# The Free Scan Everyone Can Try (And Almost Nobody Can Break)

> Source: <https://dev.to/taborbachelor/the-free-scan-everyone-can-try-and-almost-nobody-can-break-5el5>
> Published: 2026-07-09 17:14:48+00:00

A free tool with no signup wall is the best acquisition lever you can build and the easiest thing on the internet to abuse, and those two facts show up at exactly the same time.

Relevyn's public audit — type in a brand and a website, get a free AI-visibility check, no account required — exists specifically to remove friction. Every bit of friction we didn't add is also a door we didn't lock. Somewhere between "anyone can try this instantly" and "anyone can script a few thousand requests against our LLM bill overnight" is a line we had to actually draw, not just hope nobody would find.

The naive fix is a single cap — say, five free audits per IP address per day. That stops one visitor from hammering the endpoint. It does nothing about distributed abuse: a hundred different IPs, each politely staying under the per-IP limit, adding up to a very real bill with zero revenue behind any of it.

The other naive fix is a single global ceiling — the whole system accepts, say, a few hundred free audits a day, full stop. That protects the budget, but it has a different failure mode: one aggressive actor (or one bad script) can burn through the entire day's allowance before a single genuine visitor gets a turn.

Neither limit alone covers both failure modes. You need both, layered.

A **global daily ceiling** is the backstop against catastrophic, system-wide abuse — a hard number the whole free tier can't exceed in a day, regardless of where the requests are coming from. It's blunt on purpose. It's not there to catch normal usage; it's there so a worst-case script kiddie or scraping run can't turn a growth lever into an unbounded bill.

A **per-IP cap** is the finer-grained rule underneath it — a handful of free tries per address per day, generous enough that a real visitor can check their own brand and maybe a competitor's without hitting a wall, tight enough that scripting requests from one machine stops being worth the trouble.

Together they cover the two shapes abuse actually takes: concentrated (one IP, many requests) and distributed (many IPs, few requests each). Either limit alone leaves the other door open.

Here's the part that surprised me more than the architecture: there's no formula that tells you the "correct" per-IP number or the "correct" global ceiling. Five audits a day per IP is a bet about where a genuinely curious visitor stops and a script starts — informed by nothing but intuition on day one, because there's no real traffic yet to learn from.

That's the actual lesson. Rate limits aren't a constant you set once during setup and forget. They're a hypothesis you write down, ship, and revisit once real usage tells you whether you guessed too tight or too loose. Anyone waiting to "figure out the right number" before shipping a free tool is waiting for information that only exists after you ship it.

Try the free audit yourself, limits and all: [relevyn.com](https://relevyn.com/?utm_source=devto&utm_medium=article&utm_campaign=ratelimiting)
