# vu1nz.com — Complete Ad Creative Pack

## 1. Campaign Summary

**Product:** vu1nz — GitHub App that scans CI/CD workflows AND new PR packages for supply-chain attacks

**Target Verticals:** Developer tools, DevSecOps, open-source security

**Primary CTA:** *Scan your public GitHub repo free.*

**Secondary CTA:** *Start a 14-day free trial.*

**Pricing:** $100/month per GitHub org after 14-day free trial (no credit card required)

---

## 2. Target Audience

| Segment | Role | Pain Point | vu1nz Solution |
|---|---|---|---|
| **Engineers who ship** | Software, DevOps, Platform | "I don't audit CI/CD YAML files or review every new npm package in PRs" | Auto-scans every PR — two scanners, one GitHub App install |
| **Security engineers** | AppSec, Security | "Dependabot/CodeQL miss workflow YAML and zero-CVE malware" | Catches CI/CD anti-patterns + typosquats/malicious install scripts |
| **CTOs / Tech Leads** | Decision-makers | "The tj-actions/Polyfill.io pattern keeps repeating" | Adds the missing security layer at $100/org/month |
| **Open-source maintainers** | OSS | "Free scanning for public repos, no signup" | Paste any public repo URL and get findings in 5 seconds |

---

## 3. Messaging Pillars

| Pillar | Tagline | Proof Point |
|---|---|---|
| **Breach prevention** | "Your code isn't where the breach comes from" | Every major supply-chain attack of the last 3 years had no CVE at install time |
| **Developer utility** | "Paste a GitHub repo. Get findings in 5 seconds." | No signup, no email — scan any public repo at vu1nz.com |
| **Competitive gap** | "Dependabot misses what actually breaches companies" | Dependabot = known CVEs only. vu1nz = CI/CD checks + new-package malware |
| **Fast install** | "One click. No YAML. No secrets." | GitHub App installs once on your org. Every repo protected automatically |
| **Open-source trust** | "MIT-licensed. Fork it. Self-host it." | Deterministic scanners run inside your GitHub runner. Source never leaves |

---

## 4. Meta Ads

### Ad Copy Variations

**Primary Text (3 variations):**

1. *Dependabot is silent on the two layers that actually get breached: your CI/CD YAML and the packages you merge every Wednesday. vu1nz runs 17 workflow checks + a malware sweep of every new npm/pip/cargo/gem in every PR. One GitHub App install. $100/org/mo after free trial.*
2. *March 2025: tj-actions/changed-files compromised 23,000+ repos. Dependabot: silent. CodeQL: silent. vu1nz caught it — because it scans the CI/CD workflow layer, not just CVE databases. Install once on your org. Every PR scanned automatically.*
3. *Your package-lock.json gets a new entry every week and nobody reads the diff. vu1nz does. It checks every new npm/pip/cargo/gem package against OSV.dev's real-time malware feed, typosquat distances, and install-script fingerprints. 14-day free trial. No card.*

**Headlines (3 variations):**

1. Catch CI/CD attacks before they merge
2. One app. Two scanners. Every PR.
3. What Dependabot doesn't see

**Descriptions (3 variations):**

1. Scan any public repo free at vu1nz.com → no signup
2. 17 CI/CD checks + package malware per PR. $100/org/mo
3. Install the GitHub App once. Every repo protected.

### Image Ad Concepts

**Concept A — "The Two Layers"**

- Split-screen visual: top half is a GitHub PR diff showing a YAML workflow file, bottom half is a package-lock.json diff
- Overlay text: "Two layers of risk. One scanner."
- CTA button: "Scan your public repo free"
- Format: 1080×1080, 1080×1350, 1200×628

**Concept B — "The Silent Breach"**

- Dev dashboard with all-green status checks, but a red warning overlay: "Dependabot ✅ | CodeQL ✅ | vu1nz: CRITICAL finding"
- Stack: PR comment thread showing vu1nz[bot] flagging CWE-829 / malware
- CTA button: "Install the GitHub App"
- Format: 1080×1080, 1080×1350

### Short Video Ad Concept (Meta Reels / Stories)

**Script (15 seconds):**

- [0:00-0:03] Screen recording of a GitHub PR being opened
- [0:03-0:06] Red warning overlay: "Dependabot: ✅ No issues"
- [0:06-0:09] vu1nz check run posts: "CRITICAL — Malicious package detected"
- [0:09-0:12] Cut to static card: "vu1nz catches what they miss"
- [0:12-0:15] CTA: "Scan your repo free → vu1nz.com"
- Format: 9:16 vertical, 1080×1920

