|

How Victor Nihoul & Wesley Wasielewski Built a Security Startup That Got Acquired by Bubble

Two friends. One shared mission. And a no-code security breakthrough that caught the attention of Bubble itself.

In less than 18 months, Victor Nihoul and Wesley Wasielewski built Flusk, a security tool for Bubble apps, scaled it to a five-figure MRR, and got acquired by the very platform they were protecting. Now officially part of the Bubble team, they’re continuing their mission on a much bigger stage — straight from New York City.

Let’s break down how two 23-year-old freelancers hacked their way into one of the most important acquisitions in the no-code world.

From Minecraft to Bubble Mastery

Wesley started coding at 13 — but not in the way you’d expect.

“I wanted to create Minecraft servers for my friends,” he said. That early exposure to Java, although short-lived, gave him a logic-first mindset that stuck with him.

Fast forward to engineering school in France, Wesley stumbled upon Bubble. He loved it. So much so that after three years into his Master’s degree, he dropped out to become a full-time Bubble freelancer.

Victor, his eventual co-founder, followed a similar path. Both were freelancers, working with clients who, as they’d quickly realize, had no idea how to secure their Bubble apps.

Why Flusk Was Born: The Black Swan Moment

At BubbleCon 2024, Victor shared a chilling tale: a dating app built for a far-right community had its entire user database leaked — sexual orientation, email addresses, personal data, everything.

The app was built by a Bubble agency that hadn’t properly configured its privacy rules.

The backlash was immediate: mainstream media coverage, police investigations, and user harassment.

This was Bubble’s first “Black Swan” moment. Something thought to be impossible — a massive security breach on a no-code platform — had happened. But it was also predictable.

With more non-technical users building apps, security was becoming the biggest blind spot.

Flusk was Victor and Wesley’s answer to that.

From Service to SaaS: Pivoting to a Product

Flusk wasn’t born as a product. It started as a $5,000/month debugging concierge for Bubble agencies — offering real-time help for app emergencies.

They got their first customer instantly.

Then… crickets.

The service didn’t scale. So they pivoted to what people actually needed: a tool that automated security audits.

In just three weeks, the first version of Flusk was born.

What Flusk Actually Does

At its core, Flusk audits Bubble apps against 23+ security checkpoints, including:

  • Data leaks
  • API security
  • Swagger docs exposure
  • Privacy rule misconfigurations
  • Version protection flaws

It even offers downloadable PDF certifications, essential for founders pitching to investors or managing enterprise clients.

The tool automates what Victor and Wesley used to do manually — making security “as easy as no-code.”

The 80/20 Rule of Bubble Security

At BubbleCon, Wesley outlined a powerful insight:

“80% of vulnerabilities come from 20% of misconfigurations.”

Those 20%?
Data leaks. Bad redirections. API breaches.

Wesley walked the crowd through test page techniques, a simple method to expose privacy rule misconfigurations by simulating user roles. It was practical, visual, and brilliant — the type of thing that made Flusk so effective.

The Business Model That Worked

Initially, Flusk sold annual licenses. But users would fix issues in one month and churn.

So the duo added monitoring tools — capturing errors, behavioral anomalies, and ongoing vulnerabilities. This not only increased stickiness but opened up a monthly recurring revenue (MRR) model.

They scaled to:

  • $9,000/month in software subscriptions
  • $10,000/month in consulting revenue

Marketing with Hustle and Heart

Their marketing strategy was scrappy but effective:

  • Cold outreach to Bubble app owners
  • Free help on Bubble forums to build trust
  • Security-focused blog posts
  • Offering Flusk free to agencies in return for referrals
  • Active engagement on Twitter and LinkedIn

In short: they gave more than they took. And the community paid it forward.

The Acquisition by Bubble

Then in early 2024, Bubble called.

They wanted to acquire Flusk — and have the duo join their NYC team to continue the mission at scale.

“It took 10 calls to agree on price,” Wesley recalls. “A mix of cash and shares — and then we had to learn what lawyers actually do.”

For two 23-year-olds with no legal experience, closing a deal with one of the biggest no-code platforms in the world was surreal.

But it made perfect sense.

Bubble wanted:

  • To show their community they take security seriously
  • To integrate Flusk’s features natively
  • And to hire two of the sharpest minds in no-code security

Lessons from the Flusk Founders

Victor and Wesley don’t pretend to be startup gurus, but they did share some takeaways:

  • Do what you love. Passion is the only sustainable edge.
  • Security isn’t a feature, it’s a foundation.
  • Treat your startup like a marathon, not a sprint.

Their success wasn’t about viral hacks or growth cheats — it was about solving a real problem really well.

What’s Next for Flusk

Now backed by Bubble, Flusk won’t disappear — it’ll go deeper.

More automation. Better documentation. Native integrations. Enterprise-grade features. And more awareness about the importance of security for all no-code builders.

As Wesley put it:

“We want to make security as simple as no-code.”

And with Bubble behind them, they just might.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *