
All right, good morning everybody, and welcome to the Las Vegas B-Sides Proving Ground track. A few announcements before we get started. I'd like to take an opportunity first to thank our sponsors: first of all our diamond sponsors, LastPass and Palo Alto, as well as our gold sponsors, Intel, Invisium and BlueCat. Without their support, and the support of all the volunteers and sponsors and other donors, we wouldn't be able to have these amazing talks, come see all these amazing people, and get together like this and have this awesome conference. So a huge thank you to all those people.

A reminder right now: if you have a cell phone, please take it out from wherever it is and put it on silent. This is out of respect for the speaker, and also we will be recording this, so we don't want to get any of those cell phone sounds on the recording. In addition to recording, this will be live streamed. And a quick reminder of our photography policy: you should not be taking any photographs unless you have the consent of everybody in the room. That includes slides, unless the speaker specifically says that that's okay. Questions: if you don't mind, hold your questions until the end. I will come around with the microphone so that you can speak into the microphone; that way we can get your question on the stream and on the recording. And then lastly, we are requiring masks. If you need to take it off to have a sip of a drink or eat something real quick, that's fine, but otherwise please keep your masks on at all times. And so without further ado, I'd like to introduce Mike Lacy and his presentation on how to succeed as a freelance pen tester.

[Applause]

Good morning, how's everybody doing? Thanks for coming. It's a really good turnout; I'm pleasantly surprised. I'm here to talk today about freelance pen testing. A quick note about me: Mike Lacy, Mike Hacks Things on Twitter. I do penetration testing. I have a couple of certifications: OSCP, GWAPT, CEH. I am the founder of Meltech Solutions, which is the company that I established for my freelance pen testing. I also work as the CTF design lead for the NCAE Cyber Games, which is a collegiate cyber security competition, and I am the co-organizer of a security meetup group called IthacaSec, in upstate New York.

So a quick note before we begin. I'm going to be covering a lot of different aspects of creating the business and talking about freelance pen testing, but it's important to know I'm not a lawyer. This isn't legal advice, this isn't financial advice. You're responsible to do your own due diligence and understand what works for you in your individual circumstances. So just take that into mind as we move forward.

So if you're interested in pursuing freelance work, there's a few important questions that you need to answer, and these are to kind of make sure that you're ready to jump into freelancing. So first off: why do you want to do it? Why do you want to become a freelance pen tester? Your answer is going to be unique to yourself. For me, I had the opportunity to work on the NCAE Cyber Games, but I was a full-time consultant at the same time, and there wasn't enough time for me to do the full-time job, the part-time job for the education, and then still have time for family, friends, hobbies, things like that. So freelancing was an opportunity for me to pursue all those things while making it under my terms. But for you, I mean, there's obvious benefits if you're interested in freelancing. Some of those benefits are, you know, you get to decide when you work, how much you work, who you're working for, what you're doing. Big benefits. But there's downsides to consider too. You're going to have to make sure that you can get through the times when there's not enough work available; how are you going to handle those situations? You may be working with clients that you don't necessarily like or get along with, but they provide a lot of work. Things like that. You have to be ready for those things, and you have to find the work. It's not going to be provided to you. Unlike with a regular job, where you have tasking that gets presented to you to have you do, that's not the case with freelancing. You've got to do a lot of work to get that work.

So if you've decided, okay, that's all fine, I still want to do it, let's talk about preparation. If you have experience as a pen tester, you probably have an idea of what your strengths are: what kind of tests you can do, what kind of work you can do. So identify those; make sure that you've established what you're able to offer. Are you an app tester? Do you work in cloud environments? Do you like breaking medical devices? This helps you establish your client base, who you're going to go after to get some of that work. For me, I mainly do web app pen testing and I do external pen testing; there's a lot of work available in those areas. So depending on where your expertise is, you have to identify how much work there is to pursue.

Outside of the specific technical strengths, there's a lot of soft-skill type things that you need to be aware of too. Are you able to talk to clients? Can you establish relationships? Can you define how to approach testing, how to get all the documentation in place? Do you know what your clients need? Can you identify those by having discussions with the client? What are their goals, what are their concerns? Are they worried about user data breaches? Are they worried about PII, health information, credit cards? All these are very specific to the customer, and you need to have an understanding of what those are when you approach them to get work.

On the non-technical side: are you ready? Are you financially prepared? How long can you go until the invoices start rolling in? You may not have work day one when you start on this path; you have to be prepared for that. Work isn't consistent. Especially in the pen testing world, there's going to be ebbs and flows, when there's a lot of work and when there's not a lot. How are you going to approach things like benefits, retirement, time off? All these things that are established and coordinated with a typical job, when you're freelancing, it's all kind of falling back on you.

