Ideas and Validation February 18, 2021

Help me validate my idea and messaging?

Steve R. Smith @razermuse

One of the biggest struggles that many companies face is a good inventory of IT assets: domains, IP ranges, hosts in the cloud, and the services (ports/banners) that they run, and whether all of that leads to any cybersecurity flaws or weaknesses.

I would love to get feedback from fellow Indie Hackers on my idea. Any insights into improving my messaging, positioning, and marketing copy while I continue to work on the product itself would be greatly appreciated.

https://www.cyberblitz.it/

  1. 1

    Hi Steve,

    Great site so far. It's structured really well, copy is fairly explanatory and, as far as I'm concerned, it gets the message across effectively. "Automated Attack Surface Analysis" is simple and to the point and I imagine quite googleable. Have you played around with the google keyword planner at all? It's free and is a great tool for analysing what terms people are searching. Google Trends is useful too.

    "IT Asset Data Enumerated" is slightly less clear, however I do like the conciseness. Perhaps don't abandon the 'security' theme entirely here. Instead it could be something along the lines of "Assess Security across all IT Assets"? Some google keyword experimentation, again, may help here.

    "Many companies struggle to maintain accurate cyber asset inventories". The tone shifts here to become slightly less customer facing.

    While I'm not an information security professional, as a developer I haven't found myself reaching for a tool like this as of yet in my career. I'm also aware services like AWS have some excellent security audit offerings if I were to ever need one. Therefore I think I would need to learn more.

    The design isn't bad at all, it comes across clean and professional - as one of the other comments said, the header is a bit old school (serif and red font, gradient background).

    Please do reach out to me if further discussion would be at all useful, I'd be happy to help.

    1. 1

      Great feedback! Thank you.

      I have used tools like Google Keyword Planner, SEMRush, and Ubersuggest in the past. You're right - I should brush those off for this site too.

      I'm not a great website designer. Any ideas on how I can improve the header?

      1. 1

        No problem!

        Regarding the header, I would recommend a simple white background with a 'drop shadow' to differentiate it from the page body. If the drop shadow doesn't show at first, you may have to position the header 'relative' in CSS. Change the font to a sans-serif font like the rest of the site and you're good to go.

        On another note I'd be curious to hear how you are keeping track of any insights you gather from early user testing / feedback? Is this something you are doing yet at all?

        1. 1

          Hi Ric, would you mind taking another look? I've spent a lot of time redoing the header and menu.

          https://www.cyberblitz.it/

          I've shown the site to a company of information security professionals and other IT friends. I'm really just using either their feedback from emails or from their LinkedIn message.

          The feedback really isn't about the website yet so much as trying to answer and build into the product "what makes your app different than existing competitors".

          Right now, in the short term, the answer to that will be price but once I get the application fully completed, I'll start looking at ways to differentiate my offering.

  2. 1

    Thoughts:

    • Based on the description in your IH post:
      • Lots of companies use tools like Ansible, Chef or Puppet to configure servers. Can your service integrate with these tools to automatically create and update the inventory based on the config files?
      • It seems very easy to forget to make changes. A human has to remember doing this.
        • Whenever I've seen someone document things like interactions of different services, another developer made changes a month later and forgot to update the docs.
      • What about integrations with external tools/APIs (e.g. Zendesk)? Can they also be tracked?
    • Website design:
      • I'd try to improve the design of the header. To be honest, it looks like it's from the 2000s and that alone would stop me from giving the product a try.
      • I'd also try to refresh the rest of the site design. You can achieve a far more modern look.
    • Copy:
      • "Information Technology Intelligence within Your Reach" → This doesn't tell me anything about what the project actually does.
      • "Data We Gather About Your Company" → Why "We"? From your IH post I thought it was a self-serve solution for documenting my IT infrastructure.
      • General feeling: Based on your website it looks like you provide a consulting service where you physically go to companies, ask all of their developers to provide you the info you need to document their IT infrastructure, and then try to find a few vulnerabilities. I found the whole language of the page to be very vague and unspecific. It was hard to tell what the service really does.

    Hope this helps. Let me know if you have any questions.

