What changed
FACT (per convergence input): Let's Encrypt is withdrawing its free certificate-expiry notification emails, removing the default safety net for its entire user base at once. FACT: CT logging is required for Chrome/Safari trust, so every browser-trusted certificate β domain, issuer, expiry β is publicly enumerable. INFERENCE: combining the two yields a self-updating list of prospects whose renewal automation is demonstrably failing (unrenewed at T-14).
Why now
The email shutoff is a one-time discontinuity: holders who relied on those emails lose coverage simultaneously. TIMING RISK (inference): the shutoff was announced well before this scan; the acute 'window' may already be partially consumed, and Let's Encrypt publicly pointed users to free third-party alternatives at shutoff, which blunts the rescue narrative. This must be verified before build.
Converging signals
(1) Mandatory public registry (CT logs) exposing the full buyer universe with expiry dates; (2) removal of the incumbent free alerting layer; (3) a behavioral distress filter (no renewal event in CT at T-14) that pre-qualifies prospects. No corroborating demand signals were supplied in this input (signals and demand_evidence arrays are empty).
Customer pain
An expired cert causes an immediate, visible outage: browser interstitials, dropped API traffic, failed webhooks, app-store review complaints. Pain is real and urgent WHEN it fires β but HYPOTHESIS: the subset detectable as broken-at-T-14 skews toward abandoned sites, hobby projects, and negligent operators, i.e., the segment least likely to pay. The valuable buyers (SaaS, agencies, MSPs) mostly already automated or already monitor.
Who pays
HYPOTHESIS: small SaaS operators, agencies managing client domains, MSPs, and IT generalists who inherited certbot setups they don't understand. Agencies/MSPs are the only multi-seat, recurring-revenue buyer here. No evidence of willingness to pay was provided in demand_evidence β this is unproven.
Solved today
Cron'd certbot/acme.sh auto-renewal (free, works silently for most); free monitors: Red Sift Certificates Lite (explicitly recommended by Let's Encrypt at email shutoff, free for ~250 hosts), UptimeRobot, StatusCake, TrackSSL, Better Stack, plus countless open-source CT watchers. crt.sh gives the same registry data to anyone free.
Why current solutions are bad
For the broken-automation segment, existing tools fail only in that the owner never signed up β the gap is awareness at the moment of failure, not capability. That is a GTM insight, not a product gap. The product itself (expiry alerting) is commoditized with strong free incumbents.
Proposed product
A cert-lifecycle monitor whose acquisition engine is the registry: continuous CT ingestion, a T-14 'renewal missing' detector, automated owner-contact discovery (security.txt, hostmaster@, RDAP/site contact), and a rescue email linking to a free instant expiry report for their domain; upsell to paid monitoring of all their domains ($10β$30/mo) plus agency/MSP multi-domain plans.
MVP version
1-week build (fits founder's proven scraping/automation stack): crt.sh/CT-log poller for LE certs expiring β€30d; renewal-detection diff; contact-discovery pipeline with reachability logging; plain-text rescue email + one-page 'check your cert' report; Stripe checkout for a $15/mo monitor. No dashboard needed for the test.
30-day build
Run the falsification test exactly as the hypothesis specifies: measure (a) volume of LE certs unrenewed at T-14 over one week (target β₯10,000), (b) contact-discoverability rate on a 1,000-domain sample (kill if <30%), (c) 300-contact outreach conversion (kill if 0 paid/trial). Use a dedicated sending domain and strict opt-out hygiene β this outreach is spam-adjacent and deliverability/CAN-SPAM/GDPR care is mandatory, especially for EU-hosted domains.
60-day build
If conversion β₯1%: automate the pipeline end-to-end, add renewal-fix guidance content (certbot debugging playbooks) as SEO/trust collateral, and split-test rescue timing (T-14 vs T-7 vs T-2) and channel (security.txt vs hostmaster@).
90-day revenue plan
Scale outreach within deliverability limits (INFERENCE: a few hundred quality contacts/day max before reputation damage); target agencies/MSPs found managing multiple distressed domains for $50β$200/mo multi-domain plans. Realistic 90-day ceiling at 1% conversion on ~10k contacts: ~100 customers β $1.5β3k MRR β modest, and only if the conversion hypothesis holds.
Distribution path
Registry-driven outbound (the core bet), plus a free public 'is your cert renewal broken?' checker for organic/HN distribution. No marketplace dependency. Weakness: outbound to scraped addresses is the single channel the entire thesis rests on, and it has legal, deliverability, and perception risk.
Pricing hypothesis
$10β15/mo single-org monitor; $49β199/mo agency/MSP tiers. Low ACV means the business only works if acquisition is near-zero-cost β which is exactly what the registry-GTM claims and exactly what the test must prove.
Technical difficulty
Low. CT ingestion, diffing, and contact scraping are squarely inside the founder's demonstrated skills; total infra cost trivial. Hardest part is email deliverability engineering, not code.
Legal / regulatory risk
Moderate and concentrated in the GTM: unsolicited email to scraped contacts implicates CAN-SPAM (manageable) and GDPR/ePrivacy for EU recipients (real exposure; B2B legitimate-interest arguments exist but are not free). Security.txt contacts arguably invite security-relevant notices, which an imminent-expiry warning plausibly is β INFERENCE, not legal advice. Contacting via a good-faith 'your cert expires in 14 days' notice with no attachment and instant opt-out is defensible but must be executed carefully.
Platform dependency
Low. CT logs are structurally guaranteed by browser trust requirements; crt.sh could rate-limit but raw CT logs are directly consumable. No app store, no API gatekeeper.
Founder fit
Moderate (5β6), not the 8β9 tier. Applied lesson (conf 0.80): his best-fit shape is a GOVERNMENT MANDATE forcing filers into a portal with per-filing fees. This mimics that shape β public registry, roster-wide duty β but the 'duty' is negative (loss of a free courtesy email), there is no forced filing, no deadline enforcement, and no per-transaction wedge. His scraping/automation strengths transfer fully; the forced-buyer economics do not. Applied lesson (conf 0.90): capital/runway means the 1-week test cost and 3-month ramp are not penalties. Applied lesson (conf 0.85): the engine is demand-blind, so empty demand_evidence partly reflects source gaps β but per instructions demand is scored on evidence provided, which is none.
Breakout potential
Limited. Best case is a $5β20k MRR micro-SaaS or an acquisition-channel feature bolted onto an existing monitor. The GTM trick, once public, is copyable in days by any incumbent (crt.sh data is free); there is no data, network, or switching-cost moat. Expansion path (domain expiry, DMARC, security-header monitoring for the same contact list) is real but keeps it in commodity territory.
Final recommendation
VALIDATE, DON'T BUILD YET. The idea survives the cheap-kill filters (reachable buyer class exists, real outage pain, trivial build, no platform risk) but fails the evidence bar: demand_evidence is empty, incumbents are free and LE-endorsed, and the differentiator is a GTM tactic without a moat. Because the falsification test is ~1 week and near-zero cost β squarely within the founder's skills β run the specified crt.sh + 300-contact test with pre-committed kill thresholds (<30% reachability or 0 conversions = kill). Do not invest beyond the test until conversion β₯1% is observed. Also verify how long ago the LE email shutoff actually occurred; if the discontinuity is stale, the rescue window argument weakens further.
Next action
Spend 1 day scripting a crt.sh/CT query for Let's Encrypt certs expiring in β€14 days with no successor cert logged; measure weekly volume and contact-discoverability on a 1,000-domain sample. If β₯10k/week and β₯30% reachable, send 300 carefully-crafted rescue notices from a dedicated domain and measure 7-day conversion.