CodeSlick Beta - Practice Q&A Script¶

PRIVATE DOCUMENT - For Practice and Role-Playing

Last Updated: November 7, 2025 Purpose: 20 most common questions with detailed answers to practice before beta calls

How to Use This Document¶

Solo Practice (30 mins/day for 3 days):
Read question out loud
Answer WITHOUT looking at the provided answer
Compare your answer to the script
Repeat until you can answer confidently without notes
Role-Play Practice (with friend/colleague):
Have them ask questions in random order
Answer as if they're a real prospect
Get feedback on clarity and confidence
Before Beta Calls:
Skim all 20 questions (10 mins)
Have this document open during call (reference if needed)
Update with new questions after each call

20 Most Common Questions¶

Section 1: Product Basics (Questions 1-5)¶

Q1: What is CodeSlick?¶

Your Answer: "CodeSlick is an automated security analysis tool for GitHub pull requests. When your developers open a PR, CodeSlick automatically scans the code for 79+ security vulnerabilities across three layers:

Static code analysis - SQL injection, XSS, hardcoded secrets
Dependency scanning - Vulnerable npm, pip, or Maven packages
API security - Missing authentication, CORS issues, insecure endpoints

We post results as a PR comment, so your team sees security issues before merging code into production. It's like having a security expert review every PR, but automated and instant."

Key points to emphasize: - Automated (no manual work) - Three layers (unique differentiator) - PR-based (shift-left security)

Q2: What languages do you support?¶

Your Answer: "We currently support JavaScript, TypeScript, Python, and Java. These four languages cover about 80% of modern web applications.

Each language has specialized security checks: - JavaScript/TypeScript: 17 checks (SQL injection, XSS, eval usage, prototype pollution) - Python: 19 checks (command injection, pickle deserialization, path traversal) - Java: 18 checks (XXE, insecure deserialization, LDAP injection)

We're planning to add Go and Rust next based on user demand. What languages does your team use?"

If they use unsupported language: "Which language are you using? If we hear that request from 3+ beta users, we'll prioritize it in our roadmap. In the meantime, you can still use CodeSlick for your JS/TS/Python/Java services."

Q3: How does CodeSlick integrate with GitHub?¶

Your Answer: "CodeSlick installs as a GitHub App - it takes about 5 minutes:

Install the app: Click 'Install' on GitHub, select repositories
Grant permissions: CodeSlick needs read access to PRs and write access to post comments
Automatic scanning: From that moment on, every new or updated PR is automatically scanned
Results as comments: Within 5-10 seconds, CodeSlick posts a comment with security findings

No workflow files to configure, no YAML to write, no CI/CD setup needed. It just works.

You can also uninstall at any time - there's no lock-in."

Key point: Zero configuration compared to GitHub Actions or CodeQL.

Q4: How long does analysis take?¶

Your Answer: "Analysis is very fast - typically 5-10 seconds per PR, depending on code size:

Small PR (1-2 files, <500 lines): 2-3 seconds
Medium PR (5-10 files, 500-2000 lines): 5-8 seconds
Large PR (20+ files, 2000+ lines): 10-15 seconds

This is because we only analyze the files changed in the PR, not your entire codebase. And it's pure static analysis - no need to compile or run your code.

For comparison, a manual security code review takes 30-60 minutes per PR. CodeSlick does it in 10 seconds."

Q5: Can I see an example?¶

Your Answer: "Absolutely! Let me show you a real example.

[Open codeslick.dev/analyze or show screenshot of PR comment]

Here's a PR where CodeSlick found a critical SQL injection vulnerability:

// Vulnerable code
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = ${userId}`;

CodeSlick flagged this as: - CRITICAL severity - SQL Injection vulnerability - OWASP A03:2021 - Injection - Fix suggestion: Use parameterized queries instead

The developer saw this comment, fixed it before merging, and the bug never made it to production.

Want me to analyze one of your repositories live right now to show you what CodeSlick would find?"

Note: Offering a live demo is powerful - most will say yes.

