Introduction

The Cybersecurity job market has become a hot field, seeking new, highly qualified candidates. It is a diverse field with various job types, but one of the most desired positions is unquestionably penetration tester. A pen tester is an ethical or white hat hacker. Because of this, a pen tester needs to understand the sensitive nature of their job and ensure that they are always compliant with policies, procedures, laws and legislature. Becoming a pen tester is not a decision that should be taken lightly. It can, however, be a lucrative field and also personally rewarding, so if one does take this path, it can be a real life changer.

As with many IT related fields, this job has flexible options. It could be performed remotely, outside of normal office hours, as a consultant, or an employee of a larger, or small, corporation. If one is considering pen testing, it’s important to weigh the pros of cons of being a W-2 employee or 1099 freelance consultant.

What are some considerations you need to think about when becoming a pen tester?

 Being a freelance consultant in any field normally means you are a 1099 employee, thus a small business owner, versus a W-2 employee. But many people do not fully prepare for what being a freelance consultant really entails.

The first item to consider is whether you want to start an actual business, or just be a 1099. As a 1099, you normally do work for a company and they provide you a 1099 statement at the end of the year. They will pay you a set rate for services performed; however, they do not pay your taxes or provide you any level of benefits. You are 100 percent responsible for paying your own taxes and ensuring you still have enough money left over for health insurance, as well as any time you need to take off from work. Remember, you only get paid for time and services rendered. If you perform no work, you will not receive any money. There is no paid time off in the 1099 world!

If you decide you want to be a freelancer, you could also start a business. You can be a sole proprietor, or you could start a LLC or corporation. You would need to look into the laws of your particular state to understand what the differences are. A sole proprietor is similar to just being a 1099 employee. In some states, you can be a sole proprietor and file a “Doing Business As” (DBA) certification with your state to present yourself as a business. For example, your name is Alex Jones, you’re a freelance pen tester in Alabama, but to look a bit more professional, you might want to send your customers invoices using the name, “AJ Pen Testing Services.” Alex would fill out a DBA with the state of Alabama so he could use that name for his Pen testing services.

If you decide to launch a LLC or corporation it is important to consider the business licensing laws in your state. You also want to understand and evaluate how this affects your tax structure. If you do start a freelance business, you will want to obtain business insurance. As a pen tester, you will be penetrating and possibly exposing the vulnerabilities related to an organization’s Information Technology structure. As a result, it is possible to be sued if something goes wrong. You want to ensure you have some form of liability insurance so you protect your personal assets from your business. In some states, you do not have this level of protection if you are a sole proprietor, so again it is important to weigh your options.

Being an employee provides some level of stability. That is why many people choose to become employed at companies instead of starting their own. Being a Pen tester at a corporation means a steady paycheck, normally provides medical and dental benefits, vacation time, the camaraderie of a team, additional resources, and maybe even other perks like occasional free lunches or snacks, or even holiday parties. If you are fairly new to pen testing, having some additional training could prove useful to enhancing your skillset. In some cases, a company may pay for training. Most cybersecurity related training is fairly expensive, so having a company pick up the tab is a great perk. Many pen testers have some type of related certification. These technical certifications require CPEs (Continuing Professional Education), also referred to as Continuing Education credits. Some companies provide training opportunities that employees can take advantage of while still getting paid, allowing their employees to maintain their needed CPEs. Some companies even pay for the renewal fees that many certifications require.

Working for a company also provides all of the pen testing resources needed to complete the job. There are many open source tools that can be used to perform pen testing, but many advanced tools require the purchase of a subscription or a license for installation. Some items that have costs associated to them include:

BurpSuite: Used to automate crawl and scan. Using the professional addition requires a subscription.

Metasploit: This is open source software, but the professional addition has associated costs.

Nessus: A scanning tool that requires a yearly license.

Pen testers also need a laptop that has these tools along with others to perform their work. Kali Linux does come pre-loaded with many of these tools, which can be helpful for the freelance employee, though you may not have the professional versions that provide additional capabilities. As an employee, you have all of your needed resources provided for you. As a freelancer, you are responsible to pay for them yourselves; however, as they are being purchased for business purposes, these items could be potential tax write offs, so that is a potential advantage to consider. The toughest issue with being freelance pen tester is finding clients.

Finding work

Outside of the financial considerations, finding work is the biggest hurdle for any pen tester. That is employee or freelancer alike. Many companies are not eager to pay a stranger to come poke around at their network and find vulnerabilities, so even large corporations with great reputations in the field may not always have pen testing opportunities available. The advantage working at a company as a pen tester is that when there are times of low to no pen testing work available, they may have other projects that you can work on to keep you busy and fulfilled. As a freelancer, you have to find ways to fill those voids.

As a freelancer, you will also have to find ways to build clientele and get people to trust you. When you are not working, you will need to spend time going to various conferences to try and get your name around the industry. Some of the big conferences can be expensive so those costs are other items to consider. Other ways to get your name around it to train or teach. Doing talks at events like Black Hat or Defcon are ways to create interest in your expertise.

Mobile Device Penetration Testing

Conclusion

There are both advantages and disadvantages to being a freelance or company employed pen tester. Pen testing can be a full-time job for either, but there can be slow periods. Being a hired employee can offer additional educational benefits as well as opportunities for other work during slow periods, but being a freelance offers flexibility and the ability to take on certain types of projects according to your skills or interests. Employed pen testers get the benefit of working with other like-minded individuals (or even finding mentors) in the field to bounce ideas off of, but as a freelancer, you can start your own business and hire other like-minded individuals. Building clientele as a freelance could prove difficult, but that is true in any profession. If you have the drive and prove yourself an expert in the field, freelancing could be just as steady and fulfilling as being an employed pen tester. Whichever route you choose, it’s a fun, exciting, and rewarding field!