---

## 5. Reddit Ads

### Promoted Post Titles (3 variations)

1. **Engineers who don't audit their CI/CD YAML — this is for you**
   *We built an open-source GitHub App that runs 17 CI/CD checks + a malware sweep on every PR. What it caught in the last week will make you install it immediately.*
2. **Dependabot is great at CVEs. It's terrible at supply-chain attacks.**
   *vu1nz catches the things that have no CVE yet — typosquats, malicious install scripts, zero-reputation packages. Free for public repos.*
3. **We scanned 50 popular GitHub repos with our free tool. Here's what we found.**
   *Spoiler: more than half had unpinned actions or risky workflow patterns. Try yours free at vu1nz.com.*

### Body Copy Variations (3)

1. *We built vu1nz after the tj-actions/changed-files breach hit 23,000 repos and neither Dependabot nor CodeQL flagged it. It's a GitHub App: one install, every PR scanned automatically. Two scanners — 17 CI/CD checks + package malware detection across npm, pip, cargo, gem, Go, Composer. MIT-licensed, deterministic checks run inside your runner (source code never leaves). Free 14-day trial, no card. Pay what you want if you self-host the CLI.*
2. *Quick story: last month one of our early users merged a PR with a typosquat of a popular npm package. None of their existing tools flagged it because the package had no CVE. vu1nz caught it via typosquat distance + install-script fingerprinting. That's the gap we're filling. Try the free public repo scanner at vu1nz.com — paste any repo, get findings in 5 seconds.*
3. *If you maintain or contribute to open-source repos, you know the drill: every PR adds packages, nobody audits the diff, Dependabot only checks known CVEs. vu1nz is a free-to-try GitHub App that adds CI/CD workflow checks + package malware detection to every PR. One install. No YAML files to maintain. $100/org/mo after 14-day trial, or MIT-licensed CLI for self-hosters.*

### Reddit-Native / Comment-Style Angles (2)

1. **Comment-style:** *"Post a GitHub repo link and I'll run it through our scanner. We'll reply with what it found."* (Engagement bait — reply with findings from the public scanner at vu1nz.com)
2. **AMA / discussion style:** *"Ask a security engineer: after the Polyfill.io and tj-actions compromises, what are you actually doing about supply-chain CI/CD risk? We built vu1nz specifically for this gap — happy to answer questions."*

### Reddit Image Ad Concepts

**Concept A — "Side by Side: Dependabot vs vu1nz"**

- Screenshot comparison: same PR, left column = Dependabot saying "No vulnerabilities found", right column = vu1nz bot saying "HIGH — CWE-829 Unpinned action"
- Bottom text: "Same PR. Different result."
- For r/devops, r/programming, r/netsec

**Concept B — "The supply-chain attack timeline"**

- 5-item timeline graphic: xz-utils → Polyfill.io → tj-actions → Shai-Hulud → ctx
- Each entry: date, impact, "CVE at time? No"
- Bottom: "vu1nz catches the layer they all exploited."
- For r/cybersecurity, r/opensource

---

## 6. Google Search Ads

### Short Headlines (10, max 30 chars each)

1. CI/CD Security Scanner
2. GitHub Actions Security
3. Supply Chain Malware Scan
4. Dependabot Alternative
5. CI/CD Attack Prevention
6. Package Malware Detector
7. GitHub PR Security Check
8. Free Repo Security Scan
9. npm Malware Scanner
10. CI/CD Vulnerability Tool

### Long Headlines (4, max 90 chars each)

1. Catch CI/CD and Supply-Chain Attacks Before They Merge
2. One GitHub App That Scans Every PR for Malware
3. Why Dependabot and CodeQL Miss the Real Breaches
4. Free Public Repo Scanner — Try It in 5 Seconds

### Descriptions (6, max 90 chars each)

1. Scan your public GitHub repo free. No signup needed.
2. 17 CI/CD checks + malware sweep of every new PR package.
3. Catches typosquats, malicious install scripts, unpinned actions.
4. Installs in 30 seconds. One GitHub App. Every repo protected.
5. $100/month per GitHub org. 14-day free trial. No card needed.
6. MIT-licensed. CLI free forever. Enterprise plans available.