Section 2: Technical Questions (Questions 6-10)¶

Q6: What's the difference between CodeSlick and ESLint?¶

Your Answer: "Great question. ESLint and CodeSlick serve different purposes:

ESLint: - Purpose: Code quality and style - Checks: Missing semicolons, unused variables, code formatting - Security: Basic (10-15 rules via eslint-plugin-security)

CodeSlick: - Purpose: Security-focused analysis - Checks: 79+ security vulnerabilities (OWASP Top 10) - Scope: Code + dependencies + APIs

Think of it this way: - ESLint says: 'Your code style is inconsistent' - CodeSlick says: 'Your code has a critical SQL injection vulnerability'

Most teams use both. ESLint for code quality, CodeSlick for security. They complement each other perfectly."

Analogy: "ESLint is spell-check. CodeSlick is a security audit."

Q7: How accurate is your detection? False positive rate?¶

Your Answer: "Our false positive rate is 5-10%, which is industry-standard for SAST tools. We prioritize catching real vulnerabilities over being overly cautious.

Here's how we minimize false positives:

Context-aware analysis: We understand common frameworks (Express, Django, Spring) and don't flag safe patterns
Severity levels: CRITICAL issues have high confidence, MEDIUM/LOW indicate potential issues worth investigating
Continuous tuning: We improve detection rules based on user feedback

For comparison: - CodeQL (GitHub): 10-15% false positive rate - SonarQube: 8-12% false positive rate - Semgrep: 5-15% false positive rate (depending on rules)

During beta: If you find a false positive, report it and we'll fix it within 24 hours. Your feedback directly improves the product."

Important: Never claim "zero false positives" - that's impossible for SAST tools.

Q8: Do you support custom rules or configuration?¶

Your Answer: "Not yet - custom rules are an Enterprise feature we're planning for Q1 2026.

Right now, CodeSlick works out-of-the-box with 79+ pre-configured checks covering OWASP Top 10 and common vulnerabilities. This is intentional - we want to provide value without requiring configuration.

Why this matters: 95% of teams need the same security checks (SQL injection, XSS, secrets). Custom rules are only necessary for company-specific policies (like 'never use library X' or 'all API endpoints must have rate limiting').

If you need custom rules now: Can you share your specific use case? If it's common enough, we might add it to our standard ruleset. If it's company-specific, I can prioritize custom rules on our roadmap."

Follow-up: Track custom rule requests - if 5+ teams ask, this becomes Priority 1.

Q9: What about DAST or runtime protection?¶

Your Answer: "CodeSlick is SAST (Static Application Security Testing) - we analyze code without running it. We don't do DAST (Dynamic Analysis) or runtime protection.

Why SAST: - Shift-left: Catches issues during development, before deployment - Cheaper to fix: Fixing a bug in a PR costs €50 in developer time. Fixing it in production costs €5,000+ - Preventative: Stops vulnerabilities from ever reaching production

When to use DAST/WAF: - DAST (like Burp Suite): For finding runtime issues in staging/production - WAF (like Cloudflare): For blocking attacks in real-time

Most security teams use all three: 1. SAST (CodeSlick): Development stage - catch 70% of issues early 2. DAST: Staging - catch runtime issues before production 3. WAF: Production - block attacks in real-time

CodeSlick is your 'first line of defense' in the development phase."

Q10: How do you handle dependency scanning?¶

Your Answer: "We scan dependencies using Google's OSV (Open Source Vulnerabilities) database - the same database GitHub Dependabot uses.

How it works: 1. When a PR adds/updates dependencies, we extract: - package.json and package-lock.json (npm) - requirements.txt (pip) - pom.xml (Maven) 2. Query OSV database for known CVEs in those packages 3. Report vulnerable packages with: - CVE ID (e.g., CVE-2021-44228) - Severity (Critical/High/Medium/Low) - Fixed version (if available) - CVSS score

Example: If you add log4j version 2.14.1 (vulnerable to Log4Shell), CodeSlick reports: - CRITICAL: log4j 2.14.1 has CVE-2021-44228 (Remote Code Execution) - Fix: Upgrade to log4j 2.17.1 or later

Why OSV: It's free, comprehensive (covers npm, PyPI, Maven Central), and actively maintained by Google's security team."

