Episode 154: Starting a Pentesting Company on Top of Bug Bounty
Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Timestamps ======
(00:00:00) Introduction
(00:03:36) Starting a Pentesting Company
(00:12:25) Advantages of Pentesting as a Bug Bounty Hunter
(00:29:03) Pricing, Sales, and knowing your Market/Worth
(00:36:21) Compliance in Pentests & Rapid-Fire Takeaways
Title: Transcript - Sun, 04 Jan 2026 05:53:45 GMT
Date: Sun, 04 Jan 2026 05:53:45 GMT, Duration: [00:41:29.26]
[00:00:01.12] - Brandyn Murtagh
Definitely, definitely, definitely pay to get the advice or consult someone that is very well versed in business and tax structure for where you're operating from because that will pay dividends tenfold.
[00:00:36.95] - Justin Gardner
All right, hackers, if you're really looking to take the deep dive this year, I really recommend you check out the critical thinkers tier in the CTBB Discord. Okay. This is the place where we are doing hack alongs, AMAs, giving you exclusive content that only the inner circle has access to to boost you as a hacker. Master classes, you know, custom interviews, extended interviews with guests, that sort of thing. It's a great way to support the pod and it's a great way to invest in yourself as a hacker. And it's a tax write off for sure. So give it a shot. Check it out. ctbb.show/discord will help you join us. Thanks.
[00:01:12.67] - Joseph Thacker
Dude. Just before we hopped on, we were talking about how Justin is so emotive. I feel like honestly growing up and even in my adult life, I feel like an emotive person. Like I feel like I have a lot of personality. But then I'm in a podcast with Justin and I look like the drab one, you know, I look like the low key kind of playing person.
[00:01:32.92] - Brandyn Murtagh
Yeah, I agree. I realized that when I did my very first episode before I was a co host and I was just comparing like for like, obviously you're next to each other on the screen and I thought, yeah, I look completely dead compared to this man. He's always so expressive. He uses everything to explain himself better. But comparing myself, I need to work on it a little bit more.
[00:01:55.54] - Joseph Thacker
Yeah, I feel like also just the English thing is a little more subdued. Right? I mean we're just the crazy Americans who are loud and boisterous.
[00:02:03.79] - Brandyn Murtagh
We have some quirks as well.
[00:02:05.54] - Joseph Thacker
Yeah. Well, guys, we have a really cool episode for you all today. Me and Brandyn both have taken kind of similar trajectories from getting into Bug Bounty and then spinning it into some pen testing engagements and or companies. Both of us have started our own companies, but I think that this is just as applicable if you're a person who does Bug Bounty but just wants to do a few contract pen tests here and there. So we put together a super practical and super helpful, I think, guide for helping bug hunters move into the pen testing space. And this is not some sort of like "you should transition" type talk. It's just really nice to have another income stream to have more consistency. You know, if you get a company on an annual retainer now, you just can rely on that income. And so we got a bunch of practical tips and we wanted to talk about our story for how we did that.
[00:02:55.37] - Brandyn Murtagh
Exactly that. Exactly that. I think some of my points are more associated around the reality of doing it, where you have this very romanticized image in your head of what it could be like. But there's some realities to come to terms with as well when you're in the thick of it. So we've got a lot of talking points to get through.
[00:03:16.65] - Joseph Thacker
Yeah, I feel like our audience are going to come from like two or three different angles. Some people will have come from pen testing and gotten into Bug Bounty. And then some people will have done kind of what I did, which was more get in Bug Bounty first and then kind of transition into pen testing and then everywhere in between. So, yeah, let me. First of all, I think, like, let's just talk about some, like, kind of high points for why it is valuable or why it's good, and then we'll circle back to our stories. I think sometimes, you know, people want the practical tips before they want to hear about our life stories. Sure, yeah. So, like, like I said, the main thing that I think is the most interesting about it or that can be the most useful is that it is a diversification of income. So where Bug Bounty can be kind of highs and lows, where, you know, you might go a while without finding a good vulnerability, or you might find a vulnerability that you think is really nice and then the company disagrees. It's a nice way to say it. Or you get duped or whatever. And it could feel like a kind of a low. Pen tests are really nice because they're just basically guaranteed cash. Right. Whether it's guaranteed at an hourly rate or for the job itself, you know you're going to get that money.
