
Consultants: what services do you provide and how do you set your rates? - seppblatter
I am being hired for a hardware security audit and have no idea how to structure the deal. It would be helpful to know the following:

- What services do you provide?

- How experienced are you?

- What industry do you operate in?

- How much do you charge per hour, and how do you structure your SOWs?
======
tptacek
Don't charge by the hour.

It's less important what you start out charging, and more important that you
develop the discipline of continuously walking your prices up.

Hardware security is a high-status subset of software security. There aren't
that many consultants who can reverse firmware, understand embedded C, or
write assembly for a debugger. You should be able to charge a premium to what
bread-and-butter software security projects (like web app testing) get.
Consider $2k/d your floor (that's what a high-end consultant gets for a bread-
and-butter project) and $2.5k/d a rate that probably captures some of the
premium for doing hardware work.

Factors on a hardware security project that would tend to "up" the bill rate:

+ Non-X86 non-ARM

+ No source code provided (but this can also be reflected in the project's
scope)

+ You have special tooling for the project (for instance, it's MSP430 and you
have a really good MSP430 hit tracer)

+ Involves "actual" hardware, like: you'll need to tap a bus, or defeat a
JTAG countermeasure

+ Serious RF work

+ Cryptography

"Down" the bill rate:

+ Startup customer, not in a financial vertical

+ Startup customer, has raised less than 5MM

+ Client buys more than 4 pentests per year

+ Competitive bid

+ Minimal software

Source: in 2012 my partners and I sold Matasano Security to NCC Group, which
is now the largest software security firm in the US.

~~~
147
Hey Thomas,

I'm looking to get into web app testing and I read this article earlier today:
http://krebsonsecurity.com/2012/06/how-to-break-into-security-ptacek-edition/

Say I did what you said and got some experience. How do you know when you're
ready to strike out on your own and do what the OP is doing? Or should I join
an existing firm to get more experience?

~~~
tptacek
If you've never worked for an appsec consulting firm, I would highly recommend
doing that for a year before starting your own firm.

------
dsacco
I provide high quality software security consulting for funded startups and
enterprises - this includes technical penetration testing and source code
review, but also various other things like parachuting in to help developers
and managers and solving business/policy issues in the realm of "security." I
differentiate my services on several grounds - higher technical proficiency
than competitors (many of whom use automated scanners and call it a day) and
greater involvement than a simple pen test.

Like many people, I would tell you to frame yourself as someone solving a
business problem rather than someone performing a pen test for a client. One
is a valuable investment, the other is a commoditized item on a compliance
checklist.

I structure statements of work using clauses for 1. scope and definition of
the project, 2. approximate dates, 3. rates, including terms of
payment/invoicing, 4. limited liability, 5. various other boilerplate and
project-specific minutia, such as how and when reports on findings are
delivered, etc.

I charge $2000 a day, or $10,000 per week. This is implicit - if you do the
math you'll figure it out, but I really just give a final project-based price.
A 50% deposit is taken at the beginning of the project and paid towards the
final invoice (so 50% at outset, 50% on completion). I know there are many
opinions on this; it works, so it's what I do.

I have about five years of experience in information security specifically.
Feel free to reply here, or reach out to me via email if you have more
questions or want more guidance.

~~~
kohanz
Can you speak about where you started with your rates, why you started at that
level, and how you progressed them to where you are today?

I'd also be interested to know the length of a typical client engagement.

