Started with one tool. It worked. Now it's a platform.
We built an ISM controls explorer because we needed one and it didn't exist. People started using it. So we kept going — same approach, new problems. Three focused tools, one platform. Free to use, no theatre.
How it started
We spent years working in cyber — writing policies, triaging controls, sitting through vendor pitches for tools that cost six figures and solved problems nobody had. The ISM had 800+ controls buried in a PDF. We needed to actually work with them. So we built rule1 — a searchable, filterable, version-diffable ISM explorer.
It worked. People started using it. Not because we marketed it, but because it solved a real problem that practitioners actually had. That was the proof we needed: small, focused tools built from direct experience are worth more than enterprise platforms built from pitch decks.
So now we're building more. Same philosophy — find a problem we've lived through, build the tool we wished existed, ship it fast, keep it sharp. No roadmap theatre. The basic tools are free for non-commercial use — and they'll stay that way.
And yes — we use AI to build this. Unapologetically. It lets a small team ship at the pace of a large one. But we're not hiding behind it. Every piece of AI-generated content in our tools is clearly labelled. Our opinions are ours. The code is ours to maintain. AI is the power tool, not the craftsman.
What we're building
Three tools that do one thing well. Use them standalone, or together as a platform.
Where it all started
The Australian Information Security Manual has 800+ controls across dozens of topics. The official format is a PDF. We turned it into a searchable, filterable, version-diffable explorer — because reading security controls shouldn't require a magnifying glass and a stiff drink.
Live · FreeThreat intel without the price tag
Open-source threat feeds exist, but they're scattered across a dozen formats and APIs. threat10 pulls them together — normalises IOCs from Abuse.ch, MITRE ATT&CK, PhishTank, and more into one searchable source of truth.
Live feeds · FreeVulnerability intel, unified
NVD, EPSS, CISA KEV — the data you need to prioritise patching lives in three different government feeds that don't talk to each other. patch8 pulls them into one searchable database with risk scoring and enrichment.
Live feeds · FreeOne integrated platform
Three tools, one platform. They share identity, data, and design, but each does one thing exceptionally well.
Shared Identity
Powered by login2. Create one account, get access to everything. No juggling passwords across different tools.
Unified Experience
A consistent design language and a persistent PlatformBar means you can jump between apps without losing your context.
Edge Deployed
Everything runs on Cloudflare Workers. No cold starts, no waiting for instances to spin up. Sub-100ms responses globally.
How we build
Small and sharp
Every tool does one thing well. We'd rather ship three focused tools than one bloated platform that tries to be everything and ends up being nothing.
Free where it counts
The basic tools will stay free for non-commercial use, permanently. Premium tiers will exist — running infrastructure costs money — but the core experience won't be paywalled.
Fast by default
Everything runs on the edge. Cloudflare Workers, D1, no cold starts, no "please wait while we spin up your instance." Sub-100ms or we're not done.
Born from experience
Years of doing the work — the audits, the policies, the board decks. We don't guess what practitioners need. We were practitioners. We build what we wished existed.
AI-assisted, human-owned
We use AI heavily to write code and generate content — and we label every bit of it. You'll always know what's a human opinion and what came from a model. Transparency isn't optional.
Practitioners first
Built for the people at the coalface — the analysts triaging alerts, the GRC leads wrestling frameworks, the mentors giving their time. If it doesn't help them, it doesn't ship.
Jump in
No sign-up required for the public tools. No "book a demo" button. Just go use them.
We didn't write this page. An AI did, based on our direction. We were busy building the actual tools. That's the point.