores to their listings → they drive traffic | P0 |
| Security Ecosystem | OWASP MCP project, CoSAI | Standards participation → credibility | P1 |
| Enterprise Security | Identity/governance vendors | Co-marketing → enterprise pipeline | P2 |

Critical note on Snyk partnership: Snyk acquired Invariant Labs. They are a competitor, NOT a partner. Do not pursue Snyk partnership — they will build competing features.


| Week | Activity |
| --- | --- |
| Week 1-2 | Build scanner MVP; start batch scanning major registries |
| Week 3-4 | Private alpha with 30-50 developers from MCP/Claude communities |
| Week 5-6 | Iterate on scanner based on feedback; compile security report |
| Week 7-8 | Prepare launch materials; seed report with tech journalists |

| Day | Activity | Channel |
| --- | --- | --- |
| Day -7 | Tease security findings on X/Twitter | Social |
| Day -3 | Send embargoed report to tech journalists | PR |
| Day 0 | Publish “State of Agent Skills Security” report | Blog |
| Day 0 | Open-source scanner CLI on GitHub | GitHub |
| Day 0 | Post on HN: “Show HN: We scanned 10K MCP servers for security” | HN |
| Day 0 | Post in MCP, Claude Code, OpenClaw communities | Discord/Slack |
| Day +1 | Launch on Product Hunt | PH |
| Day +3 | Deep-dive article on DEV Community | DEV |
| Day +7 | Follow-up: “What we learned from our first 1,000 community scans” | Blog |

Realistic launch targets:

| Metric | Target | Basis |
| --- | --- | --- |
| CLI downloads (first week) | 1,000-3,000 | Conservative; mcp-scan baseline |
| GitHub stars (first month) | 300-500 | Security tools with data-driven launches |
| Press mentions | 2-3 | Security data stories get coverage |
| Community engagement | Active discussion | Validated by recent MCP security discourse |

Prior targets revised: Prior plan assumed 5,000+ CLI downloads in first week and 3+ TechCrunch-level mentions. Those are aspirational, not expected.

| Activity | Cadence | Goal |
| --- | --- | --- |
| Security Digest newsletter | Monthly | Build email list, establish authority |
| New feature announcements | Bi-weekly | Momentum |
| Batch scanning new registries | Monthly | Grow indexed skills |
| Partnership announcements | As landed | Credibility + distribution |
| Conference talks / meetups | Quarterly | AI security conferences |

  • Unlimited free skill searching
  • 10 security scans per month (CLI)
  • Basic search across all registries
  • Public developer profile
  • Trust score viewing

| Trigger | Upgrade Path |
| --- | --- |
| Developer wants unlimited scanning | Pro ($29/mo) |
| Developer wants verified publisher badge | Pro ($29/mo) |
| Team wants private registry | Team ($30/user/mo) |
| Company needs policy engine | Business ($60/user/mo) |
| Company needs compliance reports + SLA | Enterprise (custom) |

  • US: Largest AI developer concentration; VC ecosystem; enterprise budgets
  • India: 2nd largest developer population; engineering hub; cost advantage
  • GDPR compliance creates demand for governance tools
  • Large enterprise market

Monthly Active Skill Consumers — unique users (humans or agents) who discover, evaluate, or scan a skill through Findable each month.

| Stage | Metric | Month 6 Target | Month 12 Target |
| --- | --- | --- | --- |
| Awareness | Monthly website visitors | 10K | 50K |
| Acquisition | New signups | 1K/mo | 5K/mo |
| Activation | First scan completed | 500/mo | 2K/mo |
| Revenue | Paying customers | 0-20 | 50-100 |
| Retention | Monthly active users (30-day) | 2K | 10K |

Prior targets revised: Month 6 was 50K visitors / 5K signups. Month 12 was 200K / 20K. These assumed viral distribution that isn’t guaranteed.


If Snyk launches a registry/discovery product:

  • They’ve already acquired Invariant Labs — this is likely
  • Response: Double down on cross-platform (Snyk is enterprise security, not discovery). Emphasize integrated trust + discovery + governance vs. scanning-only. Position as the “developer-friendly” alternative.

If Vercel skills.sh adds trust scores / security:

  • 110K installs in 4 days shows their distribution power
  • Response: Differentiate on cross-platform (they’re SKILL.md/Mastra-focused). Emphasize MCP + SKILL.md coverage. Go deeper on enterprise governance.

If Composio adds a public discovery layer:

  • They have $2M ARR and 200+ enterprise customers
  • Response: Emphasize open/cross-platform vs. their managed infra approach. They’re platform-specific; we’re neutral.

If Anthropic expands the official registry:

  • Currently “deliberately minimal” — but could change
  • Response: Position as the independent, cross-platform layer that works with ALL platforms including Anthropic’s. Enterprise governance and trust scores are differentiators Anthropic won’t build.
  • 40% of agentic AI projects may be canceled by 2027 (Gartner)
  • Response: Reduce burn; focus on profitable enterprise governance segment. Consider becoming the security scanning layer that integrates into existing platforms (B2B2B model).