Here’s how my niche SaaS company structured our SEO strategy

I run marketing at a venture-backed SaaS company and wanted to share with you guys some of the ways that we (and many other SaaS companies) go about creating a comprehensive/effective SEO strategy.

–Let's fictitiously say that my company offers a CRM for Animal Shelters.–

IMO, the SEO strategy begins with and comes down to the keywords you intend to target. And I break these down into two groups: Direct and Indirect.

Direct: Keywords used to search for the specific tools…


Application and API Penetration Testing – SaaS solutions

I have managed projects where we have used a third party to do application penetration testing. Based on what I could gather, it entailed manual testing and did identify some good issues. We also used Zap to prep ourselves before we went to third-party pen testing. So familiar with that too.

I was wondering if there were SaaS solutions for pen testing that meet the following criteria:

1 – Easy to use in that canned policies exist that are meaningful. Example: You have never done any pen testing before on your app, let's start here… You are required to meet a specific regulation, try the following policy set …

2 – Have adequate depth and credibility (both subjective) such that the report will be accepted by a Fortune 500 company’s security team or by a SOC2 auditor (I recognize that the auditors really do not care how you did your pen test as long as you did it given that SOC2 does not really call for a pen test)


Dynamic domain for a SaaS application

I have an application that will work as a SaaS, where my customer has a login and can register their products. I want this user to be able to register their own URL, and for that URL to point to my application, where only that user's products will be displayed (this data is fetched dynamically based on the URL).

I researched and found some terms like DNS, CNAME, etc… but nothing answered my question.

How can I do this? Can I make the URL point to a folder on the server? Could I point all the URLs to the same place and there check the current URL in order to query the data in the database?

Is this possible? If so, what would be the best approach? If possible, I would like to use platforms like Heroku and AWS.

How to handle changing plans in a SaaS

I am working on a SaaS product that I intend to have multiple plans for. For example, I will have a limit of 50 of item A, and then a per-user cost where I will have a base plan of 3 users.

I’m building this application primarily out of Node.js microservices. I was wondering where it makes sense to put in the controls for this type of limiting (the 50 items A not the per-user that seems simple enough).

Do I put it as its own service or is there a reasonable way to integrate it into say an API gateway or auth service?

Currently, the services I have that would be involved in item A are:

  • API gateway

  • Auth

  • Service A

I’d like to do it in a way that I could remove the limiting per item later on as I have plans to change my pricing plan structure as the product develops.

I’m open to almost anything, I have a few poorly thought out ideas like adding a middleware that checks the user model and if the user’s company/payment/plan data says that it exceeds the limit then I would return an error.

How can I forward SaaS calls from the client to a third-party service?

In the browser (e.g., for there is Javascript for third-party services, say Let’s say that I rewrite the Javascript so that it calls instead of Then that proxy will invoke, rewriting headers as needed.

Of course, my proxy will see all the traffic, but I don’t see that that is a problem. The traffic comes from my webapp and serves the purposes of my webapp. In terms of Same-Origin Policy, it is all

The calls are Ajax, so the browser will not show the user that the calls are to rather than

I can see that if the user is sending sensitive data to and expects that will never see it, that could be a problem with user expectations.

But would this architecture be blocked by some security layer?