CodeSlick Beta - Founder's Cheat Sheet¶
PRIVATE DOCUMENT - For Vitor's Reference Only
Last Updated: November 7, 2025
Purpose: Quick reference for beta user conversations, technical questions, and objection handling
Quick Pitch (30 Seconds) - Memorize This¶
"CodeSlick is an automated security analysis tool for GitHub pull requests. We scan your code with 79+ security checks across three layers: static code analysis, dependency scanning, and API security detection. When a developer opens a PR, CodeSlick automatically posts a comment with any security issues found - before the code reaches production. We're 80% cheaper than Snyk at €99/month for a 5-person team, and we require zero configuration - just install the GitHub App and you're protected."
Elevator version (10 seconds):
"Automated security reviews for GitHub PRs - 79+ checks, €99/month, zero setup."
Core Value Propositions¶
1. Three-Layer Security (Unique Selling Point)¶
- Layer 1: Static Code Analysis - 74 checks (SQL injection, XSS, command injection, etc.)
- Layer 2: Dependency Scanning - npm, pip, Maven (using Google OSV database)
- Layer 3: API Security - 5 checks (insecure HTTP, missing auth, API key exposure, CORS, rate limiting)
Why this matters: Most tools focus on one or two of these layers. CodeSlick combines all three in a single zero-config PR check.
2. GitHub PR Automation (Not Manual)¶
- Runs automatically on every PR (no workflow configuration needed)
- Posts results as PR comment (visible to whole team)
- Integrates with code review process (catches issues before merge)
Why this matters: Shift-left security - catch bugs before production, not after.
3. 80% Cheaper Than Snyk¶
- Snyk Team: $98/developer/month = $490/month for 5 devs
- CodeSlick Team: €99/month flat (up to 5 devs) = about €20/dev/month
- Savings: about €391/month, €4,692/year (Snyk prices in USD, so treat the figure as approximate; it is roughly 80% less)
Why this matters: Small teams can't afford enterprise security tools. CodeSlick makes security accessible.
Common Questions & Answers¶
Technical Questions¶
Q: "How does CodeSlick compare to ESLint?"¶
A: "ESLint is a linter that catches code style and basic bugs. CodeSlick is a security-focused SAST tool. Think of it this way:
- ESLint catches: missing semicolons, unused variables, code formatting
- CodeSlick catches: SQL injection, XSS, hardcoded secrets, vulnerable dependencies
ESLint is great for code quality. CodeSlick is for security. Most teams use both - they complement each other."
Follow-up if pressed: "ESLint has some security plugins (eslint-plugin-security), but they're limited. CodeSlick has 79+ specialized security checks covering OWASP Top 10, while ESLint security plugins cover maybe 10-15 basic patterns."
Q: "What languages do you support?"¶
A: "Currently: JavaScript, TypeScript, Python, and Java. These cover 80% of modern web applications."
Roadmap (if asked): "We're planning Go and Rust next, based on user demand. Which languages does your team use?"
Q: "How does your JavaScript SQL injection detection work?"¶
A: "We use AST (Abstract Syntax Tree) parsing to analyze code structure. We look for patterns where user input flows directly into SQL query strings without parameterization. For example:
CodeSlick flags this because req.params.id is untrusted user input concatenated into a SQL string. The fix is to use parameterized queries or an ORM."
If they want more technical details: "I can share our exact detection rules and send you links to the source code. We're also planning to open-source the core analyzers post-beta."
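The page's own code snippet for this answer did not survive, so the following is an added worked example of the technique the answer describes: AST parsing that flags untrusted request input concatenated or formatted into a SQL string, while leaving parameterized queries alone. It is example code written for this cheat sheet, not CodeSlick's analyzer or its rules. It is written in Python over Python source (one of the supported languages) because the standard-library `ast` module makes it runnable with no extra packages; the JavaScript analyzer would have the same shape on top of a JS parser. The taint roots (`request`, `req`), the sink names (`execute`, `executemany`, `raw`), the sample functions and the flow-insensitive variable resolution are all assumptions made for this example.

```python
import ast
from dataclasses import dataclass

# Hypothetical rule set for this example (not CodeSlick's real rules):
TAINT_ROOTS = {"request", "req"}               # Django/Flask-style request objects
SQL_SINKS = {"execute", "executemany", "raw"}  # cursor.execute(...), Model.objects.raw(...)


@dataclass
class Finding:
    lineno: int
    sink: str
    source: str  # the untrusted expression, e.g. request.GET['id']


def _root_name(node):
    """Root identifier of an attribute/subscript chain: request.GET['id'] -> 'request'."""
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


class SqlInjectionVisitor(ast.NodeVisitor):
    """Flags SQL sinks whose query *text* is built from untrusted input.
    Simplification (assumed for this example): variables are resolved by name,
    module-wide and flow-insensitively; a real analyzer tracks scopes."""

    def __init__(self):
        self.findings = []
        self.assigned = {}  # variable name -> last assigned expression

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assigned[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            source = self._taint_in_query(node.args[0])
            if source:
                self.findings.append(Finding(node.lineno, func.attr, source))
        self.generic_visit(node)

    def _taint_in_query(self, expr, depth=0):
        """Tainted sub-expression if `expr` concatenates/formats it into the SQL text, else None."""
        if depth > 10:
            return None
        if isinstance(expr, ast.Name) and expr.id in self.assigned:
            return self._taint_in_query(self.assigned[expr.id], depth + 1)
        if isinstance(expr, ast.Constant):
            return None  # literal SQL: parameters, if any, travel separately (the safe pattern)
        builds_string = isinstance(expr, (ast.BinOp, ast.JoinedStr)) or (  # 'a' + x, 'a %s' % x, f'{x}'
            isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")                                 # 'a {}'.format(x)
        return self._find_taint(expr) if builds_string else None

    def _find_taint(self, node, depth=0):
        """Search `node`, following simple assignments, for an expression rooted in TAINT_ROOTS."""
        if depth > 10:
            return None
        for sub in ast.walk(node):  # breadth-first, so the outermost tainted expression wins
            if isinstance(sub, ast.Name) and sub.id in self.assigned and sub.id not in TAINT_ROOTS:
                hit = self._find_taint(self.assigned[sub.id], depth + 1)
                if hit:
                    return hit
            elif isinstance(sub, (ast.Attribute, ast.Subscript, ast.Name)) and _root_name(sub) in TAINT_ROOTS:
                return ast.unparse(sub)
        return None


def find_sql_injection(source_code):
    visitor = SqlInjectionVisitor()
    visitor.visit(ast.parse(source_code))
    return visitor.findings


# Constructed sample input for this example.
SAMPLE = '''
def by_id(request, cursor):
    # string concatenation: flagged
    cursor.execute("SELECT * FROM users WHERE id = " + request.GET["id"])

def by_name(request, cursor):
    # f-string: flagged
    cursor.execute(f"SELECT * FROM users WHERE name = '{request.POST['name']}'")

def by_email(request, cursor):
    # built through local variables: still flagged
    email = request.GET["email"]
    sql = "SELECT * FROM users WHERE email = '%s'" % email
    cursor.execute(sql)

def safe(request, cursor):
    # parameterized: SQL text is a literal, the input travels as a bound parameter
    cursor.execute("SELECT * FROM users WHERE id = %s", [request.GET["id"]])

def safe_constant(cursor):
    query = "SELECT COUNT(*) FROM users"
    cursor.execute(query)
'''

if __name__ == "__main__":
    for f in find_sql_injection(SAMPLE):
        print(f"line {f.lineno}: {f.source} is concatenated into the SQL string passed to .{f.sink}()")
```

The design point worth making on a call: the rule fires on how the query text is *built* (concatenation, `%`, f-string, `.format`) rather than on the mere presence of request data, which is why the parameterized `safe` function is not reported even though it reads `request.GET["id"]`.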
Q: "Do you support custom rules?"¶
A: "Not yet - that's an Enterprise feature we're planning for Q1 2026. Right now we focus on OWASP Top 10 and common vulnerabilities that affect 95% of teams. What specific custom rules would your team need?"
Note to self: Track requests for custom rules - if 5+ teams ask, prioritize this feature.
Q: "How accurate is your detection? False positive rate?"¶
A: "Our false positive rate is 5-10%, which is industry-standard for SAST tools. We prioritize catching real vulnerabilities over being overly cautious. Here's how we handle it:
- Severity and confidence: CRITICAL is reserved for high-confidence findings; MEDIUM/LOW mark potential issues that deserve a human look
- Context-aware: Our analyzers understand common frameworks (Express, Django, Spring)
- Continuous improvement: We tune detection rules based on user feedback
If you find false positives during beta, please report them - we'll fix them within 24 hours."
Q: "What about DAST (Dynamic Analysis)?"¶
A: "CodeSlick is SAST (Static Analysis) - we scan code without running it. DAST tools (like Burp Suite) scan running applications.
When to use each:
- SAST (CodeSlick): during development, in PR reviews - catches issues before deployment
- DAST: in staging/production - finds runtime issues like authentication bypasses
Most teams use both. CodeSlick is your 'shift-left' security tool that catches 70% of issues early when they're cheapest to fix."
Q: "How do you handle dependency scanning?"¶
A: "We use Google's OSV (Open Source Vulnerabilities) database, which aggregates the GitHub Advisory Database and the other ecosystem advisory feeds. When you open a PR that adds/updates dependencies:
- We extract package.json (npm), requirements.txt (pip), or pom.xml (Maven)
- Query the OSV database for known vulnerabilities (CVE and GHSA advisories) against the declared versions
- Report any vulnerable packages with severity and fix version
This catches known-vulnerable dependencies like Log4Shell before they reach production."
Note to self: package.json and unpinned requirements.txt entries are version ranges; the version actually installed is in the lockfile (package-lock.json, a pinned requirements file), so expect DevOps engineers to ask whether we read lockfiles.
Example to share: "Remember Log4Shell in 2021? That affected millions of Java apps. CodeSlick would have flagged it the moment a developer added the vulnerable log4j version to pom.xml." Caveat to have ready: that holds for PRs opened after the advisory was published; be prepared for the follow-up of how dependencies already on main get rescanned when a new advisory lands.
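As an added worked example (not CodeSlick's code; the function names are hypothetical and the inputs are constructed), here is the dependency-scanning flow from the answer above in Python: extract Maven coordinates from pom.xml, build the batch query body that the real OSV API accepts at https://api.osv.dev/v1/querybatch, and evaluate a vulnerability record in the OSV schema to decide whether a declared version is affected and which version fixes it. The OSV record is constructed for the example and modeled on the published log4j-core advisory (GHSA-jfh8-c2jp-5v3q / CVE-2021-44228) with simplified ranges; the version ordering is a simplified numeric comparison, not Maven's real version semantics. Nothing is sent over the network, so it runs offline.

```python
import json
import re
import xml.etree.ElementTree as ET

# Real OSV endpoints (not called here so the example runs offline):
#   POST https://api.osv.dev/v1/querybatch  -> advisory ids per query
#   GET  https://api.osv.dev/v1/vulns/{id}  -> full record in the OSV schema
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed pom.xml for this example.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
      <version>2.10.1</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed record in the OSV schema, modeled on the published log4j-core advisory
# (GHSA-jfh8-c2jp-5v3q / CVE-2021-44228); ranges simplified for the example.
OSV_VULNS = [{
    "id": "GHSA-jfh8-c2jp-5v3q",
    "aliases": ["CVE-2021-44228"],
    "summary": "Remote code injection in Log4j",
    "database_specific": {"severity": "CRITICAL"},
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.3.1"}]},
                   {"type": "ECOSYSTEM", "events": [{"introduced": "2.4"}, {"fixed": "2.12.2"}]},
                   {"type": "ECOSYSTEM", "events": [{"introduced": "2.13.0"}, {"fixed": "2.15.0"}]}],
    }],
}]


def _local(tag):
    """Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def parse_pom(xml_text):
    """Extract pinned Maven coordinates as OSV package names (groupId:artifactId)."""
    deps = []
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if {"groupId", "artifactId", "version"} <= f.keys():
            deps.append({"name": f"{f['groupId']}:{f['artifactId']}", "version": f["version"]})
    return deps


def osv_querybatch_payload(deps, ecosystem="Maven"):
    """Request body for POST /v1/querybatch, one query per dependency."""
    return {"queries": [{"package": {"name": d["name"], "ecosystem": ecosystem},
                         "version": d["version"]} for d in deps]}


def _vkey(version):
    """Simplified ordering key: numeric major.minor.patch, pre-releases sort before the release.
    Assumption of this example; a real scanner uses ecosystem-specific version rules."""
    base, _, pre = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", base)][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, -1 if pre else 0)


def affected_in_range(version, events):
    """Walk an OSV ECOSYSTEM range in order: vulnerable from 'introduced' until the next 'fixed'.
    Returns (affected, fix_version_or_None)."""
    v, introduced = _vkey(version), None
    for ev in events:
        if "introduced" in ev:
            introduced = ev["introduced"]
        elif "fixed" in ev and introduced is not None:
            if _vkey(introduced) <= v < _vkey(ev["fixed"]):
                return True, ev["fixed"]
            introduced = None
    if introduced is not None and _vkey(introduced) <= v:
        return True, None  # affected and no fix published yet
    return False, None


def match_vulns(dep, vulns):
    """Findings for one dependency against a list of OSV records."""
    findings = []
    for vuln in vulns:
        for aff in vuln.get("affected", []):
            if aff.get("package", {}).get("name") != dep["name"]:
                continue
            for rng in aff.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":
                    continue
                hit, fix = affected_in_range(dep["version"], rng["events"])
                if hit:
                    findings.append({"package": dep["name"], "version": dep["version"],
                                     "id": vuln["id"], "aliases": vuln.get("aliases", []),
                                     "severity": vuln.get("database_specific", {}).get("severity", "UNKNOWN"),
                                     "fixed": fix})
    return findings


def scan_pom(xml_text, vulns):
    return [f for dep in parse_pom(xml_text) for f in match_vulns(dep, vulns)]


if __name__ == "__main__":
    print(json.dumps(osv_querybatch_payload(parse_pom(POM_XML)), indent=2))
    for f in scan_pom(POM_XML, OSV_VULNS):
        print(f"{f['severity']}: {f['package']}@{f['version']} {f['id']} "
              f"({', '.join(f['aliases'])}); upgrade to {f['fixed']}")
```

Two details a DevOps engineer may probe: the OSV `events` list is ordered, so a version is affected from an `introduced` event until the next `fixed` one and stays affected if no `fixed` follows; and `querybatch` returns only advisory ids, so the full records (severity, fix versions) come from a second request per id to `/v1/vulns/{id}`.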
Q: "What about runtime protection / WAF?"¶
A: "CodeSlick doesn't do runtime protection - we're a development-time tool. For runtime protection, you'd use a WAF (Web Application Firewall) like Cloudflare or AWS WAF.
The advantage of CodeSlick: We catch vulnerabilities BEFORE they're deployed, when they're cheap to fix. Fixing a bug in a PR costs €50 in developer time. Fixing it in production after a security incident costs €5,000+."
Pricing Questions¶
Q: "Why €99/month for Team plan?"¶
A: "Let me break down the value:
Competitive positioning:
- Snyk Team: $98 PER developer = $490/month for 5 devs
- SonarQube Cloud: $120/month for 5 devs (100k LOC limit)
- CodeSlick: €99/month flat (up to 5 devs, unlimited analyses)
ROI calculation:
- Average team hits 2-3 critical security bugs/year
- Each incident: 12 hours debugging (€60/hour) = €720 cost
- Annual security incident cost: €1,440-€2,160
- CodeSlick annual cost: €1,188
- Savings: €252-€972/year (plus compliance, customer trust)
Bottom line: CodeSlick pays for itself after preventing just 2 critical bugs."
Q: "Can we get a discount for annual payment?"¶
A: "Yes! We offer 15% discount for annual payment:
- Monthly: €99/month = €1,188/year
- Annual: €1,010/year (€84/month effective rate)
- Savings: €178/year
For beta users, I can offer 20% off annual payment (€950/year). Would that work for your team?"
Q: "What if we have more than 5 developers?"¶
A: "Great question. Our Team plan covers up to 5 developers. For larger teams:
Option 1: Enterprise plan (€299/month)
- Unlimited developers
- Unlimited repositories
- Custom security rules (coming Q1 2026)
- Dedicated support
Option 2: Multiple Team licenses
- 10 developers = 2 Team licenses (€198/month)
- Still cheaper than Snyk ($980/month for 10 devs)
For beta users with 6-10 devs, I can extend the Team plan to 10 devs at €149/month. Sound fair?"
Q: "Do you offer free plan?"¶
A: "Yes! Free plan includes:
- 20 PR analyses per month
- 1 repository
- All 79+ security checks
- Perfect for individual developers or small hobby projects
Most commercial teams hit 20 analyses in the first week, so they upgrade to Team plan (€99/month, unlimited analyses)."
Objection Handling¶
Objection: "We already use Snyk"¶
Response: "That's great! Snyk is excellent for dependency scanning. CodeSlick complements Snyk by adding:
- Deeper SAST: Snyk's code analysis is basic. CodeSlick has 74 specialized static analysis checks.
- API Security: Snyk doesn't check API security patterns (missing auth, CORS issues). CodeSlick does.
- Cost: adding CodeSlick on top of Snyk is $490 + €99 ≈ $590/month, versus about $610/month for Snyk + SonarQube Cloud ($120/month for 5 devs)
Alternative positioning: Many teams use Snyk for dependencies and CodeSlick for code analysis. They integrate seamlessly in your PR workflow."
If they push back: "I totally understand. What's your biggest pain point with Snyk right now? [Listen, then position CodeSlick as solving that specific pain]"
Objection: "GitHub already has security scanning"¶
Response: "GitHub's security features are excellent, but they're focused on different areas:
- GitHub Dependabot: dependency vulnerabilities (like CodeSlick's dependency scanner); available on all plans
- GitHub Code Scanning (CodeQL): static analysis with a one-click default setup and built-in query suites (custom queries are optional, not required); free for public repos, but private repos need the paid Advanced Security / Code Security add-on
- GitHub Secret Scanning: detects committed secrets; free for public repos, paid add-on for private repos
CodeSlick fills the gaps:
1. Any GitHub plan: CodeQL and secret scanning on private repos need paid GitHub add-ons; CodeSlick is one GitHub App install on any plan, with no queries to write.
2. API security: GitHub doesn't check for API security issues (missing auth, CORS). CodeSlick does.
3. Unified view: one PR comment for code + dependencies + APIs instead of three separate GitHub features.
Bottom line: CodeSlick is 'GitHub security on easy mode' - one install, one PR comment, on any plan.
Objection: "We'll just use free tools (ESLint, OWASP ZAP)"¶
Response: "Free tools are excellent, and I recommend them! But they have gaps:
What free tools cover:
- ESLint: code quality, basic bugs (NOT security-focused)
- OWASP ZAP: DAST (runtime scanning, NOT code analysis)
- Semgrep OSS: good SAST, but requires engineering time to configure rules
What CodeSlick adds:
1. Security-first: 79+ checks specifically for OWASP Top 10 (ESLint security plugins cover ~15)
2. Three layers: code + dependencies + APIs (free tools do one layer each)
3. Zero config: works in 5 minutes. Semgrep takes 2-3 days to set up properly.
Value proposition: CodeSlick saves your team 40+ hours/year in security tool configuration and maintenance. At €60/hour, that's €2,400 in saved developer time. CodeSlick costs €1,188/year. You actually save €1,200/year."
If they're price-sensitive: "I respect that budget is tight. Would you be interested in a 3-month free trial to prove ROI before committing?"
Objection: "This seems too expensive for a small team"¶
Response: "I understand - €99/month feels like a lot for a 5-person team. Let me reframe it:
Per-developer cost: €99 ÷ 5 devs = €20/dev/month = €0.66/day per developer
Daily cost equivalent: Less than a coffee per developer per day
Alternative framing: What does a security incident cost your team?
- Customer data breach: €5,000-€50,000 (GDPR fines, legal fees)
- One critical production bug: 12 hours × €60/hour = €720
- Lost customer trust: priceless
CodeSlick is insurance: €99/month prevents the €5,000+ cost of a single incident.
Offer: For beta users, I can offer first 3 months at 50% off (€49.50/month) to prove value. After 3 months, if you haven't saved at least €150 in avoided bugs, I'll refund the full amount. Sound fair?"
Objection: "We don't have security issues - our team is experienced"¶
Response: "That's great that you have experienced developers! Even the best teams ship security bugs - it's not about skill, it's about:
1. Human error: Developers are focused on features, not security. A single careless edit can turn a parameterized query into SQL injection:
```javascript
// Intended: parameterized query, the id travels as a bound value
const query = db.query('SELECT * FROM users WHERE id = ?', [id]);

// One careless edit later: the id is now concatenated into the SQL text (injectable)
const query = db.query('SELECT * FROM users WHERE id = ' + id);
```
2. Dependency vulnerabilities: Even if your code is perfect, you use 100+ npm packages. One vulnerable dependency (like Log4Shell) can compromise your entire app.
3. API security: Experienced developers forget to add authentication to new endpoints. CodeSlick catches this before merge.
Real example: In 2016 attackers got into Uber's AWS storage using credentials a developer had committed to a private GitHub repository, exposing data on 57 million riders and drivers; the breach and its cover-up ended in a $148 million settlement with US states in 2018. Their team was incredibly experienced, but one mistake was enough. CodeSlick would have flagged that hardcoded credential in the PR.
Bottom line: CodeSlick is your 'second pair of eyes' - even great teams benefit from automated security review."
Objection: "We need to think about it"¶
Response: "Absolutely - this is an important decision. To help you evaluate, can I ask:
- What's your biggest concern? (Price? Technical fit? Something else?)
- What would CodeSlick need to provide to make this a 'yes' for you?
- Would a 2-week free trial help you make the decision?
If they're genuinely interested: I can set you up with a free trial today. You'll see real results in your first PR - no commitment required.
If they're not ready: No problem. Can I follow up in 2 weeks? In the meantime, I'll send you our technical documentation and a case study from a similar team."
What I DON'T Know (And How to Handle It)¶
Technical Deep-Dives I Should Research¶
Situation: DevOps engineer asks deep technical question I can't answer
Examples:
- "How do you detect prototype pollution in JavaScript?"
- "What's your approach to Java deserialization attacks?"
- "Do you support analysis of Kotlin code?"
Response Template:
"That's a great technical question about [topic]. I want to make sure I give you an accurate answer rather than guessing. Can I research that specific case and send you detailed documentation within 24 hours? In the meantime, let me show you how CodeSlick handles [related topic I DO know]."
Follow-up:
1. Note the question in this document (add to "Questions to Research" section below)
2. Research using CLAUDE.md, ANALYZER_COVERAGE.md, or codebase
3. Email detailed answer within 24 hours
4. Update this cheat sheet with the answer
Custom Enterprise Features¶
Situation: Enterprise customer asks for feature we don't have yet
Examples:
- "Can you integrate with Jira for ticketing?"
- "Do you support SSO (SAML)?"
- "Can we run CodeSlick on-premise?"
Response Template:
"That's on our roadmap for [timeframe if known, otherwise say 'Q1-Q2 2026']. Can you tell me more about your specific use case? If this is a critical requirement for your team, I can prioritize it in our development queue. We're a small team, so early beta customers help shape our roadmap."
Follow-up:
1. Note the feature request
2. If 3+ customers ask for same feature → prioritize it
3. Email them when feature is ready
Pricing Edge Cases¶
Situation: Customer has unique pricing requirement
Examples:
- "We have 12 developers but only 8 actively use GitHub - can we pay for 8?"
- "Can we pay in USD instead of EUR?"
- "We need monthly invoicing, not credit card"
Response:
"Let me check with our billing system and get back to you within 24 hours with options. I want to make sure we can accommodate your needs."
Follow-up:
1. Check if Stripe supports this (it probably does)
2. Email them solution
3. Update this cheat sheet if it's a common request
Questions to Research (Add Here During Beta)¶
Technical Questions I Couldn't Answer:¶
- [Question from beta user] - [Date]
- [Question from beta user] - [Date]
Feature Requests (Track for Roadmap):¶
- [Feature request] - [Requested by] - [Date]
- [Feature request] - [Requested by] - [Date]
Beta Call Checklist¶
Before the call:
- [ ] Review this cheat sheet (5 mins)
- [ ] Open ANALYZER_COVERAGE.md (technical reference)
- [ ] Have pricing page open (€99 Team, €299 Enterprise)
- [ ] Have competitor comparison handy (Snyk, SonarQube)
During the call:
- [ ] Ask: "What's your current security tooling setup?"
- [ ] Ask: "What's your biggest security pain point?"
- [ ] Demonstrate: Show actual PR comment with security findings
- [ ] Offer: "Would you like to try a 2-week free trial?"
After the call:
- [ ] Send follow-up email with: summary of conversation, links to documentation, trial signup link (if interested), answers to any questions I couldn't answer live
- [ ] Update this cheat sheet with new questions/objections
- [ ] Note in CRM/spreadsheet: Interest level (Hot/Warm/Cold)
Competitor Quick Reference¶
Snyk¶
Pricing: $98/dev/month (Team), $399/dev/month (Enterprise)
Strengths: Dependency scanning (excellent), container security
Weaknesses: SAST is basic, expensive for small teams
CodeSlick differentiation: 80% cheaper, better SAST, simpler pricing
SonarQube¶
Pricing: $120/month (5 devs, 100k LOC limit), $2,000+/year (unlimited)
Strengths: Comprehensive SAST, mature product
Weaknesses: Complex setup (self-hosted or cloud), no dependency scanning
CodeSlick differentiation: Zero setup, includes dependency + API security
Semgrep¶
Pricing: Free (OSS), $40/dev/month (Team), $80/dev/month (Enterprise)
Strengths: Powerful custom rules, open-source
Weaknesses: Requires engineering effort to configure rules
CodeSlick differentiation: Works out-of-the-box, no rule configuration needed
GitHub Advanced Security¶
Pricing: $49/committer/month as the old Advanced Security bundle (GitHub Enterprise only); in 2025 GitHub split it into separately sold Code Security and Secret Protection add-ons, so verify the current pricing page before quoting
Strengths: Native GitHub integration, CodeQL is powerful
Weaknesses: Paid add-on for private repos, custom queries need CodeQL's query language
CodeSlick differentiation: Works with any GitHub plan, no query writing needed
Confidence Boosters (Read Before Calls)¶
You don't need to know everything. Your job is to:
1. ✅ Understand the customer's pain point
2. ✅ Explain how CodeSlick solves it
3. ✅ Demonstrate value (ROI, time savings)
4. ✅ Be honest when you don't know something
DevOps engineers respect honesty. Saying "Great question, let me research that and get back to you" is better than guessing.
You've built something valuable. CodeSlick has:
- 79+ security checks
- Three-layer coverage (code + dependencies + APIs in one zero-config tool)
- 80% cheaper than Snyk
- Zero-configuration setup
You're offering a fair deal. Beta users get:
- 50% off for 3 months (€49.50/month)
- Direct access to you (founder)
- Influence on product roadmap
- Priority support (bugs fixed within 24 hours)
Emergency Contact (For Technical Questions)¶
If a beta call goes deeply technical and I'm stuck:
1. Pause politely: "This is getting into implementation details I want to get exactly right. Can I bring in our technical lead for 5 minutes?"
2. Option A: Message Claude Code (use CLAUDE.md context)
3. Option B: Check codebase (src/lib/analyzers/) for exact implementation
4. Option C: Schedule follow-up call: "Let me research this thoroughly and schedule a technical deep-dive call with you tomorrow"
Never: Guess or make up technical details. Always verify.
Last Updated: November 7, 2025 Next Review: After first 5 beta calls (update with real questions)