[00:04:29.74] - Brandyn Murtagh
Yeah, 100%. And what you touched upon there, the mental aspect as well. I feel like sometimes you need some consistency when you're hunting full time because although it's nice, and Justin's mentioned this concept before, your income is very spiky, like, it goes all over the place. If you've got a live event, if you're in ipc, like whatever that could be, pen testing helps blunt that a little bit. And even for like your actual dopamine, man, like, knowing that, like, I do X, I get Y, like, that is very, very nice to deal with, especially if you've been hunting for long periods of time. And here's a little tip, actually. I didn't put this in the notes, but I've actually just remembered it. A very effective way to, like, get yourself back in the groove if you've been on holiday or you've taken a break, is to start off with a pen test, like, if it's from one of the pen test platforms or services. Warming yourself up with a pen test of I'm doing X and now I'm going to get Y is a bit of a cheat code I use every time I have a holiday. Now, every single time I try and make sure I have a pen test to come back to. And it really works for me because I'm like, right, cool, we had a good pen test, now let's find some bugs. And it's just like a little cheat code which is quite effective for my brain.
[00:05:47.86] - Joseph Thacker
Yeah, that's interesting because, like one, you get in the swing of things, you're not worried about having to find something. And like you said, it does kind of smooth out that spikiness. I know Kieran, our friend, has mentioned that he, like, just does a little bit of both and I think that's, that's like a pretty smart model. You know, he'll just do a pen test or two, I think one at least per month and then, you know, you have that guaranteed income. You know, I think he does his through HackerOne and Bugcrowd. But I mean, you know, today we're going to be talking more about like having and doing our own independent pen tests, which I think has the downside of having to do your own sales, which you can talk about in a minute. Whereas the, you know, the bug bounty platforms kind of bring those to you and you can like accept or deny them. So you have the upside of no sales, but the downside of you can't charge as much. Right, the pen test that the platforms sell is going to be less total payout, usually, because they have to have their cut. Whereas when you're selling your own pen test, you can kind of charge a bit more.
[00:06:45.19] - Brandyn Murtagh
Yeah, exactly. And there's a bit of meta around the sales and that as well. And I mean meta, because first of all, actually, what is funny, whilst I remember, when I speak to my pen test friends, I have a lot of pen test friends, good friends, JDK man, loads of people like that, they always go, why are you doing pen tests for? Just do bug bounty, because you can earn so much more. And I'm like, dude, on paper, I get why you're saying that. But the reality is a pen test can just help alleviate so much mental things that aren't on paper but mean a lot. So sometimes being able to do a pen test does really help. So that's the first thing. The second thing, on the pricing that you just mentioned, you have to be careful as well with what locality and region you're based in. Right. Because depending on where you are depends on how much you can charge for a pen test, if you target that market, if you target your local market. And second, all the other things that you need to consider around, are there any actual mandates around how you charge for it? Does it have to be for a business? Do you have to pay yourself? Yeah. So there's a lot to think about when you do that. Because in the UK, for example, you can become a, let me just get this right, a limited company, a sole trader. And there's one other thing as well. And depending on what you do depends on the tax brackets and the tax incentives or lack of incentives that you get for each. And there's a lot of like other paperwork around that as well. So that's something to consider.
[00:08:23.45] - Joseph Thacker
Yeah, that's cool. We have one kind of upside to doing it in the US is you can just be a sole proprietor or a single member LLC. And a lot of times you don't even have to register with the state at all. That's how it is in Kentucky. I think about half of the US states are that way. You don't even have to register your organization. And you can just do this work as like a, basically a contract worker. And you could even subcontract to other, to other pen testers if you have buddies that are doing it with you. And you don't ever have to go register with the government or anything. You're just kind of like a sole proprietor and you use your, use your Social Security number as like your business ID number on all forms. And it just works, which is pretty neat.
[00:09:00.95] - Brandyn Murtagh
That is good. Yeah, I feel like that's probably a good takeaway. Now we start speaking about. It is definitely, definitely, definitely pay to get the advice or consult someone that is very well versed in business and tax structure for where you're operating from, because that will pay dividends tenfold. Especially if there's a lot of things I didn't know before I started, which could have been very expensive mistakes and actual like legal things that you have to do to make sure you're doing things properly.
[00:09:33.25] - Joseph Thacker
Yeah. I would say, you know, the first step, which could be something free, is just ask other bug hunters, like in critical thinking in our discord or, you know, or on X or whatever else. Because I'm sure there are pen testers that you know in your, in your country. Ask them kind of the, the bare minimum. And then you said maybe seek professional counsel if you, if you land a gig or if you want to set aside some bug bounty money for that.
