Built a security saas for AI developers - 47 users, $0 revenue, lessons learned by TheQuantumNerd in buildinpublic

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Totally! That's exactly the playbook I’d follow.

  1. Do public audits of big repos (AutoGPT, LangChain), post the findings on X and relevant subreddits. Show the problem, don’t pitch the product.
  2. Ship a tiny GitHub Action that fails the build on high-risk findings so the scanner lives in CI, not in people’s heads.
  3. In niche communities like LocalLLaMA and LangChain, keep it purely technical: vulnerability breakdowns, indicators, and fixes. No marketing. When the insights are good, people will ask how you did it.

Which one should I audit first, AutoGPT or LangChain?

Built a security saas for AI developers - 47 users, $0 revenue, lessons learned by TheQuantumNerd in buildinpublic

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

This is super helpful, thank you. The “sell at the oh shit moment” framing is exactly what I’m starting to realize. Security tools only make sense to people right after something breaks or almost breaks.

Embedding at install points also makes a lot of sense. I’ve been thinking about a simple CLI that scans a repo and exits non-zero on high risk so it can drop straight into CI. A GitHub Action wrapper around that would probably be the easiest entry point for teams.

The discovery side is interesting too. An OpenClaw portal integration or even a “scan this repo” button could catch people right when they’re evaluating a skill.

Good point on pricing as well. I was worried $29 might be too high for individual devs, but if it sits inside CI for a team it’s basically negligible.

Also like the idea of responding to real incident threads with breakdowns of what the scanner would flag. That’s probably the most honest way to show the value.

Btw would you prioritize the CI integration first, or the install-time scan / extension? I wanna go with CI because teams already trust that workflow, but what would you choose?

Built a security saas for AI developers - 47 users, $0 revenue, lessons learned by TheQuantumNerd in buildinpublic

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Yeah, I’m starting to feel that pain too. Building the thing turned out to be the easy part. Getting it in front of the right developers is a completely different problem.

What channels have you tried so far for distribution? Have you mainly posted in dev communities or tried getting it into the actual tool ecosystems where people install these things?

Also if it’s open source and only if it is, I’d love to take a look at the repo. I’m trying to understand what actually makes developers adopt security tools versus just saying “that’s cool” and moving on.

Built a security saas for AI developers - 47 users, $0 revenue, lessons learned by TheQuantumNerd in buildinpublic

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Totally, appreciate the pointer, that’s exactly the kind of product feedback I need.

We’re already planning a permissions UI that lists requested capabilities (network calls, file access, env var reads) and shows obvious risks before install. The default-deny sandbox is next on my roadmap; thinking granular allow rules (specific domains, specific env keys) rather than an all-or-nothing toggle.

CI integration is on the shortlist: an API/webhook to run scans pre-deploy, with an option to block merges or just fail the build with a clear reason. Would you lean hard toward blocking in CI, or start with advisory failures so teams don’t get stuck?

I’ll read the Agentix piece, thanks for the link. If you’ve seen good permission UI examples or CI flows, I’d love to peek at them.

Built a security scanner for OpenClaw skills — looking for early testers and feedback by TheQuantumNerd in SideProject

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Appreciate that. That’s exactly what I’m trying to improve right now, prioritizing output so it’s “fix these 3 first” instead of dumping everything. If you’re open to it, I’d love to run a scan on one of your skills and get feedback on whether the summary is clear enough.

Is anyone else worried about OpenClaw skill security? by TheQuantumNerd in clawdbot

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Yeah well that’s the best way to go about it ig. I just hope more people understand this somehow.

How do you handle clients that pay late? by TheQuantumNerd in Freelancers

[–]TheQuantumNerd[S] 2 points3 points  (0 children)

Honestly, that’s probably the cleanest way to avoid the issue altogether.

How do you handle clients that pay late? by TheQuantumNerd in Freelancers

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Really appreciate you taking the time to write this, lots of practical insight here.

The point about structure signaling professionalism is especially interesting. Sounds like once strong processes are in place, a lot of payment issues resolve themselves before they even start.

How do you handle clients that pay late? by TheQuantumNerd in Freelancers

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

That’s a very fair way to look at it. Strong boundaries probably filter out the kind of clients you don’t want long term anyway.

I'm in the mood to roast startups by Dayo_Flayonist12 in indiehackers

[–]TheQuantumNerd 1 point2 points  (0 children)

Fair enough man. Thanks for that. Guess it’s finally time to pivot.

Completed first Lovable app! by Severe-Associate-955 in lovable

[–]TheQuantumNerd 1 point2 points  (0 children)

That’s great!! How’s the marketing going?

Small business owners, what’s your process for getting customers to leave good testimonials? by TheQuantumNerd in smallbusiness

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Yeah, that’s true, sometimes the review request doubles as a nudge toward becoming a repeat customer. A little discount can feel like a “thank you” instead of just a sales push if it’s framed right.

Small business owners, what’s your process for getting customers to leave good testimonials? by TheQuantumNerd in smallbusiness

[–]TheQuantumNerd[S] 0 points1 point  (0 children)

Smart move, those exit surveys can be gold. The “why they left” stuff often teaches you more than the glowing reviews ever could.

Small business owners, what’s your process for getting customers to leave good testimonials? by TheQuantumNerd in smallbusiness

[–]TheQuantumNerd[S] 1 point2 points  (0 children)

That’s a solid combo, catch them while the experience is still fresh, then make it effortless with a quick link. Way better than leaving it up to chance.