How To Build Your Own Infosec Company

BSides Lisbon · 2018 · 1:01:58 · 2.8K views · Published 2018-12
Speaker: Mario Heiderich
Category: Career · Difficulty: Intro · Style: Keynote
About this talk
Mario Heiderich shares his experience building and running a boutique information security company, covering the practical realities of starting a security firm, growing from freelancer to managing a small team, and maintaining mental health and sanity under the pressures of running a business. The talk offers honest, experienced advice on avoiding common pitfalls, scaling workload responsibly, and staying sane in the process.
Original YouTube description
Hate your job, hate your boss, hate your coworkers even more, cannot stand getting up every morning at seven, just to commute right into an office full of nightmares? Worry no more, rescue is near. This keynote will give you an overview on how to best get started with first building and the running your own security company. Without going insane or even bankrupt in the process. The speaker, whose handsomeness is obviously growing proportionally with his age, will share his own experiences in this realm, tell you about the pitfalls and death traps that accompany this process, and get you ready for the magic moment - you looking at your own small security company. This talk will be quite honest, so don't expect the usual start-up convention garbage presentation for "serial entrepreneurs" and similar folks.
Transcript [en]

So, welcome to my talk, which is called How to Build Your Own Infosec Company, and that's pretty much what we're going to talk about. But we're going to talk about building a very specific kind of information security company, because we have enough of the other ones, I believe. We're going to talk about the boutique and not the behemoth; I'm gonna elaborate on what that actually means. Quickly, before that, I would like to introduce myself. My name is Mario, and it's the first time that I will talk like this, because usually I do technical talks, and then I did a couple of talks to just piss people off, which worked really well, and this is my first

actually constructive talk. So bear with me if not everything is perfect, and if everything's weird or you can't follow, just wave or make yourself known or something like that. I was a researcher once; I don't do research anymore. I was, or am still, employed at the university in Bochum. I wrote a PhD thesis about cross-site scripting, yes, that's possible. And what I'm mostly doing right now is I run a company. The company's in Berlin, we do penetration tests and source code audits and other stuff, and it's called Cure53. We're a small company, like 18 people, and pretty much every single person we have on board is a technical person. We don't have any managers or

marketing people or anything else like that, because I don't believe you actually need them, and I want to talk about why you don't need them and why this actually makes a difference. I've been giving a couple of talks at other conferences, as mentioned, mostly technical talks or talks for this other purpose. I maintain a couple of open source projects; one of them you might actually know, maybe you use it: it's DOMPurify, which is a client-side sanitizer and pretty much prevents cross-site scripting in all sorts of situations where otherwise you can't. And I also have an email address, so if you have any feedback for me after this talk, then you can write me an email. I don't

use Twitter anymore, because it's kind of not really making any sense anymore, so email is right now the only way of actually reaching out, but you should be able to do that. So this talk is basically advice that I founded on something that is pretty much anecdotal. This is the stuff that I learned over the past 11 to 12 years while I was building my own company, and it works for me, so your mileage after this might vary. The things that I tell you might not work for you; I might not care about this after all, but I'm just gonna tell you what did work for me, and maybe this is helpful for you as well, if you have

that very goal that we're going to be talking about. Let's first of all find out who is actually here. Who here is a penetration tester? Almost everybody. Who's a developer? Excellent. Who, say, is a CISO, a managerial position? Excellent. Are there any bug bounty hunters? Not that many; other conferences, other countries, they have more. Anyway, who here is employed? Uh-huh. Who likes being employed? Interesting. Excellent. Who has their own thing running? Excellent, good. Not that many people; maybe it's more next year. So before we dive directly into the topic, I would like to show you at first how this whole thing is structured. The first act of four is the onboarding. I

want to tell you about how to actually get into this particular position, why we're here when we talk about this, why I believe that this is an important topic, and then we move right into the second act, into building your own security company, getting to the point of having one. Then we talk about the third act, where you run the security company, because getting one is easy but running it is a bit harder. And the final act is the most important one, because when you have all that figured out, it's about how to stay sane, how to not go crazy, because that's actually not that easy. Let's talk about the onboarding, and let's talk about why we're here, what the motivation

is, and why I actually came here to present this talk, which is, as mentioned, only for this conference so far, and let's see how it goes. My reasoning for this was: because why not? Because I had the problem at some point, a couple of years ago, pretty much 11, 12 years ago, that I was not fulfilled with being an employee. I hated it. I was first a developer at a company in Cologne and I was writing websites that nobody really used, and there was this other dude coming in and I hated him, and then I quit my job and went into a different company and I hated it there as well, and then I decided that

somehow this is not for me. I don't like employment. I don't like to report up to others, I don't like being forced to work with others I wouldn't have liked, or decision-making capabilities; I want to have more freedom in what I do. And the only choice was to go freelance, to go build my own company, and I was scared back then. I had no idea about anything, I was practically fresh, and I still did it, because why not? Then I entered the startup scene and I failed miserably, and the startup that we built was a catastrophe. Then we sold it and it became the capital for old people, which

is also interesting. And then slowly, slowly, slowly, the first building blocks of putting something together that was my own appeared. And over the course of the years, I often talked to a couple of other people and said, okay, what are you doing with your job? Yeah, I'm working with this company, we do pen tests and stuff like this. Some people were happy, some people were fulfilled with the employment, but other people were like, I hate my job, that's ridiculous, we don't get to do the research we want to do, I don't get as much money, my superiors are annoying me, the reporting chain, I don't like it. So it's like, why don't you just quit and do something on

your own? Yeah, because it's hard. So, it's not that hard; maybe it's not that hard. And I was thinking, why would you complain all year about how shitty your job is, when you can actually construct your own thing? And then I was looking out for templates and for instructions, and everything you would find is pretty much pointing you into building the classic template company that everybody else has already. But I wanted to build something else, and I did, and that's why I feel entitled to give this talk. And I want to tell you how I actually did it, and I want to show you that you can do this as well, if you ever

arrive at the point of not finding your employment fulfilling anymore. Don't worry, you can do your own thing; it's actually not that hard. Let's take a look at an example company. I just randomly picked this company. Let's see, this is a huge company that everybody loves. They have 35 offices across the world, and there's a group, meanwhile, they cater to 15,000 clients. It's a ridiculous amount, 15,000. It's a massive corporation. It's not an infosec shack with a couple of cool people sitting in the cellar and hacking, no, it's a massive company compound, world-spanning, 15,000 clients, holy [ __ ]. So this is probably not the type of company

