Startups For the Rest of Us
Episode 735 | The 8 Levels of SaaS Platform Risk (A Rob Solo Adventure)
Tue, 15 Oct 2024
In episode 735, join Rob Walling for a solo adventure where he categorizes the different levels of SaaS platform risk. He introduces a framework with three key factors: Replacement, Customer Concentration, and Lead Flow. Rob then defines eight levels of risk according to these factors and other vulnerabilities such as relying on open source – a hot topic with recent news about WordPress, WP Engine, and Automattic. Episode Sponsor: Hiring senior developers can really move the needle in your business, but if you bring on the wrong person, you can quickly burn through your runway. If you need help finding a vetted, senior, results-oriented developer, you should reach out to today’s sponsor, Lemon.io. For years, they’ve been helping our audience find high quality, global talent at competitive rates, and they can help you too. Longtime listener Chaz Yoon, hired a senior developer from Lemon.io and said his hire ”definitely knew his stuff, provided appropriate feedback and pushback, and had great communication, including very fluent English. He really exceeded my expectations.” Chaz said he’d definitely use Lemon.io again when he’s looking for a senior level engineer. To learn more and get a 15% discount on your first four weeks of working with a developer at lemon.io/startups. Topics we cover: 2:32 – Are replacements available for this platform? 4:56 – How concentrated are your customers on this platform? 5:31 – What is your lead or customer flow? 8:54 – Level 1: almost no platform risk 10:04 – Level 2: reliant on a commoditized platform 11:49 – Level 3: using large cloud providers like AWS 15:33 – Level 4: deeply tied to open source software like WordPress 18:11 – Level 5: high switching costs, but replacements exist like in no-code 20:00 – Level 6: 100% lead flow risk 21:44 – Level 7: a friendly app ecosystem 23:24 – Level 8: aggressive platforms, few replacements, customer concentration Links from the Show: Get Tickets for MicroConf US 2025, New Orleans TinySeed Rob Walling (@robwalling) | X Ask a Question on SFTROU How to find and validate business ideas from 75+ SaaS Marketplaces If you have questions about starting or scaling a software business that you’d like for us to cover, please submit your question for an upcoming episode. We’d love to hear from you! Subscribe & Review: iTunes | Spotify
Welcome back to another episode of Startups for the Rest of Us. I am your host, Rob Walling. In this episode, I'm going to talk about the eight levels of platform risk, as well as the three factors that contribute to platform risk. And I'm not just going to talk about the traditional, I have a Shopify app, or heaven forbid, you're WordPress web host this week.
But I'm going to look at platform risk from a sense of any type of reliance on an external platform. So if you use SendGrid to send email, how does that factor in? If you use AWS for your hosting or you use an open source package like WordPress. And honestly, this is a framework I came up with a few months ago and I jotted it down in a Trello board I keep for podcast episode topics.
And I was just going to pull it out at some point, probably put it in a book, I'm sure talk about it on the podcast. And then the WordPress WP Engine kerfuffle flared up. By now that's, you know, a couple weeks old. But it did remind me that I had this and had never really done a full refinement on it.
And so this podcast episode is a way for me to kind of bring that out and talk through my thoughts of platform risk as I see it. Especially it's... Probably any startup, but realistically, there's a little bit of a B2B SaaS bent to it, right? Because that's the 191 investments I've made. And so I've seen different forms of platform risk blindside companies in different ways.
And that is the basis for today's episode. Before I dive into that, tickets for MicroConf New Orleans. And of course, I will be there in New Orleans. And if you want to get together with about 250 speakers, of your favorite bootstrapped founder friends, head to microconf.com slash US. The tickets right now are the least expensive they will ever be.
And they will go up in price, I don't know, in a few weeks or a month or whatever. In addition, we are going to sell out. We sold out our Europe event. I believe we sold out Atlanta last April. So if you want to get a ticket, there is no reason to wait. microconf.com slash US. Let's dive in to platform risk. So I'm going to start with these three factors that contribute or define platform risk.
And each of these you might think of on a scale, you know, whether it's one to 10 or one to 100. there can be a small amount of risk for a specific factor or a large amount. So the first one I think of is a replacement.
So if you are on a platform, whether that is using SendGrid to send email, whether it is hosting on AWS, whether you built a no-code app in Airtable or Bubble, whether you are a Heroku app or Shopify app, is a replacement available for this platform? And how hard is it to switch? And is the pricing approximately the same? So there are more questions than that, but those are kind of the high level.
