clawd/drafts/vault1984-market-research.md


vault1984 — Market Research

March 2026


Market Context

The global password management market is ~$3.5B in 2026, growing at ~22% CAGR toward $10-27B by 2030-2035 (multiple analyst estimates converge on this range). Growth drivers: AI agent adoption, rising breach frequency, regulatory pressure (NIS2, SOC2, ISO27001), and workforce credential sprawl.

The AI agent angle is newly validated. AgentMail raised $6M in early 2026 for "email inboxes for AI agents" — agent-native infrastructure is becoming a funded category. No incumbent password manager was built for agents. They're bolting on MCP. vault1984 was designed from day one around the agent access model.


Consumer — Individuals

The situation

The consumer password manager market is mature but largely untapped by paid products — most people use the free tier of Bitwarden, their browser's built-in manager, or Apple Keychain. The 2022 breach was a wake-up call. Millions of consumers received emails telling them their vault data had been stolen. Most changed their master password and moved on. A smaller number looked for something structurally better.

vault1984's architecture speaks directly to what they feared: that their passwords were stolen and could be cracked. The answer — "your passwords were encrypted with a key derived from your hardware, not a master password we could guess" — is the clearest possible differentiation from every product they've used before.

Market potential

Large but fragmented. The challenge is Apple Keychain and Google Password Manager — both free, deeply integrated, and "good enough" for most consumers. vault1984 competes for the security-conscious subset who have specifically been affected by a breach or who understand why hardware-derived encryption is different.

The AI agent angle is less relevant for consumers today, but grows as agents become mainstream household tools.

Competitors

| Player | Pricing | Notes |
|---|---|---|
| Apple Keychain | Free | Deeply integrated, no agent support |
| Google Password Manager | Free | Same |
| 1Password | $3/month ($36/yr) | Strong brand, server can read |
| Bitwarden | $10/yr premium | Open source, server can read (hosted) |
| Dashlane | $4/month | Server can read |
| NordPass | $2.49/month | Server can read |

vault1984 advantage: The breach story. WebAuthn-only (no master password to forget or leak). $12/year makes it price-competitive with premium tiers.

vault1984 gap: Mobile — consumers need native iOS/Android apps. UX polish. Browser extension that just works. The consumer market is unforgiving on friction.

Required features to compete

  • Native iOS / Android app (critical)
  • Polished onboarding for non-technical users
  • Family plan (multiple users, shared vault)
  • Password health / breach monitoring
  • Recovery flow for lost hardware key

TAM

The consumer segment is compressed by free competition. Apple Keychain, Google Password Manager, and browser built-ins are free, deeply integrated, and good enough for most people. The theoretical 300M potential users is not a useful number — most will never pay.

Realistic addressable market: people who actively seek something beyond the built-in (cross-platform, breach-conscious, not locked to one ecosystem).

  • ~20M people currently paying for a consumer password manager (1Password, Bitwarden Premium, Dashlane)
  • vault1984 price: $12/yr
  • Realistic consumer TAM: ~$240-600M
  • Near-term trigger: ~5-10M people primed to switch following the 2022 breach — they received the notification, they're looking for something structurally different

Pricing

$12/yr (current) is well-positioned. Family plan at $24/yr (5 users) would follow market norms.


Techies — Developers, AI Builders, Security Researchers

The situation

This is vault1984's beachhead. Developers using Claude Code, Codex, Cursor, and Windsurf have the agent credential problem right now. They self-host because they understand the architecture and trust themselves more than any hosted service. They're the ones who read the Orwell quote and immediately understand what it means.

This segment doesn't convert primarily through paid subscriptions — many will self-host for free. Their value is disproportionate: they share on HN and X, bring their teams with them, and validate the product with the technical credibility that makes the rest of the market take notice.

Market potential

Smaller by direct revenue, larger by influence. A single viral HN thread from this segment is worth more than 10,000 consumer signups in terms of top-of-funnel impact across every other segment.