I'm gonna be talking about, as you can imagine. I'm not really sure if they even do pen testing anymore; I think they just buy stuff left and right. No criticism, if that's fulfilling for you that's fine, no judging here. And 2006 de Boer recalled whole information management SQL division source Harbor security site constant is s correct it's like next generation secure software Isaac partners are they were quite good sdlc married UNIX own an escrow matters honor there was a quickie interpreters for concern. Like, they just buy stuff, so they're not really an infosec company anymore. Look, at some point infosec falls out, but what they really do is global business. Fair enough,

it's not the kind of company we're going to talk about. Here's what people believe the typical infosec company actually looks like: cool kids just doing stuff with their spray-painted keyboards, which just makes no sense, and just hacking away, and eventually a pen test report falls out and everybody's happy afterwards. Here's what a classic infosec company really looks like: a very diverse boardroom, because this guy's hair is a little bit different from this guy's hair, and he also has hair. So this is the reality, and the other thing is the perception, the idea of what we actually want, but I think this is the actual case here. And why not, if you want to do this; no more judging. So

what I want to talk about is not this kind of company, the kind of template company that is optimized for growth or for an exit or for selling or something like this, or for world-spanning operations. I'm going to talk about the boutique, because I think we need more information security boutiques. And they're like, well, it's like a boutique: a small company that has 5 to 20 people max. It's team-focused, where everybody knows everyone and everybody knows exactly why they are there, because of their skills and a good fit, and not being data-driven about numbers and making revenue and increasing the margin and all this stuff. I'm talking about small companies, like, just a couple of examples: Recurity Labs

in Berlin, for example, they're amazing, or enable Security in Berlin, or X41 D-Sec. These are a couple of companies we work together with, and they're similarly small and they do similarly well, and there's a couple of other ones out there. Maybe you have your own one that is exactly like this: five to 20 people, highly technical, delivering good work. And it's attainable, because this is easy to build, and you can do this as well if you just want to. Again, the question: why are we here, why are we delivering this talk? Is it just about judging larger companies or something like this? No. A little bit, maybe, because not everything is always great with large corporations, and I hear

this from clients, clients who come to us and basically say, well, we were with this other company before, it was so complicated and so expensive, the processes were taking so long, and the bang for the buck you get was so shitty, so we wanted to try a smaller company. And then they are happy, because they receive a report that contains actual information. And sometimes I have the feeling the problem with the bigger ones is it's not better, it's just bigger, but it's long, admin-heavy processes, tons of paperwork, lots of people involved who don't even know the field. I had a sales call with a dude who wanted to sell me a scanner, and I told him

about a fake website that we were running. It says, your website is running PHP, and he was like, ah, of course, PHP, that is our specialty. It's like, what? This is ridiculous. Hung up the phone. Very expensive contracts: we had situations where our client was telling us that the other company was 20 times as expensive for the same service. The guy, of course, I mean, they need to finance the huge building and the flags in front of the building and the secretary and the marketing people, the cars and all that, and their indestructible trucks and whatnot, all these things. So in a way you get to the point, when exclusively working with large companies,

that you create a situation where you have security for the big and security for the rich, and the large corporation doesn't give a [ __ ] if it gives a million dollars to another large corporation, because they have those millions anyway, it's just pocket money. Whereas for a small company or a group of activists or an open-source project, they just can't; they can't reach out to these huge behemoths and get decent services, because all they get is, well, not enough bang for the buck, I feel. As mentioned, this is anecdotal data I'm working with, so I don't have real data, it's just what I learned over the past years. You don't even know who's gonna be on the test for you. I

could, if you don't know who's gonna pen test your application, if that person's actually skilled; it's completely unclear who is gonna run the test against you in many situations. And what falls out is very generic reports with lots of useless text and cake charts and pie charts and all these things that really help. And sometimes I have the feeling that the larger corporations value financial growth over everything else, and as mentioned, you oftentimes might not get enough bang for the buck, and that sucks. I'm not saying that all this is better per default in a small company, in a boutique, but it can be better if you just want to, and if you're running your

own boutique, you have this under control; it's your decision. Then there might be very short processes, they're possible; almost no hierarchies; often all the people that are involved in the tests and the assessment are experts, and the client will notice that. Contracts can be much cheaper: you can offer a pen test for five days; if the client is poor, doesn't have much money, give them five days or four days, it's better than nothing, and they at least get an initial assessment. Larger companies might not be able to do this, because it's simply not valuable for them. So in a way you create a situation where security is available for everybody, even for those who don't have big pockets and

can't spend millions, and that's a good thing; you're diversifying, democratizing the whole thing. What's important: the client knows who they deal with, because you can tell them, on this particular test we're gonna have filedescriptor and Masato, and they know these guys, oh yes, we always want to be tested by them, and then they're happy, because they know that experts are working with them and not random names from a random company that they're never gonna see on the street or anywhere else. You can individualize different parts of the services, you can do things that others can't without a massive administrative effort, and you're working not towards numbers, but you're working towards good ethical standards, if you want to, and

sustainability, and you value these over growth, and clients might get more bang for the buck, which is a fine thing, and everybody wins in the end, if done right, of course. So now let's talk about my interpretation of how to do it right, and it might be completely wrong, probably I'm wrong, but at least that's what I experienced in the past 11 years, and let's summarize that. Let's talk about building the whole thing. First of all, you need to want the whole thing; you need to want to create your own company. My motivator back then, and usually still is, is rage. I get best when I hate things, and back then I hated being in a company

because I hated that other douchebag coworker and I wanted to leave. So my motivation was that guy, and it worked; it was good. Rage can be good if you channel it the right way. You need to also know why you want it, what kind of reasons you have, what you want to reach for yourself. Maybe it's just freedom, maybe you want to get rich, maybe you want to have an exit at some point, maybe you want to build a product, maybe you just want to hang the people that you used to work with and create your own thing, not report upwards anymore, all these things. But how you do it is