So it's replacement. So we might think of, well, what is an easy replacement where it's available, it's not that hard to switch, and it's a commodity, so the pricing is the same? Well, that is something like, I would say, SendGrid, Postmark, Mandrel, Mailgun. The switching cost is real. It is a thing. But it's connecting to a new API. And it depends on how deeply you're integrated, obviously.
But that switching cost is not catastrophic. And pricing in that space of sending email or even SMS, you know, I think of Twilio and, you know, the kajillion SMS APIs out there. There are a lot of replacements available. So that's going to be a much easier spot. But what if you are built on Shopify's API and you are in the Shopify app store? Is a replacement available?
How hard is it to switch and is it priced the same? Well, the pricing doesn't necessarily make sense in that context, but is a replacement available? How hard is it to switch? It's kind of like, no, there really isn't a replacement. And switching is basically impossible, right?
Because if you were just a Shopify app and you're like, well, they kicked me out of the app store or they took my API access away. It's like, well, we can go build a BigCommerce, a Magento, a WooCommerce version, right? But it's not the same. It's not a replacement. And that's not really switching costs. That's just building, spinning up a whole new product, right?
So the hard to switch is just astronomical. So when we think about replacement from one to 10 or one to 100, that takes you from easy to hard, at least in my mind. So the first factor was replacement. Second one is customer concentration. And The question here is, are the majority of your customers on this platform?
Meaning that if you were kicked out or the API access were shut off or somehow the platform suddenly said, you know, you're on Twitter's API and they say, we need you to pay us $12,000 a month now to maintain it, are 80%, 90%, even 70, 60% of your customers on this platform in a way that essentially will decimate a huge amount of your revenue?
Now, what's interesting is this is separate from the third factor, which is I'm saying lead flow or customer flow. That's on an ongoing basis receiving new customers, say, from an app store listing or a marketplace listing. And that's different. It's related, but it's different than customer concentration. Because in theory, I could go build a Twitter client.
I could be getting zero lead flow from Twitter, but 100% of my customers could be concentrated on Twitter. or on Facebook's API. You know, again, if I'm an app that, like Postpone, for example, that helps you post to Reddit, Instagram, Facebook, Twitter, and all those, Grant, he's a TinySeed founder, started Postpone, and it was just for Reddit.
And so when we funded him, we said, your customer concentration is basically 100% Reddit. We think you should diversify into other platforms, and he was already on board with that. So now he has a little more diversity, you know, across the different platforms. Now, Great example with Postpone. Does Postpone receive any lead flow from being in a Reddit app marketplace? No.
So you can have concentration and you can have the risk of that concentration without the lead flow and you can have the lead flow. I guess in theory you could have, let's say I was on four platforms. I was like Shopify, BigCommerce, WooCommerce, and Magento. And I had, you know, 90% of my customers on Shopify and, you know, only 10% across the other three.
But let's say the other three were sending me a lot of leads because I just branched into them. And usually this is not the case. Usually actually branching into other platforms is a lot harder than you think. We've seen tiny, I've seen tiny seed companies and non-tiny seed companies try to do it. And It can work, but in the majority of cases I've seen, it hasn't worked.
So the example there, though, was to say you could have lead flow in those three smaller non-Shopify apps, but not very much customer concentration because you're kind of still early, right? So these three of is there a replacement, customer concentration, and lead flow are the three factors that I think of when I try to rank order these levels of platform risk.
Okay, so now that I've defined these three factors, the contributing factors of platform risk, I want to walk through the eight levels of platform risk. And I will talk through the contributing factors and how they relate to each of them. Interesting data point, as of a week or two ago, I had seven levels of platform risk.
And the WordPress WP Engine kerfuffle basically begged the question of, let's say you are built on WordPress, what's the platform risk of that? And there's different things. WP Engine uses WordPress, and they're a web host. But what if you had a B2B SaaS company that was built on WordPress as the core? So it was kind of a no-code thing hacked together with plugins.
It's a related but a different question. And so I added that as another layer. The answer, of course, is always yes. Well, it depends on a lot on the specifics of how you rank these. All of these are valid levels. It's just, you know, comparing being built on WordPress versus being hosted on AWS.
I have ordered those in a certain way and I think in different situations they could be swapped a little bit. But to me, this list is directionally correct and it takes those three factors and applies it to a bunch of different scenarios that I'll give examples of.
So moving from least amount of platform risk, what I consider the least amount up to the most amount of platform risk, basically, you have the most exposure and the most risk of your business being killed. And so I'm going to go one through eight, again, where one is the lowest eight is the highest, the most dangerous. Level one is almost no platform risk.
