How to become a freelance pentester

It's often not an easy transition, but with the right preparation and knowledge it can be a great career move.

TL;DR

If you definitely want to move into freelance pentesting:

  1. Timing is everything. You need to be fully prepared, and ideally have a client or two lined up, before you make the move
  2. Make sure you’ve got your certifications
  3. Learn the ‘business side’. How are you going to manage your accounts? Paying taxes? Legal aspects?
  4. Got some experience under your belt? Great. Make sure you can get testimonials, case studies, or references from past projects.
  5. Decide whether you’re going to brand/market yourself, or take the more direct route of reaching out over LinkedIn/email.
  6. Then learn how to find clients using your chosen route
  7. Make sure you have a plan for staying up to date with the industry and your training

Are you sure you want to go freelance?

Looking to become a freelance pentester? Before taking the leap you need to be absolutely sure it's what you want. Check out 'Considering going freelance? Everything you need to know' to make sure you've considered everything.

Timing is everything - a freelance pentester checklist

The last thing I’d recommend is to give up stable employment to go freelance before you’re actually ready.

There are lots of decisions you need to make before concluding that you’re ready, but here’s a top-level checklist:

  • Do you have enough experience to compete? The money might sound good, but you’ll only land the gigs if you can show you’ll do a better job than the freelancers you’re competing against
  • Do you have clients lined up? Ideally, before going freelance you’ll have your first client or two ready to sign a contract. If not, you’ll at least have an idea of where your first client is going to come from.
  • Does your financial situation suit going freelance? Can you survive a couple of months on no/low income?
  • Do you have your certifications? Even ones that haven’t been relevant to your career so far might be the difference between landing a client or losing out.
  • Do you have the appropriate hardware?
  • Do you have the right software to do your job?

Making sure you’ve got the certifications

Companies that are looking for a freelance pentester need to make a decision about whether or not they want to work with you. There are a number of ways they’ll do this, but one of the simplest, and most common, is checking your certifications.

The OSCP is probably the bare minimum required to undertake pen testing as a viable independent contractor.

Here are a few you might want to consider:

I’m not suggesting you need all of these certificates, but it’s a good idea to get at least a couple of them if you want to compete for freelance pentesting jobs.

Brush up on your business skills

The exact steps here will vary depending on your location.

Firstly, you need to decide on the business structure for your venture: operating as a sole proprietorship, forming a limited liability company (LLC), or establishing a corporation. Each structure has its own implications for taxes, liability, and management, so it's crucial to research and choose the one that aligns best with your goals and circumstances.

Once you've chosen a business structure, it's time to register your business and obtain any necessary licenses or permits required in your jurisdiction. This may involve registering your business name with the appropriate government authorities and obtaining an employer identification number (EIN) from the IRS if you plan to hire employees or subcontractors. Ensuring compliance with local regulations and tax laws is essential for avoiding potential legal issues down the line.

Next, you'll need to set your rates and define your pricing strategy. Consider factors such as your level of experience, the complexity of the projects you'll be undertaking, and the prevailing market rates for freelance pentesting services. You may choose to charge clients on an hourly basis, per project, or using a retainer model, depending on your preferences and the expectations of your target clientele. Be sure to clearly communicate your rates and billing terms to clients upfront to avoid any misunderstandings later on.

Drafting contracts and service agreements is another critical aspect of setting up your freelance pentesting business. These documents should outline the scope of work, project deliverables, timelines, payment terms, and any other relevant terms and conditions. Having well-written contracts in place not only protects your interests but also helps establish trust and professionalism with your clients. Consider consulting with a legal professional to ensure your contracts are legally enforceable and provide adequate protection for both parties involved.

Finally, establish a system for invoicing and payment processing to streamline your financial transactions. Whether you choose to use accounting software, online payment platforms, or traditional invoicing methods, having a reliable system in place will help you manage your finances more efficiently and ensure timely payments from clients. By setting up your freelance pentesting business properly from the outset, you'll lay a solid foundation for long-term success and growth in the cybersecurity industry.

Get some testimonials and case studies

I’m assuming you’ve got some experience. I wouldn't recommend going freelance without it.

Testimonials and case studies are the most powerful and most important marketing content you will create. Later down the line you might want to start creating articles and thought pieces to share with your network, but the most valuable content you can start putting together now is case studies.