not super important. First you need to know why you actually would do this. You need to be clear with yourself about the motivation. You need to know: do I want to become a suit, or do I want to walk around in, well, whatever. Do you want to build a template company that is optimized for growth, or do I want to build a Michelin-star restaurant? Do I want to make an exit and sell for 20 mil, or do I want it to be my baby, do I want it to be a keeper? You need to know where you want to stand ethically. Are you going to sell exploits to the mob so people get killed, or criminals get caught? You need to know these

things. You need to know the framework of what you're trying to produce. You need to know what your own goal is. For us today, the goal is to build a keeper, something that you're not gonna sell because you grow it and you keep it dear. It's like your heart-shaped box, your thing that you want to have, that thing that you built. That's the goal for this particular situation, because that was the goal for me. I wanted to build something that was my thing, where I had my freedom and my liberties and that I could keep; we're not intending to sell. So what would we start doing? First of all, you kind of grow your name. You come

up with a name. The name Cure53 back then was pretty much randomly chosen, because I assumed that it would be a one-man show, and then I went to the business center at the city council and, like, yeah, you need a company name. But I don't have a company name. Oh, then I need to make one up. And I made something, I was like, urandom, alphanumeric, somehow twisted, and it was Cure53. It was a decision that was made in five minutes and I had no clue whether it was good or not, but then people were wondering, why are you called like this? It's like, I don't really know, it was an

accident. You were wondering about this and then it got stuck in your heads, so that's kind of good. So the name is not super important; it's an advantage if you have one, but once you have one you need to grow it. You need to start building up reputation. That's easy, because these days you can attack random websites just so, because they have bounty programs, and you can make yourself a name. If you're good, people will recognize you, they're going to invite you to private programs, you will get your first contracts and all these things. Publish research, publish stuff, not the nonsense that you would find from any of the XSS wizards out there, I'm not calling names

anymore, I'm kind of done with that, but actual quality posts, and people will read them, people will recognize them, reference them, and this will grow your name. Partake in discussions, talk to people at conferences, at meetups, at chapter meetings. If Gareth, for example, Gareth Heyes from the UK, who's like a wizard, an actual wizard of cross-site scripting, if he follows you on Twitter, then you know you came far already, because then you have a certain amount of relevance. That's great. So grow your name, but grow it clean. Write papers if you have the chance, if you're somehow connected to academia. Win hacking challenges, engage with others, partner up, do things together with other people,

stay connected, or speak at conferences. Start small, build your way up, maybe reject investor money, because then you lose your freedom, and try to grow your own name organically. That is possible, you can do it; there's a lot of people who did it before, you can do this as well. Then you go and register your business, or you do this before, or whenever you feel the time is right. You should follow a lean approach, like, don't go far, like, you know, this huge stock market thing, just start a small company, as small as it can be, because you can still change it. As long as you stay flexible and agile, that is perfectly fine. I

have no idea how it works here. I hear that it's hard in a couple of countries, it's less hard in different countries, so I can't give you any advice on how to register your own company or the ideal shape of the company in Portugal, because I really don't know. But I can tell you a couple of things about Germany, but that's probably not that super interesting anyway. Once you have done the formalities and have a certain bit of reputation, which is not hard to achieve, you need to run the whole thing. You need to keep the company running and keep getting clients for you and potentially your team. That might be hard.

The first client is usually the most important client, and sometimes the way to get this first client is weird, and that's okay. So we got our first client by me tweeting a lot. Back then I still had Twitter and was tweeting here and tweeting there about weird ways of executing JavaScript where it shouldn't be possible, and then someone talked to us, someone from Microsoft, and said, dude, that's cool stuff, do you want to work with us? And it's like, sure, why not. And then we worked together. I can talk about this, this is public meanwhile, but it happened via Twitter. They just caught up on the

stuff and then they sent me a DM, like, do you want to have a contract with us? Like, absolutely. And then we did it, and then others came, and they basically saw me rambling on Twitter, and that was enough already. I think it's still enough today. The first client is, needless to say, usually the most important one, because they are gonna help you through the first months, the first year. It helps if your first client is maybe someone you already know, you have been in a venture with, or have been working together with, or maybe you're a group of people who want to create something together in the first place and have

some connections, but that's important. Ideally you pick a client that is friendly towards you, that you know already, that kind of knows that you're young, that you're a small company, and helps you in the first months, maybe in the first year. With a client like that you get pure gold, because that's exactly what you need to survive the first hardships. If you're really unlucky, even your first client is an asshole. So we're going to talk about assholes specifically later on, but I hope for you that this is not gonna be the case, and usually you have to be very, very, very unlucky for this to be the case. Often the way to find the

first client, or for the first client to find you, might be quite weird. So networking, being connected, and just being loud and being seen, having visibility, is key, and if you have that, then at some point it's gonna happen. And then it's one of the most important things, because I see this missing with a lot of people: get organized. Getting organized is so hard; people just don't manage to organize themselves, it's ridiculous. I see people using the calendar like they're a five-year-old, and I'm like, oh my god, what are you doing? Of course we have time zone differences, Jesus Christ, you're in PST or not, like, what kind of

invitations are you sending out, and stuff like this. And sometimes people don't even have that straight. We started to do something quite early on: we started using Google Docs, and not everybody likes them, but I think it's one of the best possibilities that there are right now. I don't want to advertise anything, I'm just saying that for us it worked the best, because pretty much all of our clients use Google Docs as well, so we have an easy time sharing stuff and collaborating on stuff and doing these things. So that was one of the best decisions that we made early on: just get one of these corporate

accounts over at Google Drive and just use it, and all of us have never connected to so many things. We were actually genuinely considering using something like Microsoft Office 365 or something; we were close to it back then, but not now, anyway. So you should pretty much go with what you hate the least, because there's a lot of office solutions out there, most of them are catastrophic, extremely insecure, and I think Google Cloud or Google Docs or Google Drive still comes closest. That is no advertising, just saying, I'm speaking from my own experience. Don't go niche, don't go with something weird like this one unique office solution from Panama, sorry, I just think it's not

gonna fly, because they're gonna go bankrupt in half a year and then you have a problem. This can also happen, of course, with the big providers, like the other day I received an email from Google Drive saying, dude, we're gonna disable SMS calendar notifications on the 7th of January. [ __ ], I need this feature, I'm paying for this, now we're gonna disable it, learn more, you just install the app on your cell phone, that's gonna be fun. No, I don't want it. Anyway, it can happen. So, as mentioned, the majority of our clients are actually using Google Drive and they also use Slack. Everybody loves Slack, and what we do right now is we stay in touch, we stay

