Idea Of The Day - Companies are paying strangers to walk through their front door. Legally
GM. This is Needs to Exist (aka NTE), delivering you a startup idea that turns your held-open lobby door, your bored security guard, and the $30 cloned badge into the highest-paying gig economy nobody has built yet.
NTE Pro: 7,000+ startup ideas when you need momentum, clarity, or your next move.
WhoFiled: See what's quietly getting funded, launched, and gaining traction before everyone else.
Here’s what we’ve got for you today.
HackerOne For Hallways
The Patagonia Vest

HackerOne For Hallways

The One Liner
The platform that pays vetted security pros to break into companies legally, prove the breach with video, and turn physical risk into a measurable, insurable score.
The 140 character tweet (or X) version
Your $2M cyber stack is useless if a guy in a vest walks into your server room. Build the bug bounty marketplace for physical breaches.
The Longer Story Version
The Problem
Companies spend $1.4M a year on cybersecurity tools and $14 on the lobby printer.
The cyber stack is hardened. Endpoint detection. Zero trust. SOC 2. SAML. Pentests every quarter. A ten-person security team that gets pizza on Fridays.
The front door is held open by a guy named Greg who wanted to be polite. The employee badges can be cloned with a $30 reader off Amazon. The CCTV system still runs on the default admin password. The "vendor" wandering near the server room has a clipboard, a vest, and a clear view of every rack.
Most physical security audits are a compliance worksheet. Someone fills out the form. The form gets a stamp. The stamp goes in the binder. The binder sits in a drawer. Nobody actually tries to break in.
Then someone does. They don't fill out a form.
The Solution
Turn physical security into a live, adversarial marketplace.
A bug bounty platform for the real world.
Companies post real-world breach scopes. "Can someone access our server room?" "Can someone tailgate into HQ at 7am?"
A network of vetted physical pentesters, DEF CON regulars, ex-military, ex-Pinkerton, accepts the challenge
Successful breaches get documented with video, photos, and step-by-step writeups
Companies pay per successful breach, scaled by severity
Continuous testing rolls up into a public-facing security score, eventually insurance-backed
Every engagement is pre-scoped, legally bound, and ringfenced
Think HackerOne plus Pinkerton plus Moody's, built for the buildings, badges, and bodies that protect everything else.
How We'd Build It
Phase 1: One city, ten testers, white glove.
Recruit the first 10-20 elite testers from communities like DEF CON Physical Security Village and locksport meetups, vetting on real engagement history
Stand up the private invitation portal in Lovable in a weekend, one page, one job, gated by NDA
Run tester intake, scoping, and engagement contracts through Tally, with e-signatures handled via Dropbox Sign
Deliver encrypted video evidence and full breach writeups to clients through Tresorit, so nothing sits on a tester's personal device
Source the first 50 office-heavy enterprise security leaders from Apollo and pay testers per successful breach through Stripe Connect
Move every active engagement to Signal the moment a scope is signed
Phase 2: From audits to live marketplace.
Build the public scoping board in Bolt, where companies post bounties with location, scope, payout, and hard red lines
AI-drafted breach narratives and exec summaries generated through Anthropic Claude using structured prompt pipelines that mirror SOC 2 language
Vulnerability database and engagement logs housed in Supabase with row-level security baked in from day one
Tester reputation, badges, and a public leaderboard tracked in PostHog so buyers sort on signal, not vibes
Engagement scheduling through Calendly and on-site SMS coordination via Twilio so legal, security, and the tester are aligned in real time
Per-engagement liability insurance auto-bound through Vouch before anyone walks onto a property
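The row-level security line above is the one place in the build plan where a concrete control is named, so here is what it looks like in practice. This is an added example, not code from the newsletter or from any product it mentions: a Postgres schema with RLS policies of the kind Supabase supports, where a tester sees only the engagements assigned to them, a client org sees only its own, and a breach report can only be filed against an active engagement the filer holds. The table and column names, the `org_id` claim in the JWT's `app_metadata`, and the `status` values are assumptions.

```sql
-- Added example (assumed schema). auth.uid() and auth.jwt() are Supabase's
-- built-in helpers; the org_id claim location is an assumption.
create table engagements (
  id          bigint generated always as identity primary key,
  client_org  uuid not null,                          -- assumed: org id also carried in the JWT
  tester_id   uuid not null references auth.users(id),
  scope       text not null,                          -- "Can someone access our server room?"
  red_lines   text not null,                          -- hard do-not-touch list from the bounty
  status      text not null default 'scoped'          -- assumed values: scoped, active, closed
);

create table breach_reports (
  id            bigint generated always as identity primary key,
  engagement_id bigint not null references engagements(id),
  severity      text not null,
  entered_at    timestamptz not null,
  exited_at     timestamptz not null,
  evidence_path text not null                         -- path in private storage, never a public URL
);

-- With RLS on and no matching policy, a row is simply invisible to that caller.
alter table engagements    enable row level security;
alter table breach_reports enable row level security;

-- Tester: read only the engagements assigned to them.
create policy tester_reads_own on engagements
  for select to authenticated
  using (tester_id = auth.uid());

-- Client: read only engagements owned by their org (org id taken from the JWT).
create policy client_reads_own on engagements
  for select to authenticated
  using (client_org = (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid);

-- Tester: file a report only against an engagement they hold and only while it is active,
-- so a report cannot be attached to someone else's job or to a scope that was never signed.
create policy tester_files_report on breach_reports
  for insert to authenticated
  with check (
    exists (
      select 1 from engagements e
      where e.id = engagement_id
        and e.tester_id = auth.uid()
        and e.status = 'active'
    )
  );

-- Reports are readable by the tester who filed them and by the client org that owns the engagement.
create policy report_read on breach_reports
  for select to authenticated
  using (
    exists (
      select 1 from engagements e
      where e.id = engagement_id
        and (e.tester_id = auth.uid()
             or e.client_org = (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid)
    )
  );
```

Two choices here are deliberate. There is no update or delete policy on breach_reports, so once a report with its entry and exit times is filed, neither side can quietly edit it, which is what makes it usable as evidence and as input to a score. And the evidence column stores a path into private storage rather than a public link, so the video is gated by the same policy as the row. Anything that must bypass these policies, such as the payout job that pays the tester, runs server-side with the service role and never from a client.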
Phase 3: The Moody's Of Buildings.
Continuous testing subscriptions billed through Chargebee, enterprise pipeline managed in Attio
Live security scores and trend dashboards rendered in Retool, pulled directly from breach event data
Insurance partnership with Coalition, tying physical posture scores to actual cyber premium discounts
API access so Vanta can pull physical security posture into compliance dashboards alongside SOC 2 and ISO
Building telemetry from door sensors and badge readers piped continuously into Datadog, turning the lobby into a stream
Why It Needs To Exist
The internet has bug bounties. The physical world has clipboards.
Every company in America spends millions on the assumption that bad actors are typing. The cheapest, most reliable attack vector still walks through the front door at 7am, holding a coffee, smiling at Greg.
Crowdsourced cyber pentesting got productized around 2012. HackerOne, Bugcrowd, Synack. Worth billions today.
Physical security never did. It's still consultants on retainer, checklists in PDFs, and one annual audit that nobody reads.
Meanwhile return-to-office is real, foot traffic is back, AI voice cloning is a $19 toolkit, and every CEO knows in their gut that their building isn't actually secure. They have no system to prove it.
The company that builds the bug bounty platform for buildings sells one thing. Proof. The only proof of physical security buyers will trust by 2030.
That category doesn't have a winner yet.
It will.
Most paid media doesn't fail because of budget. It fails because of strategy. On Monday, April 27, we're going live with HubSpot for Startups to fix that. You'll walk away knowing:
Which channels to prioritize and in what order (and why most people get this wrong)
Why following up with leads within 1 minute can improve conversion by 391%
How to set up tracking so your AI bidding actually optimizes for pipeline, not just clicks
The top gotchas on Google and LinkedIn that quietly kill performance
Free to attend. Free ad credits for everyone who shows up live.
The Patagonia Vest

Picture this. A glass tower lobby at 7:14 AM. The morning rush is starting. The marble floor is wet from the cleaners. A security guard named Miguel is scrolling on his phone behind a desk that has a sign saying "All visitors must check in."
A man walks in. Patagonia vest. Cold brew. Headset. Clipboard. Confidence.
"Morning."
Miguel looks up. "You here for a meeting?"
"Yeah, AV team. Conference room on 14. Friday rebuild."
"Cool. Sign in?"
The man does the squint everybody does at a clipboard with a pen on a string. "Hey, you wouldn't believe my morning. Battery dead, Uber late. Mind if I run up first and grab my badge from Carla? She's expecting me."
"Yeah. No problem."
He walks to the turnstile. An employee badges through. He follows half a step behind, eyes on his phone, completely unsuspicious.
Beep. He's in.
He takes the elevator to the 14th floor. He gets out. He turns left. He walks past 12 desks, none of which look up. He finds the server room. The door is propped open with a can of LaCroix because the vendor was just in there.
He takes 47 seconds of video. He plugs in nothing. He touches nothing. He walks out.
In the lobby on the way back, Miguel waves at him.
"Catch you, man."
"Catch you."
The man gets in his car. He drives to a coffee shop two blocks away. He uploads the video to a platform with a black logo. He fills out a short form. Severity. Time of entry. Time of egress. A list of every door, badge reader, and human checkpoint that should have stopped him.
He clicks submit.
Forty-seven minutes later, $4,200 hits his account.
Three floors above where he just was, a CISO is starting his Tuesday standup with a slide that says "Q1 Security Posture: Strong."
He believes it.
There's a weird moment that happens when you see a truly good idea.
Your brain instantly starts building it in the background.
That's the feeling NTE Pro is built for. Inside are 7,000+ business ideas designed to spark momentum, side hustles, startups, pivots, and profitable rabbit holes you wouldn't have thought of alone.
Some are tiny and practical. Some are wild and massive. Some are one tweak away from becoming your thing. It's not homework. It's gasoline.
Open it when you feel stuck, bored, underpaid, or dangerous. NTE Pro is where stalled people regain motion.
Imagine getting invited to the first inning instead of showing up in the seventh.
That's what WhoFiled does. It surfaces companies, products, and markets right as they start becoming relevant, not after podcasts, Twitter threads, and VCs make them obvious.
You'll see raises, launches, hiring moves, founder chatter, and strange little signals that often matter more than headlines. If anyone's about to raise capital to build the bounty marketplace where strangers get paid to break into corporate HQ, WhoFiled is where you'll see it first.
Some people read business news. Others use it to create leverage.
Guess which group wins more often.