It is where you own your own server in a cage with redundant power. You run your own SMTP servers to send emails. The platform risk here is any development language you use, right? Plus your internet service. I mean, basically you are not reliant on a host. You're not reliant on anything to send email. You're not built in no code. I guess you're, oh, and you're risking
is where are you getting leads from? Do you have customer concentration in where you're getting leads from? In this case, I'm assuming there's just almost none, right? You have this great variety of leads coming from all over the place and there's no customer concentration in terms of them being reliant on an external API.
So this one's, it's so unrealistic, I just kind of want to skip by it because none of us are going to do that, right? The second level of platform risk, I think of it as you being reliant on a platform that is a relative commodity and it's easy to switch away from. Again, relatively easy. I know we could make an argument. I'm going to say SendGrid and Twilio, an SMS provider, email provider.
Those are commoditized assets. And they are relatively easy to switch. There's no lead flow. There's no customer concentration, right? It truly is just a replacement decision. And one might say, well, SendGrid integration will take you months to migrate away from. Usually that's not the case. Usually it's a couple weeks.
I believe we did this with Drip because we went from, we had three or four different email providers that we were using that were APIs that sent emails. And it would take us a matter of weeks to switch and we were sending hundreds of millions of emails a month. So Again, this is why it's probably the most realistic one that a lot of us are exposed to. And this is where it always bothers me.
I'll be on X Twitter and someone will say, oh man, you build on Airtable or Bubble and there's platform risk. And some smart aleck comes in and says, oh yeah, well, you host on AWS and that's a platform. And you send emails through SendGrid and so that's also a platform and you have risk too. And it's like, but they're not the same. And that's the point of this list.
is to have them in order of increasing risk or exposure. And I think being reliant on a commodity, whether it's hosting or whether it is, you know, an API of some sort, I think at the same level as like, imagine if you have a VPS or you have like a Docker container and you're on commodity hosting somewhere and you can basically just pull that and spin it up in a
I don't know, half a day, a day, two days, whatever. It's that relatively low switching cost and it is commoditized. I think that fits in this category as well. So the third level of platform risk, which is just a little riskier than the one I just mentioned, is when you're using these large cloud providers, Amazon Web Services, Google Cloud, Azure,
This is where they, you know, you still don't have customer concentration or lead flow. That's irrelevant, right? Obviously, those are more dangerous. And so those are in the, you know, the higher levels of platform risk. But moving away from AWS, GCP, Azure, whoever else, it's not just spinning up a Docker thing and moving the VPS or whatever.
I think the switching cost is significantly more than moving away from an API, you know, like a SendGrid or an SMS, because this is the infrastructure where your entire app is and you start to get reliant on a lot of services. And so this one also has a varying degree. It's a slider of like, well, if I'm only using an EC2 instance and everything's there, then... maybe low-ish switching costs.
But by the time I have auto-scaling and I have six different types of servers because I have the front end and the API and I have a database and I have Redis servers and I have sidekick workers and I'm using Amazon's, not proprietary, but they're more like the Redshift thing and I'm using a bunch of stuff in Amazon. Switching away from that at that point becomes... very, very painful.
And migrating to another platform, again, that's why it's the third level, I think, of platform risk. Now, if it's such a pain to switch, why do I think the risk is relatively low? Because at least to date, AWS, GCP, and Azure are not in the business of being aggressive. They have no motivation whatsoever to, like their business model is selling you stuff for a certain amount of money.
And so they want you to be happy. They keep rolling out new stuff. They keep dropping prices, right? It's the opposite of, you know, I'll get to it in a second, but like the no-code providers, right? Where they keep raising prices and where any of those could go out of business any day and they're not profitable.
For the most part, I think most of the no-code providers have raised a bunch of money and are still not profitable. That's where Judge McCall, AWS, GCP, and Azure I don't think are going to be aggressive and make people want to migrate off unlike other startups that are still in that early monetization or growth phase. So that was the third level, which was medium to higher switching costs.
There are replacements available, again, AWS, GCP, Azure, and others, but there's no lead flow or customer concentration. We'll see you next time. The machine learning engineer they helped me hire was very professional and even learned a new tech stack to set up an environment to train and deploy machine learning models.
He documented his work clearly so I could train it in the future with additional data. I'm super happy with the results. And longtime listener Chaz Yoon hired a senior developer from Lemon.io and said his hire, quote, definitely knew his stuff, provided appropriate feedback and pushback, and had great communication, including very fluent English. He really exceeded my expectations.
Chas said he'd definitely use Lemon.io again when he's looking for a senior level engineer. To learn more and get a 15% discount on your first four weeks of working with a developer, head to Lemon.io slash startups. That's Lemon.io slash startups. The fourth level of platform risk is the one that I added for the WordPress kerfuffle. And here's the interesting thing.
