I added a $29 "sanity check" tier next to my $99 security audit — here's why solo devs leave money on the table without it
I publish 10 free security scanners on the Apify Store, one each for Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, and Nhost. Each one ends its HTML report with a CTA to my $99 turnkey-fix service: I do the audit + write the fix + verify it, 48-hour turnaround, money-back if I miss anything actionable.
The funnel ran for 48 hours after I planted those CTAs. Zero clicks.
The scanner traffic wasn't zero — I had a few dozen runs across projects — but nobody clicked through to Stripe. I started asking around in dev Slacks why. Three answers kept coming up:
- "I don't have a budget for $99 with no relationship."
- "I'd want to talk to you first, but $99 feels too high for a 'is this guy real' kind of message."
- "What if you don't find anything? Money-back is fine but I don't want the friction of the refund."
That's the classic gap between "free tool" and "high-commit purchase." There's no middle rung.
So I added one.
The $29 tier
I created a new Stripe payment link: $29 quick scan + 1-page written report in 24 hours. I run the scanner on the customer's project, write up a one-page summary of what's leaking and how to fix it (prioritized), email it within 24 hours, full refund if I find nothing actionable.
Crucially: it does NOT include the fix. That's the $99 tier. The $29 tier is the "is this guy legit" transaction — low enough to be a no-brainer, high enough that it filters out tire-kickers, and high enough that the next sale becomes natural conversation rather than cold pitch.
Stripe link took 90 seconds:
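# Assumes STRIPE_SECRET_KEY is exported in the environment; the trailing colon means an empty basic-auth password.
# 1. product (the response contains the product id, shown below as prod_XXX)
curl -X POST https://api.stripe.com/v1/products -u "$STRIPE_SECRET_KEY:" -d "name=BaaS Security Quick Scan (30min review + report)"
# 2. price (unit_amount is in cents; the response contains the price id, shown below as price_XXX)
curl -X POST https://api.stripe.com/v1/prices -u "$STRIPE_SECRET_KEY:" -d "product=prod_XXX" -d "unit_amount=2900" -d "currency=usd"
# 3. payment link (the response contains the shareable URL)
curl -X POST https://api.stripe.com/v1/payment_links -u "$STRIPE_SECRET_KEY:" -d "line_items[0][price]=price_XXX" -d "line_items[0][quantity]=1"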
Done. Plant the URL in every scanner's HTML report next to the $99 link.
Why solo devs underprice this rung
Most solo devs publishing free tools have one paid offering — usually some flavor of "I'll do it for you" priced at $99-$500. The conversion ladder looks like:
free tool → $99 commitment → ???
That single jump is the killer. The conversion rate from "ran the free tool" to "pays $99" hovers somewhere around 0.5-1% for unknown publishers. Most of the people who would happily pay you $29 to talk to you bounce because the only option is the high-commit one.
The Hormozi-flavored framing: every offer should have a tripwire — a deliberately-low-priced first transaction whose only purpose is to convert a stranger into a customer. The unit economics on the tripwire don't have to make sense in isolation. The tripwire is the gateway to the $99 — and then to the $29/mo recurring subscription, which is where the real money is.
What the numbers should look like
For a free tool with light traffic:
- 100 free runs → 5 expressed interest → 2-3 buy $29 → 1 of those upgrades to $99 → maybe 1 of those signs up for the $29/mo recurring scan
LTV on that single conversion path: $29 + $99 + ($29 × 6 months avg) = $302 per converted lead.
Without the tripwire, the math is:
- 100 free runs → 5 expressed interest → 0.5 buy $99 → 0.1 sign up for $29/mo recurring
LTV: $99 × 0.5 + $29 × 6 × 0.1 = $66 per 100 runs.
The tripwire turns the same upstream traffic into ~4.5× revenue. The new offer doesn't even need to be profitable — it just needs to filter and credentialize.
The implementation detail nobody talks about
Adding the $29 link to the HTML report wasn't enough. The order matters. Hormozi calls this the "value ladder." I put the $29 CTA on the left, $99 on the right, color the $29 green (positive/accessible), $99 blue (premium/serious), and let the customer feel the choice.
<a class="cta cta-tripwire" href=".../buy/00w4gz9TWef0">
$29 — Quick scan + 24h report
</a>
<a class="cta cta-primary" href=".../buy/00w9AT9TWdaW">
$99 — Full audit + permission rewrites (48h, money-back)
</a>
Two CTAs, side by side. The visitor's gaze finds the $29 first and the comparison happens automatically. Most either click $29 (lower friction) or upgrade themselves to $99 by reading the higher-value description.
Try it on your own project
If you ship on Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, or Nhost — run my scanner on your project. It's free, 30 seconds, and uses a demo mode if you'd rather see what the report looks like before pasting your own keys.
- All 10 scanners: apify.com/renzomacar
- Open-source CLI for Supabase: @perufitlife/supabase-security
- $29 quick scan: stripe
- $99 turnkey audit: stripe
If the tripwire approach lands, I'll write a follow-up in 30 days with the actual conversion numbers — the published math, not the textbook one.
Renzo, solo developer in Lima, Peru. Building supabase-security, 10 Apify security scanners, and other things at the intersection of "I should automate this" and "let me ship it as a product."
If this resonated, a follow on dev.to helps a solo dev keep shipping. Or just leave a review on any of the 10 scanners — reviews are the single biggest lever a new Apify publisher has.