Zero-trust access firewall for Canvas schools to contain privileged sessions, student-data exposure, and breach response without replacing LMS.

1. Repeat compromise at the category leader makes legacy trust assumptions in LMS admin workflows newly untenable.
2. A paid settlement turns cybersecurity from abstract compliance risk into immediate budgetable loss for school operators and boards.
3. 275 million exposed student records creates a liability scale that justifies an overlay control purchase even if the core LMS stays in place.
4. Exposure of credentials plus academic and personal records shows schools need controls across admins, apps, and data paths, not just stronger passwords.

Catalyst. Instructure's settlement after two breaches exposing 275 million student records makes "overlay security for the LMS we already have" an urgent purchase, not a theoretical roadmap item.

Build a control plane that sits between Canvas, identity providers, and privileged users to discover integrations, classify student-data exposure paths, and gate risky actions. The product would replace shared or persistent admin credentials with just-in-time sessions, step-up approval, and session recording tuned to education workflows and academic calendars. It would continuously score third-party integrations and flag stale OAuth tokens, over-permissioned service accounts, and contractor access that survives project end dates. When incidents happen, it would generate affected-record estimates, access timelines, and notification evidence so schools can move faster with counsel, insurers, and boards. The deployment wedge is an overlay model that works with existing Canvas environments instead of demanding a platform migration.

What's different. Incumbent PAM, IAM, and SSPM tools are not designed around the education stack's mix of LMS admins, SIS sync jobs, outsourced support teams, and FERPA-sensitive data flows. This startup's edge is a purpose-built graph of student-data systems and privileged paths, plus prebuilt policies for academic-term exceptions, contractor offboarding, and breach evidence generation. That makes it both easier to deploy than generic cyber tooling and harder for a single LMS vendor feature to fully replicate.

Jobs to be done

flowchart LR
  Buyer[CIO or CISO] --> Pain[Uncontrolled privileged access around Canvas]
  Pain --> Product[Canvas access firewall]
  Product --> Outcome[Reduced breach blast radius and faster breach evidence]

Executive takeaways

• The strongest purchase wedge is not replacing Canvas; it is containing privileged and third-party access around the Canvas stack after a public repeat breach.
• Urgency is real, but buyers remain budget- and staff-constrained, so the product must land as a low-disruption overlay tied to audits, insurer reviews, and incident drills.
• Generic PAM and identity vendors are credible substitutes, but they optimize for broad IT estates rather than Canvas, SIS, LTI, and FERPA-shaped workflows.
• The durable moat is an education-specific access graph plus reusable evidence for procurement, approvals, and breach response.

Market definition

Security and governance software that overlays a Canvas-centered student-data environment to discover privileged paths, control time-bound access, and produce investigation-ready evidence across LMS, SIS, identity, and third-party tool connections.

Customer and buyer

Economic buyers are usually CIOs and CISOs. Day-to-day champions sit in identity, security, enterprise applications, and privacy/compliance teams that must restrict access without disrupting instruction or term-start operations.

Buying triggers

• A breach, insurer renewal, or board review forces schools to prove MFA, incident response readiness, and tighter vendor access controls. [3][25][28]
• New or renewed edtech procurement increasingly runs through K-12CVAT or HECVAT-style questionnaires, creating a natural point to sell control automation. [44][47][52]
• LTI tools, developer keys, SIS imports, and contractor workflows create visible permission sprawl that generic SSO controls do not map well. [54][56][60][62][64][66][73]

Willingness to pay

Schools already accept per-student software contracts, and ListEdTech reports median LMS pricing of $4.30 per student in school districts and $7.30 in higher ed. A security overlay that is a modest fraction of LMS spend and that shortens vendor review or breach-response labor can be budgetable when tied to K-12CVAT/HECVAT workflows and post-incident scrutiny. [39][44][47][52]

Category dynamics

Growth signal +23% YoY ransomware attacks in education in H1 2025

Validation signals

• Federal Student Aid explicitly urged institutions to apply MFA uniformly across administrative, cloud, vendor, and identity systems after the Canvas incident.
• CISA and K12 SIX both frame MFA, backups, incident-response exercises, and training as the baseline controls buyers should prioritize.
• K-12CVAT is recommended for RFPs and purchase evaluations, proving that third-party risk review is already part of the buying motion.
• Universities are tightening LTI vetting, which supports a wedge around education-specific integration governance.
• Canvas exposes concrete governable surfaces—developer keys, SIS imports, accounts, and external tools—that support a technically narrow first product.

