Stop renting lead lists. Build buying-window radar instead.

The context

Compliance and cybersecurity is one of the worst categories in B2B for lead generation, and it's worst in two specific ways.

Inbound is priced out. Audit-related keywords are some of the most expensive in paid search, and the buyer cycle is annual. You can't run an ad strategy against a customer who buys once every twelve months and doesn't know they need you until two weeks before they do.

Outbound is dressed-up guessing. Apollo, Clay, and ZoomInfo sell access to contact databases enriched with signals like "they have a security team" or "they raised a Series B." Those are tells, not triggers. They tell you who might be a buyer. They don't tell you who is about to buy.

For three years I ran the full TrustNet sales cycle solo. I needed a third option.

The constraint

The hard part of this build was never the code.

The hard part was knowing where the buying-window signal lives in compliance specifically. A renewing SOC 2 audit leaves traces in specific places, weeks before the buyer starts shopping. So does a HITRUST renewal, an ISO 27001 surveillance audit, a PCI re-attestation. The traces are different per vertical, per framework, and per company size.

This is industry knowledge, not a scraping problem. Anyone can write the scraper. Almost no one knows where to point it.

That knowledge doesn't transfer cleanly. The signals that surface a SOC 2 renewal in a fintech don't surface a HITRUST renewal in a hospital network. Each vertical needs its own map.

The decision

I built a one-shot, per-vertical signal harvester instead of a continuous monitoring pipeline.

Margin note: most builders default to daily cron + dashboard. That shape matches their tools, not the buyer's behavior.

The architecture is deliberately boring. TypeScript on Node, Firecrawl for the scraping layer, OpenAI for the scoring layer, Trigger.dev to run the harvests as discrete async jobs, n8n to route outputs to Sheets, CRM, and Slack.

What's interesting isn't any of those choices. It's the cadence. Compliance audits are annual. Buying windows open and close on a calendar a quarter wide. There's no value in running a system 24/7 to catch a signal that updates once a year per company. So the system runs as expeditions: open a vertical, harvest the signal, score the list, work the list, close the harvest. Move to the next vertical.

System cadence matches buyer cadence. Not the other way around.

The tradeoff

This is the part I want hiring managers and prospective clients to read twice.

The code in this system is commodity. The intake question is the moat.

I built a pipeline where forking the repo gets you nothing without the per-vertical playbook that feeds it. The hard-won asset is the answer to "where does a buying window leak for this kind of company?" not the orchestration that processes the answer.

Most builders would hide this. They'd want the code to be the impressive thing because code is the part you can show. I'm calling it out on purpose. If you're hiring me or buying time from me, the build isn't what you're paying for. The build is reproducible in a weekend. The playbook is what makes the build matter.

Annotation (arrow pointing at the "vertical inputs" box in the diagram): "this is where the moat lives, not in the code"

The result

The system replaced $500 to $2,000 a month in Apollo, Clay, and ZoomInfo spend at TrustNet. That's the easy number.

The harder, more important shift is what changed in the sales motion. Before the system, every outbound conversation opened with "do you need a SOC 2 audit?" and hoped the answer was yes. After the system, the opener became "I noticed [a job posting for a compliance lead, a published trust-center update, a new audit attestation on your site]. That usually means a renewal is in the next planning cycle. Worth a conversation?"

Same product. Same buyer. Completely different conversation. The discovery call conversion rate doesn't just go up, the kind of call you're having changes.

Pipeline attribution is still early. The system is recent enough that the audits it surfaced haven't all closed their renewal windows. The qualitative shift in the sales motion is the proof point for now. The dollar attribution comes in the next version of this case study, in a quarter or two.

What I'd do differently

If I rebuilt this tomorrow, the change isn't technical. It's structural.

The current system requires me to be in the loop on every vertical setup. That's fine for one or two industries, untenable past five. The next version turns the per-vertical playbook itself into a structured product: a guided intake where someone (eventually an agent, currently me) walks through "what does a buying window look like in this industry, what frameworks apply, where do the signals leak" and produces a configured harvester at the end.

Productize the playbook so I'm not the bottleneck. The build was always going to be easy. The intake is the work.