← All talks

How to Succeed as a Freelance Pentester

BSides Las Vegas · 2022 · 25:40 · 1.5K views · Published 2022-09 · Watch on YouTube ↗

Category: Career
Difficulty: Intro
Style: Talk

About this talk
Mike Lisi covers the practical foundations for launching a successful freelance penetration testing practice, including business formation, insurance, legal contracts, and client acquisition strategies. The talk addresses key decisions around specialization, pricing, and business operations, as well as multiple pathways to finding work through subcontracting, direct outreach, and professional networking.
Original YouTube description:
PG - How to Succeed as a Freelance Pentester - Michael Lisi. Proving Ground @ 10:30 - 10:55, BSidesLV 2022 - Lucky 13 - 08/10/2022

Transcript [en]:

All right, good morning everybody, and welcome to the Las Vegas BSides Proving Ground track. A few announcements before we get started. I'd like to take an opportunity first to thank our sponsors: first of all our diamond sponsors LastPass and Palo Alto, as well as our gold sponsors Intel, Invisium and BlueCat. Without their support, and the support of all the volunteers and sponsors and other donors, we wouldn't be able to have these amazing talks, come see all these amazing people, and get together like this and have this awesome conference. So a huge thank you to all those people.

A reminder right now: if you have a cell phone, please take it out from wherever it is and put it on silent. This is out of respect for the speaker, and also we will be recording this, so we don't want to get any of those cell phone sounds on the recording. In addition to recording, this will be live streamed. And a quick reminder on our photography policy: you should not be taking any photographs unless you have the consent of everybody in the room; that includes slides, unless the speaker specifically says that's okay. Questions: if you don't mind, hold your questions until the end. I will come around with the microphone so that you can speak into the microphone; that way we can get your question on the stream and on the recording. And lastly, we are requiring masks. If you need to take it off to have a sip of a drink or eat something real quick, that's fine, but otherwise please keep your masks on at all times. And so without further ado, I'd like to introduce Mike Lisi and his presentation on how to succeed as a freelance pen tester.

[Applause]

Good morning, how's everybody doing? Thanks for coming. It's a really good turnout; I'm pleasantly surprised. I'm here to talk today about freelance pen testing. A quick note about me: Mike Lisi, mikehacksthings on Twitter. I do penetration testing. I have a couple of certifications: OSCP, eWPT, CEH. I am the founder of Maltek Solutions, which is the company that I established for my freelance pen testing. I also work as the CTF design lead for the NCAE Cyber Games, which is a collegiate cybersecurity competition, and I am the co-organizer of a security meetup group called IthacaSec, in upstate New York.

So a quick note before we begin. I'm going to be covering a lot of different aspects of creating the business and talking about freelance pen testing, but it's important to know I'm not a lawyer. This isn't legal advice, this isn't financial advice. You're responsible to do your own due diligence and understand what works for you in your individual circumstances. So just take that into mind as we move forward.

So if you're interested in pursuing the freelance work, there are a few important questions that you need to answer, and these are to kind of make sure that you're ready to jump into freelancing. First off, why do you want to do it? Why do you want to become a freelance pen tester? Your answer is going to be unique to yourself. For me, I had the opportunity to work on the NCAE Cyber Games, but I was a full-time consultant at the same time, and there wasn't enough time for me to do the full-time job, the part-time job for the education, and then still have time for family, friends, hobbies, things like that. So freelancing was an opportunity for me to pursue all those things while making it under my terms. But for you, I mean, there are obvious benefits if you're interested in freelancing. Some of those benefits are, you know, you get to decide when you work, how much you work, who you're working for, what you're doing. Big benefits. But there are downsides to consider too. You're going to have to make sure that you can get through the times when there's not enough work available; how are you going to handle those situations? You may be working with clients that you don't necessarily like or get along with, but they provide a lot of work. Things like that; you have to be ready for those things. And you have to find the work. It's not going to be provided to you. Unlike with a regular job, where you have tasking that gets presented to you to do, that's not the case with freelancing. You've got to do a lot of work to get that work.

So if you've decided, okay, that's all fine, I still want to do it, let's talk about preparation. If you have experience as a pen tester, you probably have an idea of what your strengths are: what kind of tests you can do, what kind of work you can do. So identify those; make sure that you've established what you're able to offer. Are you an app tester? Do you work in cloud environments? Do you like breaking medical devices? This helps you establish your client base, who you're going to go after to get some of that work. For me, I mainly do web app pen testing and external pen testing; there's a lot of work available in those areas. So depending on where your expertise is, you have to identify how much work there is to pursue. Outside of the specific technical strengths, there are a lot of soft-skill-type things that you need to be aware of too. Are you able to talk to clients? Can you establish relationships? Can you define how to approach testing, how to get all the documentation in place? Do you know what your clients need? Can you identify those by having discussions with the client: what are their goals, what are their concerns? Are they worried about user data breaches? Are they worried about PII, health information, credit cards? All these are very specific to the customer, and you need to have an understanding of what those are when you approach them to get work.

