u/International_Lack45

Solo founder here, recently launched my first SaaS after years of unfinished side projects.

I have a working product and a small waitlist. What I don't have is a clear direction on where to focus for user acquisition.

Honestly, I feel completely paralyzed by the sheer number of options. I catch myself changing strategy almost every week : Monday I'm convinced SEO is the answer, by friday I'm planning a Tiktok content calendar, and the next week I'm reading about cold outreach instead.

The problem isn't a lack of options. It's the OVERLOAD of options that every founder swears by :

→ SEO (long-term but slow to compound)
→ Instagram / TikTok (visual content, daily posting)
→ YouTube (high effort, high reward)
→ Build in public (Twitter/X, LinkedIn)
→ Reddit and niche communities
→ Cold outreach (email, DMs)
→ Personal brand
→ Paid ads (Google, Meta)
→ Partnerships and collaborations
→ Affiliate or referral programs

Every founder I read claims theirs is "the one that worked". And they're all probably right in their own context. But I can't realistically execute on all of them solo without burning out or doing all of them poorly. And constantly switching strategies is making me move forward on nothing.

So my question to those of you who've been through the "first 100 users" phase :

How did you actually CHOOSE your first channel ?
Did you go deep on one channel, or spread thin across two or three at once ?
Looking back, what would you do differently in your first 90 days post-launch ?
Were there channels you tried that turned out to be a complete waste of time given your stage ?

I'm not looking for a magic answer. I'm looking for honest patterns from people who've actually shipped and grown something.

A few days ago, I launched Supadrop, a static site hosting platform for non-technical users. First real launch ever, after years of abandoned side projects. I was already nervous about the launch. What I wasn't ready for was the next 24 hours.

The "first users" moment Day 1.
I check my dashboard. Two new sites are live. I genuinely smiled. First users. Ever.
Then I looked at the slug of one of them : "bankswift". My smile faded. I opened the site. Fake cPanel login page. Captures credentials, sends them to an external server. Classic phishing kit, deployed on my brand new platform.
The second site ? Same pattern, different fake login. I just sat there for a second. The "I made it !" feeling got replaced by something heavier : I'm now responsible for what people do on this thing.

Lesson 1 : Build for abuse before you build for users
I had no moderation system. I figured I'd add it later, once I had real users.
Spoiler : scammers ARE real users. Sometimes the first ones. I spent the afternoon with Claude Code building :
- Automatic content scanning on every upload
- Scoring system that flags suspicious patterns (login forms, banking keywords, etc.)
- Manual review queue for high-risk uploads Should have been there from day 1.

Lesson learned.

Lesson 2 : The plot twist I didn't see coming
Same evening, around 11pm, I opened my Google Search Console. Red banner. Multiple pages flagged for malicious content.
The two phishing sites had been crawled by Google before I could take them down. My main domain (supadrop.host) was about to get flagged for distributing malware.
That hit different from the morning scare. The first one was a moral problem : I don't want my platform used for fraud.
The second was an existential one : if Google flags my main domain, I lose my SEO, my reputation, and my credibility before anyone even hears about Supadrop.
And the technical risk underneath all of it : user sites sharing cookies and trust with my app domain. One bad actor compromises everything.

Three problems at once. None of them optional.

The overnight fix
I bought a dedicated domain : supadrop.site.
Migrated the architecture so user sites now live on a completely separate domain from the app.
Then I submitted a full incident report to Google : what happened, how I detected it, what I changed architecturally to prevent it. Alert was lifted in a few hours.

I caught this with 2 sites to migrate. Not 200. Not 2,000.
Two. Probably one of the luckiest mistakes of my dev career.

Lesson 3 : The "first users will love your product" narrative skips a chapter
Every platform that accepts user-generated content is a target. The smaller you are, the more attractive : less moderation, fewer eyes, slower response.

If you're building anything where users upload, publish, or share content, ask yourself today (not next month) :
- What's my abuse vector ?
- What's my detection mechanism ?
- What's my response plan ?
- Is my main domain isolated from user content ?

I genuinely thought I had time. I didn't.

The silver lining
I'm actually grateful this happened on day 1. The cost of fixing it now was one stressful evening and a $12 domain. The cost later would have been my entire project.

First real launch in years. Two scammers. One Google panic. A weekend I won't forget. Building in public means making the obvious-in-hindsight mistakes in public too.

If this helps one other indie hacker avoid the same trap, the stress was worth it. If you've had similar abuse stories on your platform, I'd love to hear how you handled it.