
Ask HN: How saturated is the market for offensive security/pentesting? - hd4
Answers relevant to the UK would be good, but if not then any info at all would be better than nothing.
======
erikb
I don't think that's the right question. The better question is "How strong is
the competition in the <XYZ> market".

If the market is saturated but companies are weak you can easily grab market
share. If the market is unsaturated but a very strong competitor currently
aims at it, your attempt will probably just lose money.

And the answer is often analysing google keywords, requesting a few security
checks yourself from the google leaders, investigating who appears often in
related media, and asking possible customers who they know and how they
evaluate their options.

PS: If you "Ask HN" your market research, you'll either find out, together
with us, that there's no opportunity in the given market, or you create
competitors by highlighting an opportunity.

~~~
amorphid
Another factor to consider is how unsaturated a market is (how much unmet
opportunity is available). It's easier to break into a field, and get good at
working in that field, if you're competing with anyone. Most (all?) fields
have room for people at the top of their game, but some fields are simply
lacking enough people to do the work.

~~~
erikb
Agreed. Also unsaturated markets may mean that there is either not enough
potential or there is a huge problem that isn't resolved yet. So yeah, I agree
that having at least some saturation is necessary.

------
wvh
I used to be in security auditing. I don't know about market saturation – that
would depend heavily on your location, as it often requires some face-to-face
discussion – but I think for security the saturation is less relevant than
your credentials. Once a company decides to spend some money on outside
security, they tend to go for a name-company with good credentials and
certifications such as approval for PCI-DSS compliance checking. Once you
provide the needed services, your name comes up as one of the go-to
companies. Reputation and word-of-mouth are pretty important. For instance in
the CC and banking sector, companies are very aware whose services are being
used by other companies. No company wants to give a good chunk of money away
on something as sensitive and invasive as security checks without being sure
they're receiving quality service and not some random script-kiddie with an
automated security scanner.

If your company (or the company you want to work for) floats up as one of the
top security firms in your region, you will probably get a lot of business. If
you start from zero with no reputation, you're going to have to fight hard to get
your name on the map.

~~~
quadcore
Naive question: what if you just hack your prospect, without causing
unrecoverable damages and show them you've hacked them, do they hire you?

EDIT: ok, that's illegal, but isn't it in the interest of the prospect to hire
you rather than see you in jail? Also, I was wondering if there were some
loopholes or field practices one can use to hack for being hired? Something
like: "I may have hacked you, do you wanna hire me?"

Just curious, because it seems to me every company should welcome that. I
might be wrong.

~~~
erichurkman
If you want to try that route, there's an ethical way: look for companies with
vulnerability disclosure programs on HackerOne or Bugcrowd.

Being well-written in your interactions with companies on those platforms
would go a long way in improving your credibility.

~~~
martenmickos
Sign up here: [https://www.hackerone.com/resources/hack-learn-earn](https://www.hackerone.com/resources/hack-learn-earn)

------
mysterydip
My perspective comes from doing hardware and vmware installs at businesses for
a Dell partner in the US. The problem is that, as far as many small businesses
are concerned, there's only two options: get a full, comprehensive, money-
paid-if-we're-wrong-guarantee-backed pentest that's way too expensive, or do
nothing.

There's a lot of places that would just like some idea how vulnerable they are
on the basics. Something the IT admin can show management. If you can come up
with a decent suite for a reasonable price with the legalese to say this is
for informational purposes and a starting point but not comprehensive, you
could carve out a sustainable niche.

Edit to say: in person. Shake hands, tour the facility, get to know how they
operate, and test inside and out. Online automated scanners are a dime a dozen
and no one would seriously trust them.

~~~
iamacynic
of course there's a third option, one that small businesses are opting for en
masse: pay for a well-known 3rd party to run a simple remote vulnerability
scan, pass the results (full of false positives and just plain wrong
information) to someone else to deal with, and pretend like you just
accomplished something useful, and reject all recommendations for anything
that costs more.

------
dsacco
The market is not nearly saturated with firms capable of delivering security
assessments (penetration tests + source code reviews) with high technical
proficiency. I started a consultancy several years ago which has done very
well among smaller tech companies, and I know of at least two new consulting
practices started this year by ex-NCC folks.

There are many, many firms that bill for web scanning and static analysis.
Their business model boils down to, buy a bunch of tools for <$10,000, resell
their usage on engagements for >$5,000 per week. They leave a trail of horror
stories in their wake eventually. Starting a consulting shop is a great
opportunity if you have the requisite skill/experience, and can differentiate
yourself from the snake oil salesmen of the industry and the monolithic firms
everyone knows.

The industry for internal security engineers as well as outside security
consultants is growing at a healthy pace. In my circles, people usually need
to widely advertise a position to get it filled by someone qualified. In one
case, a friend of mine at a tech company informed me that he had only one
candidate pass the phone screen in three months despite posting the position
here on HN, on /r/netsec, etc.

Consulting firms are a different sort of beast because they are usually always
hiring. Every security consultant added to a growing firm directly increases
the total amount of potential revenue, and most successful firms have to start
turning away work at a certain point (for example, I no longer take on work
for network security because I find it unenjoyable, I would much rather work
on reverse engineering and application security engagements).

Everything I've said is US-centric, but hopefully it's reasonably helpful and
relevant to you in the UK. I know a few bug bounty-turned-security-consultant
people in the UK and they seem to be reasonably well off, but they could be
outliers (in fact they are, skill-wise).

~~~
PerfectElement
As a small company with limited budget who is looking to have its application
tested, how can we differentiate between good firms and firms that will just
run a scanner and charge you $5000?

Also, is it a good idea to hire a freelancer to pen-test your application?

~~~
dsacco
_> As a small company with limited budget who is looking to have its
application tested, how can we differentiate between good firms and firms that
will just run a scanner and charge you $5000?_

Reputation, mostly. It's easier for the large firms that everyone is familiar
with. For smaller firms, you probably want to get a strong referral from
someone who has been through this before. Also, ask the consultant(s)
performing the assessment what they'll be doing in some technical depth to see
how familiar they are with a penetration test/source code review outside of
running Acunetix or Burp Suite Scanner. They shouldn't shy away from talking
about what specific technical vulnerabilities they feel they're likely to find
when you describe your app and its stack off the top of their heads.

 _> Also, is it a good idea to hire a freelancer to pen-test your
application?_

Theoretically, this is a good cost savings versus a firm. But in practice,
it's hard to do correctly because you really need to be sure that the person
knows what they're doing. If you want to hire a freelancer, I would suggest
looking for very well-known/successful bug bounty participants and security
researchers who opened their own solo shops.

Also, shameless plug: if you're looking for a security assessment I'm happy to
help you (and if I can't directly, I am nearly positive I can refer you to
very competent smaller firms for your budget). Feel free to get in touch.

------
aidos
Interestingly most of the comments in this thread are about the quality of
existing organisations in this space. My experience echoes this sentiment.

Over the years I've worked on systems that have been pen-tested and it's
always been the same thing. The testing picks up a bunch of standard/generic
and not all that important issues, while missing much worse and glaring
specific issues. I've sat in meetings with people from pentesting companies
who couldn't describe the attack vector/risk of an exploit they'd said needed
patching.

I'm sure there are some companies that do it properly but I guess the good
ones charge a load more money. Then again, as a lay-enterprise, how do you
know who to hire? I know that if I was hired to pentest various systems I've
had to work on in the past I'd have picked holes in them all over the place.

------
Benichmt1
I am a professional penetration tester right now in the US. I got into the
field from education, but once I got my OSCP I had multiple offers from
different companies.

There are a ton of "boutique" firms in the space right now, but there are
quite a few who seemed to be popular and then died off right away.

One of the big market gaps I see is the ability to provide really good
tactical feedback but also package it in a way that it provides value to the
actual decision-makers at the top. There are so many pentesting firms that are
extremely talented at breaking in, but are really lacking at helping to
actually implement cultural and program-level changes so that it doesn't
happen again. There are also firms whose idea of a penetration test is just
running Metasploit/Nessus/Acunetix and then packing it up without a lot of
insight.

Compliance is a huge driver right now, meaning some companies just want to
check the boxes and be done with it. However, just because you are PCI
compliant doesn't mean you are actually secure. It takes a special set of
"soft skills" to be able to help companies truly improve their posture.

------
danieltillett
The problem appears to be how to sort the bad security assessment firms from
the good. There are thousands of firms out there that make grand promises, but
how does anyone without the required knowledge to not need such a firm know
which ones are good and which ones are bad? Rather than add yet another firm,
it would be better to work on a startup that can objectively sort those that
already exist.

Edit. If anyone wants to work on this problem I have a clever way of solving
it (I of course don’t have the time to work on it myself).

~~~
askz
Can you share more thoughts on this?

~~~
Benichmt1
Say you need to get a penetration test for PCI compliance. There are literally
hundreds of vendors that offer these services. Your CTO would like to use X
vendor because he read a paper / saw their name at Defcon / recommended by a
partner.

When the vendor comes to perform a penetration test, they launch a Nessus scan
against the target ranges. They compile the results and manually validate the
findings to ensure they are not false positives. The end product is a report
that looks something like a checklist: SSLv1 in use, self-signed certificates
internally, missing the latest third party software patch on a server.

According to the penetration testing firm, you are probably at a low / medium
risk level. The tacit implication is that as long as you fix those issues, you
should be good to go.

The problem is that first, a vulnerability scanner is an imperfect piece of
software and does not test anything a real attacker would. A real attacker
might try phishing, or guess "Password1" on a user account. Maybe the attacker
would attempt a man in the middle attack or set up an evil hotspot. Once you
have AD credentials, now you can find which users have local administrator
access, which then you can see if there is a shared Administrator password
across all workstations.

The other problem is that the first penetration test does nothing to address
potentially systemic issues for why the security vulnerabilities occurred in
the first place. The patches could have been missing because there is no
formalized patch management program, or inaccurate change management, or an
issue with their Puppet config.

Currently there's no way to separate the "good" (read: thorough) from the bad
other than direct referral or looking at a sample report.
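
The post-credential step Benichmt1 describes (find which users are local administrators, then check whether one Administrator password is shared across all workstations) is exactly the kind of thing a scanner never tests and a tester can check offline once SAM dumps are in hand. The following is an added example written for this page, not code from the thread or from any tool named in it. It assumes the dumps are in the secretsdump-style `user:rid:lmhash:nthash:::` line format; every hostname, account and hash value is constructed, and the guess list is deliberately tiny. It reimplements MD4 so the NT hash computation runs without an OpenSSL legacy provider.

```python
"""Offline triage of constructed SAM dumps from several workstations, in the
secretsdump 'user:rid:lmhash:nthash:::' format.  Flags a local Administrator
(RID 500) NT hash reused across hosts, any account whose hash matches a short
guess list such as "Password1", and accounts that still carry an LM hash.
Added example, not from the original thread; every host and hash below is
constructed."""
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is off


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), so the example needs no OpenSSL legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates D, then C, then B
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password."""
    return _md4(password.encode("utf-16-le")).hex()


def parse_sam_dump(text: str) -> dict:
    """Return {rid: (user, lm, nt)} from secretsdump-style lines; skip anything else."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts[int(parts[1])] = (parts[0], parts[2].lower(), parts[3].lower())
    return accounts


def triage(dumps: dict, guesses=("Password1", "password", "")) -> dict:
    """dumps maps hostname -> dump text.  Returns the three findings described above."""
    guess_table = {nt_hash(p): p for p in guesses}   # hash each guess once, compare many
    admin_hosts = defaultdict(list)
    guessed, lm_present = [], []
    for host, text in dumps.items():
        for rid, (user, lm, nt) in parse_sam_dump(text).items():
            if rid == 500:                  # built-in local Administrator, whatever it was renamed to
                admin_hosts[nt].append(host)
            if nt in guess_table:
                guessed.append((host, user, guess_table[nt]))
            if lm != EMPTY_LM:              # LM hashes are trivially crackable; should never be present
                lm_present.append((host, user))
    shared = {nt: sorted(hosts) for nt, hosts in admin_hosts.items() if len(hosts) > 1}
    return {"shared_local_admin": shared, "guessed": sorted(guessed), "lm_hashes": sorted(lm_present)}


# Constructed dumps: WS01 and WS02 share one local Administrator hash (a made-up
# value, not a real hash), WS03 has a user with "Password1", WS02 keeps an LM hash.
SHARED_ADMIN_NT = "4f5e3b2a1c0d9e8f7a6b5c4d3e2f1a0b"
SAMPLE_DUMPS = {
    "WS01": f"Administrator:500:{EMPTY_LM}:{SHARED_ADMIN_NT}:::\n"
            f"Guest:501:{EMPTY_LM}:{nt_hash('')}:::\n",
    "WS02": f"Administrator:500:{EMPTY_LM}:{SHARED_ADMIN_NT}:::\n"
            f"svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:{nt_hash('password')}:::\n",
    "WS03": f"Administrator:500:{EMPTY_LM}:9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d:::\n"
            f"jsmith:1001:{EMPTY_LM}:{nt_hash('Password1')}:::\n",
}

if __name__ == "__main__":
    for finding, value in triage(SAMPLE_DUMPS).items():
        print(f"{finding}: {value}")
```

Keying on RID 500 rather than the account name catches the common "rename Administrator" mitigation, and comparing hashes rather than cracking them is enough to prove reuse: a shared RID 500 hash means one set of credentials (or a pass-the-hash of that NT hash) opens every workstation in the list, which is the systemic finding a report should lead with, well ahead of any self-signed certificate.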

------
danpalmer
My notes from working at a pentesting consultancy during an internship (in the
UK):

- There are plenty of SaaS offerings, but they aren't VC-backed with flashy
websites, they are much more corporate.

- Lots of the SaaS offerings are just an automated Nessus or equivalent, and
only really look at servers/operating systems, not actual web apps.

- The consultancy side is pretty saturated, but most of them are crap,
new-grads, pentesting Java/PHP apps.

- There is a strong market for the trickier stuff – hardware pentesting,
pentesting more interesting environments/languages, etc.

- Pentesting is ridiculously expensive, to the point that the startup I work
for would never consider it at our size – making that more affordable is a
hard problem, but would be very valuable to lots of companies.

~~~
whatusername
Veracode was VC backed and had a $600million exit this year.

~~~
lawnchair_larry
They were not just a pentesting shop though.

------
spydum
There are thousands of firms who will happily run a vuln scan or webapp
crawler and send you a crappy canned report. There are less who can really
perform a comprehensive test and document the hell out of it.

I personally think pen testing is not very useful, except as a 3rd party check
to tell you if you've done a reasonable job at protecting your software (and
if you get a bad tester, you literally won't know!). We need more people in
InfoSec who can explain how to build defensible software - finding holes is
the easy part.

~~~
philjr
These things are not really mutually exclusive. Defense in depth. Getting more
information on building defensible software does not preclude the need to have
someone knowledgeable try to rip it apart afterwards.

~~~
spydum
I don't disagree on this, but the mentality of pentesting (as I have seen it
conducted) is wrong. Typically a firm wants to find a way in, and snatch the
Crown Jewels. Once they achieve that, the level of effort goes way down, and
they often leave a lot of surface area unchecked.

Or maybe more succinctly: they are incentivized to find SOMETHING quickly,
rather than EVERYTHING.

I think it can help if the testers are internal and not quite under the same
time pressure / engagement limits though.

------
ryanackley
Consumer of pen testing services here. I feel like it's saturated with sales-
driven companies. Basically, "call us so we can figure out how much to charge
you".

If there was a pen testing company with no annoying sales people and
transparent pricing I think it could do well.

------
iuguy
I've been in the UK pentesting market since the closing of the dotcom days,
and run a small boutique pentesting outfit.

In all honesty, this is not an industry you want to build a company around.
There's a lot of smaller players that are getting by on a small client base
and subbing. There's a massive amount of box-ticking compliance companies out
there that offer differing shades of the same awful service. There are a
smaller number of larger companies that offer box ticking and bespoke stuff,
then right at the top of the market you have NCC Group.

The market itself is dominated by compliance work. I spent several years
trying to scale the company I run up by working towards getting more badges,
then doing more compliance work, and repeating. In the process I ended up
realising that we were turning into one of those mid-tier box-tickers, and
that's not where I'd want to be, any more than if I was a mid-sized
accountancy. Unless you enjoy mediocre work, it's not a good look.

If you're an experienced tester with a bunch of friendly customers, I suspect
you could set up something small and go contracting, but you're unlikely to
grow too quickly without going through that box-ticking phase.

The main box ticks to get are (in no particular order):

* CHECK

* CREST

* PCI

* Cyber Essentials Plus

CHECK licenses you to do certain types of government work. Most of the market
is sewn up by outsourcers and big boys thanks to government cuts and it puts
massive constraints on employment.

CREST is an odd-fish. It's built mostly by mid-large size CHECK companies fed
up with the way that scheme was going when it was run by CESG (now NCSC).
There's a few things they've built to seal off parts of the market (like CBEST
and STAR) from non-CREST players. Competing schemes like Tiger and Cyber
schemes offer equivalence for CHECK-type roles but lack some of the market
advantages CREST offers. It's best to think of CREST as a one-stop shop for
Meta-box-ticking in some respects. To be fair, they've done a good job in some
areas, come across as a little bit cartel-like in others but on the whole have
done what other standards bodies have failed to achieve, which is to have a
cross-discipline certification curriculum that's respected at a technical
level.

PCI is for payment data and is absolutely saturated with low-end box-tickers
flogging rebadged Qualys scans. The Local Authority market (good god, the
horror) is the closest thing to this in terms of sheer volume of WTFs per
minute you'll encounter.

Cyber Security Essentials is a scheme that nobody wanted, that CREST picked up
with IASME and is now being rolled out by force via backdoor programmes like
DCPP.

OSCP is gaining, but not really popular here because of the abundance of other
schemes.

Prices are all over the place, but depend on market segment and the box being
ticked but have generally been relatively stagnant or lowering since around
2004. When I went full time pentesting, average rates were around £1250-£2000
per day. These days expect between £700-£1250 depending on the market in which
you're operating.

So, in a market that sells things people don't want to buy at prices they
don't want to pay to tick boxes nobody enjoys ticking, is it worth going into?

There are a lot of companies looking to consolidate testing firms into their
portfolios. Blackberry bought Encription a while back for a fair old wedge.
Digital Assurance were recently acquired by F-Secure. NCC appear to have
stopped acquiring companies at the rate they were previously, possibly
connected to decreasing profits.

You _could_ spin up a company and if well connected grow it to about
500k-1million in revenue, possibly sell for 750k-2 million and work for about
5 years extending a services portfolio at a Cybersecurity distributor or
reseller before cashing out.

Realistically, the money in the compliance end of the market is in services
that support the compliance management side, while the money in the technical
end of the market is going to be in making tools that do something new for
people who consume testing services as well as the testers themselves.

A good example of the former is probably Canopy[1] or Dradis[2], reporting
toolsets that integrate various scanners. The best example of the latter is
Burp suite[3], which is a web app testing tool used by both testers and
developers. A lesser example would be Nipper (for network infrastructure
config review) or Matasano playbook (sadly now gone).

So, in conclusion:

1. The market is highly divisible based on compliance targets, with
associated badge-based barriers to entry, low margins and high salary costs.

2. There are a huge number of companies (e.g. scanner firms) in some areas of
the market. There are few in certain niches but they tend to have barriers to
entry.

3. It is still possible to build a small firm that is a cheap acquisition
target for a larger firm and make out, and there is scope for consolidation.

4. You are more likely to have longer term growth looking at the market and
seeing how to provide to it rather than providing the service yourself.

[1] - [https://www.checksec.com/canopy.html](https://www.checksec.com/canopy.html)

[2] - [https://dradisframework.com/ce/](https://dradisframework.com/ce/)

[3] - [https://portswigger.net/](https://portswigger.net/)

~~~
petecooper
Not OP, but this was really insightful and useful. Thank you.

------
ccddss
You could also ask: Is the market saturated with electronic calculators or
guitars? It depends on what you do with such a tool and whether you are able
to decide between the several variations. And sure, there are experts and
there are experts. Some are better at impressing, others are better at doing.
If you do a good and honest job you will not fail. Mostly.

~~~
snissn
I love your answer. I always use restaurants as my example! If you want to
open a restaurant, do it! Don't let the fact that there are already a lot of
restaurants stop you! (Or don't open one!)

------
1ba9115454
If you look at it in terms of open positions then the market appears to be
growing.

I imagine finding experienced people would be difficult for employers. The
learning curve is relatively small for an experienced developer to pick up
something like metasploit. Finding someone who can creatively come up with
zero days etc probably very difficult.

~~~
hd4
This is exactly my position on it right now, thinking about a pivot into
security from application programming as it seems to be dawning on industry
that it's no longer a nice-to-have.

~~~
1ba9115454
I would recommend some Metasploit tutorials on YouTube. There's already a
metasploit module for some of the NSA stuff that got released. Topical.

------
avaer
I think it greatly depends on the kind of pentesting. A military network is
different from a bank, or an AWS site, or a social network.

It's a guess, but I would suspect the market is saturated -- by opportunists,
not talent -- leading to necessarily high-touch sales and high barrier to
entry, but not oversupply.

~~~
hd4
What sorts of barriers to entry? Purely the fact that there is a lot of noise
vs. signal in terms of low-grade operators? Or is it more to do with learning
the requisite skills?

~~~
PeterisP
Selling the service to end customers has a high barrier of entry, in part due
to chicken-and-egg problem of reputation and connections.

Doing work for/with someone who is doing the sales part well doesn't have a
big barrier of entry IMHO.

------
tptacek
For consulting work? Not at all saturated.

------
mighty_warrior
There are plenty of companies who perform pen testing and security. Their
biggest deficiency right now is understanding new emerging cloud technologies.
We have been working with some pretty big name security companies around the
globe and very few of them understand AWS or Azure adequately.

------
rdslw
Hey hd4. Can you leave your contact details here or on your profile? Or
contact me (keybase in my profile).

~~~
hd4
Sure, I'll have to wait till I get home to use keybase, this is a work
computer.

------
safetyscissors
I'm in the same position thinking of making a pivot into the security sector
(coming from a mobile developer background). I think if you're good and always
on top of infosec stuff and contribute to the community, you'll always have
work.

------
ig1
The market for infosec in the UK and internationally is pretty healthy, if
that's where you want to build your career I wouldn't worry about the size of
the market, but finding yourself a good consultancy firm to start your career
at.

------
darksim905
Oversaturated as hell. Everyone and their mother thinks that just because they
can code or use a computer, they can use Metasploit or (insert tool here).
There's more to it than that.

------
jjguy
I spent twelve years as a "security guy" before becoming employee #1 at a now-
wildly-successful security startup five years ago. I've spent a lot of time in
the last year "professionalizing" our security program, now that we've grown
large enough to need repeatable security procedures. I am intimately familiar
with the domain.

Three things to segment the space:

- Clients are typically driven by compliance or practical security value.
Understanding who you cater to and qualifying your customers will save a lot
of pain.

- Many/most "pentesting" firms are focused on the corporate enterprise and IT
people, not SaaS and dev people. Recognizing the difference in yourself and
your customer needs will save a lot of pain.

- Many/most of the traditional IT enterprise security best practices & tools
do not apply to a well-managed SaaS platform. e.g., I do not need a
traditional vuln scanner to check for unnecessary and vulnerable services when
I have one domain that's terminated at an AWS ELB.

Some industry color:

- The 2013 Target compromise root cause was not Target themselves, but their
HVAC contractor who maintained trusted access. As a result, third party vendor
risk assessment is becoming "standard practice" during the procurement process
of any technology vendor, including SaaS applications.

- The vendor risk assessment teams expect all vendors to have mature security
programs - SSAE-16 SOC2 audits, full Secure Development Lifecycle practices
and customer-facing documentation to describe it all in detail.

- The result is a growing demand amongst smallish SaaS vendors for more
professional security guidance.

With that context, some commentary on your original question:

- There are very few firms that provide good "practical security value." I
cannot find enough good pen-testing firms that are a reasonable proxy for a
capable attacker.

- The market for firms providing "compliance" services to "corporate
enterprise IT" shops is noisy and full. The market for providing similar
services to smallish SaaS vendors/developers is very sparse.

- The security tooling for dev is pretty good - static & dynamic source code
analysis, tied into the build pipeline, etc. The security tooling for devops
is not. There is a large gap in security tooling for devops/SaaS vendors -
distinguished by automation and focus.

Finally, commentary on the question you're really asking:

- If you are world-class good, or can build a world-class team, you can build
an outstanding company providing practical security value pentest services.
Scale will be limited by the number of world-class staff you can hire/train.

- There is a gap in providing higher-level services to smallish startups to
help them navigate third party risk assessment procedures from their
customers. HN's tptacek and elptacek recently launched a new consultancy with
this focus. They _nailed_ the product/market fit. [a, b] Again, scale will be
limited by the number of staff you can hire/train, but it is an easier team to
grow than world-class attackers.

- There is a gap in security toolchains for devops/SaaS providers. Review the
public projects from Netflix, Facebook and the other SaaS heavies for specific
gaps _they_ had to fill. Every one is a product waiting to happen.

Cheers, and good luck.

a - [https://latacora.com/](https://latacora.com/)

b - [https://news.ycombinator.com/item?id=12567578](https://news.ycombinator.com/item?id=12567578)

------
kapauldo
No one has bottled this yet and made it cheap. If you could do a saas of
automated kali and ssllabs scans, for example, I think there is a huge market.
If you want to start a consultancy, the market is saturated.

~~~
darksim905
services like penteston.com will make bank doing this. It should be free, but
I'm very biased. It's geared toward smallest pentesting consultants or people
who don't know what they are doing. Seems to do a lot of the heavy lifting.
Saying nobody has 'bottled' it is silly. People here in YC have done half the
work, or will figure out how to do half of it for you as a pentester. The rest
is validating those results, which is where a bulk of pentesting comes in.

