User Research & Validation Plan
Key Assumptions to Validate
| Assumption | Risk | Validation Method | Target Evidence |
|---|---|---|---|
| Security teams spend 40+ hours per vendor on manual assessments | High | Customer interviews | 80% of target users confirm spending >40 hours |
| Current questionnaires are ineffective (60% of breaches involve vendors) | Critical | Industry data + user interviews | 75% of users report vendor breaches from unreliable questionnaires |
| Security teams are overwhelmed by an average of 5,800 vendor relationships | High | Interviews + competitive analysis | 70% confirm >500 vendors with no monitoring system |
| Security teams will adopt continuous risk scoring over spreadsheets | High | Landing page test + prototype | 10% waitlist signup rate for security-focused landing page |
| AI risk scoring will be accurate enough (80%+ accuracy) | Critical | Expert testing with security professionals | 80% of security experts rate accuracy as "accurate" |
| Customers will pay $499/month for Starter tier (50 vendors) | Critical | Pricing tests + pre-orders | 10+ pre-orders at $499/month |
| CAC will be <$500 for security-first acquisition | High | Paid ad tests (LinkedIn/Google) | CAC < $400 in test campaigns |
Customer Discovery Interview Guide
Target Participants: Security managers/CISOs at 500-5,000 employee companies
Duration: 60-75 minutes
Incentive: $50 gift card
Part 1: Background & Context (10 min)
- Walk me through your vendor risk management process at your current company
- How many vendors do you currently monitor, and how do you categorize them?
- What's your biggest headache with vendor risk right now?
Part 2: Problem Exploration (20 min)
- Describe the last time a vendor caused you a security or compliance issue
- How much time do you spend on vendor assessments each month?
- What tools do you currently use for vendor risk? What do you hate about them?
- What's the worst part about relying on vendor self-reported questionnaires?
- How often do you need to update vendor risk assessments?
Part 3: Solution Exploration (20 min)
- What would "perfect" vendor risk monitoring look like to you?
- If I offered a tool that automatically scored vendors for security, financial, and compliance risks, what would be most valuable?
- How much would you pay monthly for continuous monitoring of 50 vendors?
- What would make you switch from your current solution (e.g., spreadsheets, GRC tools)?
- Who else would need to approve this purchase (procurement, legal, leadership)?
Part 4: Wrap-up (10 min)
- On a scale of 1-10, how painful is vendor risk management for you right now?
- What's the one thing you'd change about vendor risk today?
- Would you be interested in a 30-minute demo of a prototype? (Offer $50 gift card)
Validation Experiment Timeline
Weeks 1-2: Problem Validation
Phase 1
- Conduct 15 security team interviews
- Run screening survey (target: 200+ responses)
- Validate pain points with data (e.g., 60% breach statistic)
Weeks 3-4: Solution Validation
Phase 2
- Create landing page with 3 headlines: "Continuous Vendor Risk Scoring", "Stop Spreadsheets, Start Security", "Real-Time Vendor Risk for $499"
- Run $750 ad test (LinkedIn/Google) targeting security roles
- Target: 1,200 visitors, 5%+ signup rate (60+ emails)
Weeks 5-6: Willingness to Pay
Phase 3
- Run Van Westendorp pricing survey with 25 target users
- Test fake door: "Get Started" button with pricing tiers
- Target: 2%+ fake door click rate, 5+ pre-orders at $499
Weeks 7-8: Prototype Validation
Phase 4
- Implement Wizard of Oz MVP: Manual risk scoring via Google Form → AI analysis → email delivery
- Deliver to 15 early users, collect NPS and feature feedback
- Target: NPS >40, 80% say "would pay for this"
Go/No-Go Decision Criteria
| Metric | Target | Actual | Pass? |
|---|---|---|---|
| Interview problem validation | 80%+ confirm pain | ☐ | |
| Landing page signup rate | >5% | ☐ | |
| Price acceptance | 60%+ at $499/month | ☐ | |
| Pre-orders | 10+ customers | ☐ | |
| Prototype NPS | >40 | ☐ | |
Critical Validation Insight
"Security teams don't need another tool—they need a solution that replaces spreadsheets and provides continuous value. Validation must prove we solve the time-to-value problem (not just a feature list). If we can't get 5% landing page conversion for a security-focused solution, the market isn't ready for our approach."