The Eight Moats and the Critical Path: From Claimed Defensibility to Earned Evidence

Layer 0Cross-cutting LayersStrategyStartups & ScaleupsCompetitive Positioning
Written By Alexandra Najdanovic

TL;DR
Gokul Rajaram's 8 Moats framework, articulated in full on 20VC in March 2026, is the cleanest update to Hamilton Helmer's 7 Powers for the AI era. It is also dangerous if applied to a pre-seed or seed company without staging.

By Rajaram's own admission, only three of the eight (Data, Workflow, Regulatory) are meaningfully assessable before Series A. The other five are post-scale phenomena that founders systematically claim and investors systematically credit. The Critical Path Layers framework supplies the missing discipline: it tells you at which CPL layer each moat earns its evidence, and what counts as evidence rather than intent. Without that overlay, the 8 Moats become moat theatre.

Every founder pitch in 2026 ends the same way. Slide titled "Why We Win." Bullet points titled "Defensibility." Phrases such as "data moat", "network effects", "workflow embedding", and increasingly "compound moat." The deck looks rigorous. The investor nods. Nobody asks the only question that matters: which of those moats has actually been built, and which has merely been designed for?

That is moat theatre. The vocabulary of defensibility deployed on a stage where no defence has yet been tested.

I want to fix that, because the vocabulary itself is useful. Rajaram's eight is the sharpest available articulation of where durable software value will accrue over the next decade. The problem is not the framework. The problem is the absence of a staging discipline. The CPL framework supplies it.

What Rajaram actually said

The canonical articulation is the 20VC episode of 16 March 2026, cross-checked against his own X thread of the same day. Eight moats, named in order: Data, Workflow, Regulatory, Distribution, Ecosystem, Network, Physical Infrastructure, Scale. Each scored on a one-point scale. Four or more, you are durable. Two or three, you are weak. Zero, in his own less-decorous phrasing, you are screwed.

Two editorial choices deserve attention because most second-hand summaries miss them.

Rajaram explicitly removes Brand from the list, and he removes Switching Costs from the version of Helmer he is updating. His reasoning on Brand is verbatim: "too hard to measure, and in many cases the underlying brand strength is due to something more fundamental." On Switching Costs: "Over the next one or two years, ability to port data from any ecosystem to another is going to be very easy. And then people are going to be able to replicate almost pixel by pixel the experience you have with one product in a different product." Two Helmer powers downgraded in a single pass. That is not a translation. It is a thesis.

The thesis is that in an AI era where software is cheap to produce and interfaces are cheap to clone, the only defensible assets are the ones AI cannot vibe-code overnight: proprietary feedback loops (Data), embedded operational dependency (Workflow), legal and capital barriers (Regulatory), and the atoms-and-density moats further out (Distribution, Ecosystem, Network, Physical Infrastructure, Scale).

That thesis is right. The trouble is what happens when a founder picks it up at pre-seed.

The temporal problem

Read the 20VC transcript carefully and Rajaram tells you himself, almost in passing, that the framework is not designed for early stage. Quoting him: "At early stage it's too hard to know what a distribution motor is unless they have some hack. Ecosystem? Too early to say. Network effects? Too early to say. So really, for a pure software company, data and workflow moats are the two things you're really hanging your hat on as a software investor."

Three of the eight are seriously assessable pre-Series A. The other five are not.

Read that line again. Five of the eight moats in Rajaram's own framework are post-scale phenomena. Distribution requires channels with economic dependency on you. Ecosystem requires third-party developers building businesses on top of you. Network requires liquidity and density per geography. Physical Infrastructure requires deployed capex. Scale requires unit-cost decay measured against competitors. A company with twenty customers and a Series Seed has none of those. It may have designed for some of them. It does not yet have evidence of any.

The honest founder collapses Rajaram's eight into three at early stage and pretends to nothing more.

The dishonest founder, or the merely optimistic one, claims all eight. The investor, having nothing better to do, scores the deck.

This is the gap. And it is the same gap CPL was built to expose elsewhere.

Where the moats sit in the Critical Path

The Critical Path Layers framework sequences the work of building a company by dependency. Each layer gates the next.

  • Layer 0 is Foundations and Strategic Thesis.

  • Layer 1 is Market Clarity (ICP, value proposition, pricing).

  • Layer 2 is Validation (pilots, proof, evidence).

  • Layer 3 is the Commercial Engine.

  • Layer 4 is Scale Readiness.

    The same framework runs in a six-layer variant for corporate innovation, starting at Layer -1: Problem Classification.

Defensibility is a Layer 0 question. Strategic thesis is exactly where a founder must declare which moats they are architecting for, why, and by what mechanism. Without that declaration the rest of the company is built on intuition.

But evidence of defensibility sits at every subsequent layer. And the layers are not interchangeable. A moat claim made at Layer 0 must be tested at the layer where evidence becomes possible — not before, not after.