I just have, I have open source software like WordPress. And so that's kind of vague as the fourth level. Here's the thing. There's no customer concentration. There's no lead flow. The question is, is there a replacement? Is it easy to switch? And is it priced the same? Well, you know, open source software doesn't have to be free as in price, free as in beer, but most of it is, right?
I think the majority of it is. So price is probably less relevant. The question is, how hard is it to switch and is a replacement available? And the further question that begs is, well, how deeply are you integrated? Because if we look at WP Engine, that is obviously reliant on WordPress, couldn't WP Engine just fork the WordPress code? Because I believe it's GPL, right? They fork it.
Now, I guess then there's a whole plugin ecosystem. I don't know what happened with there. So that's an I don't know. It feels like there's risk there, but they have options.
If you were a SaaS company and you had built your entire SaaS or your, I guess, no low-code SaaS or your entire productized service, say, around WordPress, and suddenly WordPress changed their licensing or they, I don't know, broke all the plugins that you use and they just broke your business. What would be the replacement for that? Well, you'd have to go and build it somewhere else, right?
You'd have to go build it in no code, have code written, do it manually. I don't think a replacement in this case, it's the job to be done. I know Ghost is similar to WordPress, but the job to be done of what you've built in WordPress, I don't know that it translates so well to just another CMS.
And so this one's interesting in that longer term, I have this at four right now, meaning it's higher risk than, say, your AWS GCP or cloud provider. This would have been probably down around two or three before the WP Engine WordPress kerfuffle.
And this is how weird these things are, is that given that WordPress has shown that they are going to be aggressive, not making themselves out to be a friendly platform right now. And so I think that is why, for sure, I kicked them up in terms of the actual risk. The big question is, if you had a business built on WordPress, how hard would it really be to switch?
And if, oh, in a week or two we could build it in Bubble, then this really should probably be down more around SendGrid, you know, the number two, right? SendGrid SMS providers are where it's a commodity and it's easy to switch. That's more of how I would feel about it.
But if your business is a $2 billion business that completely relies on the plugin ecosystem and you're at the mercy of WordPress, then I do think that there is a significant level of platform risk. So level five is high switching cost, but there are replacements. And there's no lead flow or customer concentration. The best examples I can think of here are no code.
It's building on air table bubble. I was putting Stripe in there. I don't know if I don't know that Stripe fits or doesn't. I guess switching from Stripe is kind of a pain. And I guess it depends on, you know, are you in their subscription ecosystem as to whether it's like a medium or, you know, a high switching cost.
But in any case, this is where in order to switch, you kind of have to rebuild everything from scratch, right? There is no export your code from any no-code platform I've heard of. And if you could, how do you import it into a different platform where it's all just proprietary tech, right?
And this, again, is where the argument that some no-coders make or just some people make is like, everything has platform risk. And it's like, Yeah, but they're not all the same. It gets worse. If you're a Shopify app, it's a super aggressive platform. That's worse than all the ones I've mentioned so far, you know, and we'll get to that one in a minute.
And so the idea here is that if you've built a million dollar business and it's a bubble app, how long would it take you to completely rebuild that in another platform? if Bubble 10x their pricing, if Bubble went out of business, if Bubble had two weeks of outages. And one might say, well, couldn't AWS 10x their pricing? Yeah, highly, highly unlikely. I just don't see it.
That's not been the pattern. But what about AWS going out of business? Highly, highly unlikely. And that's why I put them down at the two level. And is AWS going to have a two-week outage? Again, highly, highly unlikely. A small no-code startup is more likely to have any of those, you know, black swan-ish events happen. And that's why I have them at number five.
Coming in at number six, I have all your leads coming from a single marketing channel such as Google. So basically it's 100% lead flow risk. Now, I'm not including app stores in this, like app marketplaces. I will get to those. Those are seven and eight. But in this case, I'm thinking of being solely reliant on a single flow of leads. And I think, is that a platform risk?
I do think there is risk there. There is no replacement. usually, right? There's no direct replacement. If you rank in Google and you get amazing organic search, trying to replace that with something else, switching costs is irrelevant because you just can't do it, right?
Customer concentration is irrelevant because they're not reliant on Google, you know, once they come through SEO, but your lead flow and your growth plateauing feasibly, it could kill the business. And here's what's interesting is you'll notice in these eight levels, the lower end ones are all kind of technology based.
And it's the business factors, it's the growth and new customers and customer concentration that I've put at the six, seven, and eight spot. Because those are the ones that are so hard to replace. And I've seen several businesses killed. You talk about Google changing their algorithm every, what, three, six, nine months?