Section 3: Pricing & Business (Questions 11-15)¶

Q11: How much does CodeSlick cost?¶

Your Answer: "We have three pricing tiers:

FREE: - 20 PR analyses per month - 1 repository - All 79+ security checks - Perfect for individual developers or hobby projects

TEAM (€99/month): - Unlimited PR analyses - Up to 5 team members - 5 repositories - All security features - Email support

ENTERPRISE (€299/month): - Unlimited team members - Unlimited repositories - Custom security rules (Q1 2026) - Dedicated support - SLA guarantees

Per-developer cost: Team plan = €20/dev/month (€99 ÷ 5 devs)

For beta users: 50% off for first 3 months (€49.50/month Team, €149.50/month Enterprise)

What size is your team?"

Q12: Why not just use free tools?¶

Your Answer: "Free tools are excellent, and I recommend them! But they have gaps:

Free tools landscape: - ESLint: Code quality (not security-focused) - ~15 security rules - GitHub Dependabot: Dependency scanning (good, but no code analysis) - Semgrep OSS: Good SAST, but requires 2-3 days to configure rules - OWASP ZAP: DAST (runtime scanning, not code analysis)

What CodeSlick adds: 1. Comprehensive: 79+ checks vs ESLint's 15 2. Zero config: Works in 5 minutes vs Semgrep's 2-3 day setup 3. Three layers: Code + dependencies + APIs (free tools do one layer each)

Time savings calculation: - Configuring Semgrep: 16 hours × €60/hour = €960 - Maintaining rules: 2 hours/month × €60 × 12 months = €1,440/year - Total annual cost of 'free' Semgrep: €2,400 - CodeSlick annual cost: €1,188

CodeSlick is actually cheaper than free tools when you factor in engineering time."

Q13: How does CodeSlick compare to Snyk?¶

Your Answer: "Snyk is excellent - it's the market leader in dependency scanning. Here's how we compare:

Feature	Snyk Team	CodeSlick Team
Price (5 devs)	$490/month	€99/month
Dependency Scanning	Excellent	Good (OSV)
Static Code Analysis	Basic	Strong (74 checks)
API Security	No	Yes (5 checks)
Setup Complexity	Medium	Low (GitHub App)

When to use Snyk: If you need container scanning, Infrastructure-as-Code scanning, or advanced dependency management

When to use CodeSlick: If you want deeper code analysis at ⅕th the cost

Can you use both?: Yes! Many teams use Snyk for dependencies and CodeSlick for code analysis. Total cost: $490 + €99 = ~$600/month, which is still cheaper than Snyk + SonarQube ($490 + $120 = $610+)

Positioning: We're not competing with Snyk - we complement it. If you're already using Snyk, CodeSlick adds the code analysis layer Snyk doesn't do deeply."

Q14: What's the ROI?¶

Your Answer: "Let me walk you through a real ROI calculation for a 5-person team:

Without CodeSlick: - Average team hits 2-3 critical security bugs per year - Each incident: 12 hours debugging + fixing (€60/hour = €720) - Annual cost of security incidents: €1,440-€2,160 - Plus: Customer trust damage, GDPR fines (€5,000-€50,000), downtime

With CodeSlick: - Annual cost: €1,188 (€99/month × 12) - Catches bugs BEFORE production (saves debugging time) - Net savings: €252-€972/year (security incidents avoided)

Time savings: - Manual security code review: 30 mins/PR × 20 PRs/month = 10 hours/month - CodeSlick review: 10 seconds/PR (automated) - Saved time: 10 hours/month × €60/hour = €600/month = €7,200/year

Total annual value: €7,200 (time) + €1,800 (incident prevention) = €9,000

Total annual cost: €1,188

ROI: 657% return on investment

Does that math make sense for your team?"

