What changed
CIRCIA's cyber incident reporting rule is expected to be finalized this fall (FACT from cited headline: expected, not yet final). The underlying statute (CIRCIA of 2022) already compels covered entities across 16 critical-infrastructure sectors to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours, plus supplemental reports (FACT of statute; operative deadlines and covered-entity definition land with the final rule).
Why now
The final rule converts a dormant statutory obligation into an enforceable filing mandate with hard clocks. The proposed rule contemplated roughly 300,000+ covered entities (INFERENCE from rulemaking coverage), a large share of which β small/mid utilities, hospitals, school districts, local governments β have no compliance staff and no breach counsel on retainer. The window between final-rule publication and the compliance date is exactly when this class shops for a cheap answer, and before GRC incumbents saturate the niche.
Converging signals
Three signals meet at one point: (1) a rule reaching finalization (trigger), (2) a defined compelled filer class spanning 16 sectors including entities too small to have compliance staff, (3) a single federal intake point β the CISA incident reporting portal (INFERENCE; portal mechanics unconfirmed until the final rule). Per the system's own heuristic (confidence 0.79), this mandate-portal-filer shape is the founder's highest-fit pattern.
Customer pain
HYPOTHESIS grounded in the mandate structure: a 200-person water utility that gets hit at 2am must decide within 72 hours whether the incident is 'covered', assemble technically specific facts under stress, file in the correct format, and then remember to file supplemental reports as facts change β with penalties/subpoena exposure for failure. It has no CISO, no breach counsel, and its MSP is busy doing the actual incident response. No direct complaint evidence was provided; the pain is inferred from the obligation, which the scoring rules treat as legitimate for a forced-filer class.
Who pays
Two-tier: (a) MSPs/MSSPs serving small critical-infrastructure clients, who white-label the tool as a compliance add-on across dozens of clients (primary channel β one sale covers many covered entities); (b) covered entities directly (utilities, districts, county governments) buying a standby subscription like a cyber-insurance rider. The buyer is NOT a federal procurement office β no enterprise-procurement flag.
Solved today
Large entities: breach counsel + IR retainers (Mandiant, Kroll) + GRC platforms β expensive and already spoken for. Small entities: nothing, or a panicked call to their MSP/insurer during the incident. Incident-reporting-obligation platforms exist (e.g. BreachRx) but target enterprise privacy/legal teams, not $2k/yr MSP-channel small entities (competitive positioning is HYPOTHESIS β verify pricing).
Why current solutions are bad
Counsel-led reporting costs more per incident than a small entity's annual IT budget line and isn't staffed for 300,000 newly covered entities. GRC suites are priced and designed for organizations with compliance teams. The 72-hour clock punishes any solution that starts with 'schedule a call.' Nobody currently offers a sub-$200/mo 'break glass, answer the wizard, file on time' product for this class.
Proposed product
A web app with three functions: (1) REPORTABILITY WIZARD β structured intake maps the incident against the final rule's covered-entity and substantial-incident criteria and outputs a defensible reportable/not-reportable determination with the reasoning documented; (2) REPORT DRAFTER β generates the complete CISA-compliant 72-hour or 24-hour ransom report from the intake, formatted to the portal's fields, ready to paste or (if the portal permits) submit on the customer's behalf per the founder's proven ELDT pattern; (3) OBLIGATION TRACKER β deadline clocks, supplemental-report triggers when facts change, and an audit trail proving good-faith timely compliance. Standby subscription + per-filing fee.
MVP version
Skip portal automation initially (portal mechanics unknown until final rule β INFERENCE). MVP = reportability wizard built directly on the final rule text + report drafter producing a portal-ready document + deadline/supplemental tracker with email/SMS alerts. Claude-assisted build: 4β8 weeks. Add same-regime siblings (state PUC reporting, SEC 8-K materiality prompts, state breach-notification statutes) as data, not code.