[00:09:55.30] - Brandyn Murtagh
Sure.
[00:09:56.11] - Joseph Thacker
I do think that when it comes to starting your own, like your own pen testing firm, which I know you did, it has just, well, one, it's easier than ever, I think, with AI because you can use, you know, current free AI software and models out there to, you know, come up with copy. By copy, I just mean, like, marketing material. You can use AI to come up with, like your logo or your slogan or your domain or whatever. I feel like it's like easier than ever to start any kind of company. But that just includes pen testing companies, which is, which is pretty legit. I will say though, if you want something that looks really professional, you should actually hire professionals. Brandyn sent me his marketing kit for murtasec, which is his pen testing firm, and I was blown away. You know, like, I thought, hey, I can do basically any kind of design work these days. And then you sent that over and I was like, oh, this is actually really good. This is kind of nice.
[00:10:51.08] - Brandyn Murtagh
Yeah. And like, to touch on your point, absolutely. It's never been easier to do this stuff, which is great. It's so empowering. It's really fun. And you can experiment, but, and I've got points on this later, when it comes to your positioning and how you market yourself, how you market your company and your brand, you need to think about, okay, is this actually a differentiator or do I mix in with the noise now? And this is going to actually be detrimental to me in the long run. So I feel like it's a balance of knowing what tools to use and when. So, like, for example, to your point there, that marketing kit, I hired a designer to work with me on my brand, my logo, my design, my feel, mate. That took weeks of work. Like, that took so much time that I just didn't even consider. It wasn't even in my, like, realm of possibility that it could take that long. And like, all these questions that come up and I was just like, I don't know, I haven't done this before. But the good thing is I got some really good output and deliverables from that which I now use everywhere. So there's pros and cons to everything, right? Like of course going the human route and getting someone very high end will come with that price tag, but it'll look better. Whereas if you want, if you just need something to get started, if you have the demand there and you just need something to get started to put on deliverables and like go, okay, right, I now have something I can use on a pen test report, then what's the harm in going the AI route and using some automated tooling? There isn't.
[00:12:23.65] - Joseph Thacker
Yeah, for sure. So I did want to mention that I think that bug bounty hunters have like a really unique advantage against other pen testing companies or pen testing bids in the fact that we have external evidence of our quality, like external evidence of our findings. You know, the majority of us have hacked on both public and private companies' programs. And when you've hacked on those public programs, you know, those reports often show up in your profile or at the very least, you know, you could take a redacted screenshot or you've posted write ups. I think at the end of the day people want results, right? Well, most people do. I guess we should mention this to some people who might not know. Pen tests kind of come in two flavors. Some people are getting pen tests for SOC compliance and they don't really care if they get good findings or not. In fact, they prefer fewer findings. But the vast majority of pen tests you get are going to be people who are like really wanting to know what security vulnerabilities they have. And a lot of pen testing firms out there kind of are snake oil or just lower quality. I think that at least in the top, you know, 20 percentile of bug bounty hunters, we're extremely talented from a skill perspective relative to your average pen tester. And so your ability to find bugs on these pen tests is probably much better than you think. And so if you have imposter syndrome, like oh, I'm not good at XSS or I'm not good at this or whatever, you know. Well, guess what, the pen testers they're already hiring also have strengths and weaknesses and that's totally okay. But I do think it's like our strength as bug bounty hunters that we have basically external validation and proof of our value add to companies already through previous findings, through reputation points on HackerOne and Bugcrowd and through just like brand logos, you know, like in marketing material.
I've seen a lot of bug hunters put like in their X Bio like the companies they found bugs on. Right. Or you can put that on your resume or you can put that in your marketing material for your pen testing, like packets or marketing material that you use. Like, you know, have found bugs on all these major companies. And so even though those companies are not your pen test clients, you're not lying, right. You have found legitimate vulnerabilities on those companies. And I think those logos can be really valuable for leveraging into sales.
[00:14:33.25] - Brandyn Murtagh
100%. 100%. When you are speaking to customers and you're positioning yourself, having those established brands on there builds that trust. It builds that reputation that, okay, I am finding the bugs that the traditional pen test teams did miss on these targets. And it can be a very good and honest way to earn credibility when it comes to your technical skills. Now, I do also want to make the point of that is one part of delivering a pen test, right? That's 50% hacking, 50% everything else. Ish. Depending on the pen test and the engagement. And I'm saying that because we ran an engagement together that took me days of config that for us to do, if you know what I'm talking about. I do like days of config, like a lot of time. But it doesn't matter. A considerable amount of time.