### Suggested Keywords

**High intent (exact match negatives on existing brands):**

- github actions security scanner
- ci/cd security scanner
- supply chain security tool
- npm malware detection
- github pr security check
- workflow security scanner
- dependency malware scanner
- typosquat detector
- github actions vulnerability scanner
- package supply chain security

**Medium intent:**

- secure github actions
- devsecops github tool
- open source security scanner
- ci/cd pipeline security
- github app security
- pr check security
- automated security testing github
- repository security scanner

**Brand adjacent (add as negatives for "vu1nz" brand campaigns):**

- dependabot alternative (use with caution — position as complementary)
- codeql alternative
- snyk alternative

### Suggested Negative Keywords

- antivirus
- endpoint protection
- network security
- windows defender
- malwarebytes
- vpn
- firewall
- password manager
- ssl certificate
- web application firewall
- penetration testing services (if you don't offer manual pen testing)
- siem tool
- soc

---

## 7. Google Display Ads

### Display Ad Headline / Body Combinations (3)

1. **H:** Hackers don't target your code anymore.
   **B:** They target your CI/CD pipelines and package managers. vu1nz catches what Dependabot and CodeQL miss — on every PR. Scan any public repo free.
2. **H:** Your last PR probably added a zero-CVE package.
   **B:** That's how supply-chain attacks happen. vu1nz runs 17 CI/CD checks + a malware sweep on every pull request. Install once. Protect every repo.
3. **H:** tj-actions hit 23,000 repos. Dependabot missed it.
   **B:** vu1nz runs two deterministic scanners on every PR — CI/CD workflow checks + package malware detection. No YAML files. No secrets. One GitHub App.

### Banner Concepts (2)

**Concept A — "The Gap"**

- Visual: Two shields side by side labeled "Dependabot" (covers 30%) and "CodeQL" (covers 40%), with a large gap in between labeled "CI/CD + Supply Chain (vu1nz)"
- Tagline: "What your current stack misses"
- CTA: "Scan free → vu1nz.com"

**Concept B — "One Install"**

- Visual: A single puzzle piece labeled "vu1nz" clicking into a GitHub interface
- Tagline: "One GitHub App. Two scanners. Every PR."
- CTA: "Install free"

### Banner Sizes

| Size | Use Case |
|---|---|
| 300×250 | Medium rectangle — standard placement |
| 336×280 | Large rectangle |
| 728×90 | Leaderboard |
| 970×250 | Billboard |
| 160×600 | Wide skyscraper |
| 300×600 | Half page |
| 320×50 | Mobile banner |
| 320×100 | Large mobile banner |

---

## 8. YouTube / Video Concepts

### YouTube Shorts / Vertical Video Concept (9:16)

**Title:** "The supply-chain attack your tools miss"

**Script (30 seconds):**

- [0:00-0:05] Dev opens GitHub PR, scrolls past a new npm package addition
- [0:05-0:10] Text overlay: "Dependabot says: ✅ No CVEs found"
- [0:10-0:18] Split screen: left shows Dependabot green check, right shows vu1nz red alert — "MALWARE detected — typosquat"
- [0:18-0:25] "vu1nz catches packages with no CVE yet. Typosquats. Malicious install scripts."
- [0:25-0:30] "Install once on your GitHub org. Every PR scanned. → vu1nz.com"

### 15-Second Pre-Roll Video Script (16:9)

**Visual:** Side-by-side PR comments from Dependabot (green check) and vu1nz (red CRITICAL flag)

**VO/Text:** "Dependabot checks known CVEs. We check what doesn't have a CVE yet. vu1nz — one install, two scanners, every PR. Start free at vu1nz.com."

### Recommended Video Formats

| Format | Size | Platform |
|---|---|---|
| 9:16 vertical | 1080×1920 | YouTube Shorts, Instagram Reels, TikTok |
| 1:1 square | 1080×1080 | Facebook/Instagram feed |
| 16:9 landscape | 1920×1080 | YouTube pre-roll, LinkedIn |

---

## 9. Image Creative Briefs

### Brief A — "The Side-by-Side"

**Purpose:** Show the competitive gap visually

**Elements:**

- Left 50%: Green-tinted card labeled "Dependabot" with text "No vulnerabilities found ✅"
- Right 50%: Red-tinted card labeled "vu1nz" with text "CRITICAL — Malware detected"
- Arrow or divider between them
- Bottom CTA: "Scan your repo free →"

**Color palette:** Dark mode (matching vu1nz.com aesthetic) — charcoal backgrounds, green/red indicators, white text, accent color (brand cyan/teal)

