Building a security scanner for non-technical business owners (medical/dental practices) — looking for honest criticism before I go further
Hi everyone,
I'm building SecureWatch, a domain scanning/monitoring tool, and before I put more time into it I want criticism from people who actually work in this space.
The scanning itself (subdomain enumeration, SSL/TLS config checks, header analysis, email spoofing/DMARC checks, tech fingerprinting) isn't new — Nuclei, testssl.sh, and a dozen other tools already do this well, mostly free. I know that. What I'm trying to solve is different: my target users are small compliance-bound businesses (independent medical and dental practices, small law firms) whose owners aren't going to read a Nuclei JSON dump or a Nessus report. So SecureWatch generates two outputs from the same scan — a technical report for whoever handles their IT, and a plain-English report meant for the practice owner or office manager, explaining what's exposed and why it matters in terms they'll act on.
Questions I actually want pushback on:
Is "translate findings for non-technical decision-makers" a real gap, or does this already exist in some form I'm not aware of (compliance platforms, MSP tooling, etc.)?
For SMBs like dental/medical practices — who's currently doing this for them, if anyone? Local MSPs? Nobody?
If you sell or evaluate security tools professionally, what would make you dismiss this outright versus take it seriously?
Underlying scan engine aside, what would you need to see (accuracy, false-positive rate, methodology transparency) before trusting a report enough to hand it to a client?
Not fishing for encouragement — if the differentiation is too thin or the market's a dead end, I'd rather know now.
Thanks for reading.