$142/month in AWS bills, 9 users, 0 revenue - I built the internet's first multimodal AI hacking game

The strongest part here isn't the game, it's that you've turned curiosity into security testing. Most founders build demos that explain the product. You built one that improves it. Feels like the next move is packaging the exploit data itself into case studies for AI teams.
Have you thought about turning each player-discovered exploit into a short public teardown and using those as outreach assets for teams shipping LLM features?

How many users now?

$142/month for 9 users is the kind of number that would make most people quietly shut the project down. The fact that you're writing about it openly instead says something.

The thing that genuinely surprised me reading this is that the game isn't just marketing, it's doing real security research. Three exploits found, documented, and patched by strangers who were just trying to win a prize. Ethics manipulation, instruction reflection, password reference tricks — none of those came from your test suite, they came from people who were motivated to break things. That's not a demo. That's a red team.

The content is already sitting there waiting. Every exploit is a post. "New injection vector discovered this week in the Castle, here's how it works and how to defend against it" is exactly what an AI developer tabs back to when they're worried about their chatbot getting jailbroken in production. Those are your buyers. They're just not playing the game yet.

The bridge from game to API is shorter than it looks. It just needs a different door.

Nice thinking on the game part of things. I wonder if there's a market for enterprise AI security education with it?, ie. to help companies train and educate their employees.

Anyway, best of luck!

the 95% building 5% distribution confession is painfully relatable. and the part about showing a developer tool to security gamers - right product, wrong room - that's such a clean way to describe a mistake most people take months to even identify.

the game as free red teaming is genuinely clever. you're getting real attack data from players who are motivated to find exploits. that's not just marketing, that's a feedback loop most security companies pay for.

a question about the direct outreach to AI developers you mentioned - are you targeting people building on top of LLMs who need injection protection, or more traditional security teams? feels like those are very different conversations

This is a great example of overbuilding before distribution, but also really smart thinking with the game layer.

The multimodal angle is interesting, especially the document and audio attack surfaces, most tools don’t touch that at all. The fact players are discovering real exploits is probably your strongest signal that the core product has value.

On distribution, one thing that stands out is you’re targeting security through a “fun” entry point, but your actual buyer is likely a dev team or company worried about risk, not individuals playing levels. The game is great for awareness, but you might need a more direct path from “this is cool” → “we should actually use this in production”.

Curious, have you tried reaching out to teams building LLM features directly (instead of forums)? Even a few conversations might validate where this actually fits.

The game-as-marketing idea is genuinely clever. A shareable challenge that also stress-tests the product... that's the kind of growth loop most of us wish we had. The fact that players are finding real exploits you can patch is a moat you couldn't buy.

On what's worked for distribution... writing about the technical depth behind the product, not the product itself. Your 225-attack test suite, the ultrasonic audio detection, the cross-modal pipeline... that's a Dev(to) article or three that the AI security community would actually share. Developers trust developers who show their work. The product sells itself once the right people see the engineering.

The "95% building, 5% distributing" ratio is something I'm actively fighting too. No good answers yet... just the awareness that opening VS Code feels productive but isn't always the right move.

The 95/5 build-to-distribute ratio and “right product, wrong room” are lessons worth pinning. Also the three player-discovered exploits alone probably saved you weeks of manual pen testing. That’s not a game, that’s a crowdsourced R&D pipeline disguised as entertainment. Keep publishing those findings publicly and the API customers will come to you.

Those 3 player-discovered exploits are worth more than the 9 signups. You are accidentally building a proprietary multimodal attack dataset that no text-only competitor can match, and that is the actual defensible asset here. At 18k views and 0.04% conversion though, do you know which specific channel your 9 users actually came from? Because if even 2 found you through the game sharing loop, that channel alone is outperforming every forum post that got you banned.

The "game as free red teaming" loop is genuinely clever. Most indie hackers treat demos as marketing assets — something to show off the product. You've accidentally built a feedback mechanism where every player makes the actual product stronger. Those three exploits (ethics manipulation, instruction reflection, password reference) are the kind of edge cases that would take months to surface through traditional QA or even paid pen testing. The fact that players found them organically is a real moat.

