25 Comments

Help me validate my idea and messaging?

One of the biggest struggles that many companies face is a good inventory of IT assets: domains, IP ranges, hosts in the cloud, and the services (ports/banners) that they run and if all of that leads to any cybersecurity flaws or weaknesses.

I would love to get feedback from fellow Indie Hackers on my idea. Any insights into improving my messaging, positioning, and marketing copy while I continue to work on the product itself would be greatly appreciated.

https://www.cyberblitz.it/

  1. 2

    Hi Steve,

    Great site so far. It's structured really well, copy is fairly explanatory and, as far as I'm concerned, it gets the message across effectively. "Automated Attack Surface Analysis" is simple and to the point and I imagine quite googleable. Have you played around with the google keyword planner at all? It's free and is a great tool for analysing what terms people are searching. Google Trends is useful too.

    "IT Asset Data Enumerated" is slightly less clear, however I do like the conciseness. Perhaps don't abandon the 'security' theme entirely here. Instead it could be something along the lines of "Assess Security across all IT Assets"? Some google keyword experimentation, again, may help here.

    "Many companies struggle to maintain accurate cyber asset inventories". The tone shifts here to become slightly less customer facing.

    While I'm not an information security professional, as a developer I haven't found myself reaching for a tool like this as of yet in my career. I'm also aware services like AWS have some excellent security audit offerings if I were to ever need one. Therefore I think I would need to learn more.

    The design isn't bad at all, it comes across clean and professional. As one of the other comments said, the header is a bit old school (serif and red font, gradient background).

    Please do reach out to me if further discussion would be at all useful, I'd be happy to help.

    1. 1

      Great feedback! Thank you.

      I have used tools like Google Keyword Planner, SEMRush, and Ubersuggest in the past. You're right - I should brush those off for this site too.

      I'm not a great website designer. Any ideas on how I can improve the header?

      1. 1

        No problem!

        Regarding the header, I would recommend a simple white background with a 'drop shadow' to differentiate it from the page body. If the drop shadow doesn't show at first, you may have to position the header 'relative' in CSS. Change the font to a sans-serif font like the rest of the site and you're good to go.

        On another note I'd be curious to hear how you are keeping track of any insights you gather from early user testing / feedback? Is this something you are doing yet at all?

        1. 1

          Hi Ric, would you mind taking another look? I've spent a lot of time redoing the header and menu.

          https://www.cyberblitz.it/

          I've shown the site to a company of information security professionals and other IT friends. I'm really just using either their feedback from emails or from their LinkedIn message.

          The feedback really isn't about the website yet so much as trying to answer and build into the product "what makes your app different than existing competitors".

          Right now, in the short term, the answer to that will be price but once I get the application fully completed, I'll start looking at ways to differentiate my offering.

          1. 1

            Good to hear back from you, Steve.

            I'm really liking the improvements to the site. That is one very nice header - much cleaner and modern now, great work. My only suggestion would be to remove one layer of animation on the link hover? I see there's a couple of animations going on and it did lag my browser a little.

            Liking the changes to copy also. Easier to digest.

            Glad to hear you're in conversation with people about the product - if you haven't read the Mom Test, I would highly recommend. A great read on how to extract unbiased, meaningful insight from conversations with users. There's a free audio version here: https://www.audiobookcup.com/the-mom-test-audiobook/

            Best of luck to you! I'm currently in the process of trying to understand how indie hackers go about getting projects off the ground (I work for a start-up accelerator for deep-tech companies), so do keep me updated.

            Perhaps in the coming weeks we could connect for a 10 min intro call and I could ask you a few (casual) questions about your process so far?

            1. 1

              Hi Ric, the newest version of my site is https://www.staging.cyberblitz.it. I'd love to visit with you if you have time. I've participated in Y-Combinator's Startup School and a program by a company in Austin called NewChip. This (cyberblitz.it) is my third effort to bring a software product to market.

              1. 1

                Hi Steve, great, shall we book in a quick introductory call? I can link my Calendly below, but if none of the times work for you, just shout and we can arrange through email or something.

                Would be great to run through your site with you and I'd also be interested in asking a few Qs.

                https://calendly.com/ricbarnes/introductory-call

  2. 1

    Hey @razermuse! Site looks good so far.

    I feel I may be your ideal client persona as I have played the role of CISO or head of compliance in a past life.

    If this is your MVP, then I get you may not want to overkill but from my perspective the first thing I look towards is any relevant certifications or declarations to such certifications and that could be employees with credentials also etc., as well as relevant privacy policies. That gives me confidence.

    I LOVE that you have the pricing available as that is an issue I have with some services in which the price is hidden. So you could potentially leverage a no-nonsense, no hidden costs type of service.

    Finally, again I’d be tempted to hide your blog until you build a small archive in case it draws attention as to why there’s not a lot there. You could potentially use any case studies/anonymous testimonials instead as a way to build trust until you can get your blog going. Additionally, you could focus on guest blogging to boost your site's DA while building your blog, as you tend to get more bang for your buck.

    Long message! Sorry, but hope that’s helpful and more than happy to help wherever I can if you need anything else

    1. 1

      Hi!

      Great reply, thank you so much! I have 24 years of experience in information security and am both a CISSP and CISM. I was the Interim CISO for a large retail org and the acting Director for a large manufacturing/fintech company. I spent 10 years doing work related to penetration testing and application/vulnerability/security assessment.

      There is a little competition in this space. This app will be similar to Bit Discovery or Expanse. Bit Discovery has a pricing page on the Internet (I stumbled across it) and no surprise, it's super expensive.

      I haven't done keyword research yet because I'm still at the idea stage. That being said, I will likely want to hone in on being a sub-process related to vulnerability (and asset) management since those are well-known disciplines with valuable keywords.

      What I'm planning to do is my own lead generation and prospecting but use micro-saas and a self-service purchase model. I do think this business model could be successful. Transparency in pricing, flexibility (ie, no contract; cancel whenever you want), and reduced business complexities (reduced back-office overhead) could be nice wins.

      What you see now is an app I built using DivJoy. I'm redoing the marketing pages before getting back to working on the prototype. I believe that the new marketing pages will do a better job of explaining this service.

      Essentially, Cyberblitz.it will enumerate domains/netblocks and Internet-based assets. It will do analysis on what's live/not live (availability), do periodic screengrabs (integrity, i.e. web defacements), and open ports/banners/SSL certs (the precursor to vuln management). Lastly, it will provide observations and recommendations (think things like "you're using unencrypted services" or "database found on the Internet!").

      Originally, I was thinking the company data we'd pull might have more value but I've been giving that more thought and I don't think so. I'll essentially keep throwing stuff at the wall and seeing what sticks and what doesn't.

      I think you're right, I think it would be better to remove the blog page until I get to the point where I can start writing again (I've written some of the posts for other stuff I was working on).

      I'd love to talk through some ideas and get your thoughts.

      1. 1

        Hey @razermuse - more than happy to have a call with you to discuss some of this and see where I can help out.
        My email is [email protected]

  3. 1

    Thoughts:

    • Based on the description in your IH post:
      • Lots of companies use tools like Ansible, Chef or Puppet to configure servers. Can your service integrate with these tools to automatically create and update the inventory based on the config files?
      • It seems very easy to forget to make changes. A human has to remember doing this.
        • Whenever I've seen someone document things like interactions of different services, another developer made changes a month later and forgot to update the docs.
      • What about integrations with external tools/APIs (e.g. Zendesk)? Can they also be tracked?
    • Website design:
      • I'd try to improve the design of the header. To be honest, it looks like it's from the 2000s and that alone would stop me from giving the product a try.
      • I'd also try to refresh the rest of the site design. You can achieve a far more modern look.
    • Copy:
      • "Information Technology Intelligence within Your Reach" → This doesn't tell me anything about what the project actually does.
      • "Data We Gather About Your Company" → Why "We"? From your IH post I thought it was a self-serve solution for documenting my IT infrastructure.
      • General feeling: Based on your website it looks like you provide a consulting service where you physically go to companies, ask all of their developers to provide you the info you need to document their IT infrastructure, and then try to find a few vulnerabilities. I found the whole language of the page to be very vague and unspecific. It was hard to tell what the service really does.

    Hope this helps. Let me know if you have any questions.

    1. 2

      Hi, thank you so much for your comments.

      When I talk about IT assets in this context, I'm referring specifically to domains, netblocks, web servers, web applications, and other devices that I would try to use to compromise systems and gain access to data, trade secrets, customer lists, or other valuable information.

      As far as the copy, you're correct I can use "it" or Cyberblitz.it instead of saying "we". I just didn't want to repeat "Cyberblitz.it" a thousand times. I'll look more at this point as it's valid.

      Once I get a functional prototype or MVP working and start bringing on some customers, I can update the look and feel of the app. I'm not used to React apps and this is the first one that I've built.

      My audience and buyer persona are information security professionals (like myself) that are familiar with terminology, tools, techniques, etc related to vulnerability assessment, penetration testing and may even be familiar with the term attack surface analysis.

      The tool itself will be easy to use. Once a customer signs up for the service, they would just type their company name(s) into the search bar, and then it would do the rest of the discovery work, pulling it from different sources using command-line tools, screen scrapers, and APIs.

      1. 1

        Some ideas:

        • I'd try to contact some IT professionals you know. Let them have a look at the page and ask them to tell you what your product does. Then check if they understand it.
        • For design, you could try Tailwind UI. It will help greatly.
        1. 1

          It is already using Bootstrap.

          1. 1

            Tailwind UI (not Tailwind CSS!) gives you a lot more than Bootstrap.

            1. 1

              I looked at Tailwind UI and it looks pretty awesome. How hard is it to convert an app from Bootstrap to Tailwind UI?

              1. 1

                Personally, I wouldn't call it hard. I'd rather find it pretty boring to redo your HTML + CSS, but it will probably pay off.

    2. 1

      Hi Niklas,

      I've spent a lot of time redoing the header and menu system. I've also tried to address some of your other comments to better define what the app will do.

      Let me know what you think?

      1. 2

        Hi Steve,

        Nice one. I like your changes! 👍

        • The above the fold content, especially the header, now communicates the value proposition nicely and clearly.
          • The CTA could still be improved in my opinion: "Start the analysis", "Get your report" or similar CTAs would give me a better reason to click than "Sign up" or "Learn more".
        • "IT Asset Data Enumerated" → not really sure what that means
        • "Simply enter your Company name and Cyberblitz.it will discover and profile your cyber assets for you." → This seems too good to be true. Can you convince me to believe you? I want to but it sounds too much like magic.
        • The header is too big for my taste and contains too many big buttons. I don't know which element in the header is most important.
        • The blur animation in the header is too fancy in my opinion.
          • This is not just visual preference. It makes the site harder to use: While hovering, I cannot read the text of the element until the blur animation is over. And when I visit a site, I'm usually impatient.
        • For almost all of the site, I would try to cut sentence length in half. Landing pages are often only skimmed and I had to read multiple sentences twice to understand them. I wouldn't have been able to understand them while skimming.
        • The "Get Started" CTA at the bottom of the page didn't do what I expected it to. I clicked it and expected to land on the sign up page (similar to the "Sign Up" button in the header) but I landed on the plans page. This is not what I'm used to from other sites.
        • The "Plan & Billing FAQs" confused me as these are not billing questions. These are the questions that I'd like to be answered on the homepage / landing page.

        As I mentioned earlier, I think that you've really improved the page. Good job! 👍

        Going forward, I'd still try to make it more clear. Here are the best resources on landing pages that I know. They've really helped me and they will help you, too:

        1. 3

          Awesome feedback! Thank you again.

          The CTA could still be improved in my opinion: "Start the analysis", "Get your report" or similar CTAs would give me a better reason to click than "Sign up" or "Learn more".

          Spot on! I changed it to "Start the Analysis".

          "IT Asset Data Enumerated" → not really sure what that means

          The 4 blocks right after the title and text are meant to explain what the app enumerates without going into too much gory detail. I do intend on adding some additional infographics later about how the process works (see below for the gory details).

          "Simply enter your Company name and Cyberblitz.it will discover and profile your cyber assets for you." → This seems too good to be true. Can you convince me to believe you? I want to but it sounds too much like magic.

          It isn't magic. It's a process that normally humans in my field do manually.

          We start by browsing the company website, Crunchbase, Yahoo Finance to learn things like: how many employees do they have (this helps us understand how complex of a business they have), what locations (can we do social engineering?), who are their business partners (can we attack their attorneys or one of their suppliers), who are their executives (can we do a phishing attack).

          We use websites like whois.com, Hurricane Electric BGP Toolkit, ViewDNS, ARIN, and Shodan.io, to enumerate domains, netblocks, and the ports and banners of servers. Then we use other websites to find vulnerabilities in old software versions or look for things like unencrypted services (FTP, Telnet) and other issues we can make recommendations about.

          We also use common networking tools like whois, nslookup, ping, and traceroute to profile systems. We can also use nmap or other port scanning tools but that's what Shodan does for us without us necessarily having to scan them ourselves.

          None of it is complicated but it is time-consuming. It usually takes me 60-80 hours to manually do all of the information gathering and data analysis. The idea for this came from some BASH shell scripts I wrote to help me reduce the amount of time it took to perform this work.

          The header is too big for my taste and contains too many big buttons. I don't know which element in the header is most important.

          I was unsure of that myself but thought they might be too large. I reduced the size of both the text and icons.

          The blur animation in the header is too fancy in my opinion. This is not just visual preference. It makes the site harder to use: While hovering, I cannot read the text of the element until the blur animation is over. And when I visit a site, I'm usually impatient.

          I can understand that. I significantly decreased the time it takes for the blur effect. It still applies the animation but it's nearly instantaneous.

          For almost all of the site, I would try to cut sentence length in half. Landing pages are often only skimmed and I had to read multiple sentences twice to understand them. I wouldn't have been able to understand them while skimming.

          Agreed. The site and the marketing copy are certainly works in progress. Your feedback has been very useful. At some point, I'll pay for and host an explainer video. I think if it's successful, most of my sales will come from the traditional method: prospecting, giving a presentation with a demo, and then pursuing the lead until I close a deal.

          I think I'll also learn a lot more once I truly start prospecting.

          Good resources on writing:
          https://www.artlapinsch.com/writing-for-founders/ (by @qnd)
          https://dilbertblog.typepad.com/the_dilbert_blog/2007/06/the_day_you_bec.html (recommended to me by @qnd)

          Thanks! I'll start reading.

          The "Get Started" CTA at the bottom of the page didn't do what I expected it to. I clicked it and expected to land on the sign up page (similar to the "Sign Up" button in the header) but I landed on the plans page. This is not what I'm used to from other sites.

          Excellent point! It now takes the visitor to the sign up page instead of the pricing page.

          The "Plan & Billing FAQs" confused me as these are not billing questions. These are the questions that I'd like to be answered on the homepage / landing page.

          You're right. It was a mistake I made when I was initially creating the app in DivJoy. I've fixed it and created a few true plan/billing questions and answers.

          I had no previous experience with React, Codesandbox, Vercel, or even GitLab before this so there has been quite a learning curve.

          I really do appreciate your feedback. If there's anything I can do for you in return, please let me know.
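          The feature list earlier in the thread (ports/banners/certs, live/not-live, screengrabs, then observations and recommendations) and the manual process described above both end in the same triage step: raw inventory data has to be turned into findings. The script below is an added illustration, not Cyberblitz.it code; the hosts, banners, certificate dates and page hashes are constructed sample data, and the clock is pinned so results are reproducible.

```python
"""Triage a port/banner/cert inventory into observations and recommendations.

Hypothetical helper (not Cyberblitz.it's code). Input is the kind of record a
Shodan lookup, banner grab, certificate pull and page screengrab would yield.
"""
from datetime import datetime, timedelta, timezone

CLEARTEXT = {21: "FTP", 23: "Telnet"}          # credentials cross the wire in the clear
DATABASES = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
             6379: "Redis", 27017: "MongoDB"}  # listeners that should never face the Internet
CERT_WARN_DAYS = 30
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)  # fixed clock so output is reproducible


def triage_host(host, now=NOW):
    """Return (severity, observation, recommendation) tuples for one host record."""
    name, out = host["name"], []
    if not host.get("live", True):  # availability: asset in inventory but not answering
        out.append(("info", f"{name} is not responding",
                    "Confirm it was decommissioned; remove stale DNS and inventory entries"))
        return out
    ports = {s["port"] for s in host.get("services", [])}
    for port in sorted(ports):
        if port in CLEARTEXT:
            out.append(("high", f"{name}:{port} runs unencrypted {CLEARTEXT[port]}",
                        "Replace with SFTP/SSH or move it behind a VPN"))
        if port in DATABASES:
            out.append(("critical", f"{name}:{port} exposes {DATABASES[port]} to the Internet",
                        "Firewall the listener; reach it only over a private network"))
        if port == 80:  # plain HTTP is tolerable only as a redirect to an HTTPS listener
            sev = "low" if 443 in ports else "high"
            out.append((sev, f"{name}:80 serves plain HTTP",
                        "Redirect to HTTPS and send HSTS" if sev == "low" else "Enable TLS"))
    cert = host.get("cert")
    if cert:  # certificate hygiene from the SSL cert pull
        left = cert["not_after"] - now
        if left < timedelta(0):
            out.append(("high", f"{name} TLS certificate expired {-left.days} days ago",
                        "Renew now and automate rotation"))
        elif left < timedelta(days=CERT_WARN_DAYS):
            out.append(("medium", f"{name} TLS certificate expires in {left.days} days",
                        "Renew before expiry"))
    # integrity: compare the latest screengrab/page hash with the stored baseline
    if host.get("baseline_hash") and host.get("page_hash") != host["baseline_hash"]:
        out.append(("high", f"{name} page content differs from baseline",
                    "Review the change; possible defacement"))
    return out


def triage_inventory(hosts, now=NOW):
    """Triage every host; most severe findings first, then by observation text."""
    findings = [f for h in hosts for f in triage_host(h, now)]
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


SAMPLE_INVENTORY = [  # constructed data for a fictitious organisation
    {"name": "www.example.test", "services": [{"port": 443}, {"port": 80}],
     "cert": {"not_after": datetime(2021, 3, 20, tzinfo=timezone.utc)},
     "page_hash": "a1", "baseline_hash": "a1"},
    {"name": "ftp.example.test", "services": [{"port": 21, "banner": "vsFTPd"}, {"port": 22}]},
    {"name": "db.example.test", "services": [{"port": 3306, "banner": "MySQL"}]},
    {"name": "old.example.test", "live": False},
    {"name": "shop.example.test", "services": [{"port": 443}],
     "cert": {"not_after": datetime(2020, 12, 1, tzinfo=timezone.utc)},
     "page_hash": "b2", "baseline_hash": "b1"},
]

if __name__ == "__main__":
    for sev, obs, rec in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{sev.upper():8}] {obs} -> {rec}")
```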

          1. 1

            Hi Steve,

            I haven't had time to go through your messages yet. Should we schedule a Zoom call later this week to discuss the open points? That sounds more efficient to me. Just send me an email via the address on my profile and we can schedule a call.

            1. 1

              @razermuse Have you tried contacting me anywhere? So far, I haven't received anything.

              I'd love to meet you and talk with you about your project. Based on all of your helpful comments that I've seen on IH over the last few months, you seem like a cool guy.

              (Not trying to sell you anything if you're worried about that. Just trying to make friends.)

              1. 2

                Hey there! No, I'm not worried about that, and even if you were, honestly that's okay. I think being a mutually beneficial friendship or a relationship could potentially lead to doing business together under the right circumstances.

                I can't tell you how many times I get totally unsolicited pitches via LinkedIn messages and email. Some people I talk to but 98% of the time, I simply don't respond. The crazy stuff is when I get people that send me 5 or 6 messages and that get indignant that I'm not paying attention to them.

                My email address is [email protected]. Propose some days and a couple of times and we'll get something on our calendars. I can do mornings to accommodate European time zones.

                By the way, I'm currently redoing the site using Tailwind CSS/UI.

                1. 1

                  Thanks, Steve! Just sent you an email with some suggestions.

                  Totally get what you mean with the unsolicited pitches. They can be really annoying.

                  Re Tailwind UI: That sounds awesome. I'm looking forward to seeing what you build. 🎉

        2. 2

          Ok, great. Thanks!

          By the way, the intention of the "How it Works" or "How" page is to go into more of the gory details in order to demystify Cyberblitz so people believe that it's possible and know what they're getting when they sign up. Again, this is and will continue to be a work in progress.

          So far, of the two or three people I've had discussions with, the biggest question they wanted answered (and I think that most people will ask) is how my solution is different from competitors like Expanse and Bit Discovery.

          Right now, it's really price. Bit Discovery charges $75,000 for 3 user accounts and 2,500-5,000 assets. In comparison, we would charge $17,964 (3x $499 per month for 12 months) for an unlimited number of assets. Once we start (hopefully) selling it, I'll look at how we can add more valuable features like maybe scanning insecure S3 buckets, testing FTP for Anonymous, brute forcing some Telnet accounts, some web application scanning... I don't know - TBD.

          https://bitdiscovery.com/pricing

          My pricing tiers are more about how many users and operating companies or divisions they have instead of the number of assets.