[00:15:28.72] - Joseph Thacker
I'm still mad about it. This is actually one reason why I turned this pen test down, by the way, guys. But Brandyn subcontracted me, so I got to do the fun parts.
[00:15:35.79] - Brandyn Murtagh
Exactly. Well, this is it. And this is exactly my point that although there are some really, really good skill sets that complement each other with pen test and bug bounties. Perfect match in terms of actual technical findings, you are consulting at the end of the day. And that comes with a very different requirement and skill set. Because a customer isn't paying for a bug bounty finding, they're paying for a report and they're paying for your expertise to help them fix that finding. So, for example, yourself very comfortable talking to customers. I've seen you talk to many people. That comes naturally. Some people that might not come as naturally. And it's a skill that you would either have to get someone on board to handle for you or know that you have to improve upon it to make sure that your customers actually are getting a good pen test, they can trust you and they're getting good deliverables from it. Because although, as I said, you are still hacking, remember, the customer actually cares about the report or whatever deliverables that you're providing them as well.
[00:16:37.91] - Joseph Thacker
Yeah, I think that there's a lot of interesting tidbits that you bring up there. I think the one thing that jumps to my mind is like, that there is a kind of a significant level of obligation. Right. With bug bounty, you can get away with, oh, I look at this and then I just turn off my laptop and I go do whatever hobby I have for the next 12 hours. And with the pen test, you've got timelines, you've got meetings, you've got the report writing. For this reason, I actually prefer bug bounty. Right. But that doesn't mean that it's not valuable or worth it. In some cases. You just have to think about one, what's the value of your time, and two, what's your price point? Like, we know a lot of really top hackers. I mean, within the critical thinkers tier of, of our, of our discord, you know, we have some of the best hackers on the planet, and I think a majority of them probably do prefer bug bounty. But there's a price point for everybody, right. If we threw out a 50k pen test for a week's worth of work, I would say the majority of them would say yes to it. Right. And so I think, like, you just have to know what your price point is and know what you like to test and, you know, figure out if the clients you're searching for really, like, vibe with you, like whether or not they, whether or not you get along with them. Right. I've had, I've had a lot of people who I hop on calls with, and I can just tell that they're so stoked to have me looking at their app and that makes it really easy to hack. Right. And I've had other customers hop on the sales call or the, you know, the kickoff call, and it feels like they're interviewing me. And I've turned several of those down because it's just like, I don't know, for some reason, for me, it's not worth it if I'm being, like, questioned, you know, if they're skeptical of me. Right.
And so anyways, I think for everybody, you know, there's different metrics there on like, you know, like you said, whether or not they're comfortable doing those sales calls, how much it's worth, how much time it's worth, and then is it worth being beholden to someone to write the report up in time and get it to them and all that?
[00:18:28.13] - Brandyn Murtagh
Exactly. And that feeds into a point I did actually want to make, which is be honest with yourself as to why you have the desire to maybe do some pen tests on the side or want to start a company. Like do you have an actual desire to start and run a company or do you just want an additional way to diversify your income that's outside of bug bounty? Right. As I said, there's pen test as a service platforms you can sign up to and get extra money that way. If you are just looking to diversify your income a little bit, and to build upon that point, I think the personal stories with me and you, we don't necessarily have a sales team and a sales pipeline. It's almost being built through speaking, personal brand and relationships that we have. Right. So there's very little effort on that part. We've, you know, like the Goldilocks zone when you have like the two circles and then you've got the in between part. We capitalize on that in between part where the opportunities are. We're very fortunate that we don't have to do outreach and they're there. So I feel like be honest with why you want to do it. If it's for additional income, maybe look at, okay, if you want to start a company, build up the personal brand or look at ways of how you can start building up a company brand, how you do that, or if you just want some extra money, look at pentest as a service platforms and deliver pen tests on that because there's a lot less friction. You can get going very quickly and you can focus on the actual, like the fun, the hacking part, right?
