I launched a security SaaS at 21. Here is what the first week actually looked like.

Last weekend I scanned 100 domains. Every single one had security issues. Over 70% had findings rated high severity. Exposed databases. Misconfigurations that would let someone craft a convincing phishing email using a real company's domain. Real businesses. Real risk. None of them knew.

Twelve months of building. That is what it took to get here.

Twelve months of building, one week of everything else

I want to be honest about what this actually looked like. The product did not appear in a weekend. The security tooling under the hood — the scanning engine, the subdomain enumeration, the secrets detection, the plain-English reporting — took a year of work before I was confident enough to put it in front of real companies.

Most of that year was invisible. No posts about it. No audience-building. Just building, testing, breaking things, and fixing them. When I did start talking about it publicly, I had something real to show. That matters more than I initially gave it credit for.

The launch week was not a polished campaign. It was me posting what I was actually doing, running introductory demo scans for companies, and talking to anyone who would engage.

34,000 LinkedIn impressions in week one — and what drove them

The total LinkedIn impressions in the first week hit 34,000. That is not from a viral moment or a single lucky post. It came from posting consistently, every day, with content that was specific and honest rather than promotional.

The post that performed best was not the one announcing the product. It was the one where I wrote about scanning scanme.nmap.org — a server maintained by the people behind one of the most recognised security tools in the world — and finding a real DMARC gap. Then emailing Fyodor, the creator of Nmap, to confirm the findings. And being partially wrong. That post got 27,000 impressions on its own.

The post about a friend scanning a major UK brand with no technical knowledge, getting a full report in 15 minutes, got 4,100. The scheduled scanning feature reveal got 427.

The pattern is obvious in hindsight: LinkedIn rewards stories with a specific outcome and real numbers. It penalises product announcements without context. A post that says "I got something wrong and here is what happened" will beat a product screenshot every time, because people share things that feel human — and they scroll past things that feel like ads. Posted consistently across the week, kept links out of the post body, and opened every post with a specific situation rather than a claim — that is what moved the numbers.

Demo scans, first customers, and why the product does the selling

I offered introductory demo scans to companies during launch week. The model was simple: I scan your domain, you see the report, no commitment required. It was not a free trial in the traditional sense — it was more like showing someone the problem before asking if they wanted the solution.

It worked because the findings were real. When someone sees that their domain has no DMARC record, that a subdomain is vulnerable to takeover, or that a developer accidentally pushed credentials to a public GitHub repo — that is not a sales pitch. That is evidence. The scan closes the conversation that a cold message could never open.

Every first customer came through this kind of organic, direct engagement. No paid ads. No outbound sequences. No discovery calls. The first paying customer signed up within the first week.

A group of curated product testers also came together during this period — people who were willing to use the tool properly and give real feedback. That group has been more valuable than any amount of marketing data. They find the edge cases. They tell you what the report actually means to someone who is not building the product. And some of them became paying customers.

I also received testimonials from experienced professionals in the security and IT space. Not because I asked generically — because I had given them something worth responding to. The scan report, in plain English, with severity rankings and remediation steps, is what earned those responses. If the product had not been good enough, no amount of outreach would have produced them.

What the scan data actually shows

One hundred domains. Every one had at least one security finding. Over 70% had high-severity issues. Exposed databases. Controls that enabled professionally crafted phishing attempts using real company domains. These are not edge cases — this is the baseline for UK small business websites that have never been externally scanned.

Most of the businesses in that scan had no idea. They had a website, an email domain, maybe a developer who set things up a few years ago. Nobody had looked at what was exposed from the outside. That is not negligence — it is just that nobody had made it easy to look.

That is what Olimpio is for. Not to replace a security team, but to give businesses without one the same visibility that larger organisations take for granted. Plain English. Ranked by severity. With the exact fix, not just the problem.

Frequently asked questions

How did you get your first customers without paid ads?

Every early customer came through organic LinkedIn activity and introductory demo scans. The model was to scan their domain first, show them the findings, and let the report do the work. When the findings are real, you do not need a sales pitch.

Do you need to take calls to sell B2B SaaS?

Not for a product at this price point and with this kind of demonstrable output. Every conversation happened in LinkedIn messages or email. A demo scan is a better opener than any discovery call, because the customer sees the problem before they have to commit to anything.

How long does it take for LinkedIn to work for a new SaaS?

Results in week one are possible if the content is specific and honest — 34,000 impressions came from five or six posts over seven days. What matters is posting consistently, leading with real situations rather than product claims, and keeping links out of the post body.

How do you find companies to offer demo scans to?

LinkedIn search by job title — MDs, founders, operations directors at UK SMBs. Spend time engaging with their content before you message them. When you do message, lead with a specific observation about their domain, not a product introduction.

Create your account and scan your domain at olimpio.io — findings are ranked by severity and explained in plain English, so you know exactly what needs fixing.