On the non-technical side, are you ready? Are you financially prepared? How long can you go until the invoices start rolling in? You may not have work day one when you start on this path; you have to be prepared for that. Work isn't consistent. Especially in the pen testing world, there are going to be ebbs and flows, when there's a lot of work and when there's not a lot. How are you going to approach things like benefits, retirement, time off? All these things that are established and coordinated with a typical job, when you're freelancing, all fall back on you. There are legal aspects to consider too: a lot of contracts, a lot of legal documentation, agreements, things like that with the clients. You have to be ready to approach those situations and be able to handle them. Initially I didn't know what I needed to do in this regard. I went to my employer and I basically said, hey, I have this other opportunity, I kind of want to pursue it, I can't do both, can I be a contractor? And my manager at the time said, oh sure, what's your rate, what are your terms, how long are we establishing this relationship for, what are we doing? And I was completely blank. No idea, no idea what I had to do. But thankfully they were able to help me identify these things and get everything established, and I learned a lot in that process. So it's one of these things that you need to make sure that you can do when you're setting up these relationships.

So the last thing you've got to consider is how are you going to find the work, right? The work doesn't just come to you; you have to go after it. As a pen tester, there are times when there's not consistent work. This is kind of a graph of my workload throughout the year: Q1, Q4, tons of work available; Q2 kind of gets a little bare; I've got to make some changes in order to keep going; things start ramping up again. So you've got to take that into account with your budgeting: how are you going to get through that Q2 slump to make it successful? And the other thing to keep in mind is that when you're a freelancer, you're taking on all these other roles and responsibilities that are typically handled by other people in an organization. You have HR, you have legal, sales, marketing; in freelancing, that all becomes you. So outside the technical knowledge that you need to know, you need to start getting acquainted with these other concepts. But okay, you want to do this, none of that stuff scares you, that's fine, you're ready to learn all that, or you know it. Great. You're ready for the change.

So what do you do next? You've got to get set. I'm going to go over a few things here that are basically required, but they take time, they take effort, they take money. They're all required to get started. You've heard the saying there's no such thing as a free lunch; that's how it is in business. All these things cost money, but they're really necessary, and you'll understand why.

So first up, you want to create a company. Not a DBA; "doing business as" is just basically, hey, I can do this work. You want to have a legal entity, something like an LLC or an S corp. Why? CYA. You know what that is: cover your ass, right? Having a company protects you as an individual. It gives the company the legal responsibility for the work that you're doing. So if, during a penetration test, something catastrophic happens, you take down a whole data center, the client's pissed, they're going to sue you. If you don't have a legal company in place, then you are personally liable for that stuff. So if you have a house, if you have other assets, all those are on the line. You don't want to take that risk if you want to go into the freelance world. So creating a company kind of helps protect you in that regard. A company does some other things too. It legitimizes what you're doing, right? If you're just saying, hey, I'm a pen tester, okay, that's great. But now you say, hey, I'm a pen tester, I have a company set up, all this other stuff. The companies, the clients that you go after, they're going to be like, okay, yeah, I get it, you've gone through the legwork of establishing a company and everything, so I'm more willing to work with you on that. Doing so really kind of varies by where you establish the company, right? Different states have different requirements. There's paperwork involved, there are renewal fees. The research that I've done ranges between like 120 bucks and a thousand dollars to establish the company and maintain it year to year. So depending on where you're looking to establish it, there's going to be a cost associated with it.

Next, you want to get business insurance. Some companies won't even work with you if you're not insured, right? They want to make sure that they're covered too. If your company isn't worth anything and you screw up and they sue you, having insurance means that they have some comfort in knowing that if something goes wrong, they'll be compensated in some way. So it's on you to make sure that you have the insurance established. The other thing it does is it has extra protections in place where contracts don't cover, right? So you're going to have legal contracts that absolve you of different things and dictate the terms, but in areas where there isn't coverage on that, insurance really helps. So it's basically layered protection, right? We talk about defense in depth in infosec; this is like protection in depth. So you have the company, that's one way of covering yourself; business insurance is another way. The types of policies to look into: you're looking at commercial general liability. It's protecting you against bodily injury, property damage, libel, advertising mistakes, things like that. Policies on that, you're looking into like one to two million dollars' worth of coverage. It's relatively cheap though; it's about 350 bucks a year. The next one, probably one of the most important ones, is errors and omissions. Again, you're looking at one to two million dollars' worth of coverage, maybe more depending on the clients, about seven hundred fifty dollars a year. But what that one does is, if a client claims that you were negligent in some way or your work was inadequate, then this kind of insurance policy helps cover that. So in a pen testing world, you missed a zero-day, something got released after you did a test, the client got breached, now they come after you because you didn't find it, right? The insurance policy helps cover in those situations. Finally, you have professional liability; again, a million dollars, two million dollars. That covers against misrepresentations, inaccurate advice, things like that. There are a lot of things that are covered on the insurance side. So one way to approach this is looking into insurance agents, right? I use Hiscox; that's a really big player in that. They know the type of insurance that is ideal for these types of things. Other agencies may be beneficial to look into too.

