The Week in Numbers
Here’s where we stand after seven days:
| Metric | Value |
|---|---|
| Revenue | $0.00 |
| Expenses to date | $122.66 |
| Net position | -$122.66 |
| GuardScan unique visitors | 569 |
| CostCovered unique visitors | 568 |
| Total visitors across both sites | 1,137 |
| Total scans run | 92 |
| Unique domains scanned | 47 |
| Scan conversion rate | ~16% |
| Beta codes issued | Growing daily |
No revenue yet. That was expected – we’re running a freemium model and building the product out before charging. The number I’m watching is the scan conversion rate: 16% of visitors who land on GuardScan actually use it. Industry average for free tool trial rates is 3-5%. We’re at 16%. The simple UI helps – there’s literally one input field and one button. No signup wall, no email gate. Just scan.
What We Built
Day 1: Everything from Nothing
We went from an empty Git repository to two live products in a single day:
- GuardScan – a Python/FastAPI security scanner that checks HTTP headers, SSL/TLS certificates, DNS records (SPF, DMARC, DNSSEC), and cookie security. Gives you a letter grade from A+ to F with explanations for every finding.
- CostCovered – this blog, built with Hugo and PaperMod on GitHub Pages.
Both domains registered on Cloudflare. GuardScan deployed on Railway with a PostgreSQL database. Total infrastructure cost: $22.66 for domains.
Day 2: Persistence and Distribution
- Migrated GuardScan from SQLite to PostgreSQL on Railway – scan data now persists across deployments.
- Published the first SEO article: How to Check Your Website’s Security Headers.
- Cross-posted to dev.to with a canonical URL pointing back here.
- Listed GuardScan on AlternativeTo as an alternative to SecurityHeaders.com.
- Attempted Reddit distribution – mostly failed. More on that below.
Day 3: Shareability, SEO, and Reliability
- Added shareable report URLs – every scan now gets a permanent link at
guardscan.dev/report/{id}that anyone can open. - Added a “Share this report” button that copies the permalink.
- Added a scan counter on the homepage.
- Submitted both sites to Google Search Console and requested indexing.
- Dynamic OpenGraph images – when you share a GuardScan report link on Twitter, Slack, or Discord, it shows the domain, grade, and score breakdown in the preview.
- Privacy Policy and Terms of Service published.
- Tightened timeouts and added descriptive error messages for scanner failures.
- Fixed a bunch of edge cases: expired SSL certs, empty DNS records, cookie checks on connection failures.
Day 4: The Paid Tier
This is where it gets interesting. We shipped the entire freemium upgrade path in a single session:
- Beta access codes – self-service registration, stored in localStorage, rate-limited.
- Fix guides – every failing scan check now has detailed remediation instructions with tabs for Nginx, Apache, Cloudflare, and general setups. Free users see a blurred preview; beta users see the full guide.
- PDF report downloads – branded, professional security reports you can hand to a client or your boss.
- Scan history – beta users can see all their past scans and track improvements.
- Email collection – post-feedback opt-in for feature update notifications.
- Auto-unlock flow – get a beta code, and your current scan immediately re-renders with full fix guides. No re-scanning needed.
We also got our first dev.to comment from another developer in the space. Small win, but it’s the first signal of organic community engagement.
What Worked
The product resonated immediately. 92 scans in the first week with near-zero marketing tells me the core concept is right: people want to check their website’s security, and they want it to be simple. Enter a URL, get a grade.
The 16% scan rate is strong. One in six visitors actually runs a scan. That’s a strong signal that the landing page communicates the value proposition clearly and the tool is frictionless enough that people try it on the spot.
SEO content has long-term value. The security headers article targets a keyword people actually search for. It won’t rank for weeks, but once it does, it’ll drive traffic to GuardScan indefinitely. The dev.to cross-post gives us an immediate high-authority backlink.
AlternativeTo listing is passive discovery. People searching for SecurityHeaders.com alternatives (especially after their API shuts down in April) will find us there.
Shipping fast builds momentum. We went from zero to a fully functional freemium product with fix guides, PDF reports, and scan history in four days. Every day we ship something, we have more to talk about and more reasons for people to come back.
What Failed
Reddit was a dead end. We posted to r/artificial, r/coolgithubprojects, r/EntrepreneurRideAlong, and r/AIstartupsIND. Results:
- r/artificial: removed by Reddit’s automated filters
- r/EntrepreneurRideAlong: removed as “not appropriate”
- r/coolgithubprojects: 623 views, 0 upvotes
- r/AIstartupsIND: 199 views, 1 upvote
Reddit aggressively filters self-promotion, especially from new accounts. We’re shelving Reddit until we have organic community credibility. The time spent fighting subreddit rules was time not spent building.
No revenue yet. The beta tier is free by design – we’re building an audience before flipping the switch to paid subscriptions. But the clock is ticking on the $122.66 hole.
The Financials
| Date | Item | Amount |
|---|---|---|
| Feb 21 | Claude Pro subscription | -$100.00 |
| Feb 21 | guardscan.dev domain | -$12.20 |
| Feb 21 | costcovered.com domain | -$10.46 |
| Total expenses | -$122.66 | |
| Total revenue | $0.00 | |
| Net | -$122.66 |
Railway hosting is still within the free tier. That won’t last once we get real traffic, but for now it’s $0.
Week 2 Plan
After a week of data, we’re making a strategic pivot. The priority is not monetization yet – it’s building a product worth paying for.
The free scanner only checks 4 areas right now (headers, SSL, DNS, cookies). That’s too thin to charge for. Reddit distribution failed across every subreddit we tried. Product Hunt feels premature. The honest assessment: we have traction but not enough product depth.
So the plan for the next three weeks is heads-down building:
- Double the scan surface. Add CORS analysis, technology stack detection, mixed content detection, and more. Go from 4 checks to 12+.
- Add user accounts and scan history. Magic link auth, no passwords. Let people track their progress over time.
- SSL expiry monitoring. Email alerts when certificates are about to expire. This is the #1 feature that gives people a reason to come back.
- More SEO content. Two articles per week targeting security-related search terms.
We’ll only flip the switch to paid subscriptions once the free product is genuinely comprehensive – the best free security scanner available. That’s the bet: build something great first, monetize second.
The Honest Assessment
I said in the Day 0 post that this might fail. After one week, I’d put the odds at 65/35 in our favour. Here’s why:
Positive signals:
- People use the tool without being asked (16% conversion)
- 1,137 visitors with almost no marketing spend
- The infrastructure is solid and cheap to run
- We have a clear pricing gap to exploit ($0 free tools vs $39+/month enterprise)
- SecurityHeaders.com API shutdown in April creates urgency
- First organic community engagement on dev.to
Risks:
- We have no audience to sell to yet
- SEO takes months to compound
- Converting free users to paid is the hardest part
- One person + two hours/day is a tight constraint
The next three weeks will tell us a lot. If we can build a scanner that’s genuinely better than what’s free out there and get 50+ registered users by late March, we’ll have a real business to monetize. The SecurityHeaders.com API shutdown in April gives us a natural deadline and a migration audience to capture.
See you next Friday with the Week 2 numbers.