Hacker News "Show HN" Post Strategy

Date: November 6, 2025
Target: Front page of HN (500+ points ideal)
Expected Reach: 10,000-50,000 views if successful
Expected Conversion: 0.5-1% = 50-500 interested people


IMPORTANT: When to Post on Hacker News

Don't post yet! Post on HN AFTER:

  1. ✅ You have 5-10 beta testers using it
  2. ✅ You have at least 1-2 testimonials
  3. ✅ You've fixed major bugs from Reddit feedback
  4. ✅ You have a demo video or live demo site

Why wait?

  • HN audience is highly critical
  • You only get one shot (reposting = ban)
  • Better to launch with social proof than without
  • If it flops, you can't try again

Best timing: 2-4 weeks after Reddit launch (late November)


Show HN Post Version 1: Technical Deep-Dive (Recommended)

Title: (60 characters max, critical for success)

Show HN: CodeSlick – Automated security analysis for GitHub PRs

Alternative titles:

Show HN: CodeSlick – Security scanner for GitHub (79+ checks, €99/mo)
Show HN: I built a cheaper Snyk alternative (4 months, solo dev)
Show HN: Security analysis for GitHub PRs (OWASP compliant, AI fixes)

Body: (Keep under 500 words)

Hi HN,

I'm Vitor, solo developer. I built CodeSlick over the past 4 months - automated security analysis for GitHub PRs.

**Live demo:** https://codeslick.dev
**Example PR analysis:** [link to screenshot/demo]

**What it does:**

When you open a GitHub PR, CodeSlick automatically:
1. Scans for 79+ security vulnerabilities (SQL injection, XSS, command injection, hardcoded credentials, etc.)
2. Checks dependencies for known CVEs (npm, pip, Maven via Google OSV)
3. Analyzes API security (insecure HTTP, missing auth, CORS misconfig)
4. Generates AI-powered fix suggestions
5. Posts a comment with findings + CVSS severity scores

Analysis takes 2-3 seconds per file.

**Why I built it:**

I was consulting for a startup doing Series A due diligence. VCs dinged them for security issues in their codebase.

They asked: "Why didn't you use Snyk?"

Answer: "We have 8 developers. Snyk is $98/month per developer. That's $800/month. We're bootstrapped."

So I built CodeSlick: €99/month for 5 developers (not per seat). Same coverage, 80% cheaper.

**Technical implementation:**

- Custom AST parsers for JavaScript/TypeScript (using Acorn)
- Python AST analysis (regex + pattern matching for security issues)
- Java parser for enterprise security patterns
- Google OSV integration for dependency scanning
- Next.js 15 + TypeScript + Neon Postgres
- GitHub App for PR webhooks
- Vercel hosting (sub-3s cold start)

**Security checks (79+ total):**
- Static analysis: SQL injection, XSS, command injection, eval usage, unsafe deserialization, path traversal, XXE, LDAP/XPath injection, weak crypto, regex DoS
- Dependencies: npm/pip/Maven vulnerability scanning
- API security: insecure HTTP, missing auth, API key exposure, CORS, rate limiting
- Compliance: OWASP Top 10 2021 (100% coverage), CWE mapping, PCI-DSS

**Languages supported:**
JavaScript, TypeScript, Python, Java (Go/Rust on roadmap)

**Current status:**

- A- security rating (OWASP audit)
- 536 passing tests
- 10 beta testers (from Reddit r/devops)
- Average: 12 vulnerabilities found per repo
- False positive rate: ~5-10%

**What I learned:**

1. Writing AST parsers is harder than I expected (especially Java)
2. False positives are the #1 complaint (working on ML-based filtering)
3. Developers want speed (<5s) over perfect accuracy
4. Pricing is hardest part - had 3 different models before settling on this

**Limitations (being honest):**

- GitHub only (no GitLab/Bitbucket yet)
- 4 languages only (no C/Go/Rust yet)
- Solo founder (no 24/7 support)
- EU hosting only (Vercel EU, GDPR compliant)

**Try it:**

Free for HN users - first 30 days free, no credit card.
https://codeslick.dev

**Happy to answer questions about:**
- Static analysis implementation
- AST parsing challenges
- Security pattern detection
- Startup pricing strategy
- GitHub App development

---

Built this solo over 4 months (nights/weekends). Would love feedback from the HN community!