30-day build
Day 0β30: build the wizard against the proposed rule's criteria now so the product exists the day the final rule drops (update deltas then). Recruit 5 design-partner MSPs that serve water/power co-ops, rural hospitals, or school districts β free pilot in exchange for distribution commitment. Publish a 'Is your organization a CIRCIA covered entity?' checker as the lead magnet.
60-day build
Day 30β60: final rule expected in this window per the headline β ship the rule-accurate version within 2 weeks of publication (speed is the whole wedge). Convert the covered-entity checker traffic. Sign 2β3 MSP reseller agreements at $500β1,500/mo per MSP for a client bundle. Run tabletop-exercise webinars with MSPs β the natural demo.
90-day revenue plan
Day 60β90: revenue comes from standby subscriptions sold on the compliance-date fear window, not from filings (incidents are episodic). Target: 5 MSP bundles ($500β1,500/mo each) + 20 direct standby seats ($99β199/mo) β $5β12k MRR. Per-filing fees ($250β500) are upside, not the base. If the final rule slips past fall, revenue slips with it β this is the honest timing risk.
Distribution path
MSP/MSSP channel first (they own the trust relationship and aggregate small entities), then sector associations (rural water associations, hospital associations, state school-board associations) which exist precisely to push compliance tools to members, then the SEO covered-entity checker. No ad spend required. Founder's fire-service background is real credibility with utility/municipal buyers.
Pricing hypothesis
Standby: $99β199/mo direct, $500β1,500/mo MSP bundle (10β25 clients). Per-filing: $250β500 including supplemental-report management. Anchor against the alternative: breach counsel at $600+/hr or a missed federal deadline.
Technical difficulty
Low-moderate for the MVP (wizard + document generation + scheduler β squarely in founder's proven stack). Portal submission automation is unknown until CISA publishes the portal spec; treat as phase 2. The hard part is regulatory fidelity of the wizard logic, which is careful reading, not hard engineering.
Legal / regulatory risk
Real and must be scoped: the reportability determination borders on legal advice. Mitigate the ELDT way β position as a drafting/workflow tool executing the customer's determination, with plain 'not legal advice' framing and an optional counsel-review marketplace. Incident data is sensitive; needs solid security posture (SOC 2 eventually) but founder does not need a license to operate β no heavy_compliance flag per scoring rules.
Platform dependency
Dependency is on a government intake system with no deplatforming owner β per scoring rules, no platform_policy_risk. Risk is spec churn: portal/form changes are maintenance, and actually a moat versus set-and-forget competitors.
Founder fit
This is structurally the ELDT play repeated: read a federal mandate, identify the compelled filer class, build the intake-to-submission layer, charge per transaction/seat. System lesson (confidence 0.79) says this shape scores highest for him. Two honest gaps: cyber is a new domain (mitigated β the product is paperwork logic, not threat detection) and the buyer is reached via channel sales to MSPs rather than direct demonstrated value, which is adjacent to but not identical to his ELDT motion.
Breakout potential
High. The same intake feeds every overlapping regime: state breach-notification statutes (50 near-identical markets, matching the state-replication thesis), sector regulators (NERC, TSA directives), SEC 8-K, HIPAA breach reports. The end-state product is 'one incident intake β every mandatory report, drafted and tracked' β a multi-regime reporting hub that starts from the CIRCIA wedge.
Final recommendation
CONDITIONAL BUILD β start now, lean. The shape is the founder's proven highest-fit pattern with a ~300k compelled-filer class and a statutory clock, and the MVP is cheap relative to his runway. But stage the investment: build the wizard/drafter/tracker and MSP pipeline pre-final-rule, and gate the full push (portal automation, SOC 2, association deals) on the final rule actually publishing with a firm compliance date. Sell standby readiness in the fear window; treat per-filing revenue as upside.
Next action
Pull the CIRCIA proposed rule (NPRM) from the Federal Register and extract the covered-entity criteria and 'substantial cyber incident' definition into the wizard's decision tree this week; simultaneously line up 5 MSPs serving water utilities/rural hospitals/school districts for design-partner calls to validate the $500β1,500/mo bundle price.