The ones who choose hosted rather than self-hosted are a clean revenue signal: they've evaluated the product, decided it's worth paying for, and are volume-small but highly retentive.

Competitors

None with vault1984's architecture. The closest:

  • Bitwarden self-hosted (server-side encryption, not operator-blind)
  • HashiCorp Vault (secrets management for infra, not human credentials)
  • pass (CLI password manager — no agent integration, no WebAuthn)

vault1984 advantage: This is the natural home audience. The encryption argument is immediately understood. The MCP integration is valued. The one-binary deployment is respected.

vault1984 gap: Self-hosting is free — conversion to paid hosted requires making the hosted experience demonstrably better (uptime, cross-device sync, automatic backups) than the friction of running their own server.

TAM

  • ~50M developers globally; ~15M actively paying for a password manager
  • vault1984 pricing: $12/yr (hosted)
  • Many self-host free — realistically ~30% of techie users would choose hosted
  • TAM (hosted revenue): ~$54M — small by market standards
  • Strategic value: outsized. This segment is the distribution engine for every other segment.

Pricing

$12/yr stays right. Consider a "power user" tier at $24/yr with higher storage, API access, and additional MCP features. Do not introduce friction for self-hosters.


SMB — Small & Medium Business (1-250 employees)

The situation

SMBs are the fastest-growing segment for credential management. They lack dedicated security teams, use AI agents actively (Claude Code, Cursor, Codex are mainstream tools in this segment), and make purchase decisions fast. The pain: their current password manager gives agents all-or-nothing access, and nobody has verified whether the operator can read their vault.

Market potential

Largest volume segment. Price-sensitive but willing to pay for something that solves a real problem simply. AI-native companies in this cohort are the early adopters — they feel the agent credential problem acutely.

Competitors

| Player | Pricing | AI/Agent story | Encryption |
|---|---|---|---|
| 1Password Teams | $4/user/month | MCP plugin (bolted on) | Server can read |
| Bitwarden Teams | $4/user/month | MCP plugin (bolted on) | Server can read (hosted) |
| Dashlane Business | $5/user/month | None | Server can read |
| NordPass Business | $4/user/month | None | Zero-knowledge claim |

vault1984 advantage: Designed for agent access. Superior encryption architecture. No master password friction. One binary, self-host option.

vault1984 gap: No team features yet. No multi-user vault management, no user provisioning, no shared vault concept. Must be built before this segment is addressable.

Required features to compete

  • Organization accounts (owner + members)
  • Shared credential vaults (team-level, not just individual)
  • Admin console — invite, remove, view audit log
  • Per-user MCP token management
  • Basic policy (enforce 2FA, session timeout)
  • Email-based onboarding

Pricing opportunity

Market rate is $4-6/user/month. vault1984's strategy is not to match the market — it's to make competition economically irrational.

Target: $2-3/user/month. Same product, fraction of the price. At this level no VC funds a competitor — the market is already priced out. Revenue model is volume, not margin.


MME — Mid-Market Enterprise (250-2,000 employees)

The situation

Has a security team. Has procurement. Has compliance requirements. Will ask for SSO, directory sync, and audit exports before signing. AI governance is becoming a real concern here — security teams are starting to question what their AI agents can access and whether the credential store can be compelled.

Market potential

Slower sales cycle than SMB but much higher contract value. vault1984's "operator cannot read your passwords" architecture is a compliance advantage — it reduces the blast radius of a vendor incident and simplifies the data-in-custody conversation with auditors.

