Resource Library
Free guides, templates, and checklists.
The playbooks behind every web, software, iOS, and security SKU — packaged into one-pagers, not 200-page PDFs. Most are free to grab.
18 ready now · 16 free with email · 2 more shipping this month
Featured · Latest drop
HIPAA Technical Safeguards checklist (45 CFR § 164.312, mapped to your stack)
23 specific checks against the HIPAA Security Rule's Technical Safeguards — encryption at rest + in transit, access control + RBAC, audit log integrity, transmission security. Mapped to common stacks (Postgres, S3, Auth0, Cognito) so engineering can act on it.
Library
All resources
Trading-platform pentest checklist (the order-flow attack paths)
31 specific tests for order tampering, market-data feed integrity, FIX protocol session takeover, settlement-window race conditions, and fat-finger control bypass. Built for retail brokers and prop trading platforms.
Multi-tenant SaaS pentest checklist (the gaps OWASP doesn't list)
27 specific tests for cross-tenant IDOR, broken RLS predicates, JWT scope leaks, shared S3 paths, and leaky webhook payloads. The SaaS-specific failure modes a generic external pentest misses.
Make any POST endpoint safe to retry
Idempotency keys, retry semantics, replay protection. Express + Postgres reference implementation you can drop into a new service.
47 controls insurers ask about before they'll quote you
What evidence each control requires, which ones are cheap to fix, and which ones are silently raising your premium. Built from real underwriting questionnaires.
Price a productized SKU in one afternoon
The spreadsheet we use to size SKUs against real delivery cost, plus the four pricing rules that keep margin above 40%.
38 web-perf checks before you ship to production
The exact LCP, CLS, and INP fixes we run on every B2B SaaS project, grouped by impact. Skip the ones that don't move Core Web Vitals.
Every App Store reject reason we've hit (and the fix)
Privacy manifest, screenshots, review notes, IDFA disclosure. The traps Apple actually rejects on, with the exact code or copy that gets you approved.
OWASP Top 10, annotated with the bugs agencies keep shipping
The real vulnerable patterns we find on agency-built apps, mapped to OWASP. Each item includes a broken code sample and the patched version.
12 risk controls to wire in before your trading system goes live
Position sizing, stop-loss, max drawdown, kill switches. The controls we never deploy without — pseudocode and config thresholds included.
Ship a production RAG pipeline without rewriting it twice
End-to-end architecture diagram plus a Terraform-ready stack: Pinecone, embedding worker, eval harness. The shape we wish we'd started with.
Fixed-price MSA: source-code-yours, refund-on-slip
The lawyer-reviewed contract template we sign with every Founders' Deal client. Fork it, swap the names, ship it to your own clients.
Find dangling DNS records before an attacker does
Open-source Python script. Point it at a domain, get back every CNAME pointing at a deprovisioned cloud resource — the entry vector for subdomain takeover.
Stripe Connect for marketplaces, without the support tickets
Payout schedules, KYC handoff, refund flows, dispute routing — the patterns we ship to production, with the code that handles the edges.
Scope an MVP onto one page in 30 calendar days
The one-page spec we hand engineering before kickoff. Three filled-in examples from real Founders' Deal projects, so you can see what we cut.
Get a vendor to read your vulnerability report
First-contact and escalation templates that route past the support queue. Same shape used on disclosure submissions to Fortune 500 security teams (templates, not customer engagements).
Pass App Store privacy review on the first try
Required-reason APIs, third-party SDK manifests, and the exact reject reasons we've hit. One page per category, no Apple-doc spelunking.
Land a Lighthouse 95+ on every Next.js project
Image, font, analytics, and route-segment config — the exact next.config.js patterns we ship. Score on a fresh build, not a cached one.
Our own brand guidelines, fork-able
Colors, type stack, voice rules, do/don't. Useful as a working reference if you're writing yours — or want to see what we held ourselves to.
60 discovery questions to ask before you write code
Categorized by stage — problem, willingness-to-pay, workflow, churn. The bank we run on every new product engagement, anti-leading-question.
New resources weekly
Get every new drop, the day it lands.
We publish a new template, checklist, or guide most weeks. Subscribe and we’ll send each one to you directly. No spam, no upsell.
Want a resource on a specific topic?
Tell us what would actually help. If five people ask for the same one, we usually write it that month.