We built an ISM controls explorer because we needed one and it didn't exist. People started using it. So we kept going — same approach, new problems. Focused tools for people who actually do security.
We spent years working in cyber — writing policies, triaging controls, sitting through vendor pitches for tools that cost six figures and solved problems nobody had. The ISM had 800+ controls buried in a PDF. We needed to actually work with them. So we built rule1 — a searchable, filterable, version-diffable ISM explorer.
It worked. People started using it. Not because we marketed it, but because it solved a real problem that practitioners actually had. That was the proof we needed: small, focused tools built from direct experience are worth more than enterprise platforms built from pitch decks.
So now we're building more. Same philosophy — find a problem we've lived through, build the tool we wished existed, ship it fast, keep it sharp. No roadmap theatre. No feature-gating what should be free. The ISM explorer is free. It will stay free. That's still the whole pitch.
And yes — we use AI to build this. Unapologetically. It lets a small team ship at the pace of a large one. But we're not hiding behind it. Every piece of AI-generated content in our tools is clearly labelled. Our opinions are ours. The code is ours to maintain. AI is the power tool, not the craftsman.
It started with one. Now there are three — each born from a problem we actually had.
The Australian Information Security Manual has 800+ controls across dozens of topics. The official format is a PDF. We turned it into a searchable, filterable, version-diffable explorer — because reading security controls shouldn't require a magnifying glass and a stiff drink. This was the first tool. The one that proved the idea.
Live · previously secctrl.fyiAfter rule1, we looked at what else in the industry was being held together with duct tape. Mentoring programs — especially in niche communities — run on spreadsheets and good intentions. peer6 replaces that with smart matching, real-time chat, and progress tracking. Same approach: build what you wished existed.
Beta · invite onlyOnce there were two tools, we needed shared auth. Rather than bolt it on twice, we built it properly once — SSO, org management, team roles, billing, 2FA. The boring-but-critical stuff, centralised, so every new tool we build doesn't reinvent the auth wheel.
Live · platform authEvery tool does one thing well. We'd rather ship three focused tools than one bloated platform that tries to be everything and ends up being nothing.
Everything is free right now — no trials, no feature gates, no "contact sales." Public-good tools like the ISM explorer will stay free permanently. If anything else changes, it'll be because running costs demand it, not because we hired a growth team.
Everything runs on the edge. Cloudflare Workers, D1, no cold starts, no "please wait while we spin up your instance." Sub-100ms or we're not done.
Years of doing the work — the audits, the policies, the board decks. We don't guess what practitioners need. We were practitioners. We build what we wished existed.
We use AI heavily to write code and generate content — and we label every bit of it. You'll always know what's a human opinion and what came from a model. Transparency isn't optional.
Built for the people at the coalface — the analysts triaging alerts, the GRC leads wrestling frameworks, the mentors giving their time. If it doesn't help them, it doesn't ship.
No sign-up required for the public tools. No "book a demo" button. Just go use them.
We didn't write this page. An AI did, based on our direction. We were busy building the actual tools. That's the point.