Here is the mapping (click here) . Each Rajaram moat, the CPL layer at which intent can be declared, and the CPL layer at which evidence becomes assessable.

Two things fall out of this table that founders rarely sit with for long enough.

  • First, only Regulatory and Physical Infrastructure can be demonstrated at pre-seed with anything other than a wave of the hand. Licences either exist or they do not. Fabs and devices either exist or they do not. The other six moats are at best architected-for at the earliest stages, which means the only honest claim is: if our product-market fit thesis is correct, then by Layer 3 we will have evidence of this moat. That is a respectable claim. It is also a much smaller claim than "we have a data moat."

  • Second, Ecosystem and Scale cannot be claimed at all before Series A. Not because Rajaram says so, but because the mechanism by which they form requires post-scale conditions a pre-seed company structurally cannot have produced. A founder claiming Ecosystem on slide 17 is either confused about what the word means or is reaching for vocabulary the audience will not push back on.

The grading overlay

Once moats are placed in the Critical Path, scoring becomes possible without self-deception. Use four grades.

  • Demonstrated. Quantitative evidence at scale. NRR ≥ 120 per cent. Fifty third-party integrations with revenue dependency. Density measured against a defined cluster. Licences in hand.

  • Early Evidence. Leading-indicator metrics with small but real cohorts. Five logos with multi-team usage. First ecosystem partner shipped. First channel partner with exclusivity terms signed.

  • Architected For. Explicit design choices that would produce the moat at scale. Feedback loop documented with the signal-to-model behaviour chain. Multi-tenant data schema. Channel-partner contract template drafted. No evidence yet — but the architecture is real and the evidence is mechanically downstream of work already done.

  • Claimed. No evidence, no architecture, only vocabulary. For scoring purposes, treat as zero.

A pre-seed deck should never present a moat scoring higher than Architected For unless it is Regulatory or Physical Infrastructure. A seed-stage deck might earn an Early Evidence grade on Data or Workflow if the cohort is small but the metrics are honest. Series A is where the Demonstrated grade becomes possible across more than three moats.

The instinct will be to round up. Resist it. The Casado and Lauten critique from a16z ("The Empty Promise of Data Moats", 2019) is seven years old and still right: data volume without a feedback loop is not a moat, it is a storage bill. NFX makes the same point about network effects: most claims of "network effects" with fewer than a hundred users describe viral effects, which is a different mechanism with a different decay curve. The grading discipline forces founders and investors to be specific about which mechanism, and at what stage.

Why this matters in 2026 specifically

There is a particular reason this discipline is more urgent now than it was when Helmer published 7 Powers in 2016.

Rajaram is right that software's traditional defensibility is collapsing. AI coding agents can replicate feature work in days that took human teams quarters. Foundation models commoditise capabilities that used to be proprietary. APIs are being closed defensively, which is a tell that the moats they protected are under attack. The shape of the next decade is that durability accrues to the operators who own data feedback loops, multi-team workflow embedding, regulated channels, and physical assets. Everything else compresses.

The investor response, visible in the Bessemer State of AI 2025 categorisation of Supernovas and Shooting Stars, is to start sorting fast-growth AI companies into two buckets: those whose growth is real and retentive (Shooting Stars, gross margins around 60 per cent, slower to $100M ARR but durable), and those whose growth is hype-funded and retention-fragile (Supernovas, $100M ARR in eighteen months with thin retention). The distinction is exactly the distinction the CPL grading overlay forces. Demonstrated moats correlate with Shooting Stars. Claimed moats correlate with Supernovas that disappear.

In other words: the gap between claim and evidence is widening, not closing. The faster a company can be funded on a claim, the more expensive the eventual reckoning becomes when the claim does not earn its grade. Founders carrying moat theatre into 2027 will pay for it in down-rounds and refused extensions. Investors carrying moat theatre into their portfolios will pay for it in mark-downs.

The CPL diagnostic questions, by moat

Below is the version of the famous diagnostic questions adapted for the 8 Moats. They are organised by moat, stage-graded with CPL layer references, and structured to expose claim-versus-evidence at every step.

Use them on your own deck before an investor uses them on you.

Data Moat — declared at Layer 0, evidenced at Layer 2 onwards.

  • Describe the proprietary dataset your product produces in a single sentence. What specifically can you build that a competitor using only foundation models and public data cannot?

  • Map the feedback loop: which user action generates which data signal, which trains which model behaviour, which improves which user outcome?

  • What is the half-life of this data? How relevant is data generated twelve months ago to a present-day inference?

  • At which CPL layer does the feedback loop start running with real customers, not internal tests?

  • What contract or technical mechanism prevents customers extracting and porting this data on exit?

Workflow Moat — declared at Layer 0, evidenced from Layer 2 into Layer 3.

  • Map the customer workflow you sit inside. Which steps are upstream of you, which are downstream, which are adjacent?

  • How many distinct user roles in a typical customer touch the product weekly?