close with them by just sharing a Slack channel, and they love that. So like, oh my god, bring up the pentest team in our Slack, we can ask them questions all the time, that's awesome. In many other situations it would be possible, but they love it and that makes the difference. But still, you need to get organized, you need to choose your tools and you need to use your tools the right way, and that's often hard. If you have made your choice, you should use the hell out of them. Find one or two or maybe three tools and you use only them; don't spread out with millions of tools and monitoring

interfaces and tracking. We don't even run Google Analytics on our homepage, because we don't care if any people are going there. So only use the tools that you really need, but those you really need to use as much as you can, so you're trusted with them, you understand them, you notice what all the benefits are and you use them for yourself. And the most important thing, besides getting organized and using your tools: start tracking absolutely everything. And I'm not talking about visitors on your website, no one gives a [ __ ]; I'm talking about conversations, about stuff that you negotiate with your clients. Have everything in writing, take a note of absolutely everything. If your client

over the phone tells you something, A, B, C, say, okay, can you take this and send it to me by email? Because I don't accept agreements via phone; I have to write it down, I have to store it somewhere, and afterwards I have to find where it was, because you will eventually get confronted with that, and the client will challenge you and tell you some [ __ ], and you have to prove that this is not the case. So this is extremely important. This takes time and practice, so I recommend learning to work with your tools and your organization as early on as possible. With self-organization, it's really the hardest part, and for people joining our team it usually takes

like, I don't know, a quarter, sometimes half a year, until they get to the point and say, now I get it, now I use the calendar and all the other tools and I really understand them and I can be very productive with them. But it takes time, and the time is worth being taken. I actually had a conversation with someone who was quite fresh on the market, and he was like, I don't need a calendar, because I can remember all the appointments in my head. Like, what? No, you can't, you're a [ __ ], that's impossible. The only thing that you're telling me with this is that you're not busy, because it's impossible.

It's impossible to keep all these things in your head. You need a tool that reminds you constantly of what to do next. I have the calendar, I have a to-do list, and I have my inbox, and these are the three tools that I use to stay organized, and they work for me. Your mileage may vary, but I could never, never remember these things in my head. Now I don't have to; I have space for other stuff, and that's good. So if anybody tells you, no, I don't need this tool, like, oh, absolutely not, this is idiotic; in some years you will realize, and it's gonna be painful. But don't overdo it with the tools. There's no need to buy

into all those shitty little helper apps that are out there to sell you their vision, like the market-leading document management cloud using quantum-ready artificial intelligence on the blockchain. You don't need it, no one needs it, there is no need for these kinds of software. You need simple tools, like a calendar, document management, and a decent email client for grown-up people, and then you should be good. And maybe a to-do list, but that is usually integrated already, and then you have everything that you need. That is pretty much our tool chain. Oh yeah, we use something to chat, like, or something like this, fair enough. The most important tool, however, is a

behavioral tool that you need to train yourself in when actually applying to whatever you do, and I know there's very motivating talks about this already, like TED and TEDx talks and all this stuff, but I can't stress it enough, and that is mailbox zero. Try to work with mailbox zero; it's gonna change your life. I didn't believe it in the beginning, I was like, there are so many mails, you clear, you can click on that, respond to this one, and eventually I tried it and it changed my life, organization-wise, productivity-wise and work-wise. Mailbox zero changed my life. Basically my mission right now is: I get up in the morning, I bring the kid to

school, and then I sit down in the office and start working, and by the end of the day, when it's slowly getting towards six o'clock, I want to have an empty mailbox. I don't want to have this clutter lying around, robbing my sleep overnight. I want to make sure that for today I did everything that I could. There's a few mails that I still need to respond to tomorrow, so I star them, maybe one or two, but the rest is gone, it's archived. And you should use archiving as much as you can with your email business, because you're gonna drown in emails, it's gonna be ridiculous. Archive as much as you can; make sure that there's no unread stuff. Like,

someone responds to you, respond back, archive immediately, so this thing is out of your sight, because that person will eventually get back to you, and if not, then it's not your fault; you just bought yourself time. It's good, it's okay if they forget to write you back. Doesn't matter, then it wasn't that important anyway. The ball is not in your corner anymore, and that's key. If, sometimes, and that's what I do now, if you don't have time to respond because the question is too much, or you're annoyed, or you have other things on the radar, respond with a question, buy yourself some time, just play it back and wait it out, because then

they're gonna think about this, like, no, we have to come up with a response, how are we going to do it tomorrow, and you bought yourself time. You basically can lean back, like, ah, and there's a bar, and that's good. You can do that, that's legal, that's fine, no one's gonna be angry about that. I do this all the time: I'm not motivated to respond to an email, I just formulate another question and there you go, archive, and that works. It really works. Try to get there, try to slowly work towards mailbox zero, because it's really gonna help, and you're gonna notice you have less stress, because there's nothing floating

around in your head anywhere that tells you I still need to do this I'm sitting with that needless to say after six o'clock every day you're still gonna get tons of emails just ignore them just like don't open your mailbox after six o'clock just like whatever I know there are time zones I know there's the client in California but just don't respond just do it the next morning when you're fresh again and everything is fine don't make the mistake of checking your mailbox every half an hour until it's nine o'clock in the evening because that's gonna kill you I'm gonna talk about this later on let it fill up overnight come back the next morning

brush your teeth do the other business and then look at the stuff with a fresh eye and it's going to be much easier to maintain maybe you had a grudge before and the next day you don't anymore because you slept over it and you write like a very cool response a frosty response instead of a heated one which is also good once you have actually mastered mailbox zero I think you're ready to kind of tackle bigger rocks and slay them because then you have the possibility to chain your work in a way that you have maximum efficiency and maybe not maximum but you're getting close to there and then you can do bigger things you can take on bigger

projects bigger tasks and you will notice over time that your capabilities of handling projects will move from like a small five-day website pen test to like a 50-day massive code audit with eight people involved and of course that takes time that takes a couple of years but this is one essential tool to actually get there avoid overhead avoid clutter get organized and then you can do these things it's possible there's a couple of other things that of course you need to take care of I'm not going to go too much into them because I think you can fill an entire talk with this or even an entire book like security how do you secure your stuff and redundancy how do you make sure that

