johan
/
clavitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clavitor/docs/MARKET-PLAN.md

194 lines
9.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# clavitor — Market Plan & Pricing Strategy
*Last updated: March 2026*
---
## The Strategic Frame: Ontmoedigende Voorsprong
The goal is not to be better. The goal is to make catching up irrational.
clavitor competes on four dimensions simultaneously — architecture, global infrastructure, price, and agent-native design. No competitor can match all four. The incumbents are structurally trapped by their existing architecture. Copycats face years of infrastructure and trust deficit plus an Elastic license that prohibits commercializing our code.
---
## Product Architecture (affects every market decision)
- Single Go binary + SQLite per POP node
- No credentials cached server-side — ever. Every access is a live fetch.
- Zero shared state between POPs — fully horizontal scaling
- Per-record replication for egress efficiency (not a security feature — egress cost control)
- Operator-blind by cryptographic architecture, not policy
- Open source under Elastic License 2.0 — verifiable, not forkable for commercial use
- Hans (automation bot) deploys a new clavitor POP in ~20 minutes, fully automated
**Why this matters for pricing:** Infrastructure cost per user approaches zero at scale. A sub-1MB SQLite vault on a $4/mo node serves any number of requests. The cost model is POPs × $48/mo, not users × infrastructure.
---
## Market Segments
### 1. Consumer / Individual
**Target:** Developers, privacy-conscious individuals, AI power users, anyone who received a LastPass breach notification.
**The pitch:** "The password manager the host cannot open. Your agents get in. Nobody else does."
**Pricing:**
- Self-hosted: **Free** (Elastic License — cannot be commercially repackaged)
- Hosted: **$12/year** (~$1/month)
**Competitive position:**
- 1Password: $36/year — and they can read your vault
- Bitwarden: $10/year — and they can read your vault
- clavitor: $12/year — and we cannot read your vault. Architecture, not policy.
**Timeline:** Now. This is the launch segment.
**Key features needed:** Browser extension, mobile app, MCP integration for agents.
---
### 2. SMB — Small & Medium Business (150 users)
**Target:** AI-native startups, dev agencies, small teams deploying AI agents. The companies building on Claude Code, Cursor, OpenClaw — where agents are already in production and credential management is a live problem.
**The pitch:** "Your agents are running. Are your credentials in a vault the vendor can read?"
**Pricing:**
- **$5/user/month** (~$60/user/year)
- Volume: small discount at 10+ seats
**Competitive position:**
- 1Password Teams: $7.99/user/month — they can read it
- Bitwarden Teams: $4/user/month — they can read it
- clavitor: $5/user/month — architecturally cannot
**Timeline:** 612 months post-launch. Requires team features: shared vaults, role-based access, admin console.
**Key blocker:** Team/shared vault management UI. Agent-to-agent credential sharing model.
---
### 3. MME — Mid-Market Enterprise (50500 users)
**Target:** Growing companies with a security-conscious IT team. Often have compliance requirements (SOC 2, ISO 27001, GDPR). Starting to deploy AI agents at scale. Procurement involves a security review.
**The pitch:** "The operator-blind architecture makes your vendor risk conversation easy. We cannot produce your vault contents in response to a subpoena. That's not a legal position — it's a cryptographic fact."
**Pricing:**
- **$8/user/month** (~$96/user/year)
- Annual contract discount: ~15%
- Volume: tiered at 100+, 250+, 500+ seats
**Competitive position:**
- 1Password Business: $7.99/user/month — they can read it; compliance exposure
- Okta (for AI Agents, GA April 2026): identity layer, not credential storage — different problem
- clavitor: $8/user/month, operator-blind, agent-native from day one
**Timeline:** 1218 months. Hard blocker: **SSO (SAML/OIDC)** — non-negotiable for enterprise IT. Without SSO, deals don't close above ~50 seats.
**Key features needed:** SSO, audit logs, admin-level vault management, SCIM provisioning, SLA.
---
### 4. Enterprise (500+ users)
**Target:** Large organizations with a CISO, formal vendor risk assessment, compliance requirements (SOC 2 Type II, ISO 27001, potentially FedRAMP). AI agent deployment at scale — hundreds of agents running workflows touching credentials.
**The pitch to the CISO:** "Your current password manager vendor is a liability in your threat model. They can be subpoenaed, breached, or coerced. clavitor removes the vendor from the equation entirely. We hold ciphertext. There is nothing to produce."
**Pricing:**
- **$23/user/month at volume** (negotiated annual contract)
- 1,000 users: ~$2436k/year vs. 1Password at ~$84k/year
- CFO math is trivial — the conversation is about security posture, not price
**Competitive position:**
- 1Password Enterprise: ~$7/user/month + implementation
- CyberArk PAM: $50100/user/month — different category but same budget line
- clavitor: fraction of the cost, stronger architectural guarantee, agent-native
**Timeline:** 23 years minimum. Requires: SOC 2 Type II audit, PAM integration (CyberArk, BeyondTrust), SIEM integration, SLA with penalties, dedicated support, professional services for onboarding.