Regulatory & technical constraints

• Any product touching student-record access must support privacy-oriented notice, investigation, and documentation workflows.
• Deployment cannot break SIS imports, account hierarchies, or external-tool launches during critical academic periods.
• Vendors increasingly face structured HECVAT and K-12CVAT review before purchase, especially in large institutions.
• Time-bound privilege grants still have to preserve approvals, conditions, and audit trails to be usable in real investigations.

The market is fragmented across native Canvas controls, cloud identity suites, enterprise PAM, and consulting-heavy post-breach response. No single incumbent is purpose-built around student-data access paths, district procurement workflows, and FERPA-style evidence generation together.

Why incumbents do not win by default

• Cloud platforms. Microsoft and Google can offer just-in-time access on their own admin surfaces, but they do not natively map Canvas, SIS, and external-tool exposure paths for schools.
• Enterprise PAM. CyberArk, BeyondTrust, and Delinea are strong on privileged sessions and audit, but they are still general-purpose platforms that need customization for education workflows and student-record context.
• Identity suites. Entra and Okta already sit in the auth layer and can satisfy part of the control problem, yet they stop short of a Canvas-native vendor and breach-evidence view.
• LMS vendor. Instructure can harden native controls over time, but the incident and its response still leave customers with cross-environment evidence, vendor-governance, and offboarding work outside the LMS core.

Canvas's repeat breach and settlement turned privileged access around the LMS from abstract compliance work into an immediate purchase trigger for institutions that cannot replace core systems before the next term. The company should start with U.S. public university systems, then larger Canvas districts, that run many SIS, SSO, LTI, and contractor integrations and are already under insurer, board, or procurement scrutiny. The MVP should be a read-first access graph plus just-in-time admin controls and an incident evidence pack, because buyers need proof and containment without risking term start outages. The wedge is stronger than generic IAM or PAM when the actual buyer job is showing who could touch student data across Canvas and adjacent systems, then quarantining that access quickly after an incident or audit drill. Research models the narrow opportunity at about $268.0M TAM, $117.2M SAM, and $2.8M year-3 SOM, so the investment case depends on expanding from Canvas into the broader student-data estate rather than pretending the first wedge alone is venture scale. Go-to-market should be assessment-led direct sales, amplified by insurer-adjacent, incident-response, and education MSP partners that already enter accounts during triggered buying moments. The first contract should be a paid 90-day pilot tied to an upcoming renewal, audit, or tabletop, priced to convert into a $60k-$80k annual subscription based on student count and connected-system complexity. The biggest open question is whether enough institutions will fund the overlay before a breach rather than only after one, so the first year must prove deployment speed, pilot conversion, and credible expansion beyond Canvas-only workflows.

Problem

• Schools and university systems running Canvas cannot easily see every privileged path into student data across admins, contractors, SIS imports, developer keys, and external tools.
• Native LMS controls, generic SSO, and spreadsheet-based vendor reviews do not give CIO and CISO teams a fast way to revoke risky access or produce board-, insurer-, and counsel-ready evidence after an incident.

Solution

• Start with a read-only discovery layer that maps Canvas accounts, roles, developer keys, SIS links, and high-risk integrations into one student-data access graph.
• Add just-in-time admin sessions, step-up approvals, contractor offboarding controls, and incident evidence packs that show affected systems, access timelines, and likely blast radius without requiring an LMS replacement.