a destroyed hard disk doesn't destroy the entirety of your work the security I know a couple of people who say like well my laptop has like you know Qubes OS and then like containers and it's like NSA safe it's like yeah cool so like the NSA is not my threat model I don't care what they do we sell bugs in web applications to the clients and then they fix them the half-life of this information is very very low compared to other bugs and other systems of course we don't really matter and if you do it like a small InfoSec company you're not important enough you don't really matter that's fine if you sell exploits that's different again you make sure that those

exploits don't get re-found don't get shared and then don't get burned it's a different situation when you're working in the pen testing field and you intend to have the bugs that you find get fixed then the NSA is not your problem so you don't have to prepare against the NSA you can prepare against the threat model of your neighbor's child that's also okay oh maybe not but close to them so don't sacrifice too much productivity over security I know that sounds weird from a security person but don't overdo it with the paranoia find your threat model decide what kind of information you have is relevant for what player and will they go the extra mile to get it

and if they won't then you can also kind of just like not protect yourself against that because it's just voodoo after all as for the redundancy you know what I'm going to talk about this too just like make sure that everything that you have is mirrored backed up ideally somewhere in a different place not in your flat or office an off-site backup and so on and so on we were using SVN for quite some time now we're using git which is quite awesome for that actually also to manage your documents in different revisions of documents sometimes it's a pain but it's not enough of a pain to not do it anymore so we're actually going with

this I've set up a couple of remote repos and hope that they're fairly well secured not against the NSA but against the regular threat model and you're super fine but the most important thing is plan for fast recovery because nothing is worse than for example travel around with your travel laptop where you have like parts of your work and then the hard disk is like [ __ ] what am I going to do right now I'm in a different country for the next six days I'm like that workwise I can't do anything at all plan for this plan for this chaos to happen plan for this to actually occur because hardware breaks and when your workstation breaks or your operating

company server or your office server breaks or your laptop breaks it might be devastating so always think about how fast can you get from the point of total data destruction on one device to getting back on track I actually measured this for myself I actually did the maneuver once and deleted all my [ __ ] and took a fresh laptop and measured the time that it would take me to get back to being productive and it was six hours I think this can be optimized but after six hours I was back so I lost a quarter of a day so that was fine if you get to this particular value or are already there then you don't have this problem

anymore but try it once play the chaos monkey try the monkey before the monkey tries you because it will come one day it's not a threat actor it's just like it will happen and now since we figured out how to roughly have like a template on how to build things how your motivation needs to look like how to actually deal with your first clients and kind of build it slowly maybe you can start thinking about building a team and getting yourself organized now let's assume that you are at the point where you have a good and constant flow of work that is coming and something that keeps you busy and the rest of your team busy now the

question is like how do you stay sane because to be quite honest this is quite a grind and it's usually not physical work so you're not like digging with shovels and stuff like this but you sit in front of the computer all day and you get in touch with all sorts of people from all over the world that tell you the weirdest horseshit that you can't imagine it's incredible what they come up with and you need to be the sponge you need to be the person that kind of stays sane over all that and manages to kind of pass on that information to your team without being insulting or pushy to them and that's a hard job you're pretty

much the membrane between the huge world of crazy clients and your small team that you love and that you want to keep thriving and that can be very very hard the problem is that the amount of diversity out there that you get from people the amount of ideas on what you should deliver and what they expect from you and what kind of magic they want to have from you it is incredible and it is pressuring and sometimes this gets close to you this gets under your skin because clients will at some point try to manipulate you into doing things that they don't pay for or that you can't do or that you shouldn't do and they will use all the

means that is even something that is like culturally sensitive because in some countries clients will pull other tricks on you than in other countries I'm not going to give any examples but there are definitely behavioral patterns depending on the country where your client is from and you will have to kind of deal with it you are the membrane between the horseshit and your brilliant team and that's hard and it got to me multiple times it actually got me close to a burnout at some point because I couldn't take it any more and I said [ __ ] that [ __ ] I can't have this I'm gonna do something I'm gonna talk about later what that is

and that's also important so be aware that this is gonna be hard the more clients you talk to the more weird pressure you're gonna get and you shouldn't be getting this under your skin in the very beginning when you have like a couple of like a handful of clients this is gonna be peachy dandy you probably know them personally it's like your first client and your second client maybe you hang out with them and go drinking or something like this or you hang out in their office you have a good atmosphere they are unlikely to screw you over but once you get more reach and more reputation then the weird ones will come and I guarantee you they will come

and they will try to screw you over there's no way you can escape that like once they see you they will target you and they will try to eat you and it's not gonna be nice the first ones are gonna be nice but the flood that's gonna come at you at some point can be very devastating so I took some time and sat down and looked at all the emails that have been and checking in with clients I wanted to kind of classify the different types of [ __ ] as well this by the way is an abbreviation for asterisk holes so don't take this as the offensive version and I came up with four I'm

pretty sure we can come up with more we had a conversation already earlier that day we talked about like even more and these are the four ones that we encounter the most often the first one my favorite one they come we want to have a penetration test it's like sure we can do this let's have like a communication and conversation about what you actually want to have tested and how much is there in lines of code and so on and so on and let me do all this we sent over the quote and we have also sent a daily rate and then they get back it's like oh your daily rates are very

very high it's like no they're not because I know what the competitors cost oh yeah but for us they're very high okay yeah but we don't really care these are daily rates are you trying to devalue our work are you trying to tell us that you figured out after us working in this field for 11 [ __ ] years you came and figured out that we should actually charge less because you're so special

sometimes they have to do this you know there's procurement and procurement kind of needs to do these things and the funniest case that we heard was that was so good so we had like a deal with a company from Europe and they wanted like a C or C++ audit and we knew we were the only company in the race because there was something that we figured out we developed it together and I sent a quote just a pro forma and I sent it and I get a call from one of the developers it's like hey procurement is trying to reach you it's like okay how yes they've been talking to your mailbox thank you what my mailbox do you think I

listen to my mailbox my mailbox like yeah they talk to me in a box and they really need to talk to you can I tell them that they can reach you right now in this moment it's like sure whatever phone was ringing again procurement was answering it's Mr. Heiderich Mr. Heiderich your prices are too high uh-huh but there is a couple of other companies in the race as well and they're much cheaper instead you [ __ ] liar there's not I know this for a fact I didn't tell him there's a yeah so if you could go down a little bit that would be really great like how about no yeah but then the other company