Q15: Can we get a discount?¶

Your Answer: "Yes! Here are the discounts available:

Annual payment discount: - Monthly: €99/month = €1,188/year - Annual: €1,010/year (15% off = €84/month effective) - Savings: €178/year

Beta user discount: - First 3 months: 50% off (€49.50/month) - After 3 months: Return to full price or cancel (no commitment)

Combined (beta + annual): - First year annual: €950 (20% off) - Savings: €238 vs monthly payment

Startup/non-profit discount: If you're an early-stage startup (<10 employees) or non-profit, I can offer 30% off permanently (€69.30/month). Do you qualify?

What works best for your budget?"

Section 4: Objections & Concerns (Questions 16-20)¶

Q16: We're already using [competitor]. Why switch?¶

Your Answer (adjust based on competitor):

If Snyk: "Snyk is excellent! We're not asking you to switch - we complement Snyk. Use Snyk for dependency/container scanning, CodeSlick for deeper code analysis. Together, they're still cheaper than Snyk alone for a larger team."

If SonarQube: "SonarQube is the gold standard for SAST. How's your experience with it? [Listen]. CodeSlick's advantage is simpler setup (no self-hosting, no configuration) and API security detection, which SonarQube doesn't do. We're positioned as 'SonarQube made easy' for teams that don't have time for complex setup."

If GitHub Advanced Security: "GitHub Advanced Security is powerful if you have the engineering resources to write CodeQL queries. CodeSlick is for teams that want the same security coverage but can't invest 40+ hours in setup. We're 'GitHub security on easy mode.'"

General response: "I'm not asking you to switch. I'm offering a free 2-week trial to see if CodeSlick finds issues your current tool missed. If we don't add value, you cancel - no commitment. Fair?"

Q17: This seems too expensive for our budget.¶

Your Answer: "I understand budget is tight. Let me reframe the cost:

Daily cost per developer: - €99/month ÷ 5 devs ÷ 30 days = €0.66/day per developer - Less than a coffee per day

Alternative framing - Insurance: What's the cost of NOT having security scanning? - One data breach: €5,000-€50,000 (GDPR, legal, customer trust) - One critical production bug: 12 hours × €60 = €720

CodeSlick prevents the €5,000 incident for €1,188/year.

Options if budget is constrained: 1. Free plan: 20 analyses/month - try this first, upgrade when you need more 2. Beta discount: €49.50/month for 3 months (50% off) 3. Annual payment: €1,010 upfront (15% off = 2 months free) 4. Startup discount: If you're <10 employees, I can do €69/month permanently

What would make this work for your budget?"

Q18: We don't have time to set this up right now.¶

Your Answer: "I completely understand - everyone's slammed. That's exactly why CodeSlick exists.

Setup time: 5 minutes total 1. Click 'Install GitHub App' (1 min) 2. Select repositories (1 min) 3. Grant permissions (1 min) 4. Wait for first PR to be analyzed (automatic)

No additional work required: - No CI/CD configuration - No workflow files to write - No training needed - No ongoing maintenance

Total time investment: 5 minutes once, then it's hands-off forever.

Comparison: - Configuring SonarQube: 2-3 days - Setting up Semgrep rules: 16+ hours - Writing CodeQL queries: 40+ hours

Question: Do you have 5 minutes this week for setup? I can walk you through it on a call right now if that helps."

Q19: How do I know you won't shut down in 6 months?¶

Your Answer: "That's a fair concern - startup risk is real. Here's why CodeSlick is built to last:

Business fundamentals: 1. Profitable unit economics: €99/month revenue, ~€10/month infrastructure cost = 90% gross margin 2. Sustainable growth: We're targeting 50-100 paying customers in Year 1 (€5,000-€10,000 MRR) 3. Low burn rate: I'm the solo founder, no VC pressure, no huge burn rate

Technical independence: - CodeSlick is a GitHub App - even if we shut down, your GitHub workflow isn't affected - You can uninstall anytime (no lock-in) - We don't store your code (just analysis results)

Commitment: - I've invested 4 months building this (15,000+ lines of code) - I'm personally committed to running CodeSlick for at least 3 years - Beta users will get 6 months notice if we ever shut down

Risk mitigation for you: - Start with monthly plan (no long-term commitment) - If you're concerned, we can discuss an annual plan with a 'shutdown refund' clause

Does that address your concern?"

