Re: Has anyone ever started a pen testing company?

From: K K Mookhey (kkmookhey@niiconsulting.com)
Date: Wed Jun 21 2006 - 14:02:17 EDT


> > I've been thinking about this for some time now, and I'm looking to start a pen testing company & forensics.
When we started NII in 2001, it was essentially a penetration testing
company. For the first year, the bulk of our revenues came primarily
through penetration testing. And before formally launching the
company, I was freelancing as a penetration tester. So it's definitely
something you can do. Plus, forensics has huge potential too.

> I just wanted to ask if anyone has set up their own company and whether you have any tips on how you went about things, i.e. how did you attract your first client, etc.

The good news is that as a pen-tester or forensics consultant you
don't need a full-fledged office or staff. You could incorporate the
company and to begin with you could be a one or two-person operation.
The most important thing is to establish credibility. I remember that
our major hurdle in getting business was providing assurance to the
client that we had our moral compass set right. This you can do by
having a body of work behind you either in your current position with
your company, or some good references. You could also contact larger
security or tech consulting firms and offer that they outsource
pen-testing work to you. This would add to your credibility as well.

A couple of important things:
1. Do NOT hack into systems unauthorized. There is simply no excuse
for this, even if you don't intend to do any "harm".
2. Do NOT offer your services free even if it is tempting to do so.
Clients do not perceive any value in a free service. You can offer
value additions to the vanilla penetration testing that you intend to
do. For instance, you could offer to do follow-up pentesting at the
same price. That is, you do the test, the client fixes the issues, you do
another round of testing to ensure issues are fixed. Be careful not to
go into an infinite loop here.

HTH,

KK

K. K. Mookhey
Founder
NII Consulting
Web: www.niiconsulting.com
Tel: +91-22-2839 2628
     +91-22-5620 2628
------------------------------------
Information Security Services
http://www.niiconsulting.com/services.htm

Checkmate!
http://www.niiconsulting.com/checkmate/
------------------------------------



