The Defensibility Audit: Run the Bain Clone Test on Your Own Startup
Diligence teams now vibecode clones to test if your code is your moat. Here's a step-by-step audit to find — and fix — your real defensibility first.
Last week we covered the news that Bain is vibecoding rough replicas of software companies in private-equity diligence to test how easily a target can be copied. The takeaway landed with a lot of founders: if a small team can rebuild your core product in a few days, the code was never your moat.
That’s a useful scare. But a scare isn’t a plan. This guide is the plan — a practical audit you can run on your own company this week, before an investor, acquirer, or competitor runs it for you. Think of it as a fire drill. You’d rather find the locked exit during the drill than during the fire.
Why run this on yourself
The instinct after reading the Bain story is to feel either smug (“my product is complex”) or doomed (“anyone could clone this”). Both reactions skip the work. The point of a defensibility audit isn’t to score yourself — it’s to separate the parts of your business that survive a clone from the parts that don’t, so you can pour your remaining energy into the parts that do.
You have the same tools Bain has. The audit costs you a weekend and the price of a few prompts. The alternative is finding out where your value actually sits during a term-sheet negotiation, when it’s too late to do anything about it.
Step 1: Actually clone yourself
Don’t theorize. Open Lovable, Bolt, or Replit and try to rebuild your core product from a cold start. Give yourself one working day. Be honest about what you reach.
Most founders are surprised twice. First, by how much of the front end and basic CRUD an agent reconstructs in an afternoon — the dashboard, the auth, the forms, the happy-path flows. Second, by where it grinds to a halt. The clone stalls at the parts that aren’t really “software”: the integration that took three months to get right, the pricing logic shaped by two years of customer feedback, the data you’ve accumulated that makes the product smart.
Write down two lists as you go: the “rebuilt in a day” list and the “couldn’t touch” list. The first list is not your moat. The second list is where you live. If your “couldn’t touch” list is empty, that is the single most important finding of this entire exercise, and the rest of this guide is for you.
Step 2: Score the four un-clonable layers
A vibecoded clone boots up empty and alone. Everything it can’t reproduce falls into four buckets. Rate yourself honestly on each — strong, weak, or nonexistent.
Data and network effects. Does your product get measurably better the more it’s used? Proprietary data, accumulated behavior, a two-sided marketplace where each new user raises the value for the rest. A clone of your UI starts with zero data. If yours runs on data nobody else has, you have a real moat. If your “data advantage” is a database schema anyone could design, you don’t.
Distribution and switching costs. Signed contracts, integrations your customers have wired into their own workflows, a sales motion you’ve spent years tuning, a brand people search for by name. A buyer who clones your software still has to win every customer from scratch. Ask: if a perfect copy of my product appeared tomorrow at half the price, how many of my customers would actually leave? The honest answer is your switching-cost score.
Regulatory position and trust. In healthcare, finance, payments, or anything compliance-heavy, the certifications and the track record are the product. SOC 2, HIPAA posture, audit history, the trust that took years to earn. A prototype with none of that is a demo, not a competitor — regardless of how good the code looks.
Operational depth. The institutional knowledge of running the thing at scale: the edge cases, the failure modes, the on-call wisdom, the six months of context that never made it into the codebase. A clone reproduces the happy path. It does not reproduce knowing why you made each ugly decision that keeps the real thing alive.
If you scored “strong” on at least two of these four, you have something durable. If you scored “weak” or “nonexistent” across the board, your moat is currently a head start — and head starts erode.
Step 3: Make your moat legible
Here’s the trap even strong companies fall into: they have real defensibility but can’t articulate it. In a diligence clone test, the companies that come out looking strong aren’t necessarily the hardest to copy — they’re the ones who can clearly point to where the value sits.
Write a one-page “defensibility memo.” Three sections: what would still be hard for a well-funded team to replicate even with our entire codebase; the evidence for each claim (retention numbers, integration depth, data volume, certifications); and the thing we’re most exposed on. If you can’t fill the first section with at least three concrete, evidenced items, you’ve found your roadmap. The gaps are the work.
This memo is useful far beyond an acquisition. It’s your investor narrative, your prioritization filter, and your honest internal scorecard. Most founders have never written it down, which is exactly why the Bain test catches them off guard.
Step 4: Invest in the layers a prompt can’t shortcut
The audit tells you where to point your effort. The good news is that the un-clonable layers are also the durable ones — they’re hard to build precisely because they can’t be prompted into existence.
If you’re data-light, instrument the product so usage compounds into something proprietary. If switching costs are low, deepen integrations and build the workflows customers can’t easily unplug from. If you’re in a regulated space, get the certification before you need it — it’s a moat that buys itself. And keep documenting operational knowledge as you go, so it lives in the company rather than evaporating into old chat threads.
None of this is fast, which is the whole point. Anything you can build in a weekend, a competitor can too.
The reframe
For two decades, “we built it and it works” was a defensible position because building was hard. Vibe coding broke that. Having built something is no longer proof of anything — the premium has moved to everything that was never about the code.
Run the clone test on yourself. Whatever you can rebuild in a day was never your defensibility. What you can’t rebuild is the business. The sooner you know the difference, the sooner you can stop polishing the part that doesn’t matter and start widening the part that does.