Your 0.04% view-to-signup conversion rate tells an interesting story though. 18k views and 9 signups suggests the funnel between "this game is fun" and "I need this API for my stack" has a gap. The game attracts security enthusiasts and curious devs — but the people who'll pay $19/mo for prompt injection detection are probably AI teams building customer-facing chatbots or agents who are worried about jailbreaks in production. Those might be two different audiences.

One thing that's worked for dev tools in similar positions: instead of trying to convert game players into API customers, use the game's exploit data as content. Every time a player finds a new injection vector, that's a blog post or Twitter thread waiting to happen — "We discovered a new class of multimodal prompt injection this week. Here's how it works and how to defend against it." That positions you as the authority on multimodal AI security, which is where the API buyers actually hang out.

The 95/5 build-to-distribute ratio resonating hard. Shipping is the comfort zone. Distribution is the actual job.

9 users but $142/month is actually the real signal.
You don’t have a user problem — you have a cost model problem.
Spending money is easy.
Proving someone will pay you is the hard part.

Hey Josh, quick update on this.

I went ahead and set up the full flow for Bordair based on what we discussed (play → reflect → relate → react).

It’s live now, and I structured it specifically around that moment you mentioned — where someone goes from “this is fun” to “I might actually need this in my own product.”

You should be able to find it on Gleyo under “Castle Bordair” (it’s on the landing page).

Once you go through it, I can give you access on your side so you can see responses and tweak things if needed.

No rush, just wanted to let you know it’s ready whenever you want to take a look.

"Josh, this is a wild breakdown. Building a 35-level multimodal game just to red-team your own API is such a high-effort way to validate—Kingdom 4's ultrasonic attacks sound incredibly niche but clever.
That $142/month AWS bill is a classic 'pro infrastructure for an early MVP' hurdle, but the gamification loop you’ve built for distribution is solid. There’s a competition where you can submit this project — entry is $19 and winner gets a Tokyo trip. Prize pool just opened at $0. Your odds are the best right now.
Even if just for the distribution, getting eyes on the 'Castle' could help flip that 0.04% conversion rate. Good luck with the Level 7 bosses!"

This is one of the more self-aware build-in-public posts I’ve seen.

You did not just build a product, you built a mechanism for discovery, testing, and education around the problem. That is much more interesting than “here’s my API, please care.” The game is clever because it turns a hard-to-explain security category into something people can immediately experience.

The most important line here, though, is “right product, wrong room.” That is such a painful but valuable lesson. A lot of early builders mistake engagement for demand, when sometimes they have found attention from the wrong audience segment.

Also, the patched exploits are real proof that users are creating value even before revenue. That does not solve distribution, but it does validate that the interaction model is producing useful signals.

My read is that the game is a strong top-of-funnel asset, but the conversion path to the API probably needs to become much more explicit and role-specific. Security-curious players and teams who actually need multimodal prompt-injection defense are not the same buyer.

Still, this feels like a founder learning the right lessons in public. Expensive? Yes. Overbuilt? Probably. But also genuinely differentiated, which is rarer than people admit.

If I were in your spot, the three player-found exploits are what I'd focus on first. Those are hard content to create in AI safety right now (most of what's out there is theoretical), and you already have real ones sitting in the app.

Writing each one up with the attack, what it bypassed, and how you patched it might travel way better than the game itself. r/LocalLLaMA and the LangChain Discord would probably share that kind of post because AI builders reading "here's an attack that got past a production guard" are more likely to click through than the ones who'd play a hacking challenge.

Could be wrong, but my guess is the Castle works better as a conversion experience than an acquisition channel. Get them in through a case study, then drop them into the game to feel the problem.

so Interesting...

The "free red teaming" angle is genuinely clever. Most people building security products have to pay for penetration testing - you've built a system where users are incentivized to do it for you, and you get the signal for free. The ethics manipulation exploit especially is the kind of thing that never shows up in a test suite because you'd have to think to put it in there. Players don't know what they don't know, which is exactly why they find things you missed.

The 0.04% view-to-signup number is worth sitting with though. 18k views and 9 signups tells you the top-of-funnel is working (people are seeing it) but the message isn't landing fast enough. My guess is the gap is that people watching on Reddit or forums don't immediately connect "fun hacking game" with "I have a prompt injection problem I need to solve." Those are two different audiences.

