We built Dilligencer™ as a platform, not a product. But when we talk with VCs or technical founders about how we use the platform to accelerate our advisory and diligence services, they often ask us why we haven’t gone to market as a typical SaaS product. In the beginning, many early conversations came back to the same feedback: target “business-as-usual” use cases, hook it up to a CI/CD ecosystem like GitHub Marketplace, charge monthly per seat, and scale your customer count to get a SaaS valuation on ARR or total customer lifetime value.
It’s not that this isn’t a real business model. Many of Dilligencer’s capabilities can be compared with AppSec, QA, or GRC products like those from Synopsys, Veracode, SecureFrame, and OneTrust. And yes, all of these vendors do go to market primarily through “traditional” delivery models like SaaS or ecosystem plugins. If you look at their market cap or latest fundraise valuations, it’s clearly working for them so far.
Platform vs. Product
Why, then, are we still building a platform instead of a product? Why are we limiting our ability to scale by delivering technology-enabled services instead of building a “pure” tech offering with higher margin?
To be honest, we might be a little crazy. But more importantly, we think that most scalable product models don’t actually solve the problem that most customers have.
Well, there are three reasons:
- Customers want guidance and knowledge, not just data and alerts.
- Most customer needs are event-driven, not recurring.
- All companies and transactions are similar, but no two are the same.
Reason #1 directly acknowledges that no technology in the market today can truly understand a customer’s situation and priorities, educate them, and help them navigate their strategic options. While almost every SCA or SBOM product can identify an AGPL dependency or known-vulnerable service, none of them can actually help the customer contextualize the findings. No matter how slick the API or how rich the SARIF data, no product on the market is going to show up to a board meeting or work with your counsel to accept, remediate, or transfer the risk.
By focusing on platform-enabled services instead of a pure product, we acknowledge that this is the reality for most customers. Furthermore, the few customers who do have personnel with the right knowledge and capabilities often find those personnel too busy to help interpret reports or present to the risk committee. They’re typically in the market because something is urgent and they don’t have the internal resources to meet the timeline.
This last point leads us to Reason #2. Most companies, like individuals, don’t take action or change how they operate when things are “normal.” Instead, old habits are broken and people take action only when some “event” happens – like a strategic customer contract, a financing round, or during a merger or acquisition.
Yes, it would be better if companies were continuously assessing the risk and value of their assets as part of daily business. Yes, it would be better if data models and encryption practices were regularly reviewed for regulatory compliance. Yes, it would be better if companies were actually keeping that contract repository and third-party software license inventory up-to-date in exactly the format that an acquirer would want for diligence and disclosures.
But are they? Do companies who have purchased GRC or CLM systems like these actually have them “fully adopted?” Even if they do, does the customer ever really self-service? Are customer success managers really managing the “perpetual roadmap” problem?
In the business universe we inhabit, companies practically never reach the kind of “business-as-usual maturity” we all talk about.
For vendors, the problem is that an event-driven value proposition rarely turns into predictable, recurring revenue. But because predictable, recurring revenue is what “the market” wants to see when it comes to companies getting top-of-the-line multiples, that’s what vendors offer. Given that most vendors are VC-backed, their next fundraising round probably depends on it.
Similar, but Different
Speaking of fundraising and deals, that brings us to Reason #3. No two deals are the same because no two companies are the same. That said, most companies cluster into a small number of categories, and within these categories, many companies are quite similar.
Imagine that you’re a SaaS product vendor who is translating this idea into requirements for risk management, valuation, and diligence. It means that most of the required activities are shared by most of the companies. Within the context of fundraising or M&A, this is easy to see when you look at the representations and warranties in a securities purchase agreement. Regardless of the industry or stage of a company, many “fundamental” reps and warranties are going to be present in every document. But past these fundamental reps and warranties, things tend to get a little complicated as terms are crafted to address risks specific to the deal.
For the sake of argumentation, let’s say that all deals share 80% of the same common checklist or reps and warranties. For example, every deal is going to require that the sellers actually own the thing that they’re selling and have the right to license or use it. One way or another, a useful diligence product needs to help the customer document or answer that rep.
But what about the other 20% of each deal’s requirements?
