That scenario should never come up. You shouldn't start a business (at least in this industry) unless you have extensive subject-matter expertise.

If this is something you're considering in the future, I highly recommend you read these two books:
http://www.amazon.com/Million-Dollar-Consulting-Alan-Weiss/dp/0071622101/ref=sr_1_1?ie=UTF8&qid=1349907953&sr=8-1&keywords=million+dollar+consulting
http://www.amazon.com/Start-Your-Business-Fifth-Edition/dp/1599183870/ref=sr_1_1?ie=UTF8&qid=1349907966&sr=8-1&keywords=small+business

Something else to keep in mind is that if you run your own business, you will probably spend more time on business activities than whatever services you provide. Legal work, accounting, marketing, sales, etc. are going to take a significant amount of time. Don't start a business unless you want to run a business or have the resources to contract all those services out.

Disclaimer: I'm currently employed elsewhere, but I've run my own business for a stint and have done consulting on the side during some of my previous positions.

I read this one back in the day (After being let go from a large telco company).
http://www.amazon.com/From-Serf-Surfer-Becoming-Consultant/dp/0782126618

There was another one, even older, that I read. I don't remember what it was called. It was written by an electrical engineer who went in to photography consulting if I remember right.

Starting your own business is a great thing to do.

you have basically 2 types of Entrepreneurs:

The ones that start a business to make a living
The ones that start a business to become the next billionaire (so they think)

I assure you, being a pentester will maximum be the first one.

The second ones usually blow up within a year or 2,3 max. I'm not investing in those business anymore, I lost too much money so far with several failures.

The first type of business is still a good business. The book advise on the million dollar consultant is a good book.

I have actually a friend who is a very senior consultant in IT, call it a top Java specialist, used to be with Sun but is on his own the last 4 years and he is invoicing his personal consulting services for more than 1 Million $ a year. We don't see him very often. He's all over the world. So it is possible. I would never want his life. Never. He's actually not living. He's consulting.

I would say if possible start small with a minimum of investment. If possible do it as a side job. The best consultants who work on payroll and who want to become independent still can work for their previous boss usually. that's my experience.

Good luck. You will need it. Just remember my words: start small, low cost and invoice your customers quickly. 

What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.


Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.

A lot of organizations are having these services performed to satisfy a compliance check box. How are you going to position your quality services against others' that cost a fraction of what you charge when the customer doesn't care about quality? I think there's a huge gap between the amount of work available and the amount of legitimately skilled practitioners.  

The same concept applies. Join the local Chamber of Commerce and/or find other events where you can interact with local business owners.

This is a fun niche in the IT industry.

What many don't understand is that it's absolutely not easy to find a job. I think it's easier to make a buck to provide training to people than to actually make a living doing pentesting on a daily basis.

I have customers who need pentesters. I do this because of my customers question.

There is no way my customers are going to trust somebody else to sneak around and provide some report about it. That's the whole thing in this industry. TRUST is everything. That's where the power is.

Strongly agree with you. Its not just limited to Penetration Testing but also to the Infosec education being offered.