JFrog Curation costs $300K/year and JFrog Xray didn't block the recent axios exploit in time. Teams need real-time blocking of malicious upstream packages across all ecosystems but existing solutions are either too expensive or too slow.
A proxy/registry mirror that sits between developers and public registries (npm, PyPI, Maven, etc.), enforcing configurable policies like package age minimums, malicious package detection, and behavioral analysis — at a fraction of JFrog Curation's cost. Integrates with existing artifact registries like Artifactory or Nexus as a lightweight policy layer.
Subscription, tiered by number of developers or package downloads per month, starting at $500/mo for small teams and rising to $5K/mo for enterprise.
The Reddit thread is a near-perfect pain signal. Real buyer got a $300K quote and is actively shopping alternatives. The axios exploit failure shows existing tools aren't meeting SLAs. Regulatory pressure (SBOM mandates, EU CRA) makes this a must-have, not nice-to-have. Pain is acute, urgent, and budget-backed.
Software supply chain security TAM is $2-3B today, growing to $5-7B by 2028. The specific niche of 'inline blocking proxy' for mid-market (100-2000 engineers) is a subset but still substantial — estimated 15,000-25,000 target companies globally. At $500-$5K/month, even capturing 500 customers yields $3-30M ARR.
The pain signal literally includes a buyer who was quoted $300K and is looking for alternatives — they HAVE budget, they just want a better price point. Security spend is non-discretionary in regulated industries. $500-$5K/month is a sweet spot — expensive enough to signal seriousness, cheap enough to be 10-50x less than JFrog Curation. This is a budget line item that already exists in target companies.
This is the hard part. Building a registry proxy that handles npm, PyPI, AND Maven with zero downtime is non-trivial — it's in the critical path of every build. Behavioral analysis of packages requires significant ML/security research investment. Handling the throughput and reliability requirements of being a registry proxy at enterprise scale is a serious infrastructure challenge. A solo dev could build an MVP for ONE ecosystem (e.g., npm only) in 8 weeks with basic policy rules (age, known-malicious blocklists), but multi-ecosystem + behavioral analysis is a 6-12 month effort with a team.
Clear gap exists: JFrog Curation does inline blocking but costs $300K. Socket does behavioral analysis but doesn't block inline. Sonatype is Nexus-only. Snyk doesn't block at all. Nobody offers an affordable, registry-agnostic inline blocking proxy with behavioral analysis. The gap is real — but it exists partly because it's genuinely hard to build.
Textbook SaaS subscription. Security is always-on, threats are continuous, and the proxy must run 24/7. Once integrated into build pipelines, switching costs are extremely high (touching every developer's workflow). Net revenue retention should be strong as companies grow headcount. Usage-based pricing (package downloads) naturally expands with customer growth.
- +Validated pain with real buyer quotes and active market demand — not speculative
- +Clear pricing gap between $0 (free scanners) and $300K (JFrog Curation) that nobody owns
- +Regulatory tailwinds (SBOM mandates, EU CRA) creating forced buying urgency
- +Extremely high switching costs once embedded in build pipeline — strong moat
- +Usage-based pricing naturally expands with customer growth (land and expand)
- !Being in the critical build path means any downtime = all developers blocked. Reliability bar is 99.99%+ from day one — this is existentially difficult for a startup
- !JFrog or Sonatype could release a cheaper standalone product and crush you with existing distribution
- !Behavioral analysis R&D is expensive and requires ongoing security research investment — this isn't just a CRUD app
- !Multi-ecosystem support (npm + PyPI + Maven + Go + Docker) is a massive surface area; doing one well is hard, doing all is a multi-year effort
- !Enterprise sales cycles in security are 3-6 months with procurement, legal, and security reviews — slow path to revenue
Integrated supply chain security layer within JFrog Platform that blocks malicious/risky OSS packages before they enter Artifactory. Covers npm, PyPI, Maven, Docker, and more. Uses JFrog's proprietary threat intelligence plus CVE data.
Analyzes package behavior
Policy engine that sits in front of Nexus Repository to automatically block components that violate security, license, or quality policies. Uses Sonatype's proprietary vulnerability database
Automated software supply chain risk analysis platform. Analyzes packages across 5 risk domains: vulnerabilities, malware, engineering risk, author risk, and license risk. Offers CI/CD integration and a CLI tool.
SCA tool that scans dependencies for known vulnerabilities and license issues. Integrates with IDEs, CI/CD, and SCM. Large vulnerability database with Snyk Intel.
npm-only transparent proxy (runs as a Docker container or hosted service) that sits between developers and registry.npmjs.org. Three policy rules for MVP: (1) block packages less than 72 hours old, (2) block known-malicious packages via OpenSSF/OSV feed, (3) block packages with install scripts from unknown publishers. Simple web dashboard for policy config and audit log. Deploy as a single binary/container that teams point their .npmrc at. Skip behavioral analysis for MVP — use curated blocklists and simple heuristics. Add PyPI as second ecosystem within 4 weeks of launch.
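The three MVP rules above as one policy check, written here as an added example (not code from the original post or from any vendor named on this page). It assumes the proxy has already fetched the package's npm registry metadata document (the "packument", whose `time`, `versions`, `scripts` and `_npmUser` fields are used below), that the blocklist was pre-built from the OSV/OpenSSF feed as (name, version) pairs, and that the set of trusted publishers is a constructed allowlist; the sample packument is constructed, not real data.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=72)                       # rule 1: minimum package age
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # rule 3: scripts that run on install


def evaluate(packument, version, *, blocklist, trusted_publishers, now):
    """Return (allowed, reason) for one requested version of one npm package.

    packument: npm registry metadata document for the package (assumed shape).
    blocklist: set of (name, version) pairs built from an OSV/OpenSSF feed (assumed).
    trusted_publishers: npm usernames allowed to ship install scripts (constructed allowlist).
    """
    name = packument["name"]
    # Rule 1: too new. Published timestamps in the registry use a trailing "Z".
    published = datetime.fromisoformat(packument["time"][version].replace("Z", "+00:00"))
    age = now - published
    if age < MIN_AGE:
        return False, f"published {age} ago; minimum age is 72h"
    # Rule 2: known-malicious per the feed-derived blocklist.
    if (name, version) in blocklist:
        return False, "listed as malicious in OSV/OpenSSF feed"
    # Rule 3: install-time scripts from a publisher we do not trust.
    manifest = packument["versions"][version]
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    publisher = manifest.get("_npmUser", {}).get("name")
    if hooks and publisher not in trusted_publishers:
        return False, f"install scripts {hooks} from unknown publisher {publisher!r}"
    return True, "allowed"


# Constructed sample: a fixed "now" and a packument with three versions.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "name": "example-pkg",
    "time": {
        "1.0.0": "2024-05-01T12:00:00.000Z",   # a month old, no scripts
        "1.0.1": "2024-06-01T10:00:00.000Z",   # two hours old
        "1.0.2": "2024-05-20T12:00:00.000Z",   # old enough, but has a postinstall hook
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "maintainer"}},
        "1.0.1": {"_npmUser": {"name": "maintainer"}},
        "1.0.2": {"_npmUser": {"name": "newcomer"},
                  "scripts": {"postinstall": "node setup.js"}},
    },
}
```

A proxy would call `evaluate` on every tarball request and return 403 with the reason (and log it to the audit trail) when `allowed` is false.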
- Free tier: up to 5 developers, npm only, community blocklists
- Team ($500/mo): up to 50 devs, npm+PyPI, custom policies, audit logs, Slack alerts
- Business ($2K/mo): up to 200 devs, all ecosystems, Artifactory/Nexus integration, SSO, SLA
- Enterprise ($5K+/mo): unlimited, behavioral analysis, dedicated support, on-prem option, compliance reports
8-12 weeks to MVP and first design partner. 4-6 months to first paying customer (security tools require trust-building). 6-9 months to $10K MRR if execution is strong and you land 3-5 mid-market teams. Enterprise deals ($5K/mo+) will take 6-9 months from first contact due to procurement cycles.
- “I just got a quote from jfrog a few weeks ago. $300K a year... it's insanely expensive”
- “it didn't block the recent axios exploit in time”
- “I couldn't really see a winner that spans across all package types”
- “still looking for other options”