Shipping fast without shipping holes
A founder's playbook for catching this before your first user does.
You shipped your MVP this weekend. What did you leave exposed?
The speed that got your MVP live is the same speed that left things open. The handful of holes a stranger finds first, and how to close them.
The 10-minute security pass every solo founder should run before launch
The cheapest time to find a hole is before your first user does. Ten minutes, no tools, the exact checks that catch what gets launches hit.
Does "vibe coding" leave security holes? (Yes, here's where)
The AI wrote the feature. It did not check what it exposed. The specific holes vibe-coded apps ship, and how to find them from outside.
What a security scan can and can't tell you (we're honest about it)
We tell you what an attacker sees from outside. We don't pretend to be a pentest. Exactly what a passive external scan covers, and what it can't.
Security.txt: the 30-second file that tells researchers how to reach you
When someone finds a bug, do they have a way to tell you, or do they tell the internet? What security.txt does and how to add it in 30 seconds.
Free website security scanners: what each one checks, and what they all miss
The good free website security scanners are real, and each checks one narrow thing. Here's what SSL Labs, Observatory, SiteCheck, and the rest cover, and the gap between them.