Show HN Post Version 2: Story-First (More Engaging)

Title:

Show HN: I spent 4 months building a $99/mo alternative to Snyk ($800/mo)

Body:

Hi HN,

4 months ago, I was helping a startup with Series A due diligence. The VCs found security vulnerabilities in their code.

VC: "Why aren't you using automated security scanning?"

Founder: "Snyk wants $98/month per developer. We have 8 devs. That's $800/month."

I thought: there has to be a cheaper way.

So I built CodeSlick.

**What it is:**
Automated security analysis for GitHub PRs. Scan for 79+ vulnerabilities (SQL injection, XSS, hardcoded secrets, etc.). €99/month for 5 developers.

**Live demo:** https://codeslick.dev

**How it works:**
1. Install GitHub App (5 mins)
2. Open a PR
3. CodeSlick comments with security findings (2-3 second analysis)
4. Click "Generate Fix" for AI-powered suggestions

**Tech stack:**
- Next.js 15 + TypeScript
- Custom AST parsers (Acorn for JS/TS, custom for Python/Java)
- Google OSV for dependency vulnerabilities
- Neon Postgres + Vercel hosting
- Sub-3s analysis time

**What I learned (the hard way):**

1. **False positives are brutal** - First version had 30% false positive rate. Now ~5-10%. Still working on this.

2. **Pricing is hard** - Tried per-repo pricing ($29/mo), per-analysis pricing ($0.50/analysis), and per-seat pricing ($19/dev). All failed. Finally settled on flat team pricing (€99 for 5 devs).

3. **Developers want fast >> perfect** - I spent 2 weeks optimizing accuracy from 85% to 92%. Users didn't care. They cared that it was fast (<5s).

4. **Building for startups != building for enterprises** - Startups want simple pricing, fast setup, no sales calls. Enterprises want custom contracts, compliance docs, SOC 2. I'm targeting startups.

**Current status:**
- 10 beta testers (from Reddit)
- Average: 12 vulnerabilities found per codebase
- A- OWASP security rating
- 536 passing tests

**Limitations:**
- GitHub only (no GitLab yet)
- JS/TS/Python/Java only (no Go/Rust yet)
- Solo founder (just me)
- EU hosting only

**Try it free (HN discount):**
https://codeslick.dev

First 30 days free for HN users. No credit card required.

**Questions welcome!** Happy to discuss static analysis, AST parsing, security patterns, or startup pricing strategy.

---

Solo dev, 4 months, nights & weekends. Feedback appreciated!


Hacker News Posting Strategy

1. Title is 80% of Success

Good titles:

  • ✅ "Show HN: CodeSlick – Automated security analysis for GitHub PRs"
  • ✅ "Show HN: I built a cheaper alternative to Snyk (4 months, solo)"
  • ✅ "Show HN: Security scanner for GitHub PRs (79+ checks, €99/mo)"

Bad titles:

  • ❌ "Show HN: CodeSlick" (too vague)
  • ❌ "Show HN: The best security tool for developers" (superlatives = downvotes)
  • ❌ "Show HN: Snyk killer" (negative framing)

Title formula:

Show HN: [Product Name] – [Clear value prop in 4-6 words]

2. Best Time to Post

Optimal posting times:

  • Monday-Thursday, 8-10 AM EST (when US tech workers arrive at office)
  • NOT Friday (low engagement)
  • NOT weekends (HN traffic drops 50%)

Why timing matters:

  • First 30 minutes determine if post gets traction
  • Need 5-10 upvotes in first 30 mins to hit front page
  • If no early traction, post dies quickly

3. Be Present for First 2 Hours

Critical first 2 hours:

  • Answer every comment within 5 minutes
  • Be helpful, not defensive
  • Admit limitations honestly
  • Ask follow-up questions
  • Thank people for feedback

Example responses:

  • "Great question! Here's how we handle that..."
  • "You're right, that's a limitation. Here's why..."
  • "I hadn't thought of that - adding to roadmap. Thanks!"