will get the job okay uh-huh so you don't want to go down nope okay um so I take it you don't really want that job that's accurate sir okay half an hour later the PO was on the table and we had the job because he called his boss who was like are you crazy and then it was done and that happens all the time period and your clients will try to manipulate you into being cheaper than you should be and you probably put thought into your daily rates and they make sense and then they come and kind of swing themselves up on the high horse and tell you no this just doesn't fly that's number one the second one we hit

this just recently your report is very very bad we're not gonna pay you we expected so much more oh my god are we disappointed it's like yeah then just like give us a realistic scope we reached out to you we talked with you about the expectations that you have and everything else everything is formalized everything is on paper we did exactly what you asked us for but we expected like a critical yep when there's no critical we can't make one up there is no magic critical machine we're not gonna pay you of course you will because we have a contract we have proof of delivery no and then eventually they pay ridiculous it's again trying to squeeze something out of you

that you don't want and that you don't have to do have a clear contract have a good quote where everything is clarified and this is not gonna happen and if it happens you just kick them out my favorite one number three sure next week's test is gonna happen we had this on the calendar for six months we're so looking forward to the test and Friday evening they call you we have like a deployment problem and can we kind of do this one week later look [ __ ] you know you can't it's Q4 we have no resources next week we have them this week for you oh that's like bad because then we can't do the test at all it's like thank you

for absolutely nothing because we planned for this thing with like five people on the job and this is gonna cost us real money there's not much you can do against that except for having like a waiting list and that's kind of a luxury good but eventually this is not going to hurt you anymore but this is gonna hurt you a lot in the beginning and it sucks like I was close to raging and destroying the apartment at home when this kind of call came in because that meant that I could pay less money to my team and we would all lose and there were few to no mitigations to that unfortunately I wish I had a better

recipe for that or you have a complex contract where even this is being managed and they will get a little bit of money it depends on how much already happened but you are gonna run into this kind of [ __ ] and my favorite one the last one they pay you once ask for your help forever and that is like the risk when you have your clients on Slack because they will chat you up day and night and they will expect responses from you day and night and if you tell them look the budget is used up it's just one tiny question yeah but the budget is really used up just one more question and it just like

keeps on going like this and eventually you need to do something against this the problem is as mentioned these [ __ ] will come they will haunt you it's gonna suck it might even break your neck so you better know what kind of [ __ ] is gonna come at you I'm pretty sure if you have a beer afterwards then this list is gonna grow because you probably know your own kinds of [ __ ] and we can enrich this list maybe for the next revision of the talk your type of [ __ ] might be on that list as well but in most situations when they come at you and they want you it's not even your fault don't think it's

your fault it's not your fault grow thick skin realize it's their fault not yours in most situations the way against those the way to deal with them is pretty much to have very clean documentation we're getting back to being well organized writing everything down that is of relevance never agreeing to anything via the phone because this is gonna screw you over get absolutely everything in writing be polite but be clear don't kind of beat around the bush with the client when something is like vague or like not really not really clearly defined tell them look this is weird and we can't really tell you anything about this you have like this magic mystery box source code out there

with a number of lines of code that we don't know we can't do it you have to give us information set your borders clients can behave like five year olds sometimes I think it is five year olds sitting there with like very male voices but they can behave like five year olds and you have to kind of compensate for that as well and the most important thing and that is most likely something that you can't do in the very beginning so you have to sweat it through but the most important thing is realize when it's enough and when it's enough and the client gave you enough hell enough torment fire them just like fire them just like tell them you know what

we're not going to work with you anymore the test next week is cancelled we don't really care yes it's bad for us but it's more hurtful for you don't call us again bye-bye we put you on the blacklist maintain a blacklist fire clients the client is not the king if they screw you over too much do the needful and throw them out we did this once that's actually a couple of weeks ago um I mean we did this multiple times but just like once a couple of years ago what couple of weeks ago sorry when we had a test coming and the test was supposed to happen on Monday and it

was the first day and the new CTO of the company reached out to us like yeah you know I read the pentest report from you from last year and I noticed that we had like a terrible bug back then because we deployed our private keys in the JavaScript in the compressed sources and yeah we did that and I was shocked that you didn't find this and it's like hmm interesting first that's a stupid bug I don't really know if you would look for that in uncompressed JavaScript we usually don't look for private keys in there now we do and then I looked at my documentation which was seamless and I realized we didn't pentest them last year we pentested

them two years ago so he's trying to [ __ ] me and I wrote back a note on that and said like look um can you kind of tell me what exactly was there that you did now can you prove to us that the test environment that we looked at back then was indeed having at the time the keys in compressed JavaScript through like a deployment script failure it was like no I don't have this proof anymore I just wanted to kind of point you in the right direction so I try to help you and also I don't like the tone and you should really start auditing JavaScript well dear friend you can go [ __ ]

yourself and the test next week is cancelled someone else is gonna get the slots bye-bye tell your CEO buddy and yourself that you're not gonna write us again because you're on the blacklist like this behavior doesn't fly needless to say there were a couple more mails being exchanged and the tone was really really bad but at this particular moment though the point was reached to say like nope never again just like go to whatever other company do it with them but not with us we remember your name we remember yes and it feels so good if you do this finally if you have like a client that kind of torments you over a long

period of time and then you finally fire them oh my god that feels so good I can't describe the feeling you have to try it at some point seriously try it out anyway the most important thing is and that's that's something that only comes with experience and that is to have like a good nose for telling them apart early on the good ones apart from the bad ones have a good smell have a good feeling about the client usually it kind of starts with the briefing meetings or the material that they deliver you or just with the general questions that they ask you if you have a bad feeling then already and then everything's already

unorganized and you have to compensate for them being five-year-olds then you can kind of imagine how the invoicing process is gonna go it's gonna be a nightmare so maybe just like step back it's like ah we actually like we don't have capacity I'm gonna refer you to my partner companies I mean if these are three actual partner companies you don't do that but you just refer them somewhere else and they are happy and you're happy and you don't have to be bothered with them it's gonna be fun but this takes time to actually get there and develop this kind of nose develop the smell and realize this client is bad but the rest is good that will happen over time

