I was thinking the same while building a SaaS that uses external AI APIs and wondering "what am I really building?". Can't anybody just piece everything together and recreate my tool? The answer is no. I spent a really long time searching for the right APIs, testing, refining prompts, so it's much more convenient for anybody to buy my product than trying to reproduce the same outcomes.
Giuseppe
Vertical SaaS is the way... I just signed a deal with a local truck body builder. They refuse to answer Salesforce calls and I took the opportunity to build them a rules engine to integrate their sales to production workflows. More than just a standard CPQ.
I’d love to learn more!
Hey Tom! Thanks for the follow, you will get more on this in my upcoming issue of Renew Your Mind 🫡
The “sliver” framing is exactly right, and I think it explains why compliance tooling is one of the few SaaS categories that might hold up differently.
Most compliance buyers — especially in fintech and B2B SaaS — aren’t buying GRC platforms because they love the feature set. They’re buying because the audit requires evidence of a process, and the tool creates that paper trail. The moment composable alternatives can produce equally auditor-acceptable evidence, the monolithic GRC argument collapses fast.
What I’m watching is whether the Vanta/Drata model survives this shift. Right now they’re selling the bundle — controls, monitoring, audit prep, integrations — and it works because the startup just wants the certification. But as founders get more comfortable with agents and composable tooling, the question becomes: why pay for the whole platform when I can wire together the pieces that cover my actual control gaps?
The companies that survive are probably the ones that take the WorkOS/Stripe approach — become the compliance infrastructure layer that other tools build on, not the tool that tries to own the whole workflow.
API-first compliance infrastructure is underbuilt. That’s where I’d be placing bets.
Eh, everybody likes to build exciting new apps. Nobody likes to maintain them. Or even worse, budget for maintaining them after that smart tech person who built it leaves the company and goes somewhere else. Just try explaining to your CFO why the sales team is spending time installing npm packages for routine security fixes instead of selling.
SaaS companies will become more nimble and SaaS in general is becoming less monolithic, but most companies aren't exactly great at building and maintaining production software, even with modern AI coding tools.