Why we win

• The company is built around Canvas, SIS, LTI, and FERPA-shaped workflows instead of treating schools as a generic PAM account that must customize everything from scratch.
• A read-first deployment lowers adoption risk during academic peaks, while later enforcement creates measurable proof points around standing privilege reduction and investigation speed.
• Over time the access graph, approval history, and procurement-ready evidence package can become harder to replicate than any single control feature.

Milestones

flowchart LR
  Wedge[Triggered Canvas access assessment] --> MVP[Read-only graph and JIT controls]
  MVP --> Proof[Reduced standing privilege and faster incident evidence]
  Proof --> Expansion[Cross-system student-data governance]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least 30% of target public university systems have a current audit, insurer, or incident-response trigger that can fund a pilot this year.
• A read-only deployment can map enough Canvas, identity, and SIS exposure to produce a credible first-week report without breaking academic workflows.
• CIO or CISO buyers will pay roughly $60k-$80k annually for this overlay instead of expanding Microsoft, Okta, or consultant spend.
• Paid pilots that start with discovery will convert to production enforcement at 40% or better.
• Expansion into non-Canvas student-data systems can at least triple the practical market from the initial wedge.

Open diligence questions

• Which specific control gap fails current HECVAT, K-12CVAT, insurer, or board reviews most often today
• How many institutions can show a recent delayed investigation or manual evidence scramble after a suspected incident
• What first-week report is compelling enough to convert discovery into a paid pilot
• In live deals, does the budget come from security, enterprise applications, compliance, or post-incident remediation funds
• What product surface would make Microsoft, Okta, or CyberArk a good-enough substitute

Model sanity

• Revenue engine. Base-case revenue grows from 5 paying institutions at Y1 end to 35 by Q4Y3 while realized ARPU moves from pilot-heavy $48K in Y1 to $80K in Y3.
• Must go right. The company must keep assessment-to-pilot and pilot-to-production conversion near the BP targets so a 9-person team can reach 15 paying institutions by the end of Y2 without hiring ahead of revenue.
• Model breaks if. If procurement stretches and realized ARPU settles closer to $70K, downside cash falls toward roughly $120K before the next round case is proven.
• Next-round proof. The next financing is justified if the company exits Y2 with 15 paying institutions, over 70% gross margin, two active referral partners, and one production deployment expanded beyond Canvas.

Scenarios

Sensitivity

flowchart LR
  Leads[Triggered assessments] --> Pilots[Paid pilots]
  Pilots --> Customers[Paying institutions]
  Customers --> Revenue[Subscriptions and modules]
  Revenue --> GrossProfit[Gross profit]
  GrossProfit --> Cash[Runway and buffer]
  Customers --> Expansion[Adjacent systems and premium evidence]
  Expansion --> Revenue

Flags: The Y3 customer target of 35 institutions effectively fills the research-modeled beachhead SOM, so the next round still depends on proving expansion beyond Canvas. · Revenue per exit FTE is only modestly above the low end of SaaS benchmarks because deployment and evidence work remain high-touch through Y3. · Cash low point arrives in Q3Y3 at about $331K, so a one-to-two quarter delay in partner-assisted conversion would likely force fundraising earlier than the base case assumes.

• Integration friction. School IT teams may resist another control layer if it risks breaking SIS syncs, term-start workflows, or vendor integrations. Mitigation: Start with read-only discovery and session-based controls on privileged users, then expand to enforcement once the institution validates critical workflows.
• Slow education procurement. District and university buying cycles can be long unless the product is tied to an immediate audit, insurance, or incident event. Mitigation: Sell through breach tabletop exercises, insurer questionnaires, and cyber-renewal deadlines, and use MSP and broker partners to compress trust-building.
• Incumbent security catch-up. Canvas or generic IAM vendors could add pieces of privileged access or reporting functionality over time. Mitigation: Own the cross-system student-data access graph and incident evidence workflow across LMS, SIS, identity, and vendor environments rather than a single product surface.