  • What gross retention and net revenue retention have you observed? At what cohort size?

  • If you turned the product off for forty-eight hours, what specifically would break inside the customer's operation, and who would notice first?

  • Name the customer whose internal process documentation now references your product by name. If you cannot, you do not yet have a Workflow moat.

Regulatory Moat — declared and evidenced at Layer 0.

  • List every licence, registration, or accreditation in your industry. Which do you hold, which are in train, what is the elapsed time and capital cost for a competitor to obtain each?

  • Are there caps on the number of licensed operators in your jurisdiction? Can a new entrant be excluded?

  • Are you on a regulatory roadmap or working group? Provide evidence.

  • Is your regulatory advantage durable across jurisdictions you intend to enter, or is it specific to your home market?

Distribution Moat — declared at Layer 1, evidenced at Layer 3.

  • What is your current customer-acquisition channel mix? Which channels are exclusive to you, contractually or behaviourally?

  • Identify the single channel that drives more than forty per cent of new logos. What is your defensibility in that channel?

  • Where do channel partners have economic dependency on your product, measured in revenue share or referral economics?

  • What is your CAC payback by channel, and how does it change as you scale?

Ecosystem Moat — declared at Layer 1, evidenced from Layer 3 into Layer 4.

  • How many third parties build on or integrate with your product? Of these, how many derive more than ten per cent of their revenue from your platform?

  • What developer-platform mechanisms (APIs, app store, revenue share) do you operate, and what is the average number of third-party integrations per customer?

  • What would happen to those third parties if you closed your API tomorrow? If the answer is "nothing serious," you do not have an Ecosystem moat. You have integrations.

Network Moat — declared at Layer 0 or 1, partially evidenced at Layer 2 (local liquidity), fully evidenced at Layer 3 (density across clusters).

  • Which network-effect sub-type best describes your network: direct, two-sided marketplace, platform, or data scale? (Borrow NFX's taxonomy. Picking one forces specificity.)

  • What is your single most geographically dense or topically dense node cluster? What share of total activity occurs there?

  • Demonstrate the chicken-and-egg playbook you used to seed liquidity, and the current asymmetry between demand and supply.

  • Where is multi-homing happening, and what does that tell you about how soft the network actually is?

Physical Infrastructure Moat — declared and evidenced at Layer 0.

  • Describe the physical assets your product depends on: devices deployed, fibre, fabs, warehouses, data centres.

  • What is the capex and time-to-replicate for a competitor to match your physical footprint?

  • Where do robotics or automation reduce the cost of replicating your footprint, and on what timeline?

Scale Moat — only assessable at Layer 4, and only for the right business types.

  • What unit-cost decay have you measured per doubling of volume? Quote the learning curve or a specific cost-per-unit comparison against competitors.

  • Is your business model one that mechanically produces scale economies (hyperscaler, physical operator, marketplace), or are you a pure-software company in which traditional scale economies are collapsing?

There is one further question, and it sits outside the moat-by-moat structure. It is the one I find founders most reluctant to answer, which is usually a sign it is the right question.

Across the eight, where on the grading scale does each of your claimed moats actually sit?

Not the score Rajaram's rubric would give you. The score the rubric would give you after the A/B/C/D evidence-grade overlay. A founder who answers "Score 5 — but only 1 Demonstrated, 3 Architected For, and 1 Claimed" is a founder who can be coached. A founder who insists on the headline 5 is one who will be repriced.

What this means for the deck on Monday

Rajaram's framework is not the problem. Rajaram is the most honest articulator in the conversation right now. The problem is what happens when an investor's framework lands in a founder's hands and the staging discipline goes missing.

The CPL framework does the staging. It tells you that defensibility is declared at Layer 0 and earned everywhere downstream. It tells you which moats are mechanically possible at your current layer and which are not. It tells you what evidence looks like at each layer, distinct from what intent looks like.

You can still build for an eight-out-of-eight company. Most of the companies that matter most are aimed there. The disciplined version of that aim is: we are architecting for Data, Workflow, and Network; we have not yet earned them; here is the experiment that would prove the first of them at Layer 2; here is the funding ask that buys us the chance to run it.

The undisciplined version is the slide titled "Why We Win." Eight bullet points. No grades. No layer references. No mechanism. No evidence.

Read your deck again with the questions above in hand. Score each claimed moat against the grading scale. Then strike anything that comes out below Architected For. The deck will be shorter. The story will be smaller. The conversation it produces will be the one you needed to have anyway.

Bacon's line is the one I keep coming back to. We must obey the forces we wish to command. The eight moats are the forces. The Critical Path is the discipline of obeying them in sequence. Skip the discipline and the moats become decoration. Apply the discipline and the moats become a roadmap.

Build for the eight. Earn them one layer at a time. Try our MOATS diagnostic companion here.

Alexandra Najdanovic
Previous

Pick the question first
Next

AI & the Future of Org Design and Hierarchy