u/Inside_Army_5960

I’m doing research on security practices at SMBs (20-300 employees) and trying to understand real-world challenges.

For those managing IT at companies without dedicated security teams:

1- What’s your biggest headache around employee security behavior?

Phishing clicks, weak passwords, credential sharing, something else?

2- What tools/processes do you currently use?

Email filters, password managers, training, nothing specific?

3- What would actually help that doesn’t exist yet?

Or is this just not a priority compared to other IT fires?

Any insight will helpful.

After you build your prototype / MVP you realise that now you actually have to go find real users to validate your idea, and it’s definitely not as easy as you expect.
I’ve been grinding on my product for months and finally have something worth showing, but now I’m hitting the hardest part, actually getting people to use it. Cold outreach gets ignored, posting in communities feels spammy, and my personal network is already tapped out.

I see other founders talking about their “first 10 customers” like it just happened naturally, but I’m struggling to get even one person to take it seriously. The product solves a real problem (at least I think it does), but without users, I can’t validate if I’m building the right thing or just wasting time.

For those who’ve been through this, what actually worked for you? Did you do something specific that got traction, or is it just a numbers game of grinding through rejection until something clicks?​​​​​​​​​​​​​​​​

I’m a final year cyber security student who’s built a behavioural security tool that detects phishing and risky credential behavior in real-time. It’s working technically, but I’m hitting a wall finding UK SMBs (20-300 employees) willing to pilot it for 30 days free.

The main objections I’m getting:
- “We already have security tools” (even when they’re just antivirus)
- “We’re too busy to onboard new tools”
- Decision makers are hard to reach (IT managers say they’re interested, but need CISO/CFO approval)

For those who’ve successfully piloted B2B security tools or worked in SMB IT/security:
\- How did you get past the “we’re too busy” objection?
\- What’s the best way to reach actual decision makers at 20-100 person companies?
\- Is offering free pilots even the right approach, or does “free” signal low value?
Not looking for paying customers here, genuinely trying to figure out if my go-to-market approach is fundamentally broken or if this is just the normal grind of early-stage B2B.
Any feedback is appreciated.