4. HN Community Expectations

What HN Upvotes:

  • ✅ Technical depth (show your code, explain algorithms)
  • ✅ Honesty (admit limitations, share failures)
  • ✅ Solo founder story (HN loves indie hackers)
  • ✅ Open to feedback (respond to all comments)
  • ✅ Pricing transparency (no "contact us for pricing")

What HN Downvotes:

  • ❌ Marketing speak ("revolutionize", "disrupt", "game-changer")
  • ❌ Hiding limitations
  • ❌ No live demo/code samples
  • ❌ Defensive responses to criticism
  • ❌ Not engaging in comments

5. Have These Ready Before Posting

  • Live demo site (https://codeslick.dev)
  • Example PR with CodeSlick comment (screenshot)
  • 2-min demo video (optional but helps)
  • Testimonial from 1-2 beta users
  • Architecture diagram (HN loves technical details)
  • GitHub repo (even if private, show something)

Comment Response Templates for HN

"How is this different from [competitor]?"

Good question.

Snyk: Primarily dependency scanning, per-seat pricing ($98/dev/mo)
SonarQube: Code quality focused, self-hosted, complex setup
Semgrep: OSS but limited rules, enterprise = expensive

CodeSlick: Static analysis + deps, flat team pricing (€99 for 5 devs), GitHub-native, 5-min setup

Not trying to replace enterprise tools. Targeting bootstrapped startups that can't afford $800/mo.

What would make this more useful for your use case?

"Why not just use ESLint plugins?"

You're right - ESLint covers some of this (especially for JS/TS).

CodeSlick adds:
1. Cross-language (Python, Java, not just JS)
2. Dependency CVE scanning (ESLint doesn't do this)
3. AI-powered fix suggestions
4. OWASP compliance reporting
5. Works for non-JS devs on the team

Think of it as "ESLint + Snyk + auto-fix" in one GitHub App.

Fair point though - if you're JS-only, ESLint might be enough.

"This seems expensive for what it does"

Appreciate the feedback.

Breakdown:
- €99/month = €1,188/year for 5 developers
- That's €237.60 per developer per year
- Or €19.80/dev/month

Snyk: $98/dev/month = $588/dev/year

For context, competitors:
- Snyk: $98/dev/mo ($5,880/year for 5 devs)
- Veracode: $20k-50k/year
- Checkmarx: $30k+/year

I'm trying to find the sweet spot between "free" (ESLint) and "enterprise" ($$$).

What price point would make sense for your team?

"Can I see the code?"

Not open source (yet), but I can show:
- Architecture diagram: [link]
- Example security rules: [link]
- Technical deep-dive blog post: [link]

Considering open-sourcing the static analysis rules (similar to Semgrep's rules).

What specifically would you want to see? Happy to walk through on a call.

"False positive rate seems high (5-10%)"

You're right - 5-10% is not great.

For context:
- Semgrep: ~15-20% false positive rate
- SonarQube: ~10-15%
- Snyk Code: ~5-8%

Working on improving this with:
1. ML-based filtering (learning codebase patterns)
2. User feedback loop (mark as false positive → retrain)
3. Context-aware analysis (understanding framework patterns)

Current bottleneck: I'm solo, limited ML expertise.

What's your tolerance for false positives? Would 2-3% be acceptable?

"Why should I trust a solo founder with security?"

Fair concern. Security is critical.

Here's my credibility:
- A- OWASP security rating (public audit)
- 536 passing tests (including security tests)
- GDPR compliant (EU-hosted)
- 10 beta testers (no security incidents)
- Only reads PRs (not entire repos)
- Nothing stored long-term (24h cache max)

That said - I'm not trying to replace enterprise security teams.

Target: Startups with 0 security tools (better than nothing) until they can afford enterprise solutions.

What would make you trust this more?

Technical Deep-Dive Questions

Great question! Let me explain the implementation:

[Provide detailed technical answer with code examples, links to docs, architecture diagrams]

I learned [specific lesson] building this part.

Have you worked on similar problems? Would love to hear your approach.

Expected Results from Show HN

Success Scenario (Front Page):

  • 200+ points (upvotes)
  • 100+ comments
  • 20,000-50,000 views
  • 50-200 signups
  • ProductHunt/Twitter pickup (viral effect)

Moderate Success:

  • 50-100 points
  • 30-50 comments
  • 5,000-10,000 views
  • 20-50 signups

Minimal Success:

  • 20-50 points
  • 10-20 comments
  • 1,000-3,000 views
  • 5-15 signups

Even minimal success = Worth it!


