Prepared for Munawar Hafiz — Founder & CEO
OpenRefactory
SAST is a category buyers have learned to distrust on sight — 50%+ false-positive rates trained them to assume every 'we actually fix it' claim is marketing until proven otherwise.
Your most credible proof already lives outside your funnel: PRs from iCR accepted by maintainers who owed you nothing. That proof is generating buying signals in changelogs and merge histories every time it lands, and almost none of it is wired back to a buyer who'd believe it. Here's the part that's instrumentable today.
The signals you're sitting on
◆ SIGNAL 01
An iCR-authored fix gets accepted and merged upstream by an independent maintainer
Reads as
The category's hardest claim — 'we fix it, with few false positives' — just got proven by someone with no incentive to flatter you. The strongest possible top-of-funnel artifact, created automatically.
Leaks today
Lives in a merge history. Becomes engineering trivia, not a dated, citable proof point in front of buyers who have been trained to dismiss exactly that claim.
Wire this
Wire each accepted upstream merge into a proof feed — capture the repo, the bug class, the maintainer's words, the date — and route it to a developer-facing 'proven fixes' page and your case-study pipeline as it happens.
◆ SIGNAL 02
A developer arrives at the iCR docs having followed an accepted PR, that bug class, or the false-positive-rate claim
Reads as
Someone followed the public proof to your product and is checking whether it applies to their stack. Early evaluation, high credibility already established.
Leaks today
Looks like anonymous doc traffic; the path from 'saw a real merged fix' to 'reading my docs' is the highest-intent journey you have and it's untracked.
Wire this
Tag traffic that lands from proof artifacts as 'proof-sourced eval,' map which bug classes pull them in, and open a docs-led nurture that meets them on the exact bug type they followed.
◆ SIGNAL 03
A prospect runs iCR on their own repo and gets a real fix for one of the 71 bug types
Reads as
They moved from believing your OSS proof to seeing it on their own code. This is the buying moment — the claim is no longer external, it's theirs.
Leaks today
Captured as a scan metric, not as the moment a skeptic became a believer on their own codebase. No human is told.
Wire this
Fire a real-time alert when a first real fix lands in a prospect's own repo, and reach out referencing their fix and bug class — pairing it with the upstream merges that prove it's not a fluke.
◆ If you wire one thing
Stop letting accepted upstream merges die in changelogs — wire every one into a dated, citable proof feed that feeds your docs, your outreach, and your case studies the day it lands.