vault1984 — Market Research

March 2026


Market Context

The global password management market is ~$3.5B in 2026, growing at ~22% CAGR toward $10-27B by 2030-2035 (multiple analyst estimates converge on this range). Growth drivers: AI agent adoption, rising breach frequency, regulatory pressure (NIS2, SOC2, ISO27001), and workforce credential sprawl.

The AI agent angle is newly validated. AgentMail raised $6M in early 2026 for "email inboxes for AI agents" — agent-native infrastructure is becoming a funded category. No incumbent password manager was built for agents. They're bolting on MCP. vault1984 was designed from day one around the agent access model.


SMB — Small & Medium Business (1-250 employees)

The situation

SMBs are the fastest-growing segment for credential management. They lack dedicated security teams, use AI agents actively (Claude Code, Cursor, Codex are mainstream tools in this segment), and make purchase decisions fast. The pain: their current password manager gives agents all-or-nothing access, and nobody has verified whether the operator can read their vault.

Market potential

Largest volume segment. Price-sensitive but willing to pay for something that solves a real problem simply. AI-native companies in this cohort are the early adopters — they feel the agent credential problem acutely.

Competitors

| Player | Pricing | AI/Agent story | Encryption |
|---|---|---|---|
| 1Password Teams | $4/user/month | MCP plugin (bolted on) | Server can read |
| Bitwarden Teams | $4/user/month | MCP plugin (bolted on) | Server can read (hosted) |
| Dashlane Business | $5/user/month | None | Server can read |
| NordPass Business | $4/user/month | None | Zero-knowledge claim |

vault1984 advantage: Designed for agent access. Superior encryption architecture. No master password friction. One binary, self-host option.

vault1984 gap: No team features yet. No multi-user vault management, no user provisioning, no shared vault concept. Must be built before this segment is addressable.

Required features to compete

  • Organization accounts (owner + members)
  • Shared credential vaults (team-level, not just individual)
  • Admin console — invite, remove, view audit log
  • Per-user MCP token management
  • Basic policy (enforce 2FA, session timeout)
  • Email-based onboarding

Pricing opportunity

$4-6/user/month ($48-72/year) is the market rate. vault1984 at current $12/year is priced for individuals. Business pricing needs a per-seat model at market rate. The encryption story supports a small premium over Bitwarden.

Suggested: $5/user/month billed annually ($60/user/year). Free trial, no minimum seats.


MME — Mid-Market Enterprise (250-2,000 employees)

The situation

Has a security team. Has procurement. Has compliance requirements. Will ask for SSO, directory sync, and audit exports before signing. AI governance is becoming a real concern here — security teams are starting to question what their AI agents can access and whether the credential store can be compelled.

Market potential

Slower sales cycle than SMB but much higher contract value. vault1984's "operator cannot read your passwords" architecture is a compliance advantage — it reduces the blast radius of a vendor incident and simplifies the data-in-custody conversation with auditors.

Competitors

| Player | Pricing | Notable |
|---|---|---|
| 1Password Business | $7/user/month | SSO, Okta integration |
| Bitwarden Enterprise | $6/user/month | SSO, SCIM, on-prem option |
| Keeper Business | $6/user/month | Compliance reporting, SIEM |
| Dashlane Business | $8/user/month | Dark web monitoring |

vault1984 advantage: The encryption architecture is a compliance argument. A vendor that provably cannot read your credentials is easier to pass through legal review than one that promises not to. "Operator-blind" = smaller vendor risk exposure.

vault1984 gap: SSO is table stakes at this size. No SCIM, no Okta/Azure AD integration, no compliance exports. These are hard blockers.

Required features to compete

  • SAML 2.0 / OIDC SSO (Okta, Azure AD, Google Workspace)
  • SCIM provisioning — automated user lifecycle management
  • Compliance exports (audit log export, CSV/SIEM format)
  • Policy enforcement at org level
  • Dedicated admin console with role-based access
  • SLA commitment (99.9%+)
  • Custom onboarding support

Pricing opportunity

$6-10/user/month. SSO parity commands a small premium. The compliance story supports $8/user/month with annual commitment.

Suggested: $8/user/month ($96/user/year), minimum 25 seats. Discount for 100+.


Enterprise (2,000+ employees)

The situation

Has a full security team, a PAM (Privileged Access Management) strategy, and will spend 6 months in procurement. Needs SOC 2 Type II certification, custom SLAs, dedicated support, possibly on-prem deployment. AI governance is an active concern — CISO teams are mandating controls on what AI agents can access.

Market potential

Smallest number of deals, largest contract value. A single enterprise contract can be $500k-$2M/year. But the sales cycle is long and the certification requirements are significant. This segment is addressable in 2-3 years, not now.

Competitors

| Player | Position | Pricing |
|---|---|---|
| CyberArk | PAM market leader | $100k+ contracts |
| Delinea (Thycotic) | PAM mid-tier | $50k-$200k |
| HashiCorp Vault | Secrets management (infra) | $19-29/user/month (HCP) |
| 1Password Enterprise | Password manager | Custom ($8-15/user/month typical) |
| Bitwarden Enterprise | Password manager | Custom |

vault1984 advantage: The architecture argument is most compelling here — enterprises care deeply about vendor risk. A credential store the vendor cannot read is structurally better for compliance than one protected by policy. The AI agent credential management gap is also sharpest here: enterprises running large agent infrastructure need granular control.

vault1984 gap: Enormous. No SOC 2, no PAM integration, no SIEM connectors (Splunk, Elastic, Sentinel), no dedicated support, no on-prem option, no custom SLA. This is a 2-3 year roadmap.