After Show HN Success

1. Collect Testimonials

DM top commenters:

Hey [name], thanks for the positive feedback on HN!

Would you be willing to provide a short testimonial quote?

Something like: "[CodeSlick] saved us X hours / found Y vulnerabilities / etc."

I'll feature it on the landing page (with your permission).

2. Write Follow-Up Posts

  • "What I learned launching on Hacker News" (meta post)
  • "How CodeSlick works under the hood" (technical deep-dive)
  • "Show HN: CodeSlick v2.0 - Added [features from feedback]"

3. Track HN Referrals

Add to your landing page analytics:

  • UTM params: ?ref=hackernews
  • Track conversion rate from HN
  • Compare to Reddit, LinkedIn, etc.

4. Engage with Critics

If someone points out a real limitation:

  • Thank them publicly
  • Add to roadmap
  • Email them when it's fixed
  • Turn critic into advocate


Pro Tips for HN Success

1. Engage Deeply in Comments

Don't just reply "thanks!" Ask follow-up questions:

Interesting point about [topic].

How do you currently handle [problem]?

Would [solution] work for your use case?

2. Show Vulnerability

HN respects honesty:

"I'm a solo dev with limited ML expertise. False positive rate is 5-10% and I'm working to improve it. Open to advice from the HN community."

3. Provide Technical Value Beyond Product

Share learnings:

"For anyone building AST parsers, here's what I learned:

1. [Technical insight]
2. [Code example]
3. [Resource link]

Happy to elaborate on any of these."

4. Don't Argue with Critics

If someone says your tool sucks:

"Appreciate the feedback.

What would make this more useful for you?

Not trying to build a perfect tool - just trying to solve a problem I saw."

5. Update Post with Edits

After 2-3 hours, edit your post:

Edit: Wow, front page! Thanks HN.

Quick updates based on feedback:
- Added [feature] to roadmap
- Fixed [bug] someone mentioned
- Clarified [confusion]

Still answering questions!


Warning Signs (Don't Post If...)

Don't post on HN if:

  • [ ] You can't be online for 2-3 hours after posting
  • [ ] Your product is buggy and crashes frequently
  • [ ] You have no testimonials or beta users yet
  • [ ] You're not ready for 1,000+ signups (server capacity)
  • [ ] You can't handle harsh criticism professionally
  • [ ] Your demo site is down or slow

Fix these first, then post.


Your HN Posting Timeline

Week 1-2 (Now): Don't Post Yet

  • Get 10 beta testers from Reddit
  • Fix major bugs
  • Get 2-3 testimonials
  • Prepare demo video

Week 3 (Late November): Prepare

  • Write Show HN post (use Version 1 or 2 above)
  • Screenshot example PR analysis
  • Create architecture diagram
  • Test demo site under load

Week 4 (Early December): Post

  • Monday-Thursday, 8-10 AM EST
  • Clear your calendar (next 3 hours)
  • Be ready to answer questions

Week 5: Follow Up

  • Thank everyone who commented
  • Write follow-up blog post
  • Engage with ProductHunt (if you want)

Backup Plan: If HN Post Flops

If you post and get <20 upvotes:

Don't panic. Try again in 3-6 months with:

  1. More traction (50+ users)
  2. Better demo (video showing real results)
  3. Case study ("How [Company] found 50 vulnerabilities")
  4. Open-source angle ("Open-sourcing our security rules")

One-time failure ≠ product failure. HN is unpredictable.


Success Metrics

Minimum Success:

  • 20+ upvotes (post visible on front page)
  • 10+ comments (engagement)
  • 5+ signups (conversions)

Good Success:

  • 100+ upvotes (top 10 front page)
  • 50+ comments (high engagement)
  • 30+ signups (strong conversions)

Exceptional Success:

  • 200+ upvotes (top 3 front page)
  • 100+ comments (viral)
  • 100+ signups (hockey stick)

Next Steps

  1. Post on Reddit first (this week)
  2. Get 10 beta testers (next 2 weeks)
  3. Collect testimonials (week 3)
  4. Post on HN (week 4 - late November)

Don't rush HN. You only get one shot. Make it count.


I'll help you prepare when you're ready!