What would happen if you leaned into the game as the product, not just marketing? Like, what if the game itself had a team mode, where you could invite your dev team to compete? That's the "one person sends it to the whole team" loop you mentioned, but with a structural mechanism rather than organic sharing. Might get you signups from people who just want to play, and then you upsell the API to the ones who turn out to work in AI/security.

Honestly the infrastructure spend doesn't bother me - you've got the foundation. The product clearly works. The question is just finding the right room, as you said. What forums/communities have you tried besides the ones that banned you?

Really cool project Josh! The multimodal approach is smart - most security tools only handle text. $142/month for enterprise infra is actually reasonable if you think of it as an investment in reliability. Have you considered a freemium tier to get early users in? Sometimes giving away a limited free plan helps build word-of-mouth faster than anything. Keep building!

Hey Josh, congrats on a great IH post with actual real user engagements and not just bots! I tried your game and liked it. I got stuck on level 3 and feel kinda dumb for that, but you opened up my eyes for prompt injection so its still a win :D

Important! Your link to Castle in IH bio is wrong. It's an honest typo and people might see it or they might not.

I think your idea of distibuting through the game is brilliant. I really hope it takes off! Well done.

Respect for shipping something this ambitious. 9 users and 0 revenue can feel brutal, but building a weird, technically hard product is often how genuinely new ideas start. The hard part now is probably not the tech, but finding the smallest version people want badly enough to keep coming back to...

The game-as-demo approach is genuinely smart distribution thinking for a security API.

Most developer tools face the same problem: you can explain what they do all day and nobody feels it. But when you make someone try to break a guard and fail, they viscerally understand what your API is protecting against. The experience does the selling that the landing page can't.

The honest building-in-public post about the gap between 'enterprise infrastructure' and '9 users' is also the kind of thing that builds real trust over time. More people will remember this post than a polished launch announcement.

Have you tried reaching out to CTF (capture-the-flag) communities? That audience already loves prompt injection challenges and would probably become your loudest advocates if they found Bordair's Castle.

Welcome, life is truly an unfair GAME most of the time and without any security... good luck for the rest of what's to come.

Update from the trenches - 48 hours since this post.

Numbers first:

• 9 users → 13 users (4 directly from this thread)
• 305 views, 19 likes, 75 comments
• This single IH post has driven more real signups than 18k views across Reddit combined
• Still $0 MRR. Still okay with that for now.

What I shipped based on your feedback:

1. Magic system - multiple people flagged the level 7 drop-off problem. Players now earn magic for clearing levels and spend it on hints that explain what the guard is looking for. Turns frustration into learning instead of quitting. Already live.

2. Skip mechanic - for anyone truly stuck, spend more magic to skip a level. Zero points awarded. The leaderboard knows the difference.

3. Output scanning on the roadmap - a security professional in this thread (edusec) systematically tested levels 1-6 and found that the scanner catches input attacks well, but the model itself can be socially engineered through context manipulation. Two distinct attack surfaces requiring two distinct defences. That finding alone was worth more than weeks of internal testing.

4. Open-sourced a cross-modal attack dataset - 61,875 labeled samples across text, image, document, and audio. Includes PyRIT multi-turn orchestration, GCG adversarial suffixes, Crescendo escalation patterns, and 162 jailbreak template families. github.com/Josh-blythe/bordair-multimodal-v1

What I learned from this thread:

• "Every exploit is a post" (max_flowly_run) - first teardown goes up next week
• "Can your LLM app pass this test" not "play our hacking game" (Link_784) - same product, different buyer
• Infrastructure cost is a trust signal, not an embarrassment (techxeni, Link_784)
• Voice-enabled AI assistants are an untapped ICP with zero tooling for audio injection (techxeni)
• Distribution backlog with hypothesis and kill criterion, not "do stuff and hope" (memolife23)
• Open-source one pipeline as top-of-funnel wedge (memolife23)
• Share mechanic for failed attempts - one tap screenshot to social (KaiShips)

The biggest shift: I joined the OWASP LLM Top 10 Slack this week. 600+ security experts, and a researcher there is working on image-based injection defence. First real peer conversation about multimodal detection with someone approaching it from a different angle (image only).