There's legal aspects to consider too: a lot of contracts, a lot of legal documentation, agreements, things like that with the clients. You have to be ready to approach those situations and be able to handle them. Initially I didn't know what I needed to do in this regard. I went to my employer and I basically said, hey, I have this other opportunity, I kind of want to pursue it, I can't do both, can I be a contractor? And my manager at the time said, oh sure, what's your rate, what are your terms, how long are we establishing this relationship for, what are we doing? And I was completely blank. No idea. No idea what I had to do. But thankfully they were able to help me identify these things and get everything established; I learned a lot in that process. So it's one of these things that you need to make sure that you can do when you're setting up these relationships.

So the last thing you've got to consider is how are you going to find the work, right? The work doesn't just come to you; you have to go after it. As a pen tester there's times when there's not consistent work. This is kind of a graph of my workload throughout the year: Q1, Q4, tons of work available; Q2 kind of gets a little bare, and I've got to make some changes in order to keep going; then things start ramping up again. So you've got to take that into account with your budgeting: how are you going to get through that Q2 slump to make it successful? And the other thing to keep in mind is that when you're a freelancer, you're taking on all these other roles and responsibilities that are typically handled by other people in an organization. You have HR, you have legal, sales, marketing; in freelancing, that all becomes you. So outside of the technical knowledge that you need to know, you need to start getting acquainted with these other concepts.

But okay, you want to do this, none of that stuff scares you, that's fine, you're ready to learn all that, or you know it. Great, you're ready for the change. So what do you do next? You've got to get set. I'm going to go over a few things here that are basically required. They take time, they take effort, they take money, but they're all required to get started. You've heard the saying there's no such thing as a free lunch; that's how it is in business. All these things cost money, but they're really necessary, and you'll understand why.

So first up, you want to create a company. Not a DBA, "doing business as"; that's just basically, hey, I can do this work. You want to have a legal entity, something like an LLC or an S corp. Why? CYA. You know what that is: cover your ass, right? Having a company protects you as an individual. It gives the company the legal responsibility for the work that you're doing. So if during a penetration test something catastrophic happens, you take down a whole data center, the client's pissed, they're going to sue you. If you don't have a legal company in place, then you are personally liable for that stuff. So if you have a house, if you have other assets, all those are on the line. You don't want to take that risk if you want to go into the freelance world. So creating a company kind of helps protect you in that regard. A company does some other things too. It legitimizes what you're doing, right? If you're just saying, hey, I'm a pen tester, okay, that's great. But now you say, hey, I'm a pen tester, I have a company set up, all this other stuff; the companies, the clients that you go after, they're going to be like, okay, yeah, I get it, you've gone through the legwork of establishing a company and everything, so I'm more willing to work with you on that. Doing so really kind of varies by where you establish the company. Different states have different requirements. There's paperwork involved, there's renewal fees. The research that I've done has ranged between like 120 bucks and a thousand dollars to establish the company and maintain it year to year. So depending on where you're looking to establish it, there's going to be a cost associated with it.

Next, you want to get business insurance. Some companies won't even work with you if you're not insured, right? They want to make sure that they're covered too. If your company isn't worth anything and you screw up and they sue you, having insurance means that they have some comfort in knowing that if something goes wrong, they'll be compensated in some way. So it's on you to make sure that you have the insurance established. The other thing that it does is it has extra protections in place where contracts don't cover, right? So you're going to have legal contracts that absolve you of different things and dictate the terms, but in areas where there isn't coverage on that, insurance really helps. So it's basically layered protection, right? We talk about defense in depth in infosec; this is like protection in depth. You have the company, that's one way of covering yourself; business insurance is another way.

The types of policies to look into: you're looking at commercial general liability. It's protecting you against bodily injury, property damage, libel, advertising mistakes, things like that. Policies on that, you're looking into like one to two million dollars' worth of coverage. It's relatively cheap, though; it's about 350 bucks a year. The next one, probably one of the most important ones, is errors and omissions. Again, you're looking at one to two million dollars' worth of coverage, maybe more depending on the clients, about seven hundred fifty dollars a year. But what that one does is, if a client claims that you were negligent in some way or your work was inadequate, then this insurance policy helps cover that. So in a pen testing world, you missed a zero-day, something got released after you did a test, the client got breached, now they come after you because you didn't find it, right? The insurance policy helps cover in those situations. Finally, you have professional liability; again, a million dollars, two million dollars. That covers against misrepresentations, inaccurate advice, things like that. There's a lot of things that are covered on the insurance side. So one way to approach this is looking into insurance agents, right? I use Hiscox; that's a really big player in that. They know the type of insurance that is ideal for these types of things. Other agencies may be beneficial to look into too.

