Eight levels of SaaS platform risk: a framework for founders
Executive overview
Most founders treat platform risk as binary — either you have it or you don't. It exists on a spectrum, and conflating "we use SendGrid" with "we built a Shopify app" obscures real strategic decisions.
Three factors drive platform risk: availability of a replacement, customer concentration on the platform, and lead flow dependency. These combine differently at each level.
The riskiest platforms are aggressive ones with no replacement, 100% customer concentration, and 100% lead flow — like Shopify or Twitter.
The three contributing factors
- Replacement: Is an alternative available, how hard is it to switch, and is pricing comparable?
- Customer concentration: Would losing platform access wipe out most of your revenue?
- Lead flow: Are you dependent on this platform for ongoing new customer acquisition?
The eight levels of platform risk
1. Own your infrastructure — Self-hosted servers, own SMTP. Minimal external dependencies. Theoretical; almost no one does this.
2. Commodity APIs — SendGrid, Twilio, Postmark. Easy to switch, competitively priced, no lead flow or customer concentration. Switching takes weeks, not months.
3. Major cloud providers — AWS, GCP, Azure. No lead flow or concentration risk, but switching costs are high once you use multiple services (autoscaling, managed DBs, queues). These platforms don't behave aggressively — their business model depends on keeping you happy.
4. Open-source platforms — WordPress and similar. No lead flow or customer concentration, but switching cost depends entirely on depth of integration. The WP Engine conflict elevated this risk level; WordPress has shown it can behave aggressively.
5. No-code platforms — Airtable, Bubble, Stripe (subscription-heavy). High switching cost because there's no code export — rebuilding means starting from scratch. More existential risk than cloud providers: no-code startups can 10x pricing, go bust, or suffer extended outages.
6. Single marketing channel dependency — 100% of leads from Google SEO. No replacement exists. A single algorithm change can kill the business overnight. This is where business risk overtakes technology risk.
7. Friendly app marketplaces — Heroku, smaller CRM marketplaces. Lead flow and concentration risk exist, but the platform hasn't shown aggression. Risk is latent: every aggressive platform was friendly once.
8. Aggressive app marketplaces — Shopify, Twitter/X, Facebook. No replacement. 100% customer concentration. 100% lead flow. Platform actively works against developers when convenient. Examples: Shopify vs CartHook, Twitter API restrictions post-Musk, Facebook ending Zynga's business.
Applying the framework
- Levels 1–5 are technology risks; levels 6–8 are business risks — and business risks are harder to recover from.
- Diversifying across platforms is harder in practice than it sounds; most attempts fail.
- The "everything has platform risk" argument is technically true but strategically useless without this ordering.
- Position on the list can shift based on integration depth — but rarely by more than one slot.