If deals cluster into a small number of very standardized types, then the economics might work for you as the hypothetical product vendor. For example, if there are three types of deals, then you end up needing to build the “other 20%” three times, for a total of “60%” more requirements. The total size of your product’s requirements is then the original 80% plus the 60% in the tail. Under this highly-simplified model, that works out to 14 product requirements for every 10 deal requirements.
But what if the number of clusters is larger? Or what if there’s always at least one or two unique requirements for each deal, like an adjusted financial metric or a patent-specific software issue? Well, if that’s the case, the number of product requirements might be much larger – and therefore, the size of your product team either needs to be much larger or your addressable market needs to be smaller or sequenced over a longer window. Both cases lead to lower valuations or more risk for product vendors.
And what about the customer? With our product vendor thought experiment complete, let’s turn back to your needs. If the product only solves 80% of your needs, do you simply ignore the other 20%? Or do you find yourself having to rebuild the entire solution to meet your requirements? At a minimum, you’re probably cobbling together a solution to address the 20% gap between their “one size fits all” offering and the full coverage that you need.
For example, many of the GRC vendors focused on “audit support” provide SaaS products that are intended to help increase the efficiency of obtaining a SOC 2 attestation or ISO 27K certification. And many of these products do help collect evidence and centralize the evidence in one location. But some of these vendors market unrealistic expectations, set unsustainable prices, design inflexible systems, or make some tasks *harder* than if the customer were using no system at all.
What’s the end result? Well, these audit support products do create efficiencies – but they don’t solve the whole problem and they don’t allow customers to customize or implement the remaining requirements inside the product. As a result, most auditors don’t end up accepting these systems as the single repository of evidence, and the customer ends up building parallel capabilities anyway.
At some price, these audit support products might be good buys for some customers. But at current market prices for these SaaS products, it’s not clear that most customers benefit. And if these prices don’t work or the market is smaller than expected, that’s not a good sign for those valuations.
Do you really want to get locked in to a vendor with 6-12 months of runway?
In our experience, most customers – and auditors – fall back on simple tools like spreadsheets and documents. Policies and procedures are managed in Word or Google Docs, not some WYSIWYG (What You See Is What You Get) interface in a walled SaaS garden. Asset inventories and risk registers almost always end up in spreadsheets – or even slides – not modal popups in Angular or React.
We all know that Office 365 and Google Workspaces aren’t the ideal technical solution for compliance management – but these simple technologies are the sustainable, cost-efficient solution that most customers end up using. This is even more true for M&A, where deal rooms are often just Dropbox folders.
So What Do Customers Really Want?
Well, they want something that solves their problem when they have that problem. When the problem is ongoing, like compliance, this means that it needs to be something they can sustain and afford. Sometimes, that’s assistance through good old-fashioned labor – you know, the kind of consulting or staffing revenue that doesn’t get a 5-10x multiple. Other times, they want to use software to do it themselves, but they want it to work from a price, flexibility, and integration perspective. This typically looks more like a toolkit they can configure, not like a slick one-size-fits-all web app.
When the need is one-time or project-based, like fundraising or M&A, then the ask is even less aligned with the typical SaaS vendor. They don’t want a three-year contract and a roadmap; they want your strategic and operational help to close the round or deal – and that’s it.
If technology can be efficiently used to solve the operational aspects of diligence or valuation, then great! But don’t ask them for a license or subscription. And for 9 out of 10 customers, scalable self-service SaaS isn’t going to be a thing. They want you to do the work so they don’t have to learn or because they don’t have the time in the first place.
And that’s why we built a platform focused on hybrid delivery, not a self-service product.
Because the platform is based on integrating into other data sources, it’s easy to import findings or export to systems people actually use, like Office 365 and Google Workspace.
Because the platform is meant to be used by consultants with data science experience, the analysis and reporting can quickly be adapted and customized to each customer’s needs.
And because we didn’t have to raise to get where we are today, we don’t have to lock you into a multi-year recurring revenue contract with a walled-garden experience. You can get the benefits of the platform for a two-day valuation or a two-week audit without paying for the next 12 months.
We understand that this makes us less valuable in the eyes of many potential investors or acquirers. But the truth is that this is exactly what makes us more valuable to customers. The truth is that this is exactly what makes us more valuable to customers. And when the dust settles, maybe some investors or acquirers will appreciate that in some markets, the customer, not capital, is king.