You need a lawyer. Specifically, you want a lawyer that understands business and contract law, somebody that understands penetration testing and all the legal aspects and requirements associated with that. You want a lawyer that works for you, right? They're going to watch out for your best interests. So why? CYA, right? There's kind of a theme going here. They're going to be able to review all the legal documents that you're getting established when you're setting up a relationship with a business. Everything's done over these legal contracts: MSAs, scopes of work, NDAs, all these things, all this legal verbiage in there. Your lawyer will review that and make sure that you're being represented correctly and in your best interests, and it helps to make sure that both sides are in agreement as to how to move forward. So I've had agreements in place that were provided to me from clients, and they had provisions like, hey, any tools, any scripts, anything that you create while you're doing any work for us belongs to us; we get a royalty-free license forever. And I was like, no. You can have ownership over the reports, anything like that, that makes sense, but anything that I create is mine. So my lawyer caught that in the contract review. They amended it; the company was totally fine with it too. They said, yeah, that's not really what we were going for, but their lawyer put it in. So having a lawyer on your side is really beneficial. But the cost of the lawyer can vary. I mentioned before creating the company; there are lawyers that will set that up for you. I had my lawyer create my company and everything for me; they handled all the paperwork, all the documentation for it. So there are fees associated with that, maybe a few thousand dollars, and then you have an ongoing retainer with your lawyer. Basically you give them a pot of money, and any time you need their services they draw from that pool to work for you, and then, whatever the agreement that you have with them, you refresh that as needed. So a lawyer's a big help. It saves you a lot of time and a lot of money on understanding all the legal implications that you're agreeing to when you're looking to do freelance testing.

You also want an accountant. Not a tax guy, not somebody that'll just file your taxes for you; somebody that really understands all the tax laws, because they're insanely complicated, right? So when you're working for a company and you're a full-time employee, there are things like payroll taxes, right? You pay half of them as the employee; the employer pays half. When you go into freelancing, you're responsible for that total amount. So there are extra taxes that you end up having to account for; a CPA really helps you with that. You're going to have payments that you have to make, right? You're getting paid directly from the client; there are no withholdings. So every quarter you're going to have to make payments based on the income, and your CPA will help you define what that needs to be. There are benefits to take advantage of too. When you're self-employed there are a lot of write-offs, things like the equipment that you use, the software you use, if you have cloud hosting, mileage for meeting with clients. All those things can be taken into consideration, and the CPA helps you identify those things and make sure they're accounted for, so that you know what you can claim and what you can't claim, making sure you're playing by the rules, because at the end of the day the government wants their cut; they don't care. Having somebody that actually understands it is the best way to go, and they're relatively cheap. Mine is about 500 a year for all the services they provide, for my personal taxes, my business taxes, my wife's taxes. It's really not a huge expense, and it's a huge burden to be absolved of.

So, summarizing that, there are a couple of things here: we have the business creation, a hundred to a thousand bucks; the legal side, one to five thousand dollars; accounting, insurance. All your startup fees for the freelancing could be in the area of five to ten thousand, depending on your unique situation.

Okay, so we talked about why you want to do it, and got some things established on how to get ready for it. The last thing before you take the leap is work, right? How do you get the work, where do you get the customers? As a pen tester, one of the best ways to go about it is subcontracting. A lot of consultancies have ebbs and flows in the work that they have available or that they need to get done. Similarly, according to the chart I showed before, the Q4 craziness in work, a lot of companies face that. So they typically don't always have enough work to hire a full-time person, so they'll subcontract it out. Basically, the nice part about this is you don't have to go find clients to do the work; the companies already have it ready, they just need somebody to do it, so that's where you can come in. You still basically have to interview with these companies. They want to make sure that you're a good fit, that you're technically capable, that you're able to do the job, that you can follow their guidelines and their procedures as they relate to things like reporting, client communications, things like that. But there are also some additional things to take into consideration when you're looking into subcontracting. You want to talk about rates, you want to talk about terms, scope, statement of work, reporting and communication, your availability, right? Because it's on your terms now as far as when you're going to be available, but you need to communicate these with anybody that you're looking to subcontract with, because they want to know, are you going to be there when I actually need you for the work? So you need to discuss all those things. It's definitely a great way to get started; it relieves some of the pressure of finding the work. It's not quite as profitable as some of the other methods of getting work, but if you're looking to get into it, this is definitely a great approach.

