HACKER Q&A
📣 js4ever

How to provide a free trial without being abused?


I launched Elest.io (fully managed open source) a few weeks ago and we are struggling with free trials.

If we don't ask for a valid CC, people from all around the world abuse the free trial and use the services to do DDoS, port scanning, and a lot of other illegal things!

When we do ask for a CC, legit users are turned away ... we tried to explain that we don't charge anything and it's only for fraud prevention ... but no effect.

We also tried to ask for a public social network profile to verify the identity instead of a CC but again it was not well perceived.

Is there any solution to this?


  👤 cube00 Accepted Answer ✓
Limit their outgoing connections until they provide a CC number. Most software can be initially tested without needing to connect to the wider internet. Throw in plenty of /examples directories for the different applications you offer.

You could provide some approved outgoing connections to trusted plugin/package repos.

If you want to get stricter only allow incoming connections from the trial user's IP to stop them hosting scam landing pages.
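One way to express the policy cube00 describes (inbound only from the trial user's IP, outbound only to approved repositories until a card is on file), as an added example that is not code from the thread or from Elest.io: a small Python helper that renders an nftables ruleset for one trial instance. The interface name, user IP and repository CIDRs are constructed placeholders.

```python
from ipaddress import ip_address, ip_network


def _fam(obj) -> str:
    """nftables address-family keyword for an ipaddress object."""
    return "ip" if obj.version == 4 else "ip6"


def trial_policy(iface: str, user_ip: str, repo_cidrs: list[str], card_verified: bool) -> str:
    """Render an nftables ruleset (text for `nft -f`) for one trial instance.

    No card on file: inbound only from the user's own IP, outbound only to the
    allow-listed package repositories plus DNS.  Card verified: same inbound
    rule, unrestricted outbound.
    """
    user = ip_address(user_ip)                     # ValueError on malformed input
    repos = [ip_network(c, strict=False) for c in repo_cidrs]
    lines = [
        "table inet trial {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    iif {iface} {_fam(user)} saddr {user} accept  # only the trial user's IP",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "    udp dport 53 accept  # DNS so repository names still resolve",
    ]
    if card_verified:
        lines.append("    accept  # card on file: full egress")
    else:
        for net in repos:  # constructed example CIDRs stand in for real mirrors
            lines.append(f"    {_fam(net)} daddr {net} tcp dport {{ 80, 443 }} accept  # approved repo")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(trial_policy("eth0", "203.0.113.7", ["198.51.100.0/24"], card_verified=False))
```

The inbound rule assumes the trial user keeps a stable public IP; users behind carrier NAT or on mobile connections will need a re-verification step that updates the allowed address.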


👤 shoo
One alternative idea to free trials, from Jason Cohen's ancient 2013 MicroConf talk, 21:00 minute mark:

> another hack: lotta people have free trials. 15 day free trial, 30 day free trial. makes sense. customers want to test us out first, no one trusts anyone, that's fine. but i hate free trials actually, especially for bootstrapped companies, because you never get the money back. most people that sign up with a credit card will stay. if that's not true, by the way, something is incredibly poisonous, fix that part [...]. but if that's true, most of the time they give you their credit card, you're giving them 15 or 30 days for nothing and you're never going to charge them, so you just lost the money, and that sucks. so i don't like trials. you have to give them something.

> so we switched to a 60 day money back guarantee instead of a 15 day free trial. but in both cases we take the credit card. originally in one case we say we won't charge you until the trial is over, in the other one we just charge them anyway. but we'll give you a refund and much more time.

> and sales went up. and people would email us and say "you know, 15 days didn't seem like enough time, now that i have 60 days, i decided to sign up".

> but i'm charging you more, don't you understand?

https://www.youtube.com/watch?v=otbnC2zE2rw


👤 sokoloff
Anyone who won’t give you a credit card for the free trial isn’t likely to give you a credit card later to become a customer*. In this space, giving a credit card seems perfectly normal and serves as a vetting function of seriousness for you.

* I can concoct exceptions of course: worker who wants to try it for work but doesn’t have their own company card being one. But if you’re targeting cloud users, “doing whatever AWS does to gate accounts” is perfectly reasonable.


👤 jrumbut
Just something that occurred to me:

You could make a link allowing them to explain by email their need for a no-CC-required trial.

That way you make a little speedbump and get an email you know they use, to market to (with opt-in).

In reality though, I suspect that most of the users who won't put in a card for a trial won't put in a card to pay either.


👤 mojzu
You could limit the free trial in some way (number of connections, ability to connect to other services) that makes it less appealing for abuse; however, you may just end up playing a cat and mouse game on that front.

Personally I'd be okay providing a CC for verification/fraud prevention, but what puts me off doing it most of the time is that it'll then automatically start being charged if I forget to cancel within a certain time. If there was a manual step of moving from free trial -> paid subscription I'd be less hesitant.


👤 mkl
Can you limit resource use after some reasonable amount? Seems like you've got the tools for that already. "Network Firewall [...] + Web Application Firewall", "IP Rate Limiter", "Alerts to detect abnormal activity", etc.

I can see why people don't want to give their credit card to someone they haven't made a deliberate decision to give money to, or to mix their social life with business. Edit: there's also the problem of trusting a company to hold onto your card data securely - I let almost no companies I do business with save the card details, and prefer to just type it in every time. Storing credit card details makes you a target, and I'm doubtful many smaller companies have the security skills to defend themselves.

BTW, "software" is not a countable word. Instead of "softwares" you mean "software services" or something.


👤 paskozdilar
Your basic problem is that a single person can pretend to be many persons, and therefore use up much more resources than expected.

The only way to prevent this is to identify the users in some way. Every way of identification is a tradeoff between convenience and security.

CC card info is very secure (it's really hard to fake a CC), but it's extremely inconvenient. Personally, if a service requires me to put in my CC info before even trying it, I am not using it.

Phone number is fairly secure (can be faked, but the faker must spend money to buy phone cards, so their costs scale linearly), and it's kinda inconvenient, but not really, since every website and its grandmother asks for 2FA nowadays. It's more inconvenient for you, actually, since you have to find a way to send an SMS to any phone, anywhere in the world.

Email addresses can be secure (but only because most email providers require email confirmation over phone number), but they are the most convenient option I can think of. Ngrok does something like that, they require an email for an account, and provide you with a key you can use to use their service. Free option only gets you like 4 tunnels and 40 connections/minute, which I assume is negligible, given their total traffic.


👤 acjacobson
Free trials are most useful / valid in my opinion when the product or service is novel and your potential customers aren't sure yet if you'll solve their problem. It makes perfect sense for a project management SaaS because everyone works in different ways. However, you're offering managed services which should already be well understood by your real customers. Managed Postgres is something they need or not - you're not in the business of selling them on Postgres itself. Thus I don't think offering a free trial does anything to attract a real willing customer.

As an alternative you could offer free credits if you really want to test this, but this will always be a trade off and there will be a lot of people who use the free credit and never convert.


👤 technobabbler
Instead of a trial you could offer a sandboxed demo account with limited functionality and network access only to a demo LAN and not the outside world. Just enough to show your orchestration and control panel features in a realistic way.

👤 hackandtrip
UX-wise, as others said, I think it makes sense to ask for the CC as late in the process as possible: you will make your most valuable users understand how great your platform is.

Also, I think that for a platform such as yours, credit cards are absolutely a must. The risk in opening it to scammers (mining, torrent seeds, etc.) is just too high; I remember reading this from fly.io [0] that explains the pain in reducing fraud.

0: https://community.fly.io/t/new-prepaid-credits-and-a-bonus-s...


👤 pid-1
- trigger warning -

Allow the whole onboarding process to be done without a CC, don't even mention that.

But when a user is doing their first deploy, tell them they need a CC to complete this step.

Thanks to the sunk cost fallacy, users will be more likely to proceed.


👤 tonetheman
We had this problem a lot. You have to make it painful enough that scammers do not want to bother.

Put Cloudflare in front of your IP. Every time someone abuses you, block their IP at CF. If you can automate this, even better.

Reduce the service for a free trial in some way that hurts hackers but not real customers. You will have to think about this; it might be tricky or not possible.

Add software to your stack to watch for port scans and cut the users off instantly. Or watch for DDoS. There is some number of packets that come out of a valid session vs the number that comes out of a DDoS.

And then finally, the trials that abuse you are junk trials; they will never convert. The CC definitely will keep your trials low, it just will, I have seen that first hand, but your conversion rate will be through the roof.
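An added example (not the poster's or Elest.io's code) of the "watch for port scans and packet volume, then cut the user off" idea above: it triages a constructed per-instance flow log with two threshold heuristics. The log format, window size and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW = 60           # seconds per tumbling window (assumption)
SCAN_PORTS = 20       # distinct destination ports on one host within a window
FLOOD_PACKETS = 5000  # packets sent to one host within a window


def constructed_sample() -> str:
    """Constructed flow log, one flow per line: 'epoch_seconds src_ip dst_ip dst_port packets'."""
    rows = ["1700000000 10.0.0.5 198.51.100.9 443 120",   # ordinary HTTPS session
            "1700000030 10.0.0.5 198.51.100.9 443 80"]
    # trial instance 10.0.0.8 probes 25 ports on one host within 25 seconds
    rows += [f"{1700000010 + i} 10.0.0.8 203.0.113.4 {20 + i} 1" for i in range(25)]
    # trial instance 10.0.0.9 pushes 8000 packets at one web server in 10 seconds
    rows += [f"{1700000020 + i} 10.0.0.9 203.0.113.50 80 800" for i in range(10)]
    return "\n".join(rows)


def parse_flows(text: str):
    """Yield (ts, src, dst, dst_port, packets) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, pkts = line.split()
        yield int(ts), src, dst, int(port), int(pkts)


def flag_abusers(text: str) -> dict[str, str]:
    """Map each abusive source IP to the first reason it tripped a threshold."""
    ports = defaultdict(set)   # (window, src, dst) -> distinct destination ports
    pkts = defaultdict(int)    # (window, src, dst) -> packets in that window
    for ts, src, dst, port, n in parse_flows(text):
        key = (ts // WINDOW, src, dst)
        ports[key].add(port)
        pkts[key] += n
    flagged: dict[str, str] = {}
    for (_, src, dst), seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            flagged.setdefault(src, f"port scan: {len(seen)} ports on {dst}")
    for (_, src, dst), n in pkts.items():
        if n >= FLOOD_PACKETS:
            flagged.setdefault(src, f"flood: {n} packets to {dst}")
    return flagged


if __name__ == "__main__":
    for src, why in flag_abusers(constructed_sample()).items():
        print(f"suspend {src}: {why}")
```

Tumbling 60-second buckets keep the code short, but a scan that straddles a bucket boundary can stay under the threshold; a production version would use a sliding window and feed the verdict into the platform's suspend action rather than printing it.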


👤 ushakov
3 possibilities, learned the hard way:

1) Offer a limited free tier

2) Ask for a CC before the free trial; you don't need customers that are not able to pay you later

3) Make a shared demo account where customers can log in and check out the product without need to commit


👤 nyellin
Fellow OSS founder here (robusta.dev for Kubernetes monitoring).

Can you explain in more detail the way people are misusing your service? Aren't you running within someone else's infrastructure? At least that's how I understood your site.

We have an extended free trial for our SaaS platform (the only part that isn't open source) without a cc and have seen a lot of usage but nothing we'd flag as abuse. (Lots of fake accounts, but those don't hurt us.) Different product though so obviously the potential for abuse is different.


👤 wizwit999
I think you should collect CC.

👤 shantnutiwari
For the type of business you are running (online software) you will get abusers, so you might have to bite the bullet and accept that some genuine people will be turned off by credit card validation.

👤 mcv
I've been thinking lately that we need some sort of internet identity. Something that proves you are a real, legitimate and unique person, but shields your privacy.

The Netherlands has something like this for government services: DigiD. Every citizen can get one, and you use it to handle all sorts of government-related stuff, like your taxes, etc.

We need something like that, but internationally, and usable for everything, rather than just government services. But international is hard. And who will be put in control? Different countries have different privacy standards, not to mention different standards of corruption.


👤 warrenm
Curious - how do you compare/compete with Bitnami (https://bitnami.com)?

👤 lwhi
Ask for a phone number for 2 factor authentication.

👤 johnsmith4739
(prescriptive input at the end) I work specifically on improving Trial-to-Paid and here are some pointers:

-> Most companies calculate their T2P churn incorrectly because they combine both the Right_Audience and the Wrong_Audience within the Trial.

-> Get rid of the Wrong_Audience with better customer acquisition Qualification (e.g. if I sell bats to bullies people will get hurt, if I sell bats to sports teams, well... chances are lower for misuses)

-> Get better conversions with the Right_Audience with an Orchestrated Trial

Most trials are just the product but free for a while. This leads to exactly the situation you describe.

An Orchestrated Trial focuses on reducing the Anxiety of your Right_Audience, so that they can decide easier to switch to paying. Full access to the product changes nothing in conversions, people already know what the product does from your description. The point is to reduce specific uncertainties and unblock the subscription decision.

(prescriptive) To do this, the Trial has to be Orchestrated around getting the Right_Audience to say "AHA! This actually does what I want." And if they have the money, the decision is straightforward. No need to give the access to what the solution does, that's for paying users.

Let me know if I can help


👤 brudgers
Don't offer a free trial.

Charging money tends to filter out bad actors.

Good luck.


👤 3np
What do you think about offering to lock up some minimum amount of cryptocurrency (say, Bitcoin), which would be withdrawable at the end of the trial but also usable as payment for continued service?

One could utilize HTLCs so that the coins are locked for a predefined amount of time, so you wouldn't need to take custody of the coins during the trial but would still be able to them if you decide there was abuse. If you do nothing after the initial lock-up, once the HTLC expires the user can claim the coins back again. That way there is less risk and impact of losing funds due to errors or compromise on your side, compared to just requiring a deposit going into a wallet.

As a complement and alternative for CC. I would think that the people either unable to, or not willing to provide CC out of principle, and the people comfortable with Bitcoin have a decent overlap.