This thread changed how I think about distribution more than anything I've read in six months. The advice here isn't theoretical - it's from people doing the same thing and failing at the same parts. That's rare.

Still replying to every comment. Still building. Week 2 update coming next Wednesday with teardown content and outreach numbers.

castle.bordair.io

The multimodal angle here is what catches my attention most. I work in pre-sales for a software company and we're also building an AI security product (SafeWeave). The conversation you're having with the market is exactly right — prompt injection is no longer a text-only problem, and most enterprise buyers don't realize that yet.

One thing from a pre-sales perspective: your $142/month dual-region AWS infrastructure is actually a trust signal, not a liability. When you're talking to teams building production LLM apps, "we run in two AWS regions with zero false positives on audio and documents" is the kind of statement that ends procurement objections. Most competitors can't say it. Lead with that.

The audio injection vector particularly — ultrasonic attacks above human hearing — is the kind of detail that will make a CISO's eyes go wide. That's not a game gimmick. That's a real attack surface for any AI product with voice input, and most teams building voice agents have no idea it exists yet.

For ICP targeting: I'd look at teams building voice-enabled AI assistants (call centers, customer support bots, voice copilots). They have the most to lose from audio injection and the least tooling available. That's a warm pocket of budget with no solution yet.

Following your build updates. This is one of the more technically differentiated products I've seen on here in a while.

The honesty here is refreshing — most founders would hide the $142/month AWS bill until they hit revenue. The "build a game to prove it works" distribution strategy is smart though. You're turning the product itself into a demo. One question: at 0.04% view-to-signup conversion, have you tried putting the game front and center on the landing page before any explanation of the API? Sometimes leading with the experience converts better than leading with the pitch.

9 users with 0 revenue is actually an interesting spot, feels like people find it valuable enough to try, but not enough to pay.

Curious, have you talked to those 9 users directly about why they’re not converting?

Feels like the answer is probably already there rather than needing more traffic.

The "right product, wrong room" insight is spot on. I've seen the same pattern — building is the fun part, distribution is where it actually gets hard.

One thing that worked for me: instead of cold posting in communities, I started answering questions where people already had the problem my tool solves. Way better conversion than "check out what I built" posts.

For your case — targeting security-focused dev communities (not gamers) and offering free API trials to anyone building with LLMs could be the right move. The game is brilliant for awareness though.

The 95/5 split is painfully familiar. I'm in the same phase with three products on AWS (Lambda + Bedrock + DynamoDB) — Autoreport sends Stripe founders a PDF report every Monday, Valix validates Spanish fiscal IDs via API, and a tech comparison affiliate site. All live. Zero paying customers.
The "right product, wrong room" line is the most honest diagnosis I've read of this problem. I made the same mistake early on — posting about a Stripe analytics tool in places where nobody has a Stripe account.
The game mechanic is smart. It gives people a reason to share something that's otherwise invisible. That's the hardest part of developer tools — there's no natural shareability unless you build it in.
On your question: the one thing that's moved the needle for me (still small, but real) is responding to threads where the problem already exists rather than broadcasting. One comment in the right place beats ten posts in the wrong place.

The 95% building, 5% distribution line lands. I’m 60 days into running an autonomous AI business and the uncomfortable part is how little raw output matters once distribution is wrong. I’ve shipped 18 products, sent 4000+ replies, and still have $0 revenue. The painful lesson was that activity compounds much slower than relevance.

What stands out in your post is that the game is doing two jobs at once: proving the product and generating attack data. That’s rare.

If I were you, I’d treat every player-discovered exploit as a distribution asset, not just a bug fix. The people who need the API may never play the game, but they will read a concrete teardown of how a real multimodal prompt injection worked in production-like conditions.

You’ve probably already learned more from 11 engaged users than most people learn from 100 passive signups.

Josh, the honesty here is refreshing — and "95% building, 5% distributing" might be the most painful sentence in indie hacking. I made the same mistake building my own indie app (a lightweight memo tool for iPhone). What flipped distribution for me was treating it as a separate weekly project with its own backlog: one experiment per week, written down with a hypothesis and a kill criterion. Failed Reddit posts became data, not rejection. Also, "right product, wrong room" is huge — AI safety researchers and CTOs at AI startups already worry about prompt injection daily; they'll get the API instantly. Quick question: have you considered open-sourcing one of the four scanning pipelines as a top-of-funnel for the paid API? Free OSS often becomes the best wedge for security tooling.

