What changed
FACT (Federal Register, 2026-07-06): a new rule extends counter-UAS detection/mitigation authority β previously federal-only β to state, local, tribal, and territorial law enforcement and correctional agencies under a certification framework. FACT (Hackster): QuadRF demonstrates open-source RF visualization on ~$100 commodity hardware. HYPOTHESIS: that the certification framework imposes a documentable paperwork/reporting burden β the rule text provided confirms certification exists but not its mechanics.
Why now
The rule published this week (2026-07-06). Agencies will pursue certification over the next budget cycle, and no vendor yet owns the small-agency segment. However, 'next budget cycle' for government buyers means FY2027 money in most jurisdictions β the window is real but it is NOT a 30-90-day window.
Converging signals
(1) Legal authority + certification duty extended to thousands of SLTT agencies (regulation signal 424). (2) RF spectrum sensing cost collapse to ~$100 commodity hardware (industrial signal 504). Together: small agencies can now legally and affordably detect drones, but lack turnkey certification-tracking and incident-documentation software. Caveat: QuadRF is a Wi-Fi/RF AR visualization demo, not a validated drone-detection system β treating it as a detection product is a HYPOTHESIS with real engineering distance.
Customer pain
HYPOTHESIS: small departments and county jails that want C-UAS capability must (a) get certified, (b) document detection events and mitigation actions, and (c) do it without defense-contractor budgets. Pain is plausible but NOT yet evidenced β no complaints, forum posts, or procurement requests were provided showing agencies asking for this. The rule is 4 days old; demand evidence does not exist yet by definition.
Who pays
Small/rural police departments, sheriffs' offices, and correctional facilities, typically via grant money (per convergence input, they buy public-safety SaaS at $5-50k/yr). Government micro-purchase thresholds (~$10k) allow P-card buys without formal procurement β that is the only realistic solo-founder path in. HYPOTHESIS: a $99-299/mo tool could clear that threshold friction.
Solved today
Defense-contractor C-UAS platforms (Dedrone β now owned by Axon, DroneShield, AeroDefense) bundle detection hardware with reporting software at six-figure price points aimed at airports, stadiums, and federal customers. Certification/compliance tracking for this brand-new rule is solved by nobody yet β agencies would use spreadsheets and Word docs.
Why current solutions are bad
Contractor systems are priced 10-100x above small-agency budgets and their sales motion ignores 15-officer departments and 80-bed county jails. Spreadsheets don't produce audit-ready certification records or standardized incident reports. But note: 'bad' is prospective β agencies aren't yet failing audits under a framework that started this week.
Proposed product
A compliance-workflow SaaS (NOT hardware, NOT mitigation): certification-application tracker with document checklists, officer training/credential records, drone-detection incident logging with standardized report generation, and audit-export. Optionally publishes a hardware-agnostic 'log an event' API so cheap RF sensors (commodity SDR/QuadRF-class gear the agency sources itself) can post detections. Deliberately stay OUT of the mitigation/jamming layer β that is where legal exposure lives.
MVP version
A single-tenant web app: certification checklist engine seeded from the actual rule text, personnel/training record vault, incident report form producing a clean PDF matching whatever reporting format the certifying agency specifies, and an evidence-attachment store. Buildable solo in 2-3 weeks with FastAPI/Postgres β the same stack Charles already runs. Blocker: the MVP's core artifact (the required report format) cannot be finalized until the certification mechanics publish.
30-day build
Read the full rule + any implementing guidance; extract every 'shall document/report/certify' clause. Build the checklist/incident-log MVP against those clauses. Identify the 3-5 state POST councils or sheriff associations discussing certification. Land 5 phone conversations with small-agency chiefs/jail administrators (fire-service background is the credibility wedge here) to validate whether they intend to seek certification at all.
60-day build
Pilot free with 2-3 agencies from those conversations in exchange for feedback and a referenceable name. Publish a plain-English 'C-UAS certification guide for small agencies' as the SEO/lead asset β first-mover content on a 4-day-old rule can own the search results. Refine report formats against whatever the certifying federal agency actually requires.
90-day revenue plan
HYPOTHESIS, low confidence: convert pilots to $149-299/mo (under micro-purchase thresholds) and sell the certification guide + templates as a $199-499 one-time digital product to agencies that won't buy SaaS yet. Realistic 90-day ceiling: $1-3k MRR equivalent plus template sales. Government fiscal calendars make even this optimistic β most agencies will 'wait for guidance.' First meaningful revenue more plausibly lands in the FY2027 budget window (Oct 2026+).
Distribution path
Direct outreach to sheriffs/jail administrators (small, flat orgs β the chief IS the buyer), state sheriff/POST association newsletters, SEO on 'C-UAS certification' terms while competition is zero, and the digital-guide funnel. No enterprise sales motion, but this IS government sales β slower and referral-driven even at small scale.
Technical difficulty
Low-moderate for the compliance SaaS (forms, records, PDFs β squarely in Charles's stack). High and out-of-scope if detection hardware is bundled: turning QuadRF-class Wi-Fi visualization into reliable drone detection (many drones don't use Wi-Fi bands; Remote ID is a different protocol) is a real R&D project and should be explicitly excluded.
Legal / regulatory risk
Moderate even for software-only: incident records for law enforcement raise data-handling expectations (CJIS-adjacent scrutiny is a HYPOTHESIS risk that could stall deals). Severe if anything touches mitigation β jamming/takeover intersects FCC and federal criminal statutes; the rule authorizes agencies, not their vendors. Also, certification mechanics could route through mandated federal systems that leave no room for third-party tooling.
Platform dependency
Low software platform risk. High REGULATORY dependency: the entire product tracks a certification framework whose paperwork burden is unconfirmed. If the feds ship their own free portal (as FMCSA did with TPR β which is exactly what created the ELDT opportunity, note), the opportunity mutates; if they require nothing burdensome, it evaporates.
Founder fit
Mixed, honestly assessed. Pattern match to the ELDT edge is PARTIAL: yes, a regulation creates a certification/reporting duty and a solo builder can own the paperwork layer β that's his proven shape. But it diverges on the two things that made ELDT fast: (1) ELDT's compelled filers were PRIVATE businesses paying per-upload with a credit card; here the compelled party is a GOVERNMENT agency with fiscal-year budgets. (2) ELDT had a live federal portal to automate against; here the filing mechanics don't exist yet. Fire-service background gives genuine public-safety credibility for outreach. Net: strong domain fit, weak speed fit.
Breakout potential
If certification does carry recurring reporting duties, the wedge expands to the full small-agency drone-program stack (their own drone fleets also have FAA/COA paperwork β a larger, already-live compliance market). An Axon/Flock-style acquirer exists. But breakout requires surviving a 6-12 month revenue desert first.
Final recommendation
Do not build the SaaS yet. This is a genuine, well-spotted convergence with a fatal timing mismatch: the demand is real-ish but arrives on government fiscal calendars, and the core requirement (reporting mechanics) is still inference. Recommended play: spend β€3 days now producing the definitive plain-English certification guide + document templates as a $199-499 digital product and lead-capture asset β that monetizes first-mover knowledge in 30 days without betting on procurement β and set a tripwire to re-evaluate the full SaaS the moment the certification mechanics publish. Revisit in 60-90 days.
Next action
Pull the full rule text from federalregister.gov today, extract every certification/reporting obligation verbatim, and confirm or kill the core hypothesis (is there a real, recurring paperwork burden, and is there room for third-party tooling?). Everything else depends on that answer.