another thing that is extremely important which I was referring to partner up I know a lot of security companies who kind of think that it's a great idea to be a silo or a silo however you pronounce it actually you know this kind of container tank obviously keeping all your knowledge and holding on to it and never sharing anything never partnering and just like basically being a lone wolf and that doesn't work lone wolves won't survive in the field they won't survive on the market early success I heard is much harder to survive as a lone wolf than partnering up with others we started partnering up with other companies from Berlin about a couple of years ago like five years ago

it was awesome it was the best experience it's like hey guys do you want to join us in this project because we need help and we can't handle this part here sure why not it worked smooth it was awesome everything was well defined it was just technical people wanting the same thing wanting to make good business together turning something around and it worked and then we kept doing this and it was awesome and meanwhile we do this pretty much not every time but once a month at least we partner with someone they're happy we're happy the client is happy everybody wins there is no need for like a tank in which you isolate your knowledge share it spread

it because you get something back many people don't see this and think like oh we have to be so mysterious we need to kind of sit on the very important stuff we have in fact it's not just like share the stuff other people find critical bugs as well and be open with others and get them on board and do stuff with them it really is beneficial for pretty much everyone and most importantly it's gonna help you with a big dragon to slay and the biggest dragon to slay that's Q4 who knows what I mean with that yeah Q4 is the worst because in Q4 everybody has budget and no one has any idea how to spend it so they're gonna

burn it for something and that's usually a pentest I mean this gives a great feeling about the value of our work right okay usually that's a pentest and every client usually comes at you in December October November latest October and says oh we have this huge project like 50 person days and we have to do this before December can you fit us in Jesus no never because Q4 is always full Q4 you will always run at a hundred and ten percent and you're really and I mean it you're close or you can get close to burning out it can be a catastrophe but partnering up kind of relieves the pressure a little bit because you can share the work with

others you can let some people do this let some other partners do that they can give you some of their stuff and pretty much everybody then does what they're best at and doesn't have to force something and it makes things much much easier like we started doing this as mentioned a while ago I'm never gonna go back because that is the model to go for especially if you want to stay a small company so this is gonna be hard but not just Q4 is gonna be hard like the other quarters can be hard as well Q4 is usually the hardest as we all know but in all those quarters you can still burn out

and that's a realistic danger one of the guys of my team was there and it was terrifying another one came really close me myself I came really close like actually just like sitting on my chair and just sobbing just like not being able to do anything anymore that goes quickly that can happen that usually hits you as a surprise and it sucks and it takes weeks if not more to get back from there and it's really really hard and the more pressure you have the more people you work with the more projects you're doing this can go faster and that is very very dangerous so you need to respect your own capabilities and your own limitations as did I and I had to

learn it not really the hard way but close I was very very close and my friend he had to learn the hard way another friend had to learn it the hard way as well and then he was gone for many many months we wouldn't even be able to contact him and I think now he's like slowly getting back and this is dire because this can kill you honestly so better don't get there in the first place you need to learn over the years what kind of amount of work is the right one what is too much what is too little and too little doesn't exist the question is whether you can still do research but anyway you need to learn what is too

much and that might be hard you will of course be able over time to learn and handle more stress so I believe that for example the amount of work that I'm doing right now after eleven years of running this business is significantly more than the amount of work that I got done in the very very first years naturally because I learned new tricks I got myself organized the team got itself organized we got processes and templates for this and this and that and things are just running smoothly and if things are running smoothly you can do more stuff and you can take more projects on and so on and so on but this takes time

you need to give it that time don't start at a hundred percent right away give yourself the time to learn where your limitations are not everybody's a racehorse not everybody's a workhorse not everybody is another kind of animal you need to kind of find out what kind of animal you are how you can take the stress how you can turn it best into productivity and then make something out of it without burning out and you will notice that at some point a challenge that you couldn't solve two years ago or four years ago today you can solve in five minutes easy peasy you're like oh wow I actually grew on that that's pretty cool so let's let's continue that course but

give it time and take the time to grow a thicker skin because that's key no one wants to burn out no one wants to go crazy or go nuts or go emotional and have personal drama on the internet no one wants that it's unnecessary it's not helping and the only thing that heals here is the right dose and the right time as mentioned cut stress enough don't burn out watch yourself ask others if they see indicators in you burning out I did this for a while and someone for example told me hey I noticed that you're like very erratic and doing this and doing that you should really take a day of vacation so yeah you

might be right I should have a day of vacation do it if someone tells you rely on others to help you rely on your peers because that might kind of get you around this particular point and you're not special you're not invincible I'm not special I'm not invincible like everybody can have this particular phenomenon and if you have it it's hard to get back from that so I think I'm already over time I'm very sorry the talk before me was a bit shorter so I can be a bit longer arrogant to sum it up because we're already close to the end be organized if you want to create your own security company your first

boss enemy is yourself because you're likely not experienced with being super organized and that takes time I was a mess at the beginning but meanwhile I think I have figured this out at least as much as I need right now you need to set up your tools you need to find your rhythm and then at some point you're then like no I'm ready most importantly be more organized than your clients because your clients will be very very very unorganized and we had to deal with this just like this it's ridiculous how unorganized some clients are and you have to compensate for that you're the sponge you're the membrane between your team and that client you have to compensate for all that and that

causes the stress and stress causes burnout and so on so learn to deal with that expect the worst from your client maybe it's good but then it's better but it's safer to expect the worst and of course be open I mean the next crazy-ass email that is terribly formatted and contains weird gibberish might be indeed an interesting opportunity I received one of these emails once that was weird so yeah let's respond to that what came out was like a pretty cool trip to India and a lot of good relations coming from there just because I responded to that one mail I was close to putting into the spam folder but something amazing came out so

that might also happen look at the weird requests sometimes they're not as weird as they look at first and cool clients come out be open and be ready for interesting stuff to happen but also be strict when a client goes too far tell them don't let them get through with that discipline them it's important because if they realize that you can be [ __ ] with they will do exactly that and they will continue doing that and it will make work hard be careful with this draw a clear line say until here and no further because otherwise we're gonna fire you be stubborn if something is missing and the client is like beating around the bush or giving like vague

information or something looks fishy speak up let them know as early on as possible that something is not working that with what they give you you cannot deliver the expected coverage and the expected level of quality and then they get it it's like oh yeah sure we want to deliver quality of course so uh here's the material that really works play it back make them realize that when they give you [ __ ] material that it rains down on them not on you in the end you look stupid at first but if they think it through it's them causing the bad results and they need to understand that and they will understand that and last but not least of course be brilliant