Competitors

| Player | Pricing | Notable |
|---|---|---|
| 1Password Business | $7/user/month | SSO, Okta integration |
| Bitwarden Enterprise | $6/user/month | SSO, SCIM, on-prem option |
| Keeper Business | $6/user/month | Compliance reporting, SIEM |
| Dashlane Business | $8/user/month | Dark web monitoring |

vault1984 advantage: The encryption architecture is a compliance argument. A vendor that provably cannot read your credentials is easier to pass through legal review than one that promises not to. "Operator-blind" = smaller vendor risk exposure.

vault1984 gap: SSO is table stakes at this size. No SCIM, no Okta/Azure AD integration, no compliance exports. These are hard blockers.

Required features to compete

  • SAML 2.0 / OIDC SSO (Okta, Azure AD, Google Workspace)
  • SCIM provisioning — automated user lifecycle management
  • Compliance exports (audit log export, CSV/SIEM format)
  • Policy enforcement at org level
  • Dedicated admin console with role-based access
  • SLA commitment (99.9%+)
  • Custom onboarding support

Pricing opportunity

Market rate is $6-10/user/month. vault1984 target: $2-3/user/month. Same knockout logic — at this price procurement is a no-brainer, not a negotiation. CFOs don't hold meetings about a $3/seat product.


Enterprise (2,000+ employees)

The situation

Has a full security team, a PAM (Privileged Access Management) strategy, and will spend 6 months in procurement. Needs SOC 2 Type II certification, custom SLAs, dedicated support, possibly on-prem deployment. AI governance is an active concern — CISO teams are mandating controls on what AI agents can access.

Market potential

Smallest number of deals, largest contract value. A single enterprise contract can be $500k-$2M/year. But the sales cycle is long and the certification requirements are significant. This segment is addressable in 2-3 years, not now.

Competitors

| Player | Position | Pricing |
|---|---|---|
| CyberArk | PAM market leader | $100k+ contracts |
| Delinea (Thycotic) | PAM mid-tier | $50k-$200k |
| HashiCorp Vault | Secrets management (infra) | $19-29/user/month (HCP) |
| 1Password Enterprise | Password manager | Custom ($8-15/user/month typical) |
| Bitwarden Enterprise | Password manager | Custom |

vault1984 advantage: The architecture argument is most compelling here — enterprises care deeply about vendor risk. A credential store the vendor cannot read is structurally better for compliance than one protected by policy. The AI agent credential management gap is also sharpest here: enterprises running large agent infrastructure need granular control.

vault1984 gap: Enormous. No SOC 2, no PAM integration, no SIEM connectors (Splunk, Elastic, Sentinel), no dedicated support, no on-prem option, no custom SLA. This is a 2-3 year roadmap.

Required features to compete

  • SOC 2 Type II certification
  • PAM integration (CyberArk, Delinea)
  • SIEM integration (Splunk, Elastic, Microsoft Sentinel)
  • HSM support for key management
  • On-premises / private cloud deployment option
  • Custom SLA (99.99%+, dedicated support)
  • Custom contractual terms (DPA, BAA if applicable)
  • Dedicated customer success manager

Pricing opportunity

Target: $2-3/user/month — same as SMB/MME. The differentiation is not price, it's features (SOC2, SLAs, support). Revenue at this price point is pure volume: 100,000 enterprise seats = $2.4-3.6M ARR. 1M seats = $24-36M ARR.


MSP — Managed Service Providers

⚠️ License blocker

The Elastic License 2.0 prohibits MSPs from deploying vault1984 for their clients. The ELv2 explicitly bars "providing the software to third parties as a hosted or managed service." An MSP running vault1984 instances for client organizations is exactly this scenario.

This segment requires a separate commercial license from vault1984. This is actually an opportunity — sell commercial MSP licenses at a per-client or per-seat rate. The ELv2 model (free for self-use, paid commercial license for resellers) is a proven business model used by Elastic, HashiCorp, and others.

The situation

MSPs manage IT for 10-500 SMB clients each. They need a password manager they can deploy, manage, and bill per client. The segment is poorly served: 1Password MSP is widely considered overpriced ($5/user/month wholesale, complaints on r/msp), Bitwarden MSP exists but lacks multi-tenant management tooling, and most MSP-specific tools (N-able Passportal, CyberFOX) lack the AI agent story entirely.