**Tool suggestions:** Canva, DALL·E, Midjourney prompt: *"Split screen UI comparison, left side green security check, right side red critical alert, dark mode developer aesthetic, clean modern design"*

### Brief B — "The Timeline"

**Purpose:** Show the urgency/pattern

**Elements:**

- Horizontal timeline with 5 attack logos/badges: xz-utils → Polyfill.io → tj-actions → Shai-Hulud → ctx
- Each badge: name + date + "no CVE" watermark
- Below timeline: "vu1nz catches the layer they all exploited"
- CTA: "Start free trial"

**Tool suggestions:** Canva, Midjourney: *"Horizontal timeline infographic, cybersecurity supply chain attacks 2022-2025, dark theme, red alert markers, developer aesthetic"*

### Brief C — "One Install, Every PR"

**Purpose:** Show simplicity of setup

**Elements:**

- GitHub interface mockup with a single click / "Install App" button highlighted
- Below: three PRs each showing a vu1nz check run
- Tagline: "One click. No YAML. Every repo."
- CTA: "Install the GitHub App"

---

## 10. Recommended Ad Sizes (Summary)

| Platform | Primary Sizes |
|---|---|
| **Meta (FB/IG)** | 1080×1080 (feed), 1080×1350 (mobile), 1200×628 (link), 1080×1920 (stories/reels) |
| **Reddit** | 1200×628 (promoted posts), native text/comment ads |
| **Google Search** | Text only — RSA format |
| **Google Display** | 300×250, 336×280, 728×90, 970×250, 160×600, 300×600, 320×50, 320×100 |
| **YouTube** | 1920×1080 (pre-roll), 1080×1920 (shorts) |

---

## 11. Suggested Keywords (Expanded)

### Search Campaign — "CI/CD Security"

- github actions security, ci/cd security scanner, github workflow security, secure github actions, github actions vulnerability, ci/cd pipeline security, github action scan

### Search Campaign — "Supply Chain Security"

- supply chain security tool, dependency security scanner, npm malware scanner, package supply chain security, open source supply chain security, software supply chain attacks

### Search Campaign — "Dependabot Alternative"

- dependabot alternative, beyond dependabot, codeql alternative, what dependabot misses, supplement dependabot, snyk alternative for ci/cd

### Search Campaign — "PR Security"

- pull request security check, automated pr security, github pr scan, pr vulnerability scanner, pr check security

### Search Campaign — "Free Security Scanner"

- free github security scanner, free repo scanner, free ci/cd scanner, public repo security check

---

## 12. Suggested Negative Keywords

- antivirus software, endpoint protection, network firewall, windows defender
- malwarebytes, norton, mcafee, kaspersky
- web application firewall, waf, cdn security, ddos protection
- ssl certificate, https, tls, encryption
- password manager, 2fa, mfa, authentication
- vpn service, proxy, dns filtering
- cloud security posture management (CSPM) — unless you expand there
- saas security posture management (SSPM)
- bug bounty platform
- soc 2 compliance tool (unless you offer compliance features)
- Brand negatives: *dependabot* (if running defensive campaign), *snyk* (if not competing directly), *github advanced security* (complementary, not competitive)

---

## 13. Best 3 Ads to Test First

### Test #1 — Google Search Ad (Highest intent traffic)

**Headline:** CI/CD Security Scanner — Free Trial

**Description:** Scan every PR for workflow vulnerabilities + package malware. 17 CI/CD checks. One GitHub App install. 14-day free trial. No card needed.

**Landing page:** vu1nz.com (hero section with live scanner)

### Test #2 — Meta/Instagram Feed Ad (Visual, awareness)

**Creative:** Split-screen image (Concept A — Dependabot green vs vu1nz red)

**Copy:** *"Same PR. Same diff. One tool said ✅, the other said 🚨. vu1nz catches what Dependabot and CodeQL miss — CI/CD workflow risks and zero-CVE malware. One GitHub App install. Every PR scanned automatically. → Scan your repo free"*

**Targeting:** Interests = GitHub, DevOps, Cybersecurity, Software Development, Node.js, Python

### Test #3 — Reddit Promoted Post (Community-driven, high engagement)

**Title:** *We scanned 50 popular GitHub repos. Here's what we found about CI/CD security.*

**Body:** Genuine findings post listing stats (X% had unpinned actions, Y had secrets in workflows, Z typosquatable packages), then introduce vu1nz as the tool that caught them. Finish with free public scanner link.

**Subreddits:** r/devops, r/programming, r/netsec, r/github