What do they actually do
Pangolin is an open-source, self-hostable tool that exposes services on private networks to the internet without opening inbound firewall ports or running a VPN. A small connector runs inside your network and establishes an outbound, encrypted tunnel to Pangolin’s entry servers, so external users can securely reach internal apps or devices (pangolin.net; docs: Remote Nodes). It’s identity-aware: access is controlled in a dashboard with rules, SSO integrations, and optional identity headers forwarded to your backend (docs, forwarded headers).
You can self-host the Community Edition or use Pangolin’s managed/cloud control plane. The dashboard lets you register resources, choose protocol/hostname/port, manage domains and certificates, set access rules, and monitor health/analytics (quick install, install a site). For higher availability, you can run multiple nodes and use Pangolin’s coordination features (HA).
A typical workflow is: install the connector on the private network; create a tunnelled “site/resource” in the dashboard; set who can access it; and let authorized users connect through the tunnel. Admins can rotate credentials, review logs, and adjust policies from the dashboard (install flow, access control).
Who are their target customer(s)
- Home lab owners and self-hosters: They struggle with port forwarding, NAT, dynamic IPs, and the risk of exposing services directly. They want simple outbound tunnels they can self-host and control (quick install).
- Small engineering teams (internal apps, staging, admin tools): They need per-app external access without managing a full VPN, and want straightforward rules for who can reach each service (access rules).
- SMB IT/operations teams supporting remote workers and vendors: They lack time/budget to run corporate VPN infrastructure and need easier user provisioning, auditing, and scoped access. Pangolin targets these with team/enterprise controls (licensing/EE).
- Developers/SREs needing short-lived external access (demos, troubleshooting): They don’t want to create temporary firewall rules or expose services publicly. They want quick, auditable tunnels they can spin up and revoke easily.
- Operators of distributed devices/IoT fleets behind carrier NATs: They can’t rely on inbound connectivity or public IPs and need authenticated, auditable outbound-only access to each device (remote nodes).
How would they acquire their first 10, 50, and 100 customers
- First 10: Founder-led outreach to GitHub stargazers/contributors and active HN/Discord users; offer free managed accounts and hands-on setup to gather feedback and testimonials.
- First 50: Publish marketplace images and a short video walkthrough; run a focused launch on HN and r/selfhosted with pinned step-by-step guides and small referral credits to early community advocates.
- First 100: List in major cloud marketplaces and partner with small IT shops/NAS vendors for prebuilt installers; run webinars for small engineering teams and use early case studies to convert similar buyers via a low-touch managed trial.
What is the rough total addressable market
Top-down context:
Analysts size ZTNA around $7.34B in 2025, with broader zero-trust estimates in the tens of billions depending on scope (KuppingerCole, Grand View). VPN/remote-access markets are also multi‑billion (PrecedenceResearch), while developer tunneling (e.g., ngrok) shows millions of users and tens of thousands of paying customers (ngrok funding summary); home-lab spend adds further billions (homelab market).
Bottom-up calculation:
Illustrative near-term SAM: 200k SMB/engineering teams adopting per‑app access at ~$2k/year (~$400M), plus 50k paying developer/SRE users at ~$100/year (~$5M), plus 500k hobbyists converting to managed features at ~$20/year (~$10M), totaling roughly $415M, with additional upside from enterprise and IoT segments.
Assumptions:
- There are ~200k globally relevant SMB/engineering teams that could adopt per‑app access in the next few years, with ~$2k/year ARPA.
- ~50k developers/SREs would pay annually for managed tunneling features at ~$100/year.
- ~500k hobbyists would convert to some paid/managed add‑ons at ~$20/year; enterprise/IoT are excluded from this conservative roll-up.
Who are some of their notable competitors
- ngrok: Hosted tunneling with a lightweight agent and dashboard for public URLs, OAuth/SSO, and request inspection; popular with developers and small teams who want a turnkey service (docs).
- Cloudflare Tunnel (cloudflared): An outbound daemon connects your origin to Cloudflare’s edge and works with Cloudflare Access for identity/zero‑trust policies; traffic routes through Cloudflare’s network (docs).
- Tailscale: A WireGuard‑based mesh VPN that links devices into a private network; often used to reach internal services without opening ports, but it is a device‑level VPN rather than a per‑app identity‑forwarding web tunnel (kb).
- Teleport (Gravitational): Identity‑aware access proxy for SSH, databases, and internal apps with short‑lived certs, auditing, and session recording; heavier and compliance‑oriented compared to simple tunnels (repo/docs).
- frp: Open‑source server+client reverse proxy for exposing services behind NATs; lightweight but DIY: there is no built‑in dashboard or identity control plane, so you manage auth/routing/uptime yourself (repo).