Security teams push configurations and hardening policies that break production systems because there's no way to preview the blast radius.
Agents scan your infrastructure (AD, endpoints, servers, cloud) and let you dry-run a proposed security policy change — showing what breaks, what gets locked out, which workflows are impacted — before anything is applied.
Subscription: per-node pricing, ~$5-15/node/month.
This is a hair-on-fire problem. Security teams are literally afraid to enforce their own policies because they know it will break production. The Reddit thread confirms this — 97 upvotes and 119 comments of IT/security teams venting about this exact tension. Every sysadmin has a war story about a GPO or firewall rule that took down a department. The pain is acute, recurring, and career-threatening (you can get fired for either the breach OR the outage).
Target is companies with 50+ servers or 200+ endpoints — roughly the mid-market and enterprise segment. There are ~200K companies in the US alone in this range. At $5-15/node/month across 200-10,000 nodes, ACV ranges from $12K to $1.8M. Conservative TAM estimate: $2-5B globally when you include the overlap with GRC, CSPM, and change management budgets. Not a trillion-dollar market, but large enough to build a very significant business.
$5-15/node/month is within the range these buyers already pay for security tooling (comparable to Qualys, CrowdStrike, etc.). Security budgets are growing 10-15% YoY. The ROI story is compelling: one prevented outage easily justifies a year of spend. However, this is a new category — buyers don't have a line item for 'policy simulation' yet, so initial sales cycles will require education. Budget will likely come from existing security or change management budgets rather than net-new.
This is where the idea gets hard. Building agents that accurately scan heterogeneous infrastructure (AD, Windows endpoints, Linux servers, AWS/Azure/GCP, network devices) and model the cascading impact of policy changes is an enormous technical challenge. You need deep domain knowledge of each platform's security model, dependency graphs between services, and user workflow mapping. An MVP scoped to ONE domain (e.g., Active Directory GPO simulation only) is buildable in 8-12 weeks by a domain expert. A cross-platform solution is a 12-18 month engineering effort minimum. Data collection alone (agent deployment, API integrations, credential management) is a significant undertaking.
No one does this well today. The existing tools either scan retrospectively (Qualys/Tenable), simulate only within their narrow domain (RSoP for AD, Tufin for firewalls), or require everything to be codified first (Ansible/Terraform). The specific gap — 'show me the blast radius of this security policy across my real infrastructure before I apply it' — is genuinely unserved. This is a white space that sits at the intersection of compliance, change management, and infrastructure observability.
Extremely strong subscription fit. Infrastructure changes constantly — new servers, new users, new applications, new compliance requirements. Every policy change needs simulation. The agent-based model creates natural lock-in through deployed infrastructure. Usage is continuous, not one-time. Per-node pricing scales naturally with the customer's environment.
- +Genuine white-space opportunity — no one owns 'security policy simulation' as a category yet
- +Intense, validated pain point with career consequences on both sides (breach vs outage)
- +Strong recurring revenue model with natural expansion as customers grow their infrastructure
- +Clear ROI story: cost of one prevented outage >> annual subscription cost
- +Regulatory tailwinds (zero trust mandates, SEC rules, NIS2) are forcing faster hardening cycles
- !Technical complexity is massive — accurate blast-radius modeling across heterogeneous infrastructure is genuinely hard, and inaccurate predictions are worse than no predictions (false confidence)
- !Enterprise sales cycle: security tooling buyers are slow (3-9 month cycles), require SOC2/ISO27001, and want on-prem options — this is capital-intensive to bootstrap
- !Platform risk: Microsoft, CrowdStrike, or Palo Alto could add 'policy simulation' as a feature to their existing agents that are already deployed everywhere
- !Agent deployment is a chicken-and-egg problem: you need deep infrastructure access (privileged credentials) before you can demonstrate value, and security teams are the hardest buyers to convince to install new agents
RSoP (Resultant Set of Policy): built into Active Directory, lets admins simulate what happens when Group Policy Objects are applied to users/computers before deploying them.
Tufin: network security policy management platform that automates firewall change requests with risk analysis and simulation of network policy changes across multi-vendor environments.
Open Policy Agent (OPA): general-purpose policy engine that lets you write policy-as-code and evaluate decisions before enforcement. Styra provides a commercial management layer on top of OPA.
Ansible/Terraform: infrastructure-as-code dry runs. ansible-playbook --check reports what would change without applying it; terraform plan previews infrastructure changes before apply. Both only cover what has already been codified.
Qualys/Tenable: scan infrastructure against compliance benchmarks, but report retrospectively rather than simulating a proposed change.
Scope ruthlessly to Active Directory GPO simulation only. Build a lightweight read-only agent that inventories AD objects, group memberships, applied GPOs, and service dependencies. Let users upload or define a proposed GPO change and generate a report: 'These 47 users lose access to these 3 applications, these 12 service accounts break, these 5 scheduled tasks fail.' AD is the #1 source of policy-change outages, every mid-market+ company has it, and the domain is bounded enough to model accurately. Ship as a SaaS with a single Windows installer for the data collector.
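To make the MVP's impact report concrete, here is an added example (not code from the page or any product) of the blast-radius model such an agent would run after collection: it takes a constructed AD inventory (group memberships, group-gated applications, service accounts, scheduled tasks) and a proposed GPO change limited to two settings that commonly cause outages, Restricted Groups and "Deny log on as a service", and derives who loses access, which service accounts break and which scheduled tasks fail. All names and the data structures are assumptions; a real collector would populate them from AD.

```python
"""Dry-run blast radius of a proposed GPO change over a constructed AD inventory."""
from dataclasses import dataclass, field


@dataclass
class Inventory:
    groups: dict[str, set[str]]   # group name -> member principals (users and service accounts)
    apps: dict[str, str]          # application -> AD group that gates access to it
    service_accounts: set[str]    # principals that run services / scheduled tasks
    tasks: dict[str, str]         # scheduled task -> account it runs as


@dataclass
class GpoChange:
    """Restricted Groups replaces a group's membership wholesale; deny_service_logon lists
    groups that the proposed GPO adds to 'Deny log on as a service'."""
    restricted_groups: dict[str, set[str]] = field(default_factory=dict)
    deny_service_logon: set[str] = field(default_factory=set)


def simulate(inv: Inventory, change: GpoChange) -> dict:
    # 1. Restricted Groups: anyone not on the enforced list is dropped from the group.
    dropped = {g: inv.groups.get(g, set()) - keep for g, keep in change.restricted_groups.items()}
    # 2. Principals dropped from a gating group lose the applications behind it.
    lost_access: dict[str, set[str]] = {}
    for app, gate in inv.apps.items():
        for p in dropped.get(gate, set()):
            lost_access.setdefault(p, set()).add(app)
    # 3. A service account breaks if it lost a gated resource or its group is denied service logon.
    broken = {p for p in lost_access if p in inv.service_accounts}
    for g in change.deny_service_logon:
        broken |= inv.groups.get(g, set()) & inv.service_accounts
    users = {p: apps for p, apps in lost_access.items() if p not in inv.service_accounts}
    # 4. Scheduled tasks running as a broken account will fail.
    failing = {t for t, acct in inv.tasks.items() if acct in broken}
    return {"users_losing_access": users, "broken_service_accounts": broken, "failing_tasks": failing}


# Constructed sample: a hardening GPO enforces App-Finance-Users = {alice} (forgetting bob and the
# finance service account) and denies service logon to Remote-Admins.
SAMPLE_INVENTORY = Inventory(
    groups={"App-Finance-Users": {"alice", "bob", "svc-finance"}, "Remote-Admins": {"carol", "svc-backup"}},
    apps={"FinanceApp": "App-Finance-Users", "BackupConsole": "Remote-Admins"},
    service_accounts={"svc-finance", "svc-backup", "svc-log"},
    tasks={"NightlyLedgerExport": "svc-finance", "WeeklyFullBackup": "svc-backup", "LogCleanup": "svc-log"},
)
SAMPLE_CHANGE = GpoChange(restricted_groups={"App-Finance-Users": {"alice"}}, deny_service_logon={"Remote-Admins"})

if __name__ == "__main__":
    r = simulate(SAMPLE_INVENTORY, SAMPLE_CHANGE)
    print(f"{len(r['users_losing_access'])} users lose access, {len(r['broken_service_accounts'])} "
          f"service accounts break, {len(r['failing_tasks'])} scheduled tasks fail")
```

The sample reports 1 user losing access, 2 broken service accounts and 2 failing tasks; the unrelated svc-log task is untouched, which is the kind of negative result that keeps the report credible.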
- Free tier: scan up to 50 AD objects, 1 simulation/week, basic impact report
- Paid ($5/node/month): unlimited simulations, full dependency mapping, historical audit trail, team collaboration
- Enterprise ($12-15/node/month): multi-domain AD, cloud IAM integration (AWS IAM, Azure AD/Entra), endpoint policy simulation, API access, SSO/SCIM, on-prem deployment option
- Platform: expand to network policies, endpoint hardening (CIS benchmarks), cloud security posture simulation
4-6 months. 8-10 weeks to build the AD-scoped MVP, 2-4 weeks for design partners (find 3-5 from the Reddit thread's commenters), 4-8 weeks to close first paid customers. Enterprise sales cycles will be longer, but mid-market IT teams with acute pain (recently caused an outage from a policy change) can move fast. First revenue likely comes from annual contracts in the $15K-50K range.
- “never locked down or hardened xyz systems”
- “the realization that they have to explain the fall out makes them rethink things”
- “how difficult it is to apply security principles without being overly invasive to worker productivity”