    How hard is it to make money independently? Is bug bounty the only option?

    I’m a decent pentester (not great), but I’ve got a LOT of experience on all kinds of OSes, architectures, platforms, and time with many different programming languages. I’m not really great at any of it, but I’m passable with nearly everything I’ve ever been asked to look at. I’m not the guy that is going to write a custom binary exploit for an app with all compiler protections turned on in a modern language on a modern OS, but I can customize existing exploits and do novel work on embedded systems without most of those protections enabled. I’m not the guy that will likely find new exploits in web frameworks and libraries after they’ve already been picked over in the broader security community, but I’ll happily test and find vulns in your company’s implementations of those frameworks and libraries. I’m not the guy that will decap a chip and reverse engineer your silicon, but I’ve got the tools and knowledge to work with inter-chip communications protocols and snag rom dumps and/or encryption keys to hit IoT and embedded at a lower level. I’m not a developer, but I can work with any language I need to to accomplish whatever goal I’m set on doing. I’m a full stack tester that works from hardware to web apps and every component in between and connected to or by.

    I’ve done consulting work and also worked directly for large corporations and institutions. Out of the past almost 20-year career track, the first 5 were mainly troubleshooting, dev, and administrative with a focus on security. The 5 after that were extremely focused on security and vulnerability work. The 5 after that were vulnerability work, dev work, electrical engineering, and pentest work. The last 5 have been almost exclusively pentesting. I now pull in mid to low six figures (200-400k depending on year, bonuses, and other comp) in a mid to low cost of living area. If I lost my job today, I’d have another job by next week paying nearly the same.

    Was the progression difficult? No, but it was long. Can you be a pentester without that kind of broad experience? Yes, but you will need to find a focus/niche to work in. Will it take that long to become a full time penetration tester? Not likely; a simple OSCP can get you an entry level job. Will you make good money? You will make decent money until your experience broadens or deepens, and then you can make good money.

    Seeing as every business uses some form of technology or has some form of security, there’s a little bit of exploit protection needed everywhere.

    You just need to find an opportunity. Like get a job working on a help desk for a company that offers training or experience working with something security related.

    That or become an infamous 1337 hacker and get caught and hired by the NSA.

    First option is significantly easier and more lawful.

    If you can communicate effectively with humans, work in a hierarchy, and continually learn, the prospects are good. People and companies aren’t getting any LESS stupid about security, that’s for sure.

    “Independently” is misleading. You always answer to someone, even if it’s clients. And then there is the bullshit of late/missing invoice payments that aren’t covered by labor laws. And sales/marketing to keep the money flowing. And contracts.

    Took me 22 years of being an avid hobbyist with a few close calls. It wasn’t easy, but easier if you have comp sci and your credentials are bona fide with a good analyst program and you pay the $400 for the exam. I just have a BA and an MSc in biology and microbiology along with a certificate in operations management. I also networked at cons and gave a few presentations. Got published, etc. etc. That helped my cause. Now I’m under a strict NDA so I can’t do squat publicly. But I’m getting paid, so I guess it’s been worth it? We’ll see.

    To get hired by a company? A nation state? A private party? Consulting firm? Doing what? Analytics? Threat hunting? Penetration testing? Risk mitigation? Administration?

    You wouldn’t be asking us if it wasn’t hard.

    FASTER algorithms can become REAL faster architectures, physically embedded into ICs.
    That’s how you make the BEST money with “hacking” out of **Number Theory**.

