
how we score SaaS moats.

rubric version v15 - last updated 2026-05-02

Tier (SOFT / CONTESTED / FORTRESS) tells you how attackable the incumbent is. SOFT means the walls are thin. CONTESTED means the fight is real but not absurd. FORTRESS means you are not cloning head-on; you are looking for a narrow crack.

The score under each tier is a weighted aggregate of seven moat axes, each 0-10. Higher = thicker walls. Lower = wedgeable. The evidence layer is deterministic where it should be: homepage fetch, stack detection, cost parsing, and a Serper SERP call for distribution. The six fuzzy moat axes use LLM judgment against those receipts. Normalized capabilities still power similarity and compare pages, but they are not part of the public score.

the seven axes.

Capital

0-10

What the incumbent had to invest to build the thing. Audits, licensing, banking relationships, training infrastructure - capex you cannot shortcut around.

how it's scored: LLM-scored from the verdict, cost lines, challenges, and detected evidence. Real non-software investment pushes this up; normal SaaS hosting spend does not.

Technical

0-10

Depth of the incumbent's underlying engineering. The R&D you cannot recreate by gluing OSS libraries together.

how it's scored: LLM-scored from the challenge list, stack, and product evidence. Realtime/collab depth, security-sensitive systems, AI/data pipelines, hard integrations, and research-grade work push it up; ordinary CRUD does not.

Network

0-10

Users compound users: the product gets more valuable as more people use it.

how it's scored: LLM-scored from the verdict, challenges, pricing, and site evidence. High scores need real marketplace liquidity, UGC, social graph, partner/app ecosystem, viral loop, or multi-sided dynamics.

Switching

0-10

How sticky customer data and workflow state are once they are in.

how it's scored: LLM-scored from evidence of trapped customer state, migration pain, approval chains, workflow lock-in, and deep integrations. Exportable CSV-and-leave products stay low.

Data

0-10

Proprietary data that accumulates with use, and would be expensive or impossible for a wedge entrant to recreate.

how it's scored: LLM-scored from evidence of proprietary corpus, behavioral flywheel, training data, fraud/risk models, or accumulated non-exportable datasets. Generic analytics and off-the-shelf APIs do not count.

Regulatory

0-10

Real licenses, audits, or regulatory exposure that legally bars indie hackers from operating.

how it's scored: LLM-scored from the verdict and evidence. High scores need HIPAA, FINRA, KYC/AML, money transmission, clinical/EHR data, payment obligations, or comparable regulated duties. SOC 2 alone deliberately stays low.

Distribution

0-10

How firmly the incumbent owns the SERP and brand-recognition surface for its own name.

how it's scored: Deterministic weighted aggregate from a single Serper SERP call: sitelinks, compressed organic results, authoritative third-party domains, Knowledge Graph presence, top organic owned, and own-domain count in top 10. Returns null when the SERP call fails entirely.

the aggregate.

Weighted root-mean-square across the seven axes. Equal weights by default. RMS is intentional: real moats are often specialist. Stripe can be fortress-grade because of capital, technical, regulatory, and distribution walls even if network, switching, and data are not all maxed out.

The distribution axis can return null when the SERP call fails. In that case the aggregate leaves it out of both the numerator and the denominator and computes over the six axes we could score.
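The aggregate described above, as an added example (this is not the code in lib/normalization/moat.ts). The function names, the weights parameter and the axis scores in the two profiles are constructed for illustration.

```typescript
// Added illustration of the rubric's aggregate; not the project's own code.
type Axis = "capital" | "technical" | "network" | "switching"
  | "data" | "regulatory" | "distribution";
type AxisScores = Record<Axis, number | null>;

const AXES: Axis[] = ["capital", "technical", "network", "switching",
  "data", "regulatory", "distribution"];

// Weighted root-mean-square over the axes that have a score. A null axis is
// left out of both the numerator and the denominator.
function aggregate(scores: AxisScores,
                   weights: Partial<Record<Axis, number>> = {}): number | null {
  let num = 0;
  let den = 0;
  for (const axis of AXES) {
    const s = scores[axis];
    if (s === null) continue;
    if (!(s >= 0 && s <= 10)) throw new RangeError(axis + " must be 0-10");
    const w = weights[axis];
    const weight = w === undefined ? 1 : w; // equal weights by default
    if (!(weight >= 0)) throw new RangeError(axis + " weight must be >= 0");
    num += weight * s * s;
    den += weight;
  }
  return den === 0 ? null : Math.sqrt(num / den);
}

// Plain arithmetic mean, for comparison only (the rubric does not use it).
function mean(scores: AxisScores): number | null {
  const vals = AXES.map((a) => scores[a]).filter((v): v is number => v !== null);
  return vals.length === 0 ? null : vals.reduce((x, y) => x + y, 0) / vals.length;
}

// Constructed profiles (not real scan results): four thick walls, three thin.
const SPECIALIST: AxisScores = { capital: 9, technical: 9, network: 2,
  switching: 2, data: 2, regulatory: 9, distribution: 9 };
// Same product when the SERP call failed and distribution came back null.
const SPECIALIST_NO_SERP: AxisScores = { ...SPECIALIST, distribution: null };

console.log(aggregate(SPECIALIST));          // RMS rewards the four strong axes
console.log(mean(SPECIALIST));               // the mean dilutes them
console.log(aggregate(SPECIALIST_NO_SERP));  // computed over six axes, not seven
```

Treating the null axis as 0 instead of skipping it would pull the aggregate down for a failure that says nothing about the incumbent.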

what we do not score.

Brand is not directly modeled. The closest proxy is in the distribution axis: Knowledge Graph, sitelinks, owned SERP results, and authoritative third-party coverage. Emotional resonance, founder following, and design taste are real, but we do not pretend to measure them precisely from a homepage scan.

Capability of the team behind the product is not modeled. A brilliant engineering org can hold a moat the structural axes do not see.

why this hybrid.

The point of the score is to be honest. Pure regex math is repeatable, but moat depth is semantic: "users can export and leave" should lower switching cost, while "years of fraud model data" should raise data moat. The LLM makes that judgment; the deterministic layer supplies measured facts and computes the final aggregate.

Tool detection, normalization, distribution scoring, aggregation, comparison, and similarity stay deterministic. The six judgment axes are LLM-scored because that is the more honest rubric for the question users are actually asking: where are the walls thin?

Source-of-truth: lib/normalization/moat_llm.ts / lib/normalization/moat.ts / lib/scanner/distribution.ts / lib/normalization/taxonomy/

SaaS moat scoring methodology - saaspocalypse