I appreciate that getting testimonials before you’ve signed a contract sounds like a difficult task. Ask your past/current employers if they’re okay with you using work you did for them as a case study, or if they’ll give you a testimonial. You may find that it’s easier to write the case study and ask forgiveness later.

You’ll want to keep adding to your case studies/testimonials as you work with more clients, but they’ll be invaluable in helping you sign your first one or two. So do what you can to get some before going freelance.

Choose a niche

You’ll have more success if you find a niche and become known in that space. Your career has probably led to you going niche anyway, but if you’ve remained more of a generalist, even if you’re highly skilled in a few types of security testing, niching down will help you grow.

Web/Mobile App Pentester

Developing coding skills is advantageous, although not obligatory. A working understanding of software stacks such as Java and PHP is essential. Mastery of foundational concepts is paramount. A thorough exploration of OWASP resources is recommended to establish a strong groundwork.

Network/Desktop Apps Pentester

Establish a comprehensive laboratory environment comprising various components. Implementation of stringent security measures is imperative. Delve into the Penetration Testing Execution Standard (PTES) guidelines to grasp potential attack methodologies and construct robust defenses.

Specialized Pentester

Select a specific technology and delve into its intricacies. Whether it's Node.JS or another specialized area, thorough expertise is key. Dedication and fervor are essential for achieving mastery.

Red Teamer

In addition to technical prowess, proficiency in social engineering and physical security is essential. Interpersonal skills play a significant role. Learning from the experiences of others through documented journeys is invaluable. Effective networking is crucial for accessing opportunities in the field.

Decide on your brand/marketing approach

There are two broad approaches you can take to start getting clients. As I’ve mentioned a few times, ideally you’ll already know where your first one or two clients are going to come from, and they’ll likely come through your network. But unless you’ve been in the industry for a long time and have a huge network, you’ll probably find that you exhaust your network quite quickly.

Approach 1 - Outreach

Even if your ultimate goal is to go down the ‘personal brand’ route, you’ll probably want to attempt some outreach first. It’s not easy, and if you’re reaching out to people outside of your network then the success rate will probably be low.

  1. Identify the type of company you want to work with and the type of employees within that company who would have the decision-making ability to offer you a freelance contract.
  2. Create a list of target companies, and find relevant employees on LinkedIn.
  3. Test different outreach messages. Unless you have a premium account, you’ll have to send a message along with a connection request, and you’re limited on how many connection requests you can send a day. You’ll want to try different approaches to your first message, but I’d suggest starting out with a question rather than an immediate sales pitch.

Approach 2 - building a personal brand

A more sustainable, longer-term strategy is to build a personal brand. You won't see immediate results, but if implemented correctly, it should see you pick up new clients more easily in the longer term:

  1. Build a website for your services, to house your testimonials and articles
  2. Post regularly to social media channels
  3. Engage in discussion on social media, Reddit, and forums
  4. Reach out to industry podcasts and ask to appear as a guest
  5. Look for speaking opportunities at industry conferences

Being pragmatic

In the early days you’ll want to get clients by any means possible. So don't neglect some more pragmatic routes:

  • Networking: Attend cybersecurity events, conferences, and meetups to connect with potential clients and industry professionals. Networking not only helps you build relationships but also allows you to showcase your expertise and credibility within the cybersecurity community.
  • Specialized Job Boards: Explore specialized job boards and forums dedicated to cybersecurity professionals, such as CyberSecJobs and InfoSecJobs. These platforms often feature pentesting job opportunities from reputable companies looking to hire freelance or contract professionals.
  • Using a middleman who will resell your services: I personally prefer using a middleman to doing the sales side myself. Actually I prefer to use a number of them, as I really don't like having to do sales work and so am happy to give them their cut to do the work I don't enjoy.
  • Freelancing platforms:
    • Freelance pentesters can find assignments ranging from vulnerability assessments to actual pentests on Upwork (but the fees are quite high).
    • On BugCrowd, organisations looking for security weaknesses in their products hire pentesters to find them in applications and domains. Pentesters will find such programmes incredibly rewarding, with only a few guidelines about what tools to use and the scope to follow.
    • HackerOne is a community of hackers seeking product flaws. The remuneration is established by the companies being evaluated.

Make sure you stay up to date with the industry

When you’re freelance, it's difficult to prioritize staying up to date with the industry. It’s not billable work, and there are no deadlines you have to stick to.

About the Author

Daniel Martin is the creator of the Dradis Framework and Dradis Professional. Follow him on Twitter @etdsoft