Considering becoming a freelance pentester?

Everything you need to know before taking the leap.

TL;DR

  • Make sure you’re aware of the glamorous and ugly sides of going freelance
  • You may have more flexibility, but when you have the work, you’ll probably be working longer hours
  • You’ll lose perks like PTO, healthcare, and social security
  • Clients don’t just appear. Make sure you know where they’re going to come from
  • Are you aware of all of the costs involved? Legal, software, hardware, training etc.
  • Are you on top of the legal issues?
  • If yes, check out How to become a freelance pentester

Why do you want to go freelance?

Do you want to be your own boss and manage your own work/life balance? Or is it the lure of what appears to be good money and shorter hours?

On the face of it, freelance pentesters have a great life. The money is good, you can choose when to work and pick your clients. The reality is that all this can be true, but it takes effort to get there and then to stay there. Clients generally don't come banging on your door. And while the daily rate can be good, you are unlikely to be working 5 days a week every week.

Are you prepared for the working environment?

There's no way to fully appreciate what freelance pentesting is like until you give it a go. But you should try to get as clear an idea as possible before you do. Ideally, you'd reach out to connections who are currently freelancing, either pentesters you already know or people found through a LinkedIn search.

To prepare for those conversations, there are some things you should consider.

Can you cope with the hours?

Freelance pentesters generally work more hours than they did when employed. There are a few reasons for this:

  • You are now running a business so have to do "business stuff" as well as the actual client work. Bank reconciliation, marketing/advertising, and VAT returns all take time that isn't billable, so are usually done in the evenings or weekends.
  • Quality of work/reputation. Your next job with a client is likely to be based on the deliverables from your current job. There's an extra pressure to do the best job possible, even if that means putting in a few extra hours.
  • There is often no one there to stop you doing the extra hours. When working in an office the end of the day is obvious as everyone else is packing up and leaving. But working on your own it is easy to get sucked into a job and lose track of time.

Are you prepared for losing your current perks/benefits?

How many of the perks your current company offers will you miss?

  • PTO
  • Sickness leave
  • Healthcare and insurances
  • Social security/pension contributions
  • Maternity/paternity leave

Have you budgeted and forecasted?

Have you forecasted how much money you'll make?

How many clients will you need to make as much money as you're currently making?

The money as a freelancer, on the face of it, is a lot better than as an employee. But once you add in the extra hours, the expenses and the loss of benefits, it may not work out that much better.

When working out your budgets, don't assume that you'll set your day rate at X and will get 253 * X. Make realistic assumptions about how much work you think you'll get in a good and a bad month. Then make forecasts based on having one bad month for every good one. It might sound pessimistic, but you need to be prepared for that eventuality. And if you have a couple of bad months back to back, can you survive?

Where are your clients going to come from?

It is unlikely that clients will simply appear in your inbox. You'll need to go out and win them.

When starting out you need to be careful how you do this. You probably have a non-compete clause in your current contract. So don't assume that being friendly with some of your current company's clients means you will be able to lure them away. Signing up your own clients while still employed may also breach your contract. If this is the case you may start your freelance career without any signed clients, which isn't a good position to be in.

Do you know where your clients are going to come from? And how many will you be able to sign each month? Check out some tips for finding clients.

Have you considered the clients that won't pay you?

Until it has happened, most freelancers don't think about clients not paying. They assume that they’ve done the job so the cash will come in, and hopefully on time.

But it happens. More often than you think. And it's not necessarily as simple as taking the legal route to recoup that money. Legal action is costly, and you won't be high on the list to get cash back if your client has gone into administration. Make sure you think about this and have reserves in case it happens.

Have you budgeted for software/hardware?

As an employee you are most likely provided with all the hardware and software you need. You'll get a laptop, Nessus licence, that kind of thing. When you are on your own you have to provide all that yourself.

While there are free options, there are some instances where you'll need the paid-for solution. Make sure you add all these costs to your budget.

Don't forget the non-security tool software costs as well. A Windows licence, Office and all the other little apps that you previously just installed off the main app server.

Laptops, phones and other hardware. Are you going to share your personal kit with the business, or are you going to get a dedicated set? Duplicating is expensive, but it means you can apply extra hardening to the work equipment. Ensuring it is only used for work lessens the risk of exposing client data.

How will you pay for training/professional development?

It's all down to you, if you want training you have to pay for it yourself. In time and money. There are a lot of free, or very cheap, courses out there and you can learn a lot from just reading articles. But it isn't billable work so you have to fit it in around your paying clients.

Signing up to This Week in Cybersecurity might help. It’s a weekly email with the latest news, research and new tools in the industry. So you won’t have to trawl the web to keep up to date.

Are you on top of the legal issues?

Your exact needs are dependent on your location and the jobs you are doing but these are the basics.

The contract

You need a good contract. There are lots of contracts floating around on the net which you could download and modify. This is the cheap option but not one that I would necessarily recommend. The contract is the thing that decides who is in the right if things go wrong. You should consider spending money on a good lawyer to make sure it's legally sound.

There are also other potential issues with contracts found on the net:

  • It could be out-of-date - Laws and regulations change
  • The contract may not be for your country/jurisdiction
  • The contract may have flaws or may be by someone who was not a lawyer

Do you have insurance?

Some insurance may be mandatory, some recommended and some personal preference. As with contracts, what you need depends on the kind of work you are doing and where you are doing it. The different types I'd definitely look at are:

  • Professional indemnity - Covers you if you make a mistake while on a job
  • Public liability - In case someone gets hurt as a result of you doing a job
  • Income protection - In case for some reason you are unable to work

When getting insurance, explain exactly what it is you will be doing to the insurance company. Insurers may not cover you if they aren’t clear on exactly what you’re doing. And 'cyber security' may put some off.

Do you have enough experience?

This is a competitive field. When you’re approaching potential clients, or pitching for freelance opportunities, your competition is going to be very experienced.

You're competing with other freelance pentesters who have been in the industry for years, and with consultancies that have decades of combined experience.

How do you make the move to freelance?

Convinced that freelance is the route you want to go down? How do you actually make it happen?

Check out ‘How to become a freelance pentester’ to find out.

About the Author

Robin Wood, is a freelance pen-tester, researcher and developer. Among his projects are Karma, KreiosC2 and Jasager. He is based in the UK. Find him on Twitter as @digininja or at www.digininja.org
