[ceinewydd]

Pricing tends to be a spectrum. If I’m just getting a report which interprets some commonly-used scanners, that’s cheap(er) — this feels like a “Box Check” test if I gave it a term. When someone’s going beyond scanners and digging into source code to find issues — that’s often more valuable. Bringing specialized knowledge about cryptography to evaluate our implementation? Also more valuable!

Beyond pricing have you thought about your differentiation, or what’s special about you? Are you able to do web applications, but i.e. intending to be focusing on industrial control systems, financial systems? Are you going to be comfortable auditing C# or Rust and identifying issues? Do you know a lot about Kubernetes? Are you focusing on cloud environments, if so, are you more specialized on AWS, Azure or GCP?

Next thing I think is important to be able to answer: why award the business to you over Deloitte, or over a smaller shop with a good reputation like Cure53, Trail of Bits, TrustedSec, etc? Perhaps you’re a prolific speaker in the security community at Black Hat, Defcon, CCC, or something?

If you’re going to be a one-man band, does that rule out engagements large enough to require 5 people for a month? (Sometimes engagements are urgent and multiple people sure helps them go faster).

Good luck on the new venture.

[lmorandi]

I don't know if you ever hired or done a penetration test, but when someone uses a common vulnerability scanner to identify issues, that's called a VRA (Virtual Risk Assessment), which is way different as a penetration test. In a penetration test you are not only focusing on tools, but you also perform manual testing. common tools aren't able to find business logic vulnerabilities, and also they are not able to chain them.

I see you also mentioned digging into code (code review), which is a different service. In cybersecurity there are different branches, and I don't think you want a guy that "knows" how to do everything, cause that person is probably not an expert in any of the mentioned areas. a Penetration test it's not the same as a code review, and it's not the same as a VRA, and it's not the same as a Red Team. They all cover different things, and are meant to satisfy different needs.

Trust me, in cybersecurity you cannot be an expert in every area. So you better find a specialist for web apps and a specialist for code review if you need both. Same for infra, cloud, etc.

The only one that is simple is the VRA cause it only depends on running a vulnerability scanner and checking if the reported vulnerabilities aren't false positives. (but you need a license for that software and those are pretty expensive)

[lmorandi]

First of all, one of my advantages over larger firms like or smaller, well-established firms like Cure53 is my flexibility and personalized service. As a smaller entity I can offer quicker turnaround times and more direct communication with clients. So I can ensure that every aspect of the client’s security posture is thoroughly assessed personally by me. Additionally, while I'm currently a one-man band, I have a network of trusted and certified freelance professionals who can be brought in for either larger or urgent projects if needed. This allows me to scale without compromising on the quality and speed of the engagement. Not even mentioning that based on my experience, when you hire a penetration testing service from a big company you don't really know who's performing the pentest and sometimes it's being done by not really qualified people. (I know about some companies that outsource certain projects and they're not doing a good job at all, this means reporting non-sense findings, or not being able to properly address the impact/risk of them).

This being mentioned, I own well known cybersecurity certifications (for web apps and infra), I'm constantly developing my skills and I also have been awarded by different bug bounty programs. And planning to be a speaker soon!

Regarding the specialty, I'm not planning to focus on industrial control systems, but apart form that specific case, the approach of a pentest is the same for every web application, I mean, the pentest methodology is the same if you are testing a fintech, a bank, an insurance company, an ecommerce, or any other web app. You can show yourself as an expert in ecommerce, but in the background there's no difference at all, since the procedures and methodologies are the same.

As you may have realized, I'm gonna be focusing on web application penetration testing which is my specialty, at least at the beginning. But I have experience in either webapp, infra and mobile.

Thanks!