What happens if…

Plain-English walk-throughs of the security moments every indie founder faces. No jargon. Just what actually happens and what to do about it.

My API key leaked on GitHub — what do I do?

Your OpenAI, Stripe, or Supabase key is on GitHub. You just realized. Here's exactly what to do in the next ten minutes — and what the attacker is already doing.

My Supabase database might be public — how do I check?

You built your app with Lovable / Bolt / Cursor and now you're worried your Supabase tables are open to the world. Here's how to check in 30 seconds — and what to do if they are.

My first enterprise deal needs SOC 2 — I've never done one

Your biggest prospect just asked for a SOC 2 report. You have a week. Here's the realistic playbook to close the deal.

Someone tweeted that my app is leaking data — what do I do?

A random security researcher just tweeted that your app has a vulnerability. Your DMs are blowing up. Here's the 60-minute response playbook.

My app just hit Hacker News / Product Hunt — am I about to get breached?

Your app just went viral. Thousands of strangers are testing it right now. Some of them are attackers. Here's what to do in the first 24 hours.

My OpenAI bill hit $12,000 overnight — how?

You woke up to a shockingly large OpenAI bill. Here's how it happened, how to reverse it if possible, and how to make sure it never happens again.

I don't know if my app is safe — where do I start?

You built an app. You don't know if it's secure. You don't know what 'secure' even means. Here's the 20-minute assessment.

All my code was written by AI — how do I trust it?

Your entire codebase came from Lovable / Bolt / Cursor / v0 / Claude. You didn't read most of it. Is that safe? What do you do?