Convergence Radar Convergence Engine

← Feed

B

CIRCIA 72-Hour Report Copilot: reportability wizard, compliant report drafting, and supplemental-obligation tracking for small critical-infrastructure entities

67/100

A standby-subscription tool sold through MSPs that tells a small utility, hospital, or school district in minutes whether a cyber incident is CIRCIA-reportable, drafts the compliant 72-hour (or 24-hour ransom) report for the CISA portal, and tracks the ongoing supplemental-report obligation.

Worth deeper research β€” promising but has risk. Β· created 2026-07-11 09:02 UTC

public recordssaasaiagentapilong-termrevisit later

Scorecard

newness 7/10
convergence 8/10
demand evidence 7/10
existing spend 7/10
solo feasibility 7/10
speed to mvp 7/10
speed to revenue 5/10
distribution 6/10
competitive gap 5/10
expansion 8/10
founder fit 8/10

Opportunity brief

What changed
CIRCIA's cyber incident reporting rule is expected to be finalized this fall (FACT from cited headline: expected, not yet final). The underlying statute (CIRCIA of 2022) already compels covered entities across 16 critical-infrastructure sectors to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours, plus supplemental reports (FACT of statute; operative deadlines and covered-entity definition land with the final rule).
Why now
The final rule converts a dormant statutory obligation into an enforceable filing mandate with hard clocks. The proposed rule contemplated roughly 300,000+ covered entities (INFERENCE from rulemaking coverage), a large share of which β€” small/mid utilities, hospitals, school districts, local governments β€” have no compliance staff and no breach counsel on retainer. The window between final-rule publication and the compliance date is exactly when this class shops for a cheap answer, and before GRC incumbents saturate the niche.
Converging signals
Three signals meet at one point: (1) a rule reaching finalization (trigger), (2) a defined compelled filer class spanning 16 sectors including entities too small to have compliance staff, (3) a single federal intake point β€” the CISA incident reporting portal (INFERENCE; portal mechanics unconfirmed until the final rule). Per the system's own heuristic (confidence 0.79), this mandate-portal-filer shape is the founder's highest-fit pattern.
Customer pain
HYPOTHESIS grounded in the mandate structure: a 200-person water utility that gets hit at 2am must decide within 72 hours whether the incident is 'covered', assemble technically specific facts under stress, file in the correct format, and then remember to file supplemental reports as facts change β€” with penalties/subpoena exposure for failure. It has no CISO, no breach counsel, and its MSP is busy doing the actual incident response. No direct complaint evidence was provided; the pain is inferred from the obligation, which the scoring rules treat as legitimate for a forced-filer class.
Who pays
Two-tier: (a) MSPs/MSSPs serving small critical-infrastructure clients, who white-label the tool as a compliance add-on across dozens of clients (primary channel β€” one sale covers many covered entities); (b) covered entities directly (utilities, districts, county governments) buying a standby subscription like a cyber-insurance rider. The buyer is NOT a federal procurement office β€” no enterprise-procurement flag.
Solved today
Large entities: breach counsel + IR retainers (Mandiant, Kroll) + GRC platforms β€” expensive and already spoken for. Small entities: nothing, or a panicked call to their MSP/insurer during the incident. Incident-reporting-obligation platforms exist (e.g. BreachRx) but target enterprise privacy/legal teams, not $2k/yr MSP-channel small entities (competitive positioning is HYPOTHESIS β€” verify pricing).
Why current solutions are bad
Counsel-led reporting costs more per incident than a small entity's annual IT budget line and isn't staffed for 300,000 newly covered entities. GRC suites are priced and designed for organizations with compliance teams. The 72-hour clock punishes any solution that starts with 'schedule a call.' Nobody currently offers a sub-$200/mo 'break glass, answer the wizard, file on time' product for this class.
Proposed product
A web app with three functions: (1) REPORTABILITY WIZARD β€” structured intake maps the incident against the final rule's covered-entity and substantial-incident criteria and outputs a defensible reportable/not-reportable determination with the reasoning documented; (2) REPORT DRAFTER β€” generates the complete CISA-compliant 72-hour or 24-hour ransom report from the intake, formatted to the portal's fields, ready to paste or (if the portal permits) submit on the customer's behalf per the founder's proven ELDT pattern; (3) OBLIGATION TRACKER β€” deadline clocks, supplemental-report triggers when facts change, and an audit trail proving good-faith timely compliance. Standby subscription + per-filing fee.
MVP version
Skip portal automation initially (portal mechanics unknown until final rule β€” INFERENCE). MVP = reportability wizard built directly on the final rule text + report drafter producing a portal-ready document + deadline/supplemental tracker with email/SMS alerts. Claude-assisted build: 4–8 weeks. Add same-regime siblings (state PUC reporting, SEC 8-K materiality prompts, state breach-notification statutes) as data, not code.
30-day build
Day 0–30: build the wizard against the proposed rule's criteria now so the product exists the day the final rule drops (update deltas then). Recruit 5 design-partner MSPs that serve water/power co-ops, rural hospitals, or school districts β€” free pilot in exchange for distribution commitment. Publish a 'Is your organization a CIRCIA covered entity?' checker as the lead magnet.