And entire affiliate businesses that were doing millions of dollars basically go to zero overnight. So the reason I have this as number six is is that if Bubble 10x their pricing or had a big outage, you could rebuild that. And if you're hosted on AWS or using SendGrid or using WordPress, you can rebuild it.
The risks are there, but they're lower than if you lose Google where there is no replacement and you lose all your organic rankings, it can be existential to the business. The seventh level of platform risk, I've put a friendly app ecosystem. So an example of this is Heroku. Like Heroku apps in general thrive.
Heroku has not, at least to date, and this could change, but they have not screwed their developers. Unlike number eight level of platform risk or aggressive platforms, but... Heroku is one example. I'm sure there are many, many others. In fact, we have a list of, I think, 80 SaaS marketplaces. And it's microconf.com slash latest slash SaaS dash marketplaces. We'll link it up in the show notes.
But there's Salesforce, AppExchange, Zoho Marketplace, HubSpot App Marketplace, Pipedrive, Less Annoying CRM, Microsoft App Store, Slack App Directory, on and on and on. There are 80 of them. I won't read them here. And look, here's the thing. Can I name all of the ones that are friendly and all the ones that are aggressive? No, because I don't know enough about them.
I would guess that big companies like Salesforce and now Slack, because it's owned by Salesforce, are kind of a pain in the ass. And if they're not yet, that they will become that. And I would guess that smaller companies and those that have not yet been acquired by a bigger player or a public company or private equity are going to be... likely more friendly, but those are just guidelines.
If you think about this, it's theoretical in a way of like, well, a friendly platform is friendly until it's not. And that's really what platform risk is, is when we think about the aggressive platforms that I'll name in level eight, they all were friendly at one point.
And so that really is the scary part of being built on in that marketplace and why being in a marketplace holds the seventh and eighth spot in terms of platform risk. Yeah. And the eighth and final level of platform risk is, of course, an aggressive platform. This is where there is no replacement. You basically have 100% customer concentration. You have 100% of your lead flow from this platform.
and the platform is not developer-friendly. So this is Shopify, Twitter, Facebook. I'm sure there are more that I could pontificate about. I'm naming these because they have completely decimated companies that we've heard about or that I've invested in. You hear Jordan Gall talk about Shopify coming after Cart Hook, and that's not the first nor the last time that Shopify will do that.
We heard Twitter jerk around anyone using their API once Elon Musk bought it, and I think they did this, didn't they do this about eight or ten years ago with Twitter clients? I actually don't remember, but they did something big back then.
Facebook, do you remember, I think it was Zynga, right, that was doing tens of millions of dollars on the Facebook app marketplace, and Facebook just pulled the rug out from under them because they don't give a shit. about their developers. I mean, they've been pretty obvious about that. They care about Facebook and no one else. And so there are other aggressive platforms.
Again, I do not have an exhaustive list because I just don't have experience with all of the 80 platforms that we've listed at that microconf link I said earlier. And so this is where there's just an existential risk.
If you have a Shopify app that's doing millions of dollars a year and they come a-knocking, you're getting all your leads from them, your customers are concentrated on their platform, and there just literally is no replacement. There's nowhere to switch. Again, we can say, oh, you can go to BigCommerce, WooCommerce, and these other things, but it's not the same.
That's starting a brand new business. And that risk that we've seen play out many times, and that's why these... app marketplaces are number eight in my list of eight levels of platform risk. Hope you enjoyed this episode. I think the list is directionally correct and I could see either there being another one added.
You know, if someone were to email in questions at startupsfortherestofus.com or you hit me up on ex-Twitter at Rob Walling, I think there might be another one that I've maybe not thinking about or I could see them gently reordering, because there is a little bit of an it depends, right?
I said it's like if you're built completely under WordPress and completely in it, it depends on is your switching cost low, medium, or high to rebuild it somewhere else. Like that could move that one up or down by one, but it's not going to move it to three slots, right? It's not going to suddenly become as bad as having a Shopify app where they are just known to be really aggressive with it.
So that's what I mean when I say, I think the factors are in line and I think the list is pretty tight. And again, directional correctness, such that next time someone on ex-Twitter says, everyone has platform risk, you can chime in with, well, there's different levels of it. And here are eight of them in this podcast episode. They'll obviously be listed out in the show notes.
And I'm certainly going to be referring back to this in the future, probably included in a book or course at some point, because I do think it's helpful for us all to have a paradigm and a framework around it. So thanks so much for listening this week and every week. It's great to have you here. This is Rob Walling signing off from episode 735.