I've been thinking about this for some time now, and I'm looking to start a pen testing company & forensics.
I just wanted to ask if anyone has set up their own company and whether you have any tips on how you went about things, i.e. how did you attract your first client etc.
Any help would be great!
Many Thanks
On 20 Jun 2006 10:00:38 -0000, port...@hushmail.com
> I've been thinking about this for some time now, and I'm looking to start
> a pen testing company & forensics.
>
> I just wanted to ask if anyone has set up their own company and
> whether you have any tips on how you went about things, i.e. how did you
> attract your first client etc.
I've just started my own business, penetration testing being a part
of the services I offer. When I started I already had customers; I'm
not sure that I tried without.
How I have done things: I first learned bookkeeping, sales, marketing,
and so on. The business stuff. Being good in the techniques is not
enough to run a company. You must know how to write your contracts
to avoid liabilities that ruin you. You must know how to calculate
your rates.
To attract customers: You have to make yourself known (so basically
we are back to marketing). Be it with talks at conferences (visit
conferences and talk to the people, present your knowledge), writing
papers, be active in mailing lists and forums, join business communities
to get contacts. There are several more ways to accomplish this.
All the best and good luck,
Christine Kronberg.
Think of the first burglar alarm salesmen, first no one wanted one,
then they started to take off in the big cities but still in rural
towns no one thought they needed one.
Robin
On 20 Jun 2006 10:00:38 -0000, port...@hushmail.com
<port...@hushmail.com> wrote:
I've not set up my own company, but I was with a pen testing company's
European office from the word 'go'.
>
> I just wanted to ask if anyone has set up their own company and whether you have any tips on how you went about things, i.e. how did you attract your first client etc.
>
This is the tricky bit. Talk to prospective clients before you 'go
live'. Try to get at least one signed up with you. You'll need an
idea of who your staff will be, and their areas of expertise before
you can sell their skills to prospective clients. If possible, get
yourself a couple of 'big guns' - names that are known in the security
arena, whom journalists love to quote (giving your company a mention,
too).
Developing a partnership or affiliation with some security vendors
might be worth looking at here. If you become a preferred 'Acme
Security Devices' partner, you might get a bit of consultancy work
installing Acme Firewall or Acme IDS or suchlike.
Getting whichever accreditations are useful in your neck of the woods
will be useful for this. In the UK, that means being CHECK certified.
If you can pull that off, you can get listed, and you might start
getting clients knocking on your door instead of vice-versa.
However tempting it may be, don't go trying to poach your current
employer's clients, and don't go making copies of their intellectual
property (that includes work you did for them, document templates,
test scripts, etc.) - it will end in tears.
--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
Or, if you have a superlative reputation as a security guru, your reputation will attract clients. Of course, the catch-22 is that to become such a guru, you will need to be working in the field for several years (see first paragraph).
PG
-------------- Original message ----------------------
From: "Robin Wood" <dni...@gmail.com>
> Hi
> I've recently done this and it was hard work. First thing to check is
> whether there is a market in your area. Where I am there are not too
> many companies who are interested in security so as well as having to
> try to sell my services I also have to raise awareness that there is
> an issue in the first place.
>
> Think of the first burglar alarm salesmen, first no one wanted one,
> then they started to take off in the big cities but still in rural
> towns no one thought they needed one.
>
> Robin
> I just wanted to ask if anyone has set up their own company and whether you have any tips on how you went about things, i.e. how did you attract your first client etc.
The good news is that as a pen-tester or forensics consultant you
don't need a full-fledged office or staff. You could incorporate the
company and to begin with you could be a one or two-person operation.
The most important thing is to establish credibility. I remember that
our major hurdle in getting business was providing assurance to the
client that we had our moral compass set right. This you can do by
having a body of work behind you either in your current position with
your company, or some good references. You could also contact larger
security or tech consulting firms and offer that they outsource
pen-testing work to you. This would add to your credibility as well.
A couple of important things:
1. Do NOT hack into systems unauthorized. There is simply no excuse
for this, even if you don't intend to do any "harm".
2. Do NOT offer your services free even if it is tempting to do so.
Clients do not perceive any value in a free service. You can offer
value additions to the vanilla penetration testing that you intend to
do. For instance, you could offer to do follow-up pentesting for the
same price. That is, you do the test, client fixes the issues, you do
another round of testing to ensure issues are fixed. Be careful not to
go into an infinite loop here.
HTH,
KK
K. K. Mookhey
Founder
NII Consulting
Web: www.niiconsulting.com
Tel: +91-22-2839 2628
+91-22-5620 2628
------------------------------------
Information Security Services
http://www.niiconsulting.com/services.htm
Checkmate!
http://www.niiconsulting.com/checkmate/
------------------------------------
-----Original Message-----
>From: AgentSmith15 <agents...@gmail.com>
>Sent: Jun 21, 2006 12:39 AM
>To: pen-...@securityfocus.com
>Subject: Re: Has anyone ever started a pen testing company?
>
>Try asking Kevin Mitnick :)