Required features to compete

  • SOC 2 Type II certification
  • PAM integration (CyberArk, Delinea)
  • SIEM integration (Splunk, Elastic, Microsoft Sentinel)
  • HSM support for key management
  • On-premises / private cloud deployment option
  • Custom SLA (99.99%+, dedicated support)
  • Custom contractual terms (DPA, BAA if applicable)
  • Dedicated customer success manager

Pricing opportunity

Custom. $10-20/user/month or six-figure annual deals for large deployments.


MSP — Managed Service Providers

⚠️ License blocker

The Elastic License 2.0 prohibits MSPs from deploying vault1984 for their clients. The ELv2 explicitly bars "providing the software to third parties as a hosted or managed service." An MSP running vault1984 instances for client organizations is exactly this scenario.

This segment requires a separate commercial license from vault1984. This is actually an opportunity — sell commercial MSP licenses at a per-client or per-seat rate. The ELv2 model (free for self-use, paid commercial license for resellers) is a proven business model used by Elastic, HashiCorp, and others.

The situation

MSPs manage IT for 10-500 SMB clients each. They need a password manager they can deploy, manage, and bill per client. The segment is poorly served: 1Password MSP is widely considered overpriced ($5/user/month wholesale, complaints on r/msp), Bitwarden MSP exists but lacks multi-tenant management tooling, and most MSP-specific tools (N-able Passportal, CyberFOX) lack the AI agent story entirely.

Market potential

High. An MSP with 100 clients averaging 20 users each represents 2,000 seats. vault1984's architecture is actually perfect for MSPs — they literally cannot read their clients' passwords, which eliminates a significant liability and trust issue. "Your MSP cannot see your passwords" is a strong sales argument for the MSP to their clients.

Competitors

| Player | Pricing | Notable |
|---|---|---|
| 1Password MSP | ~$5/user/month wholesale | Widely seen as overpriced |
| Bitwarden MSP | ~$3/user/month | Limited multi-tenant tooling |
| N-able Passportal | ~$3/user/month | RMM integration, weak encryption |
| CyberFOX | Custom | PAM focus, PSA integration |
| IT Glue (Kaseya) | ~$29/tech/month | Documentation focus, not password-first |

vault1984 advantage: Operator-blind architecture is a legal and trust advantage for MSPs. "We cannot read your clients' passwords" removes the MSP as a liability surface. Strong AI agent story is a differentiator as MSPs start managing agentic workflows for their clients. One binary + SQLite makes per-client deployment trivially simple.

vault1984 gap: No white-label, no PSA/RMM integration (ConnectWise, NinjaRMM, Kaseya, HaloPSA), no multi-tenant management console, and most importantly — needs a commercial MSP license structure.

Required features to compete

  • Commercial MSP license (separate from ELv2)
  • Multi-tenant management console (deploy/manage all client vaults from one pane)
  • White-label (logo, domain, email branding)
  • PSA integration (ConnectWise Manage, Autotask, HaloPSA)
  • RMM integration (NinjaRMM, N-able, Datto)
  • Bulk billing / consolidated invoicing
  • Client-level audit log access
  • MSP technician access (read-only to shared team credentials, no access to Identity layer)

Pricing opportunity

$2-3/user/month wholesale (MSP pays), resells at $5-8/user/month to clients. Alternatively, flat fee per client vault instance.

Suggested commercial MSP license: $2/user/month billed to MSP, minimum 5 clients. Volume discounts at 500+ seats.


Summary

| Segment | Addressable now? | Primary gap | Revenue potential |
|---|---|---|---|
| SMB | 6-12 months | Team features, multi-user | High volume, $5/user/month |
| MME | 12-18 months | SSO, SCIM, compliance | Medium volume, $8/user/month |
| Enterprise | 2-3 years | SOC2, PAM, SIEM, SLA | Low volume, high value |
| MSP | 6-12 months (with commercial license) | MSP license, white-label, PSA integration | High multiplier, $2-3/user/month wholesale |

  1. Now: Lock in SMB early adopters — AI-native companies already running agents. They'll tolerate missing team features if the core product is right. Start building the waitlist.
  2. H2 2026: Ship team features. Launch SMB pricing. Begin MSP commercial license discussions.
  3. 2027: MME features (SSO, SCIM). Begin compliance certification track.
  4. 2028+: Enterprise.

The structural advantage across all segments

vault1984's architecture — operator-blind Credential and Identity encryption — is not just a marketing claim. It reduces vendor risk across every segment:

  • SMB: "even if we get hacked, your passwords are safe"
  • MME: smaller vendor risk surface for compliance reviews
  • Enterprise: structural argument for CISO sign-off
  • MSP: MSP cannot be compelled to hand over client passwords

No incumbent can make this claim. It's the moat that scales.


Draft — George for Johan. Do not publish.