But I mentioned rates here, so that's one thing I really wanted to take a moment to discuss. When you're freelancing, you have to understand that you're not working 100% of the time all year, so you need to figure out what your rate's going to be according to all those specific factors. So, calculating your rate: one way to approach it is to take a target salary for a position like a pen tester. You divide it by 48, and divide it again by 40 to get kind of like an hourly rate, and that hourly rate you want to double. So, for example, let's say the target is $150,000 a year. Weekly it's what, $3,100; that gets you an hourly rate of $75. So a good rate to go about as a pen tester is starting at $150 an hour. That helps you cover the times when you're not working and takes into account all the administrative work that is part of getting the work established, things like having the discussions with clients, setting up work, discussing everything. All those things you want to calculate in. So having a rate that makes sense is going to help you be successful. But not all companies that are willing to subcontract are going to meet your rate. They're not going to be agreeable to it just because they don't have the budget for that. So you have to make a decision there: do you accept a lower rate if they're giving you more consistent work? Does that make sense, or is it just not going to be a good relationship? Things to take into consideration if you're going the subcontract route.

Direct work is the other method to pursue. It's harder to get, because you're essentially reaching out to those end clients that need to have the work done. There's a lot of overhead, a lot of administrative work, because this is where you become the salesperson, right? You're trying to sell your services, what you're able to do and how it's going to help them. You need to understand and discuss their needs, where you can help, and then you also have to handle all that documentation that I mentioned before. They may want a proposal, they may want a scope of work, they want pricing. You want to take all that stuff, and you're going to need to know how to do that for the direct work. But on the plus side, it's more profitable. You're going to make more money on that, just because there's no middleman between you and the end client, right? There's no company taking a cut for themselves.

So the other way to go about it is networking. This has been one of the best ways that I've found work: Twitter, LinkedIn, the r/netsec subreddit. When you see a lot of job postings and there are companies that are looking to hire pen testers, that typically means that they have a lot more work to do than they can handle. So one tip there is to reach out to some of those companies and ask them if they're open to subcontracting. It's kind of a win-win: they can execute on the work, you get some money, and they don't have an employee on their payroll. But this is where a lot of marketing comes into play. How do you approach some of this stuff? Some of the important things to consider when you have your company: having a website, having business cards, having attire. Take into consideration how you're presenting yourself in person and online, because clients that you're looking to work with are going to use all that to make a decision on whether they want to work with you. So these are important things to think about. Here at BSides Las Vegas yesterday, just sitting around talking with a few folks, talking about what I do, they said, hey, we have a need for that, let's exchange numbers, let's talk about maybe how you can help me. So conference networking is a huge, huge way to get some work. But the main thing here is just your reflection on the company that you create: who you are, what you're doing, and all that stuff is much more magnified when you're a freelancer, right? You don't have a company to hide behind, or the reputation of a company. Other things that you want to do: when you do work with any clients, try and get some testimonials, get some feedback, so that you can use that to sell yourself to other companies that are looking for work. Be like, hey, if you're looking to do this, I've worked with somebody else, here are some references, they're happy to talk about it. This kind of helps establish that you're the right person to do the work with.

So I'm running out of time here. I really wanted to thank everybody for coming. I hope you found some of this useful. I wanted to thank Mouse and Grant from the Proving Ground; they helped me a lot with this presentation. Anybody that's looking to do a presentation, I would really recommend going through the Proving Ground; it's a great experience. I'll be around today the rest of the day; I'll be at DEF CON too, so feel free to reach out, say hi. I'm on Twitter, I'm on LinkedIn. If you want to talk about any of these things, happy to help, happy to put you in contact with any resources that I can. But thank you for stopping by.

[Applause]

We've got time for like a question or two, if anybody has one.

First of all, thank you very much for the presentation. Can everyone hear me? So the question I had for you is, in your opinion or in your experience, how much of the workload is subcontracting, and how much of it are companies now starting to bring this discipline in-house?

So from a company perspective, that's going to vary depending on the company. I know some that are very heavy on the subcontract side, right? They prefer to subcontract out a majority of their work. Others are very much just as-needed. Me personally, I would say about 75% of my work is subcontract and 25% of my work is more direct. I'm hoping to invert that a little bit, but I went with the approach of the subcontract work to get more business going and to make sure that I could be successful and kind of make sure that I gave it a good shot. Any other questions? Yeah, just feel free to reach me in the hall or whatever. If there are online questions, there's probably a way for me to check those out too, I don't know.

I don't know about online questions, but yeah, he'll be out in the hall. That's it, we ran out of time for questions, so another big round of applause for Mike.