**Key blocker:** SOC 2 Type II and formal security audits. Without these, enterprise procurement won't proceed regardless of price or architecture.
---
### 5. MSP — Managed Service Providers
**Target:** IT service providers managing infrastructure and security for multiple client companies. Johan's background: Iaso Backup → Cove (now N-able) → Kaseya/Datto gives direct access to the MSP distribution channel. This is a high-leverage segment.
**The pitch to the MSP:** "Sell your clients a password manager you can prove is safe. Your margin is built in. Your clients pay less than 1Password direct. You never touch their credentials — architecture guarantees it."
**Pricing model:**
- MSP wholesale: **~$2/user/month**
- MSP resell to end client: **~$45/user/month**
- MSP margin: $23/user/month — substantial at scale
- Example: 50 clients × 20 users = 1,000 seats. MSP revenue: $4k/month. MSP cost: $2k/month. $2k/month margin, zero infrastructure ops.
**Competitive position:**
- Most MSPs resell 1Password or Bitwarden — margins are thin, product is generic
- clavitor offers a differentiated story the MSP can sell: "we chose a vault your vendor can't read"
- Johan's existing relationships in the MSP/RMM ecosystem (N-able, Kaseya) are a direct distribution asset
**Key considerations:**
- ⚠️ **Elastic License 2.0 review required** — the license prohibits managed service deployment of the open-source version. MSP model requires either a commercial license exception or a separate MSP licensing tier. Needs legal review before committing to this channel.
- MSP integrations needed: RMM plugins (N-able, Kaseya, ConnectWise), PSA integration, multi-tenant admin console
**Timeline:** Parallel track to SMB. Johan's network makes this accessible early, but the license question must be resolved first.
---
## Pricing Summary
| Segment | Price | Competitor | Competitor price |
|---------|-------|------------|-----------------|
| Consumer (hosted) | $12/year | 1Password | $36/year |
| Consumer (self-hosted) | Free | Bitwarden | $10/year |
| SMB | $5/user/month | 1Password Teams | $7.99/user/month |
| MME | $8/user/month | 1Password Business | $7.99/user/month |
| Enterprise | $23/user/month (volume) | 1Password Enterprise | ~$7/user/month |
| MSP (wholesale) | ~$2/user/month | varies | varies |
---
## Global Infrastructure
23 confirmed POPs today. AWS + is*hosting (verified via Looking Glass). Fully horizontal — adding a POP costs $48/month and 20 minutes of Hans's automated deployment.
**Current coverage:**
- Americas: Virginia, San Francisco, Montréal, Mexico City, Bogotá, São Paulo, Santiago, Buenos Aires
- Europe: London, Zürich, Madrid
- Middle East/Turkey: Istanbul, Dubai
- Africa: Cape Town (black spots: West Africa, East Africa — infrastructure gap, not policy)
- Asia-Pacific: Mumbai, Singapore, Hong Kong, Seoul, Tokyo, Sydney, Almaty (Central Asia — unique)
**Key claim:** clavitor doesn't care who the landlord is. AWS, Azure, is*hosting, a Starlink node in Lusaka — the ciphertext is the same everywhere. No competitor can say that because their architecture requires trusting the infrastructure.
---
## Roadmap Dependencies by Segment
| Feature | Consumer | SMB | MME | Enterprise | MSP |
|---------|----------|-----|-----|------------|-----|
| Browser extension | ✅ needed | ✅ | ✅ | ✅ | ✅ |
| MCP / agent API | ✅ needed | ✅ | ✅ | ✅ | ✅ |
| Team/shared vaults | — | ✅ blocker | ✅ | ✅ | ✅ |
| Admin console | — | ✅ needed | ✅ | ✅ | ✅ |
| SSO (SAML/OIDC) | — | — | ✅ blocker | ✅ | ✅ |
| Audit logs | — | — | ✅ needed | ✅ | ✅ |
| SCIM provisioning | — | — | — | ✅ blocker | ✅ |
| SOC 2 Type II | — | — | recommended | ✅ blocker | ✅ |
| PAM integration | — | — | — | ✅ needed | — |
| Multi-tenant console | — | — | — | — | ✅ blocker |
| Commercial MSP license | — | — | — | — | ✅ blocker |
---
## The Founder Advantage
Johan Jongsma founded Iaso Backup — the same distributed, stateless, horizontal-scaling architecture clavitor uses. Sold to GFI → LogicNow → SolarWinds → N-able (now Cove). Four acquirers, still in production 15+ years later.
This is not an analogy. This is a proven track record with the exact architectural pattern clavitor runs on. The second time is faster, cheaper, and with better tooling.
Reference in New Issue View Git Blame Copy Permalink