How to Find Companies That Switched Tech Stack (Displacement Signal Prospecting)

A company that just ripped out Salesforce after 15 years is, for the next three months, the warmest account in your pipeline - assuming you sell anything that touches a CRM. The rip-out is the signal; the buying window is the budget that didn't quite get spent on the migration, the integrations that broke, and the adjacent tools whose contracts are now up for review. The tricky part is finding the rip-out before the new vendor's marketing team puts up a victory-lap case study six months later.

The default answer is to pay BuiltWith $495/month for the Pro plan or $995/month for Team, or Wappalyzer $250-$850/month, and let them tell you which sites added or dropped a given technology last week. That works. It also costs the price of a junior SDR's quota in tooling alone, and the data you're paying for is largely re-derivable from public sources if you're willing to do the forensic work.

I want to lay out the cheaper path, but first the case study. Checkwriters - a payroll software vendor - left Salesforce for HubSpot in 2025 after a fifteen-year relationship. Here's the operative quote from their CMO:

It was almost impossible for our admins to get a Salesforce support specialist on the phone, and they had no chat functionality. [...] Without HubSpot, Checkwriters would be back in the Dark Ages.

- Dakota Hebert, CMO, Checkwriters

Two things to notice. First: the migration is permanent and public, which means every Salesforce-adjacent vendor (Pardot integrations, Salesforce-only billing connectors, Salesforce-flavored Outreach seats) just lost a tether at Checkwriters and has to either pivot or churn. Second: by the time HubSpot publishes a case study, the buying window for those adjacent vendors has been open for several months and is closing. The actually-warm prospects are the companies currently in the rip-out - the ones whose case study is six months from now.

So how do you find them without writing a $495 check? The detection sources are unglamorous and individually unreliable. Wappalyzer's free tier gives you 50 lookups a month and is fine for sanity checks. The HTTP Archive's BigQuery dataset runs Wappalyzer detection across millions of sites monthly and is queryable for free if you can write SQL - this is the closest thing to a free BuiltWith for historical comparisons. CSP response headers (curl -I, or SecurityHeaders.com) leak the entire whitelist of third-party domains a site loads scripts from. MX records reveal the email infrastructure. /humans.txt and /security.txt, when they exist, sometimes name internal tooling. Sub-processor lists on DPA pages enumerate every third-party that touches customer data. Job postings ask for skills in the new tool by name. Vendor case-study indexes - HubSpot's, Klaviyo's, RudderStack's - publish migrations chronologically and are RSS-scrapeable.

None of these is a full picture on its own. A CSP whitelist that includes *.hubspot.com could mean HubSpot is the CRM, or it could mean someone embedded a single HubSpot form on a marketing page in 2022 and forgot. An MX record pointing at salesforce.com means Salesforce is the routing destination for some aliases, not that the company runs sales on Salesforce. A job ad for "Klaviyo experience preferred" might mean the company runs Klaviyo, or that one PM read a blog post and added it to a wishlist. I think the only honest framing is that each of these is a 30-50% confidence signal, and the trick is stacking them.

This is exactly the kind of work that sits at the seam between discovery and enrichment - the seam Leadex is built to close. You describe the ICP in plain English ("companies whose careers page added 'HubSpot Admin' in the last 60 days, whose CSP whitelists hubspot.com, and who don't appear in HubSpot's published customer list yet"), the agent browses the open web, pulls the corroborating signals, dedupes, and pushes to your CRM with a URL and timestamp per row. No BuiltWith subscription, no proprietary technographic database to license, no per-contact markup. The browser-agent piece is the part that scales: pulling CSP headers and parsing job ads is trivial code, but doing it across a 5,000-account universe with deduplication is where the hour-vs-week gap opens up.

The counter-take is that even three corroborating signals is not enough if you act on the raw detection without thinking about why the switch happened. Checkwriters left Salesforce because they couldn't get support on the phone. Marq left Marketo because their stack was too expensive. A startup leaves Mailchimp for Klaviyo because their list crossed 50,000 subscribers and Mailchimp's segmentation broke. The triggering pain is the message you actually want in cold outreach, not the trivia that the rip-out happened. This is the same point I've been making about signal stacking - one trigger is data, two is a pattern, three is the start of a pitch. Stack displacement is one entry in a longer catalogue of 30+ buying-signal triggers worth tracking, and it pairs especially well with new exec hires, because a new CRO or CMO is the single biggest predictor of stack consolidation, and with funding events, where the budget for the consolidation gets approved.

For the curious, three workflows that work without paying for a technographics tool:

One: pick a vendor whose competitor you sell, scrape their public customer/case-study page weekly, and treat any company added in the last 30 days as a fresh displacement candidate. The case study itself often names the displaced tool - Marq's HubSpot page explicitly lists Salesforce, Marketo, Zendesk, and Workato as replaced. That's four prospect lists from one page.

Two: build a job-ad keyword diff. Pull each target company's careers page (or LinkedIn job listings) on a weekly cadence, and flag any week where a tool name appears for the first time, or disappears entirely. A "Klaviyo Admin" listing showing up on a Mailchimp shop is a stronger signal than the CSP scan, because hiring requires budget approval and budget approval requires a decision. TheirStack's own pitch is essentially this workflow, indexed at scale; if you only need a hundred accounts a week, you can run it yourself.

Three: for companies with public repos, watch the dependency manifests. A commit on package.json that removes mailchimp-marketing and adds klaviyo-api, with a timestamp, is the cleanest displacement signal you can find - the engineer who made the change has effectively published a press release. GitHub's search syntax handles this directly ("klaviyo-api" path:package.json), and the dates are real.

The honest caveat: detection is the easy half. The hard half is that most companies do not telegraph their stack changes publicly, and the ones that do are over-indexed with vendors who already saw the same signal. I think the right read is that these methods produce a seed list of fifty or a hundred high-confidence accounts per category per quarter - not a thousand-account fountain - and that's fine, because fifty accounts in a real 30-day buying window is more pipeline than a thousand cold ones. As of 2026, with BuiltWith priced at $495/month and the alt-data sources increasingly accessible via free tiers and public datasets, the case for paying the technographics tax is weaker than it's been in years. If you have a competitor whose customers leak, you have a prospect list - you just have to read the leaks.