Market potential

High. An MSP with 100 clients averaging 20 users each represents 2,000 seats. vault1984's architecture is actually perfect for MSPs — they literally cannot read their clients' passwords, which eliminates a significant liability and trust issue. "Your MSP cannot see your passwords" is a strong sales argument for the MSP to their clients.

Competitors

| Player | Pricing | Notable |
|---|---|---|
| 1Password MSP | ~$5/user/month wholesale | Widely seen as overpriced |
| Bitwarden MSP | ~$3/user/month | Limited multi-tenant tooling |
| N-able Passportal | ~$3/user/month | RMM integration, weak encryption |
| CyberFOX | Custom | PAM focus, PSA integration |
| IT Glue (Kaseya) | ~$29/tech/month | Documentation focus, not password-first |

vault1984 advantage: Operator-blind architecture is a legal and trust advantage for MSPs. "We cannot read your clients' passwords" removes the MSP as a liability surface. Strong AI agent story is a differentiator as MSPs start managing agentic workflows for their clients. One binary + SQLite makes per-client deployment trivially simple.

vault1984 gap: No white-label, no PSA/RMM integration (ConnectWise, NinjaRMM, Kaseya, HaloPSA), no multi-tenant management console, and most importantly — needs a commercial MSP license structure.

Required features to compete

  • Commercial MSP license (separate from ELv2)
  • Multi-tenant management console (deploy/manage all client vaults from one pane)
  • White-label (logo, domain, email branding)
  • PSA integration (ConnectWise Manage, Autotask, HaloPSA)
  • RMM integration (NinjaRMM, N-able, Datto)
  • Bulk billing / consolidated invoicing
  • Client-level audit log access
  • MSP technician access (read-only to shared team credentials, no access to Identity layer)

Pricing opportunity

$2-3/user/month wholesale (MSP pays), resells at $5-8/user/month to clients. Alternatively, flat fee per client vault instance.

Target: $1-1.50/user/month wholesale. MSPs resell at $3-5. They make margin. Their clients pay less than 1Password direct. Nobody competes.


Summary

| Segment | Addressable now? | TAM | Primary gap | Revenue potential |
|---|---|---|---|---|
| Consumer | Now | $240-600M | Mobile apps, UX polish | Medium volume, $12/yr |
| Techies | Now | $54M direct | Make hosted better than self-host | Low volume, high strategic value |
| SMB | 6-12 months | $1-8B | Team features, multi-user | High volume, $5/user/month |
| MME | 12-18 months | $1-9B | SSO, SCIM, compliance | Medium volume, $8/user/month |
| Enterprise | 2-3 years | $15-20B | SOC2, PAM, SIEM, SLA | Low volume, high value |
| MSP | 6-12 months (commercial license) | $1.4B wholesale | MSP license, white-label, PSA | High multiplier, $2-3/user/month wholesale |

  1. Now: Lock in techies and consumers — the beachhead is already warm. Techies validate the product and drive top-of-funnel. Consumers convert on the breach story. They'll tolerate missing team features if the core product is right. Start building the waitlist.
  2. H2 2026: Ship team features. Launch SMB pricing. Begin MSP commercial license discussions.
  3. 2027: MME features (SSO, SCIM). Begin compliance certification track.
  4. 2028+: Enterprise.

The structural advantage across all segments

vault1984's architecture — operator-blind Credential and Identity encryption — is not just a marketing claim. It reduces vendor risk across every segment:

  • SMB: "even if we get hacked, your passwords are safe"
  • MME: smaller vendor risk surface for compliance reviews
  • Enterprise: structural argument for CISO sign-off
  • MSP: MSP cannot be compelled to hand over client passwords

No incumbent can make this claim. It's the moat that scales.


Draft — George for Johan. Do not publish.