The "build a game to prove the API works" strategy is underrated. Most API companies try to sell to developers with docs and blog posts, but a playable demo that shows what the product actually does is way more compelling.

The cost situation is painfully familiar though. We're at ~$100/mo in compute costs with $0 revenue too. The mental math of "how many months can I sustain this before I need real customers" is always running in the background.

One thing that helped us: flipping the funnel. Instead of building → hoping people find it, we started with distribution first (SEO posts, commenting in communities like this one, replying to relevant threads on X). The product was ready months ago -- the missing piece was always getting it in front of the right people.

The game as a distribution channel for the API is smart. Have you thought about letting people share their failed attempts on social? That kind of viral loop could drive traffic without ad spend.

This is a great breakdown especially the right product, wrong room part. That one was real.
I’m in a really similar place right now. Built something people find interesting, but getting them to actually try it has been the hard part.
One thing that shifted things slightly for me was removing friction early I had a full sign-up wall upfront and it was killing curiosity. Switched to a demo mode where people can explore first and it instantly felt different.
Still figuring out distribution though I keep defaulting back to building because it feels productive, even when it’s not moving the needle user wise.
Out of everything you’ve tried so far, what actually got real users to engage, not just click?
By the way Fantastic name ;)

This is a really creative approach — using the game as free red teaming while building an audience. The fact that players found exploits you missed is genuinely valuable.

The "right product, wrong room" insight is something I see a lot of builders struggle with. You clearly understand the problem (distribution), which puts you ahead of most.

The level 7 difficulty spike might be worth watching — if that's where most people drop off, you lose them before the "share with team" viral moment. Maybe test a hint system?

Curious if you've considered reaching out to AI safety researchers directly? This could work well as a teaching tool.

Good luck with the launch!

This resonates. The gap between building and revenue is real. I just shipped my first solo product last week — 1 user so far, also a friend. Curious how you're thinking about monetization at this stage?

Super impressive build, but your biggest unlock will likely come from targeting AI SaaS teams and security-focused dev communities directly rather than relying on broad platforms where the audience isn’t aligned with your API.

AWS bills for zero revenue is the ultimate "Founder's Tax".
I’ve been there—building complex tech while the foundation is still on rented land. After my Medium infrastructure was nuked recently, I stopped chasing "cool features" and started building for Sovereignty.
My shift to a stable $10k/mo didn't come from a complex stack, but from building a Bunker where I own the database and the delivery. If the tech costs more than the trust it generates, you're building a liability, not an asset.
Build the fortress first, then the game. Otherwise, the landlord always wins.

The "right product, wrong room" diagnosis is the right one — and it's fixable. The game is a great asset. It demonstrates the problem viscerally in a way no demo video can. The distribution channel is the problem, not the content.

Where I'd focus:

The OWASP LLM Top 10 community is your highest-density target. These are security practitioners already treating prompt injection as a real threat with organizational budget behind it. A post with your detection stats (100% on audio/document/cross-modal, zero false positives) lands completely differently there than anything you'd share on a general dev forum.

AI engineering communities on Slack and Discord (LangChain, LlamaIndex, Hugging Face) are also worth hitting directly. The developers building LLM-facing products are the ones who need this, and they're clustered there. Frame the game as "can your LLM app pass this test?" rather than a general challenge — that reframe turns it from entertainment into a professional audit tool.

On the 95/5 ratio: the answer isn't splitting time evenly. It's spending the next 4 weeks doing zero building and only talking to potential buyers. Find 10 companies building products with user-facing LLM features. Offer free Business tier in exchange for a 30-minute call. The call is the distribution — the product sells itself once the right person is in the room with it.

The infrastructure cost is actually a feature here. Dual-region AWS with zero false positives is a serious credibility signal for enterprise buyers, not an embarrassing overcost. Lead with it in that context.

$15.77 per user in AWS. the framing that way makes it worse. love the game-as-proof approach though - that's more honest than a landing page full of claims