The market just turned in our favor and almost nobody can prove they can do this. We can. Here's exactly who to put the one-pager in front of, in what order, and what to say.
Agents that read, write, and execute in repos are exploding into production faster than anyone is securing them, and 92% of security leaders are already worried about it. The demand is here. What almost no one has is proof they can find these bugs. We have published CVEs in the exact tools. That is the whole edge.
Companies building the agent/MCP infrastructure. They have the exact bug class in their own product, they need a security report to sell to their enterprise customers, they're funded, and you can reach the founder directly. Best odds of a first close.
The maintainers and companies we've responsibly disclosed to. They likely won't buy (they have security teams), but they are references and testimonials, and a warm door for "want a deeper look?" Use them for credibility, not revenue.
Any dev-heavy company whose engineers run Cursor / cline / Copilot. Huge market (that 40% number), but a colder sell, they don't yet know they're at risk. Reach them with the timed wedge below, not a generic pitch.
Pick 10 Tier-1 targets. Founders you can reach (email / LinkedIn / X). Quality over quantity, this is tailored outreach, not spam.
Send the pitch, personalized one line each (name their product + the bug class it's exposed to). The one-pager + the disclosures wall do the convincing.
Offer a free "taster": one quick finding or a 20-minute exposure walkthrough on a call. Proof beats a proposal.
Land one, scope it, deliver it clean. That first logo + testimonial becomes the credibility for the next ten.