60-day build
Day 30–60: final rule expected in this window per the headline β€” ship the rule-accurate version within 2 weeks of publication (speed is the whole wedge). Convert the covered-entity checker traffic. Sign 2–3 MSP reseller agreements at $500–1,500/mo per MSP for a client bundle. Run tabletop-exercise webinars with MSPs β€” the natural demo.
90-day revenue plan
Day 60–90: revenue comes from standby subscriptions sold on the compliance-date fear window, not from filings (incidents are episodic). Target: 5 MSP bundles ($500–1,500/mo each) + 20 direct standby seats ($99–199/mo) β‰ˆ $5–12k MRR. Per-filing fees ($250–500) are upside, not the base. If the final rule slips past fall, revenue slips with it β€” this is the honest timing risk.
Distribution path
MSP/MSSP channel first (they own the trust relationship and aggregate small entities), then sector associations (rural water associations, hospital associations, state school-board associations) which exist precisely to push compliance tools to members, then the SEO covered-entity checker. No ad spend required. Founder's fire-service background is real credibility with utility/municipal buyers.
Pricing hypothesis
Standby: $99–199/mo direct, $500–1,500/mo MSP bundle (10–25 clients). Per-filing: $250–500 including supplemental-report management. Anchor against the alternative: breach counsel at $600+/hr or a missed federal deadline.
Technical difficulty
Low-moderate for the MVP (wizard + document generation + scheduler β€” squarely in founder's proven stack). Portal submission automation is unknown until CISA publishes the portal spec; treat as phase 2. The hard part is regulatory fidelity of the wizard logic, which is careful reading, not hard engineering.
Legal / regulatory risk
Real and must be scoped: the reportability determination borders on legal advice. Mitigate the ELDT way β€” position as a drafting/workflow tool executing the customer's determination, with plain 'not legal advice' framing and an optional counsel-review marketplace. Incident data is sensitive; needs solid security posture (SOC 2 eventually) but founder does not need a license to operate β€” no heavy_compliance flag per scoring rules.
Platform dependency
Dependency is on a government intake system with no deplatforming owner β€” per scoring rules, no platform_policy_risk. Risk is spec churn: portal/form changes are maintenance, and actually a moat versus set-and-forget competitors.
Founder fit
This is structurally the ELDT play repeated: read a federal mandate, identify the compelled filer class, build the intake-to-submission layer, charge per transaction/seat. System lesson (confidence 0.79) says this shape scores highest for him. Two honest gaps: cyber is a new domain (mitigated β€” the product is paperwork logic, not threat detection) and the buyer is reached via channel sales to MSPs rather than direct demonstrated value, which is adjacent to but not identical to his ELDT motion.
Breakout potential
High. The same intake feeds every overlapping regime: state breach-notification statutes (50 near-identical markets, matching the state-replication thesis), sector regulators (NERC, TSA directives), SEC 8-K, HIPAA breach reports. The end-state product is 'one incident intake β†’ every mandatory report, drafted and tracked' β€” a multi-regime reporting hub that starts from the CIRCIA wedge.
Final recommendation
CONDITIONAL BUILD β€” start now, lean. The shape is the founder's proven highest-fit pattern with a ~300k compelled-filer class and a statutory clock, and the MVP is cheap relative to his runway. But stage the investment: build the wizard/drafter/tracker and MSP pipeline pre-final-rule, and gate the full push (portal automation, SOC 2, association deals) on the final rule actually publishing with a firm compliance date. Sell standby readiness in the fear window; treat per-filing revenue as upside.
Next action
Pull the CIRCIA proposed rule (NPRM) from the Federal Register and extract the covered-entity criteria and 'substantial cyber incident' definition into the wizard's decision tree this week; simultaneously line up 5 MSPs serving water utilities/rural hospitals/school districts for design-partner calls to validate the $500–1,500/mo bundle price.

Kill arguments (adversarial)

Competitors

β€’ BreachRx (link) β€” Incident-response/reporting-obligation platform β€” closest product shape, but enterprise privacy/legal positioning, not small-entity MSP channel (positioning claim is HYPOTHESIS from general knowledge, not from provided sources).
β€’ GRC platforms (Vanta, Drata, Hyperproof) (link) β€” Will likely add CIRCIA modules post-final-rule and distribute to existing compliance-team customers; historically ignore no-compliance-staff small entities (HYPOTHESIS).
β€’ IR retainers / breach counsel (Kroll, Mandiant, cyber-insurance panels) (link) β€” The incumbent 'solution' for reportable incidents at larger entities; their hourly cost is the pricing anchor the product undercuts, and they are proof spend exists for the adjacent problem (spend is FACT of market structure; applicability to small entities is INFERENCE).

Source citations (facts)

β€’ CIRCIA, other big cyber rules expected to get finalized this fall - Federal News Network β€” CIRCIA cyber incident reporting rule is expected to be finalized this fall (FORCED BUYER trigger; rule expected, not yet final β€” the sole demand-evidence item provided; 300k covered-entity figure, 72h/24h deadlines, and portal identity are statute/rulemaking inferences not contained in this headline).

Actions