A Hacker News thread did the rounds last week arguing that the only moats left are the ones AI cannot replicate. It is a useful prompt, but the framing is a bit too clean. The question is not whether AI ate the work — large chunks of it, clearly, yes. The question is which engineering assets still compound, which ones just got flattened, and which ones were never really moats to begin with.
We have been doing this work in production for clients who care about the answer — fintechs, healthtechs, infrastructure operators — and the picture from the ground is less dramatic than the essays suggest, but more uncomfortable in its details.
What LLMs actually commoditised
Start with the honest list. Foundation models have collapsed the cost of: greenfield CRUD, boilerplate integrations against well-documented APIs, first-pass UI scaffolding, schema translation, most one-off scripts, and a surprising amount of code review on small diffs. They have also commoditised something subtler — the legibility of unfamiliar codebases. A mid-level engineer with Claude or Cursor can now orient inside a 200k-line Rails monolith in an afternoon. That used to be a week.
If your moat was "we know our codebase and nobody else does," it just got thinner. If your moat was "we built a custom admin panel," it is gone. If your moat was that you had ten engineers who could write idiomatic Go, you now compete with three engineers who can write idiomatic Go with model assistance — and the cost curve favours the smaller team.
None of this is news to anyone shipping software in 2024. What is less discussed is what stayed scarce.
Proprietary data is the moat people overclaim
Every deck since 2022 has claimed proprietary data as a moat. Most of those claims do not survive scrutiny. Logs of user clicks are not a moat. Aggregated transaction data is not a moat unless you have exclusive collection rights or a structural reason competitors cannot reach equivalent data.
The data moats that hold up have two properties: they are generated by the product's own operation in a way competitors cannot replicate, and they feed back into model or product quality at a rate faster than competitors can buy or scrape an alternative. Stripe's risk signals qualify. A typical SaaS dashboard's event stream does not.
What we tell clients: if your data moat requires a slide to explain, it is probably not a moat. If it shows up directly in a measurable quality gap that customers pay for, it is.
Integration depth is underrated
The moat that has quietly strengthened in the LLM era is integration depth — being wired into a customer's workflows, data sources, identity systems, and approval chains in ways that take months to undo. This is not the same as switching cost from contractual lock-in. It is the operational reality that ripping out a system touching twelve internal teams is a project nobody volunteers to run.
LLMs make it easier to write an integration. They do not make it easier to get a customer's security team to approve a new vendor, run a SOC 2 review, negotiate a data processing agreement, and migrate three years of historical records. The work that was hard before is still hard. The code was never the bottleneck.
This is why we keep pushing clients toward early, deep integration with customer systems rather than broader shallow surface area. Twenty customers with deep hooks beat two hundred with a Zapier connector, almost every time.
Regulated trust compounds
The second moat that strengthened is regulated trust. If your product touches money movement, health records, identity, critical infrastructure, or anything with a real audit trail requirement, the LLM revolution barely touches your defensibility. Auditors do not accept "the model wrote it." Regulators do not care that your competitor shipped in half the time. A clean compliance posture, a defensible change management process, and a documented model of how decisions get made are now more valuable, not less, because the cost of producing untrusted software fell to zero.
The corollary is uncomfortable for AI-maximalist teams: if you let agents merge to main without human review in a regulated domain, you are accumulating liability faster than you are accumulating velocity. The moat is not the AI tooling. The moat is the discipline around it.
Distribution was always the real moat
Nothing about foundation models changed the fact that distribution is the dominant moat in software. It has just become more obvious. When anyone can build a passable v1 of your product in a weekend, the question of who reaches the customer first, with credibility, in the right channel, becomes the entire game.
This is bad news for the "better mousetrap" school of engineering. It is good news for teams who already invested in developer relations, partnerships, design partners, or category-defining content. The asymmetry between teams who can ship and distribute versus teams who can only ship just widened by an order of magnitude.
Switching cost is a moat with a half-life
Switching cost is real but increasingly time-limited. Migrations that used to take a quarter — schema translation, API rewiring, test backfilling — are now measured in weeks when a customer is motivated. We have watched teams move off legacy vendors in timeframes that would have been laughable two years ago, because the grunt work of translation is no longer grunt work.
The switching costs that hold up are the ones tied to human process, not code: retraining, recertification, internal political capital spent on the original decision. The pure-technical switching costs are eroding fast.
What we tell technical founders
A blunt framework, which we use in our own positioning work:
- Stop counting code as an asset. It is now a liability with a depreciation schedule. The asset is what the code is connected to.
- Audit your moat claims against a hostile reading. If a competent team with three engineers and Claude could replicate your product in eight weeks, you do not have a product moat. You might still have a distribution or trust moat, which is fine — just be honest about which one is doing the work.
- Invest in integration depth before feature breadth. A product wired into a customer's core operations is harder to displace than a product with twice the surface area.
- Treat compliance as a product feature. In regulated domains, the audit trail, the change management, the explainability — these are now load-bearing differentiators.
- Own a distribution channel. Not a marketing strategy. A channel. A list, a community, a partnership, a category position.
The honest conclusion
The HN essay framed this as AI versus moats. We think the framing is wrong. AI did not kill moats. It killed the pretend moats — the ones built on engineering scarcity that was never as scarce as we told ourselves. What remains are the moats that were always the real ones: distribution, trust, integration depth, and a small set of genuinely proprietary data positions.
The teams that will compound over the next five years are the ones who already understood this, and who are now using LLMs to spend less time on the commodity work and more time on the parts of the business that were always the moat. The teams that are in trouble are the ones who mistook engineering effort for engineering defensibility. That mistake is now visible at speed.