Ethical Hacker Community Forums
January 09, 2009, 06:40:12 AM
1
Ethical Hacking Discussions and Related Certifications / Other / Re: Pen Testing as a business
on: August 29, 2008, 01:06:28 PM
I asked this question because in the course of a contracting position I spoke to a couple of guys who said they did pen testing. We didn't get into their exact business model, but they were operating in rural parts of the US and the context of the conversations led me to believe that they were loners.
I've seen comments before this thread about the field becoming more specialized, so I expect these guys are only able to do this because they are in the sticks.
Yeah, a one-person shop probably could only service very small businesses. Just try and sell them on the idea, and then try to get paid.
Guess I need to find out who's offering pen testing services around here (Rochester, NY).
2
Ethical Hacking Discussions and Related Certifications / Other / Re: Pen Testing as a business
on: August 28, 2008, 09:59:35 AM
Hmm, I see what you mean, Dale. Just looking at the ASV requirements, it looks doable until you get to the experience requirements. It begins to look like you need several people doing the pen testing and at least one person keeping track of whether you can recertify next year. Probably a lot to chew on for a one-person operation.
3
Ethical Hacking Discussions and Related Certifications / Other / Pen Testing as a business
on: August 28, 2008, 08:57:05 AM
Let's say you want to do pen testing as an independent contractor. I would think this is a general plan:
Set up a business structure as a corp or perhaps LLC. Do the right thing about getting an accountant, paying franchise taxes, keeping personal and business money separate. It all costs money and raises overhead, but will be critical if there are any legal problems down the road. Also makes it possible to subcontract from larger firms who can't deal with individuals and DBA's.
Liability insurance. Looks like risky business. How much? A million? More? (Ouch...)
It looks like not your basic nine-to-five kind of job. Nobody's going to want you to try to knock over their network during THEIR business hours.
PCI compliance looks like a good place to look for clients. Who would you talk to in your area to find out how to get into that area?
What else?