Q20: Can you handle our scale? (We have 50 repositories / 100 developers)¶

Your Answer: "Great question. Let me be transparent about where we are:

Current capacity (proven): - Up to 50 repositories per team - Up to 20 developers per team - 1,000 PR analyses per month per team - 99.9% uptime (Vercel infrastructure)

Your scale (50 repos, 100 devs): - This is beyond our current Team plan (designed for 5 devs, 5 repos) - But Enterprise plan supports this

Honest assessment: I'd want to test with your workload before committing. Here's what I propose:

Pilot phase (2 weeks):
Start with 5-10 highest-priority repositories
Monitor performance and analysis quality
I'll personally monitor for any issues
If pilot succeeds:
Roll out to all 50 repositories
Enterprise plan: €299/month (unlimited devs/repos)
Dedicated support (I'll be your point of contact)
If we can't handle the scale:
No charge for pilot period
I'll help you find an alternative solution

Infrastructure confidence: - Vercel (our hosting) handles billion-request apps - Neon Postgres scales to 100M+ rows - Bottleneck would be GitHub API rate limits (5,000 requests/hour)

For 100 devs opening ~50 PRs/day: We should be fine, but let's prove it with a pilot.

Sound reasonable?"

Practice Schedule¶

Week 1 Before Beta Launch:¶

Day 1 (1 hour): - Read all 20 questions - Practice answering Q1-Q5 (Product Basics) out loud - Record yourself and listen back

Day 2 (1 hour): - Practice Q6-Q10 (Technical Questions) - Role-play with friend/colleague - Get feedback on clarity

Day 3 (1 hour): - Practice Q11-Q15 (Pricing & Business) - Focus on ROI calculation (memorize the numbers)

Day 4 (1 hour): - Practice Q16-Q20 (Objections) - These are the hardest - practice until confident

Day 5 (30 mins): - Random rapid-fire practice - Have someone ask questions in random order - Goal: Answer confidently without looking at notes

Before Each Beta Call:¶

10 minutes before call: - Skim all 20 questions - Review FOUNDER_CHEAT_SHEET.md - Open ANALYZER_COVERAGE.md (technical reference) - Have pricing page ready

During call: - Have this document open (reference if needed) - Take notes on questions you struggled to answer - Note any NEW questions not in this list

After call: - Update this document with new questions - Practice the questions you struggled with - Add to "Questions to Research" section

Questions Asked During Beta (Track Here)¶

Beta Call #1 - [Date] - [Company Name]¶

New questions asked: [List]
Questions I struggled with: [List]
Follow-up needed: [List]

Beta Call #2 - [Date] - [Company Name]¶

New questions asked: [List]
Questions I struggled with: [List]
Follow-up needed: [List]

Confidence Tips¶

Before answering: 1. Pause 2 seconds (shows you're thinking, not scripted) 2. Restate the question: "You're asking about [topic], right?" 3. Answer clearly and concisely 4. Ask: "Does that answer your question, or would you like me to dive deeper?"

If you don't know: - ✅ "That's a great question. Let me research that and get back to you within 24 hours." - ❌ "I don't know" (sounds unprepared) - ❌ Guessing (destroys credibility)

Body language (video calls): - Smile when answering - Make eye contact with camera - Nod to show you're listening - Use hand gestures (shows confidence)

Tone: - Enthusiastic but not salesy - Helpful, not pushy - Confident, not arrogant - Honest about limitations

Last Updated: November 7, 2025 Next Review: After first 5 beta calls