don't be data-driven don't be money driven you're gonna get you're gonna make money anyway like this kind of comes automatically if you have a company so be driven by brilliance and by actual value that you want to deliver try to deliver a little bit more value than your competitor a little bit of an extra a little bit more quality and then they will come back to you they will recommend you it's just gonna be word of mouth and at some point you're not gonna have a marketing department or you never had one in the first place and that's great because actually if you're good you don't need marketing sorry if that hurts a little bit be mindful if things get over your head

take a step back go on a vacation just like say alright I have I have to go for a few days just like I don't know somewhere out there some farm or some some spa or some whatever you prefer whatever rocks your boat just be gone for three days that's fine you come back rested and everything changes try to not go into this rabbit hole of getting emotional and being extremely under pressure and just like fighting back into this and screaming and all that don't do it it's not gonna work it's not gonna yield anything just take a couple of days off I do it in a way that I do like a lot of small and

short vacations not just like one big one just like several small ones scattered over the year and it works for me maybe for you something else works but be careful be aware of your own limitations and realize that this whole thing is not a game but it's also not life and death so you don't have to make it life and death you just have to chill and think about yourself and your family or your loved ones and consider that they're there as well and that you need to make decisions accordingly so I think we're almost done now you might have some pointers and as mentioned this is just anecdotal anecdotal evidence this is just a couple

of points that I believe worked well for myself and they might also work well for you if you have the intention of creating your own concern your own company and to build up your own thing however it might look it's like a small boutique with five people or 20 people doing this or doing that that's completely up to you but I hope that this presentation gave you a couple of pointers like the things that work for me maybe also work for you and that would be great needless to say your mileage may vary but maybe there's some input from me for you from this presentation that you can take and maybe next year we meet again at

whatever conference or whatever location maybe you can come up and say ok I created my own thing it's awesome what's tough at first but then it got awesome and that would be great because that would be my intention if you don't like what you're doing right now or have the feeling that there's more you can do try it it's not hard if I can do it you can do it as well it's actually not that hard and if you might and respect a couple of things then you might be there in no time just remember and I don't want to make like too much politics here if you hate being an employee you don't have to be an employee you can make your

own company it's not that hard and it's likely going to be very very cool and I think it's safe to say that but right now in effect years of InfoSec like everybody needs a pen test everybody needs to know this gdpr and hackers everywhere in Russia and China oh my god everybody has the feeling that this is the hot thing right now everybody needs a pen test there are so many potential clients out there it's incredible it's bizarre all the companies in the world or the info SEC companies in the world cannot satisfy the need that is out there so if you want to do it don't do it in ten years do it now because now we

have the Fed years and you should make use of them it's a chance and maybe it stays maybe it goes away but now is a very good time in my opinion so think of it maybe it's your thing maybe it's gonna rock maybe not but you can decide and usually try not to become a whale because there's another way it's out there with that I'm referring to like the big companies it's very easy to build like this big tablet companies because you just need like a couple of economics people and a couple of suits and then you very much there try to build something that's angel that's more that's lean then become a way to become

a [ __ ] not be able to sting a whale eventually kind of drifts at the beach and then the birds eat it and I wanted to put a photo of that in here but then was like laughs no so I took the Hornet and it's like a bit nicer than the rotting whale no one wants to see the carcass of a rotting whale so don't become one because it doesn't make any sense it's much more fun to say small it's much more fun to stay professional but the small focus team where everybody knows everybody everybody knows about their skills and they deliver exactly the work that they want to deliver because then everybody's happy now when does [ __ ] work and

that only can happen if you stay small you should stay the Hornet I'm not the whale don't be data-driven I mean everybody's data driven right now don't be get another suit I'm not judging here but I think we have enough suits in the field so try to do something different try to deliver value don't optimize your numbers because everybody else can do that there's excellent sheets who do that for you don't become an actual team be someone who tries to actually deliver value to tries to help your clients help your team and then help yourself because then you are magically gonna create quality in that's in the end what counts and if you're create quality people will

come to you and that's going to be easy Gigi so baby now you have the feeling that it's time to do something maybe not that's also fine but at least I hope you have given you some inspiration for that and I think besets is quite a good I think it's a good Avenue for that I hope so maybe we're different at different conferences but anyway I hope it was useful to you and good luck out there if you do if you have any questions ask me via email because I'm happy to help I think there should be more small intersect companies more boutiques and if you want to become one of them and have some questions that you can't

figure out yourself ask me I'm happily going to help and that's pretty much it thank you very much

Any questions? Anyone has any questions that they don't want to send by email? Yes, there's a question.

I work in a country where the pen testing market is sewn up by a cartel, I don't want to name that country, and also a government department that's trying to get in on everything. What would your advice be for people looking to engage in that environment, and what's your thoughts on the value of badges?

Move somewhere else. Move to Berlin, it's awesome. Move to Spain, to France. I mean, there might be other reasons to do so, but this thing alone, if you want to escape a closed market, or a market where you don't have a chance to convince people and clients with quality, they're just moving, right? This is Europe, you move anywhere, the world is big.

Now you've suppressed Steve, how is that for Marsha?

Have you ever had to deal with the fear that, for example, you've got now five colleagues in your team and you have to pay them, and you're looking at your calendar and you see, oh, there's not enough projects, and the money in the bank account is going down? Have you ever had to deal with this fear, or how did you compensate it in the beginning?

Yes, and it was a very pressing fear, but you can deal with it by, in the first place, not having that big of a team. First it was a one-man show, then I realized I couldn't handle it myself alone with one person, so I got another one, and it was perfect. And then we realized that we couldn't handle this anymore, so we got a third person, then we got an intern, the intern was awesome, so we took him, and so on. Grow organically, because then this is not a problem. And I know that there's a remainder of fear that at some point the project situation might collapse. It might happen, it didn't happen so far, and I think it won't, just referring back to the fat years right now: as a security company, if you don't have any work, something's going wrong. And in my opinion, to answer your question more precisely, grow organically, grow with the rate that you can afford, and then this is unlikely to happen and the fear is not that big. But I know the fear, and I had the fear, and it sucks, but in this particular situation the only way out is the way through.

Anyone, any more questions? Okay, thank you very much for coming over.