    1. 2

      Hi, thank you so much for your comments.

      When I talk about IT assets in this context, I'm referring specifically to domains, netblocks, web servers, web applications, and other devices that I would try to use to compromise systems and gain access to data, trade secrets, customer lists, or other valuable information.

      As far as the copy, you're correct I can use "it" or Cyberblitz.it instead of saying "we". I just didn't want to repeat "Cyberblitz.it" a thousand times. I'll look more at this point as it's valid.

      Once I get a functional prototype or MVP working and start bringing on some customers, I can update the look and feel of the app. I'm not used to React apps and this is the first one that I've built.

      My audience and buyer persona are information security professionals (like myself) that are familiar with terminology, tools, techniques, etc related to vulnerability assessment, penetration testing and may even be familiar with the term attack surface analysis.

      The tool itself will be easy to use. Once a customer signs up for the service, they would just type their company name(s) into the search bar, and then it would do the rest of the discovery work, pulling it from different sources using command-line tools, screen scrapers, and APIs.

      1. 1

        Some ideas:

        • I'd try to contact some IT professionals you know. Let them have a look at the page and ask them to tell you what your product does. Then check if they understand it.
        • For design, you could try Tailwind UI. It will help greatly.
        1. 1

          It is already using Bootstrap.

          1. 1

            Tailwind UI (not Tailwind CSS!) gives you a lot more than Bootstrap.

            1. 1

              I looked at Tailwind UI and it looks pretty awesome. How hard is it to convert an app from Bootstrap to Tailwind UI?

              1. 1

                Personally, I wouldn't call it hard. I'd rather find it pretty boring to redo your HTML + CSS, but it will probably pay off.

    2. 1

      Hi Niklas,

      I've spent a lot of time redoing the header and menu system. I've also tried to address some of your other comments to better define what the app will do.

      Let me know what you think?

      1. 2

        Hi Steve,

        nice one. I like your changes! 👍

        • The above the fold content, especially the header, now communicates the value proposition nicely and clearly.
          • The CTA could still be improved in my opinion: "Start the analysis", "Get your report" or similar CTAs would give me a better reason to click than "Sign up" or "Learn more".
        • "IT Asset Data Enumerated" → not really sure what that means
        • "Simply enter your Company name and Cyberblitz.it will discover and profile your cyber assets for you." → This seems too good to be true. Can you convince me to believe you? I want to but it sounds too much like magic.
        • The header is too big for my taste and contains too many big buttons. I don't know which element in the header is most important.
        • The blur animation in the header is too fancy in my opinion.
          • This is not just visual preference. It makes the site harder to use: While hovering, I cannot read the text of the element until the blur animation is over. And when I visit a site, I'm usually impatient.
        • For almost all of the site, I would try to cut sentence length in half. Landing pages are often only skimmed and I had to read multiple sentences twice to understand them. I wouldn't have been able to understand them while skimming.
        • The "Get Started" CTA at the bottom of the page didn't do what I expected it to. I clicked it and expected to land on the sign up page (similar to the "Sign Up" button in the header) but I landed on the plans page. This is not what I'm used to from other sites.
        • The "Plan & Billing FAQs" confused me as these are not billing questions. These are the questions that I'd like to be answered on the homepage / landing page.

        As I mentioned earlier, I think that you've really improved the page. Good job! 👍

        Going forward, I'd still try to make it more clear. Here are the best resources on landing pages that I know. They've really helped me and they will help you, too:

        1. 2

          Awesome feedback! Thank you again.

          The CTA could still be improved in my opinion: "Start the analysis", "Get your report" or similar CTAs would give me a better reason to click than "Sign up" or "Learn more".

          Spot on! I changed it to "Start the Analysis".

          "IT Asset Data Enumerated" → not really sure what that means

          *The 4 blocks right after the title and text are meant to explain what the app enumerates without going into too much gory detail. I do intend on adding some additional infographics later about how the process works (see below for the gory details).*

          "Simply enter your Company name and Cyberblitz.it will discover and profile your cyber assets for you." → This seems too good to be true. Can you convince me to believe you? I want to but it sounds too much like magic.

