Founder checklist · 90 seconds · free

The 9-item security checklist before your first paying customer.

You are a founder, not a CISO. Here is the boring list that actually catches the deadly stuff. Nothing to install. No code access. Plain English.

The checklist

Nine checks every founder should run before launch.

Each item maps to a real scanner that runs on every check. No vapourware.

1. Public credential leaks

We sweep public GitHub for AWS, Stripe, OpenAI, GitHub, SendGrid, and database secrets that match your domain. Leaks here are the single most common reason a founder's first 24 hours go from launch-day to incident-response.

2. WHOIS exposure of personal data

If your domain is not WHOIS-privacy-protected, your name, email, address, and phone are public. Spammers, scammers, and process servers all read this. We tell you in plain English what is exposed and how to redact it.

3. SPF / DKIM / DMARC

Without all three, anyone can send mail that looks like it came from you. We probe 14 DKIM selectors, parse your DMARC policy, count SPF lookups, and surface fixable misconfigurations with the exact DNS record to add.
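To show what the SPF lookup count and DMARC policy parse above actually check, here is a small offline version written for this page (an added example, not NoDowntimeShield's scanner). The domains and TXT records are constructed; a real run would fetch them from DNS.

```python
import re

# Constructed sample TXT answers (not real DNS data) for two hypothetical domains.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.google.com include:sendgrid.net a mx ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 a mx ptr include:a.test include:b.test include:c.test "
                  "include:d.test include:e.test include:f.test include:g.test "
                  "include:h.test -all"],
}

# Terms that each consume one of the 10 DNS lookups an SPF check may perform (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookup_count(record: str) -> int:
    """Count lookup-consuming terms at the top level of one SPF record (lower bound:
    nested includes add more during real resolution)."""
    count = 0
    for term in record.split()[1:]:                      # skip the v=spf1 version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def email_auth_findings(domain: str, txt: dict) -> list:
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; add one so receivers can reject forged mail")
    elif len(spf) > 1:
        findings.append("SPF: more than one record; receivers treat this as a permanent error")
    else:
        lookups = spf_lookup_count(spf[0])
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror); flatten or drop includes")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record; publish v=DMARC1; p=quarantine at _dmarc.{domain}")
    elif parse_dmarc(dmarc[0]).get("p", "none") == "none":
        findings.append("DMARC: p=none only reports; move to p=quarantine or p=reject")
    return findings
```

Calling `email_auth_findings("weak.test", SAMPLE_TXT)` reports both the 11-lookup SPF record and the missing DMARC record, the two misconfigurations most often behind spoofable domains.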

4. TLS certificate grade

We give your TLS configuration an A/B/F grade. We flag certificates expiring in under 30 days, weak ciphers, and missing HSTS headers. The fix is usually one click in your hosting provider.

5. DNS hygiene and dangling subdomains

A subdomain that points to a deactivated CDN can be hijacked by anyone who claims the orphan record. We enumerate every subdomain and check whether each one points somewhere you control.

6. Lookalike domains

We generate up to 1,200 typosquat variants of your domain — single-character swaps, Cyrillic homoglyphs, hyphenated forms — and tell you which are already registered, which are still available to grab, and which actively impersonate you.

7. Exposed admin and config paths

We probe about 200 paths your server should never expose: .env, .git, /admin, phpMyAdmin, server-status, deployment configs. A single hit can mean total compromise.

8. Public CVEs in your stack

We fingerprint your stack (CMS, framework, plugins) and cross-reference it against OSV, NVD, EPSS, and the CISA KEV catalog so you see the vulnerabilities most likely to be exploited first.

9. Reputation and Safe Browsing flags

Google Safe Browsing, VirusTotal, URLhaus, MXToolbox blacklists. If your domain is flagged, your emails go to spam and your customers see big red warnings. Catch it before traffic does.

Why a checklist works

Founders ship faster than auditors can audit.

You are weeks from your first paying customer. The codebase is changing daily. Hiring a CISO is not on the table. A pentest costs more than your runway and would take a week you do not have.

A boring checklist beats every alternative. Nine items, ninety seconds, fully automated, run on a schedule. It will not catch a sophisticated business-logic attack — but it catches the things that actually take down small startups: leaked keys, expired certs, weak email auth, exposed configs, hijacked subdomains. The deadly mundane.

That is what NoDowntimeShield is built to be. Not the cleverest tool. The most boring tool you cannot afford to skip.

Checklist vs alternatives

Where the checklist fits.

Checklist (this)

Daily automated. Catches operational issues. $0 to start. 90-second scan. No setup.

Pentest

Annual. Catches application-logic flaws. $20k–$100k. Two-week engagement. Findings expire fast as the codebase changes.

Bug bounty

Continuous. Catches creative exploits. Pay-per-finding. Requires a team to triage. Best after PMF, not before.

Use the checklist now. Use pentests once you have revenue. Use bug bounties once you have a security team.

90s: Time to first finding
9: Checklist items per scan
$0: Cost of one domain

"We were six days from launch. The checklist surfaced an old AWS key in a deleted commit on a forked repo. Rotated, redeployed, no story to tell — which is the best kind of story."
Alex M., Founder, productivity SaaS

FAQ

Common founder questions.

When is the right time to run this?
The day before your first customer signs up. After the soft-launch but before the press cycle. The earlier the better — fixing a leaked AWS key while you have 0 users is a 5-minute job; doing it after you have 10,000 users is a multi-day incident.

I'm pre-revenue — is this overkill?
No. The risks the checklist covers do not scale with revenue. A leaked GitHub credential will be exploited the moment it's pushed, whether you have 1 user or 1 million. The free tier covers a single domain, so the cost is your time.

I outsourced development to an agency. Can I run this without them?
Yes. The scan does not require any code change, repository access, or developer involvement. You enter your domain; we scan from the outside. Findings come back with copy your agency can act on directly.

What if I don't understand the findings?
Every finding has two descriptions: a technical one for the engineer, and a plain-English one for you. The plain version explains the actual business impact ("Anyone can send emails pretending to be from you") and the fix ("Add this one DNS record — takes 5 minutes").

Do you need access to my code?
No. The 9-item checklist runs entirely from outside. The optional GitHub App (a separate feature) reads your repos for credential leaks across pull requests, but the founder checklist itself is a black-box scan.

Run the checklist now.

Free for one domain. No credit card. 90 seconds. Bookmark and re-run before every release.

Already past launch? See the pre-launch checklist or pricing.