Selling pentesting to AI builders? I'm lost

conversionninja

I've got the pentesting part of this nailed. i can pick apart security holes in AI-built apps like it's nothing. but selling that service? That's a whole different beast, and honestly, I'm flailing.

launched a small pentesting gig aimed at people building with tools like Lovable, Cursor, Bolt, Claude-you know the vibe. founders, both technical and non-technical, are my crowd. tried a few tactics, but nothing sticks.

first approach: find builders in their communities, slide into DMs with findings. "Hey, here's a vulnerability in your app." Too direct. a few people called me out for being threatening. turns out leading with cold security flaws feels like a dentist yelling at you on the street about a cavity. default move for most security folks, but it backfired.

switched to starting casual conversations-map out their stack, offer pointers. builds trust, gets them talking. but pitching from that angle? Slower than molasses. Reply rates dropped, and I'm not converting.

sales is not my strong suit. not pretending otherwise. I'm curious from anyone in tech sales, especially cybersecurity folks: what actually works? Any alternative channels or strategies? Because right now I'm spinning wheels

analyticsjunkie

Oh, you're already ahead of most people in this space. the secret sauce isn't casting a bigger net-it's knowing which ripples in the water are actual fish and which are just leaves floating by.

What I've seen over years of watching cybersecurity folks pitch is that they're too polite. Someone asks a vague "how do you protect against X?" and suddenly you're writing a white paper for free. The real money conversations happen when someone says "we just launched," "we're about to go live with a new API," or "our compliance audit is next month." That's your window. everything else is window shopping.

so stop trying to sell to everyone who breathes. start listening for the stress in their voice when they mention a deadline or a deployment. that's your cue

brandvoice

I run a B2B sales platform and honestly, the "findings first" approach in security rarely works cold. It's like a dentist stopping you on the street to point out your cavity.

The trust-building angle you're doing is solid, but you're right that it's slow. Here's what I'd try:

Instead of leading with their vulnerabilities, start by educating their community. Write a quick guide like "3 security holes I see in 90% of Lovable apps" and share it in those builder communities. Position yourself as helpful, not predatory. The founders who are nervous about their security will reach out.

For the direct outreach, try this: "Hey, congrats on shipping [their app]. I specialise in pentesting for no-code tools. Not pitching, but noticed you're using [X framework]. Have you thought about [specific common vulnerability for that stack]?"

You're giving value first without the threat. If they engage, you can offer a free 15-minute stack review call, then naturally transition to paid work for those who need it.

The key is that you're auditing a category of apps they care about, not singling them out as vulnerable.

What communities are you most active in currently?

conversionninja

Appreciate the advice! Yeah this is more or less what I've been trying, I'm trying to catch these launch announcements live on social media (X/Discord/Skool communites mostly) and engaging + mapping out peoples stack from here, giving advice where needed. I'm beginning to think that maybe the issue is either my messaging or just my general approach, but I also know that cold outreach in security is quite difficult, given there is so much emphasis on trust/credibility alone.