What changed
HYPOTHESIS (input provides no source signals): Let's Encrypt is ending free expiry-notification emails, removing the only safety net for the staff-less manual-renewal tail, while CA/Browser Forum lifetime reductions (toward ~47 days) multiply renewal events per year. Both claims come from the convergence description, not from cited source text in this input β treat as unverified until the evidence step confirms them.
Why now
If the two underlying facts hold, the window is structural: every shortening of max lifetime makes manual renewal exponentially more painful, and the email cutoff creates a discrete moment where thousands of operators silently lose their reminder system and discover it only when a site goes dark. The distress is time-stamped and publicly visible per domain in CT logs.
Converging signals
(1) Removal of free expiry alerts (hypothesis, uncited here); (2) shrinking max cert lifetimes (hypothesis, uncited here); (3) CT logs as a complete, mandated, public enumeration of every obligated party with exact lapse dates (fact about how CT works, checkable on crt.sh). The novel synthesis is GTM: the compliance registry doubles as the prospect list, and issuance-cadence fingerprints (irregular gaps, past expiry overshoots) identify manual-renewal victims specifically.
Customer pain
A site whose cert expires is not fined β it is blocked by every major browser. For a small business, that is outage-level pain with a countdown timer. However, NO demand_evidence was supplied: zero complaints, zero job postings, zero mandate documents in this input. The pain narrative is plausible but currently 100% inference.
Who pays
Hypothesis: small businesses, agencies with legacy client sites, and lone IT admins running self-hosted infrastructure (mail servers, intranets, VPS-hosted sites) where a human renews certs by hand. They are identifiable individually from CT issuance patterns β an unusually precise ICP if the fingerprinting works.
Solved today
Free ACME automation (certbot, Caddy, cPanel AutoSSL), host-bundled TLS (Cloudflare, managed WordPress), and alert-only monitoring SaaS (TrackSSL, Red Sift/Hardenize, StatusCake tiers). The tail this targets is by definition the population all of those failed to reach.
Why current solutions are bad
Monitoring tools only alert β the manual-tail operator still has to do the renewal, which is exactly what they fail at. Free automation requires setup skill/access they demonstrably lack (their CT history shows overshoots). Nobody does outbound: incumbents wait for inbound signups, which the tail never does.
Proposed product
A managed-renewal service: (a) CT-log scanner scoring every domain for manual-renewal fingerprints and expiry proximity; (b) outreach engine contacting operators 7-21 days pre-expiry; (c) done-for-you migration to ACME automation or a proxy/DNS-based renewal we operate, sold as a flat subscription with an expiry guarantee (SLA: your cert never lapses).
MVP version
One-day crt.sh/CT batch query + cadence classifier + hosting-fingerprint check (falsification test built in), a landing page with Stripe, and a manual concierge renewal process for the first 20 customers. No product build needed before demand is proven.
30-day build
Run the testable prediction verbatim: enumerate β₯10k candidate domains, fingerprint hosting to measure how many are already auto-TLS-covered or abandoned (the two falsifiers), then run a 100-domain outreach test with three message framings to fight the phishing-lookalike problem (e.g., postal mail or LinkedIn to the named registrant vs cold email).
60-day build
If β₯2/100 convert: onboard first 20 concierge customers, standardize the three most common renewal situations (cPanel, bare VPS, appliance/load-balancer), build the recurring CT-watch + auto-outreach loop.
90-day revenue plan
50-150 domains under management at $15-40/domain/month or ~$199-399/yr, i.e. roughly $1.5k-4k MRR if conversion holds β modest but recurring and near-zero churn once installed (switching back to manual is irrational).
Distribution path
Mechanical outbound driven by the CT registry itself β no ad spend, no marketplace. Core risk: an unsolicited 'your certificate expires in 9 days' message is the exact template of a well-known scam genre, so deliverability and trust are the real distribution problem, not lead volume.
Pricing hypothesis
Per-domain subscription ($15-40/mo) or annual ($199-399) with expiry-guarantee SLA; optional one-time 'rescue' fee ($149) for already-expired sites, which are the highest-intent moment in the funnel.
Technical difficulty
Low-to-moderate: CT querying and cadence analysis are straightforward; the hard 20% is safely performing renewals across heterogeneous customer environments, which requires credentialed access (DNS delegation is the cleanest wedge: CNAME/NS delegation of _acme-challenge lets us renew forever without server access).
Legal / regulatory risk
Low. CT data is public by design. Outreach must respect CAN-SPAM/GDPR (EU registrants). Handling customer DNS credentials creates ordinary bailment/security liability β mitigated by the delegation model.
Platform dependency
Low: CT logs are mandated public infrastructure; ACME is an open standard with multiple CAs. No app store, no single-vendor API.
Founder fit
Moderate-good (6/10). It rhymes with his proven FMCSA shape β a public registry enumerates obligated parties and he builds the compliance layer β and plays to automation/systems strengths. But it is NOT a government filing mandate (the accumulated lesson about portal-mandate fit applies only by analogy), and done-for-you delivery requires earning access to strangers' infrastructure, which cuts against his demonstrated-value-not-relationship-sales preference.
Breakout potential
Moderate: the CT-fingerprint asset generalizes into an external-ops-hygiene product line (domain expiry, DNS misconfig, mail-auth lapses) sold to the same identified tail; could also white-label the prospect feed to MSPs, which may be the better business.
Final recommendation
CONDITIONAL GO on the falsification test only β do not build product. The input supplies zero demand evidence, so this is currently a well-formed hypothesis with an unusually cheap kill test: one day of crt.sh + hosting-fingerprint work and a 100-domain outreach probe settle it. Spend <$500 and one week; proceed to concierge MVP only if both falsifiers fail and β₯2/100 convert.
Next action
Run the crt.sh batch query today: pull domains with certs expiring in 7-21 days, classify issuance cadence for manual patterns (gaps β 60/90-day ACME rhythm, past overshoots), fingerprint hosting on a 500-domain sample to measure abandonment and bundled-auto-TLS coverage, and verify the Let's Encrypt email-sunset and lifetime-reduction claims against primary sources.