          It isn't magic. It's a process that normally humans in my field do manually.

          We start by browsing the company website, Crunchbase, Yahoo Finance to learn things like: how many employees do they have (this helps us understand how complex of a business they have), what locations (can we do social engineering?), who are their business partners (can we attack their attorneys or one of their suppliers), who are their executives (can we do a phishing attack).

          We use websites like whois.com, Hurricane Electric BGP Toolkit, ViewDNS, ARIN, and Shodan.io, to enumerate domains, netblocks, and the ports and banners of servers. Then we use other websites to find vulnerabilities in old software versions or look for things like unencrypted services (FTP, Telnet) and other issues we can make recommendations about.

          We also use common networking tools like whois, nslookup, ping, and traceroute to profile systems. We can also use nmap or other port scanning tools but that's what Shodan does for us without us necessarily having to scan them ourselves.

          None of it is complicated but it is time-consuming. It usually takes me 60-80 hours to manually do all of the information gathering and data analysis. The idea for this came from some BASH shell scripts I wrote to help me reduce the amount of time it took to perform this work.

          The header is too big for my taste and contains too many big buttons. I don't know which element in the header is most important.

          I was unsure of that myself but thought they might be too large. I reduced the size of both the text and icons.

          The blur animation in the header is too fancy in my opinion. This is not just visual preference. It makes the site harder to use: While hovering, I cannot read the text of the element until the blur animation is over. And when I visit a site, I'm usually impatient.

          I can understand that. I significantly decreased the time it takes for the blur effect. It still applies the animation but it's nearly instantaneous.

          For almost all of the site, I would try to cut sentence length in half. Landing pages are often only skimmed and I had to read multiple sentences twice to understand them. I wouldn't have been able to understand them while skimming.

          Agreed. The site and the marketing copy are certainly works in progress. Your feedback has been very useful. At some point, I'll pay for and host an explainer video. I think if it's successful, most of my sales will come from the traditional method: prospecting, giving a presentation with a demo, and then pursuing the lead until I close a deal.

          I think I'll also learn a lot more once I truly start prospecting.

          Good resources on writing:
          https://www.artlapinsch.com/writing-for-founders/ (by @qnd)
          https://dilbertblog.typepad.com/the_dilbert_blog/2007/06/the_day_you_bec.html (recommended to me by @qnd)

          Thanks! I'll start reading.

          The "Get Started" CTA at the bottom of the page didn't do what I expected it to. I clicked it and expected to land on the sign up page (similar to the "Sign Up" button in the header) but I landed on the plans page. This is not what I'm used to from other sites.

          *Excellent point! It now takes the visitor to the sign up page instead of the pricing page.*

          The "Plan & Billing FAQs" confused me as these are not billing questions. These are the questions that I'd like to be answered on the homepage / landing page.

          You're right. It was a mistake I made when I was initially creating the app in DivJoy. I've fixed it and created a few true plan/billing questions and answers.

          I had no previous experience with React, Codesandbox, Vercel, or even GitLab before this so there has been quite a learning curve.

          I really do appreciate your feedback. If there's anything I can do for you in return, please let me know.

        2. 1

          Ok, great. Thanks!

          By the way, the intention of the "How it Works" or "How" page is to go into more of the gory details in order to demystify Cyberblitz so people believe that it's possible and know what they're getting when they sign up. Again, this is and will continue to be a work in progress.

          So far, of the two or three people I've had discussions with, the biggest question they wanted to be answered (and I think that most people will ask) is how is my solution different from competitors like Expanse and Bit Discovery.

          Right now, it's really price. Bit Discovery charges $75,000 for 3 user accounts and 2,500-5,000 assets. In comparison, we would charge $17,964 (3x $499 per month for 12 months) for an unlimited number of assets. Once we start (hopefully) selling it, I'll look at how we can add more valuable features like maybe scanning insecure S3 buckets, testing FTP for Anonymous, brute forcing some Telnet accounts, some web application scanning... I don't know - TBD.

          https://bitdiscovery.com/pricing

          My pricing tiers are more about how many users and operating companies or divisions they have instead of # of assets.
