u/2021start

Been building a B2B SaaS in a pretty niche compliance space. Small TAM, very specific buyer, regulated industry. Product is live. And now I’m just… staring at the wall of “okay, how do I actually reach these people.”

Ads don’t make sense at this scale. My total addressable market is maybe 50-80k companies in the US. Running Google or Meta campaigns feels like overkill and a money pit for something this targeted.

Cold outbound seemed like the obvious answer but getting the infrastructure right as a non-technical solo founder has been its own rabbit hole. Warmup, Apollo limits, sequencing tools - I’ve spent more time on the plumbing than actually talking to anyone.

Content is a longer game and I get that, but I’m at the validation stage. I need conversations now, not in 6 months.
So I’m curious what actually worked for other people in similar situations:
• If your ICP is small and very defined, how did you find and reach them without a big budget or a team?
• Did you do cold outbound, and if so what did your actual stack look like when you were just starting?
• Did you find any communities, forums, or watering holes where your buyers actually hang out?
• Or did you just grind it out manually -LinkedIn DMs, finding emails one by one, showing up in niche Slack groups?

Not looking for a playbook. Just want to hear real stories from people who’ve been through the early distribution grind with a niche product.

Been building a B2B SaaS in a pretty niche compliance space. Small TAM, very specific buyer, regulated industry. Product is live. And now I’m just… staring at the wall of “okay, how do I actually reach these people.”

Ads don’t make sense at this scale. My total addressable market is maybe 50-80k companies in the US. Running Google or Meta campaigns feels like overkill and a money pit for something this targeted.

Cold outbound seemed like the obvious answer but getting the infrastructure right as a non-technical solo founder has been its own rabbit hole. Warmup, Apollo limits, sequencing tools — I’ve spent more time on the plumbing than actually talking to anyone.

Content is a longer game and I get that, but I’m at the validation stage. I need conversations now, not in 6 months.
So I’m curious what actually worked for other people in similar situations:
• If your ICP is small and very defined, how did you find and reach them without a big budget or a team?
• Did you do cold outbound, and if so what did your actual stack look like when you were just starting?
• Did you find any communities, forums, or watering holes where your buyers actually hang out?
• Or did you just grind it out manually — LinkedIn DMs, finding emails one by one, showing up in niche Slack groups?

Not looking for a playbook. Just want to hear real stories from people who’ve been through the early distribution grind with a niche product.

Okay so I’m a solo founder, non-technical, and I just got to the point where my SaaS is live and I need to actually talk to potential customers. Decided to do cold outbound since my niche is small and targeted enough that ads don’t make sense.

Set up a fresh Google Workspace mailbox for outreach. Felt responsible. Was proud of myself.
Then I went to set up the warmup tool I’d researched and it literally shut down while I was onboarding. Got redirected to some new thing, clicked through it, and honestly have no idea if it’s running or not. No confirmation email, no dashboard activity I can clearly read. Just vibes.

So right now my “warmup strategy” is emailing myself from the new address and replying back. Which feels completely made up but I don’t know what else to do.

A few things I’m genuinely confused about:
• Is the manual self-emailing thing doing anything at all, or am I just killing time?
• How long do I realistically need to wait before I can send 20-30 cold emails a day without the domain getting torched?
• I’m on Apollo free and already hit the export limit. Is there any way to make it work at this stage or do I just have to pay?
• My niche is tight — like under 100k total companies in the US. Does that change anything about how I approach this?

I don’t need to send thousands of emails. I just need to reach maybe 30-40 very specific people and get some conversations going. Feels like the infrastructure to do that is weirdly complicated for such a small goal.

Anyone who’s been through this — especially in a compliance or regulated industry niche — would love to hear how you handled it.

After spending the last few weeks digging deep into CMMC Level 2 readiness, one thing became very clear.

Most companies are not failing because they lack security controls.

They are failing because they cannot prove them.

Here’s what I keep seeing across small and mid sized defense contractors:

• Controls are partially implemented but not consistently enforced
• Documentation exists but does not match reality
• Evidence is scattered across systems, folders, and people
• No clear boundary for where CUI actually lives
• Teams assume they are “mostly compliant” but cannot validate it

And this creates a dangerous situation.

You might be doing the work, but under audit conditions, it looks like you are not.

From what I understand, auditors don’t give credit for intent.
They look for proof.

That means things like:

• logs showing activity and monitoring
• MFA enforcement across accounts
• incident response documentation
• access reviews and policies
• proof that controls are actually working

The biggest gap I’ve noticed is that most teams treat evidence as a final step.

But it is actually the system.

If you are not building evidence as you implement controls, you are creating a backlog that becomes very hard to fix later.

A simpler way to think about it:

CMMC is not just about security
It is about defensibility

If you cannot defend your controls with evidence, they don’t exist in the eyes of an auditor

I’ve been experimenting with structuring this in a simpler way and built a small tool to help think through readiness, gaps, and evidence more clearly.

Curious how others are approaching this.
What has been the hardest part so far?

I’ve been building a small SaaS around a regulation most people outside government contracting have never heard of: CMMC.

It’s a cybersecurity requirement tied to U.S. defense contracts. If certain suppliers need it and are not ready, they can lose opportunities or get blocked from future work.

What I noticed is that many smaller companies are not asking for giant enterprise software first. They’re asking basic questions like:

• Does this apply to us?

• Where do we start?

• What would fail us first?

• What evidence do we need?

• How expensive is this going to get?

So instead of building another bloated compliance platform, I built a simple readiness tool focused on clarity:

• likely readiness status

• biggest gaps

• what to fix first

Interesting lesson so far: in niche markets, people often need understanding before they need automation.

Anyone else building in obscure industries with very real pain?