You need a lawyer. Specifically, you want a lawyer that understands business and contract law, somebody that understands penetration testing and all the legal aspects and requirements associated with that. You want a lawyer that works for you, right? They're going to watch out for your best interests. So why? We're CYA, right? There's kind of a theme going here. They're going to be able to review all the legal documents that you're getting established when you're setting up a relationship with a business. Everything's done over these legal contracts: MSAs, scopes of work, NDAs, all these things, all this legal verbiage in there. Your lawyer will review that to make sure that you're being represented correctly and in your best interests, and it helps to make sure that both sides are in agreement as to how to move forward. So I've had agreements in place that were provided to me from clients, and they had provisions of things like, hey, any tools, any scripts, anything that you create while you're doing any work for us belongs to us, we get a royalty-free license forever. And I was like, no. You can have ownership over the reports, anything like that, that makes sense, but anything that I create is mine. So my lawyer caught that in the contract review, they amended it, and the company was totally fine with it too. They said, yeah, that's not really what we were going for, but their lawyer put it in. So having a lawyer on your side is really beneficial. But the cost on the lawyer can vary. I mentioned before, creating the company: there's lawyers that will set that up for you. I had my lawyer create my company and everything for me; they handled all the paperwork, all the documentation for it. So there's fees associated with that, maybe a few thousand dollars, and then you have an ongoing retainer with your lawyer. Basically you give them a pot of money, and any time you need their services, they draw from that pool to work for you, and then, whatever the agreement that you have with them, you refresh that as needed. So a lawyer's a big help. It saves you a lot of time, a lot of money, on understanding all the legal implications that you're agreeing to when you're looking to do freelance testing.

You also want an accountant. Not a tax guy, not somebody that'll just file your taxes for you; somebody that really understands all the tax laws, because they're insanely complicated, right? So when you're working for a company and you're a full-time employee, there's things like payroll taxes, right? You pay half of them as the employee, the employer pays half. When you go into freelancing, you're responsible for that total amount. So there's extra taxes that you end up having to account for. A CPA really helps you with that. You're going to have payments that you have to make, right? You're getting paid directly from the client; there's no withholdings. So every quarter you're going to have to make payments based on the income, and your CPA will help you define what that needs to be. There's benefits to take advantage of too. When you're self-employed there's a lot of write-offs: things like the equipment that you use, the software you use, if you have cloud hosting, mileage for meeting with clients. All those things can be taken into consideration, and the CPA helps you identify those things and make sure they're accounted for, so that you know what you can claim, what you can't claim, making sure you're playing by the rules. Because at the end of the day the government wants their cut; they don't care. Having somebody that actually understands it is the best way to go. And they're relatively cheap. Mine is about 500 a year for all the services they provide: my personal taxes, my business taxes, my wife's taxes. It's really not a huge expense, and it's a huge burden to be absolved of.

So, summarizing that, there's a couple of things here. We have the business creation, a hundred to a thousand bucks; the legal side, one to five thousand dollars; accounting; insurance. It's all your startup fees, essentially, for the freelancing. It could be in the area of five to ten thousand, depending on your unique situation.

Okay, so we talked about why you want to do it, and got some things established on how to get ready for it. The last thing before you take the leap is work, right? How do you get the work? Where do you get the customers? As a pen tester, one of the best ways to go about it is subcontracting. A lot of consultancies have ebbs and flows in the work that they have available or that they need to get done; similarly, according to the chart that I showed before, that Q4 craziness in work, a lot of companies face that. So they typically don't always have enough work to hire a full-time person, so they'll subcontract it out. Basically, the nice part about this is you don't have to go find clients to do the work; the companies already have it ready, they just need somebody to do it. So that's where you can come in. You still basically have to interview with these companies. They want to make sure that you're a good fit, that you're technically capable, that you're able to do the job, that you can follow their guidelines and their procedures as they relate to things like reporting, client communications, things like that. But there's also some additional things to take into consideration when you're looking into subcontracting. You want to talk about rates, you want to talk about terms, scope, statement of work, reporting and communication, your availability, right? Because it's on your terms now as far as when you're going to be available, but you need to communicate these with anybody that you're looking to subcontract with, because they want to know: are you able to, are you going to be there when I actually need you for the work? So you need to discuss all those things. It's definitely a great way to get started; it relieves some of the pressure of finding the work. It's not quite as profitable as some of the other methods of getting work, but if you're looking to get into it, this is definitely a great approach.

But I mentioned rates here, so that's one thing I really wanted to take a moment to discuss. When you're freelancing, you have to understand that you're not working 100% of the time all year, so you need to figure out what your rate's going to be according to all those specific factors. So, calculating your rate: one way to approach it is take a target salary for a position like a pen tester, you divide it by 48, and divide it again by 40, to get kind of like an hourly rate, and that hourly rate you want to double. So, let's say for example the target is $150,000 a year. Weekly, it's, what, $3,100; that gets you an hourly rate of $75. So a good rate to go about, as a pen tester, is starting at $150 an hour. That helps you
cover the times when you'r