Switzerland's new cybersecurity laws just made our product mandatory. 75,000 SMEs. No accessible solution. We are building it.
Switzerland's regulatory landscape has fundamentally shifted — and the mass market of SMEs has no compliant, affordable solution.
Since April 2025, organisations must report cyberattacks to the NCSC within 24 hours. Fines up to CHF 100,000. Knowing your attack surface is the only defensible compliance strategy.
Operative since January 2025. Swiss financial institutions and their suppliers must conduct annual attack surface assessments. Creates indirect obligations for thousands of Swiss SME suppliers.
European clients now audit their Swiss suppliers' cybersecurity posture as a condition of contract. A Swiss SME without evidence of surface monitoring risks losing enterprise customers.
Existing solutions cost CHF 10,000–25,000/year, require internal IT access, and target enterprise clients. 70% of Swiss SMEs have no formal cybersecurity posture — and no tool built for them.
Before company formation, we independently enumerated the entire Swiss .ch domain namespace — over 2.5 million domains. This proprietary dataset is the foundation for every product feature and cannot be easily replicated. No domestic or international player holds this asset.
The dataset enables national-level risk benchmarking against Swiss industry peers, identification of .ch look-alike domains used for phishing, and longitudinal tracking of the Swiss internet attack surface over time. These are capabilities no generic global platform can offer.
"We have performed a complete enumeration of the entire Swiss .ch domain namespace. This is the foundation for a scalable SaaS product — and a moat that grows with every scan."
HELVETISCAN monitors everything an attacker can see from the outside — no agent installation, no IT access, no technical expertise needed by the client.
Expired or weak TLS certificates, missing CT logs, outdated protocol versions — including certificates expiring within 30 days.
Missing CAA records, absence of DNSSEC signing, wildcard exposure, and full subdomain enumeration including forgotten legacy assets.
HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy — scored and benchmarked against Swiss industry peers.
Open database ports, RDP, legacy protocols visible on the public internet — ranked by exploitability and business impact.
Full SPF/DKIM/DMARC policy validation — not just presence detection. Identifies whether a domain can be impersonated today.
LLM-generated plain-language risk reports explaining findings in business terms — structured for ISG, DORA, and FINMA audit requirements.
These are not estimates. Every figure comes from production scans of the full Swiss namespace — the same engine that powers the platform.
76.4% of .ch domains return a live HTTP response. 450,916 domains fail DNS entirely — no active server behind them.
71.7% of live .ch domains end up on HTTPS, but over a quarter of Swiss sites still transmit data unencrypted in 2025.
Nearly half of scanned .ch domains can be impersonated in a phishing attack today — SPF absent or permissive, DMARC missing or on p=none.
Databases, file shares, and container APIs are directly reachable from the public internet on tens of thousands of Swiss domains.
Data sovereignty is a live compliance issue. A large share of Swiss domains are physically hosted abroad — often under foreign jurisdiction.
Basic browser-enforced protections are absent on nearly half of Swiss domains — HSTS, CSP, X-Frame-Options are the norm in every other developed market.
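The SPF/DMARC policy validation described above (policy strength, not just record presence), shown as an added example; it is not HELVETISCAN's code. It assumes the TXT records were already fetched, uses constructed sample records, and the function names and the choice of `+all`/`?all` as "permissive" are assumptions.

```python
# Added example: SPF/DMARC policy evaluation on already-fetched TXT records.
# Thresholds (what counts as "permissive") are assumptions, not HELVETISCAN's.

def spf_findings(apex_txt):
    """Evaluate the SPF policy among the TXT records at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF absent"]
    if len(spf) > 1:
        return ["multiple SPF records (evaluation ends in permerror)"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy lives in another record; not resolved offline
        return ["SPF has no 'all' mechanism (default result is neutral)"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier in "+?":  # pass or neutral result for every sender
        return [f"SPF permissive ({all_terms[0]})"]
    return []

def dmarc_findings(dmarc_txt):
    """Evaluate the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC missing"]
    if len(recs) > 1:
        return ["multiple DMARC records (receivers ignore all of them)"]
    pairs = (p.split("=", 1) for p in recs[0].lower().split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("p") not in ("quarantine", "reject"):
        return [f"DMARC not enforcing (p={tags.get('p')})"]
    return []

def spoofable(apex_txt, dmarc_txt):
    """Return (flagged, findings); any finding flags the domain."""
    findings = spf_findings(apex_txt) + dmarc_findings(dmarc_txt)
    return bool(findings), findings

# Constructed sample records (not scan data): (apex TXT, _dmarc TXT)
SAMPLES = {
    "strict.example": (["v=spf1 include:_spf.mail.example -all"],
                       ["v=DMARC1; p=reject; rua=mailto:d@strict.example"]),
    "presence-only.example": (["v=spf1 a mx ?all"], ["v=DMARC1; p=none"]),
    "bare.example": (["site-verification=constructed"], []),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, spoofable(apex, dmarc))
```

`presence-only.example` publishes both records and would pass a presence check, yet is flagged because neither policy rejects forged mail.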
Every existing player has built upmarket. None of them has an incentive to build a CHF 800/year automated tool for the SME mass market.
| Criteria | Swiss Post Cyber | Exeon Analytics | ImmuniWeb | HELVETISCAN |
|---|---|---|---|---|
| Target Market | Enterprise (250+) | Mid-Market | Enterprise | SME (primary) |
| Annual Price | CHF 200k+ | CHF 50k+ | CHF 15k+ | CHF 800 |
| Internal Access Required | ✘ Yes | ✘ Yes | ⚠ Partial | ✔ No |
| Swiss .ch Proprietary Dataset | ✘ No | ✘ No | ✘ No | ✔ 100% namespace |
| AI Risk Narrative | ✘ No | ⚠ Partial | ⚠ Partial | ✔ Yes |
| DORA-Ready Reports | ✔ Yes | ✔ Yes | ⚠ Partial | ✔ Yes |
| Self-Serve / No Sales Required | ✘ No | ✘ No | ✘ No | ✔ Yes |
Three high-priority verticals for go-to-market — each with a direct regulatory trigger.
Roche, Novartis, and 3,000+ Swiss suppliers under GDPR, NIS2, and FDA cybersecurity requirements.
300+ fintechs, 200+ banks, thousands of insurance and asset management firms subject to FINMA and DORA.
Law firms, audit firms, HR tech — increasingly required by enterprise clients to demonstrate cyber hygiene.
80% of Swiss SMEs work with fiduciaries. 10 partnerships unlock access to their entire client base.
Total Swiss SMEs
Serviceable addressable market
Entry price per year
Gross margin at 1,000 subscribers
Subscribers to break-even
Infrastructure costs do not scale linearly with subscribers — enabling rapid margin expansion as the base grows.
Unit economics: CAC CHF 150–400 via LinkedIn outbound + content. LTV CHF 2,400 at 3-year retention. LTV:CAC ratio 6:1–16:1. Marginal cost of new subscriber near zero.
Built by a technical founder. Every core module is operational.
Complete .ch namespace enumeration (2.5M+ domains). Scan engine in Rust — HTTP, DNS, TLS, ports, WHOIS, subdomains. Risk scoring model v1. Swiss Innovation Challenge application submitted.
GmbH incorporation (Basel-Stadt). Compliance report generator. REST API & web dashboard. First 10 paying pilot clients.
Seed round close (CHF 300k). 50 subscribers. First fiduciary (Treuhand) partnership signed.
100 subscribers. ISACA Switzerland community launch. First pharma enterprise pilot.
200 subscribers. Break-even approaching. Series A preparation.