[00:20:00.76] - Joseph Thacker
Yeah, that's a great point. And I think in general there are a lot of hackers, you know, a lot of, I think people who have been consistently posting on things like X probably do have a good following where they could leverage their brand in the same way. If you're somebody out there and you don't have that, I would recommend just doing something cool and then telling the world about it. And if you're a bug bounty hunter, you're already doing something cool, right? So just like post write ups and then at the very least, even if you don't grow some massive personal brand, even if you still have to do sales outreach one day, you can still point back to your blog and be like, hey, here's a bunch of my findings. Right? It's huge technical proof. And so I think that that's a, that's a good thing there. The other thing that jumped in my mind when you were talking, Brandyn, was I did want to tell people that I think pen testing has a potential for more long term legacy and more long term, what would you call it, like financial growth, in the form of, if you start it and it's not all focused around your personal brand, but just like the business brand, it actually is an acquirable asset if you have, if you have annual contracts. So I personally have not been able to pull this off. It's pretty, it's pretty tough to do like, you know, recurring sales where companies buy like, you know, a three year contract or what have you. But, and so I would, I would be interested in hearing your perspective on this, Brandyn. But I do think that from a Bug Bounty perspective, we're not building a business. Like anyone who does full time bug bounty, you're not building a business that is acquirable in any kind of way, and that's totally fine. Right? Like if you just make good cash, I mean our margins are huge compared to any other organization. Right. Most people who own businesses have margins that are like 10% or 20% or even the best ones are 50%.
In Bug Bounty it's like, oh, I own my computer and so my margins are 99%. Right. Maybe I have a VPS or something. But in general we have insane margins. So I don't think that everyone needs to build an acquirable business. Personally I haven't. Right. Like my, my pen test firm is called rez0 and my, you know, my personal brand is called Joseph Thacker. Like I have no desire to be acquired, but I do think that for people out there who really have a desire to be acquired and, you know, have like a bigger exit or have a business that they plan to hand over to their kids one day or whatever, I think that a pen test firm could, could fill that role a little bit better than bug bounty. 100%.
[00:22:13.77] - Brandyn Murtagh
And it goes back down to how, how do you position yourself, how do you brand yourself? And also like that skill set, in order to build an acquirable company that can be bought out, that isn't solely dependent on you, you need a very different skill set to being just a bug bounty hunter. You need to be more in that entrepreneur mindset. You need to be able to look at your processes, get some tooling in place, do hires as well. Hiring is a huge, huge topic, massive topic that you can talk about for ages if you are in that position. But I completely agree with what you're saying. There's the skill set in order to do that that's very different to just doing it on the side to earn some additional income and maybe profit off of some of the work you're doing if it's taught, like, whatever that could be. But yeah, I completely agree.
[00:23:06.29] - Joseph Thacker
Yeah, I do think that the whole single owner business, no matter what that looks like in your country, is valuable to have. Even if you never plan to start a company or, sorry, even if you never plan to start a pen test firm or anything. Because yeah, even doing small talks, you might get somebody who comes up afterwards like, hey, you know, I'd love to have you test my website. And I'm sure you've had this happen plenty, Brandyn. It's like you're literally like out for lunch and you meet somebody who runs some local business. You know, maybe they have a donut shop or they have a something, but they have a website. Right. And they like, they're kind of worried about hackers. And so like, hey, do you mind testing it for me? Or whatever. And so even if you don't have some large personal brand, the odds that you're like talking to people who live near you about hacking and then they ask for you to test their stuff is probably still pretty high. And you could, even if you really wanted to lean into that sort of thing, you could actually go try to find that by just hanging out in public spaces or talking more about your job or whatever around people who are also entrepreneurs or who are also business owners, 100%.
[00:24:08.43] - Brandyn Murtagh
If you genuinely enjoy networking, speaking to people and just doing that thing, then lean into that. Because the opportunities that come off this stuff are just like, you can predict them even if you tried. It's so wild, the series of events that happens. And it's funny that you say that about the local business owner. JRock right now is doing a pen test for this exact reason, because he found a vulnerability in a site that he was using as a customer, spoke to the founder, and now he's delivering a pen test and he's absolutely torn this up to shreds. So JRock is actually doing this right now as we speak.
[00:24:41.84] - Joseph Thacker
That's funny.
[00:24:42.56] - Brandyn Murtagh
I caught up with him yesterday about it and I realized I completely skipped over your earlier point about the recurring contracts. I have actually managed to do this with one that starts next year, for the entire year to start off with, for three days a month. Yeah. So in order to actually do that, there was a lot of sales involved. It wasn't just technical delivery, a lot of relationship building, which again, wasn't my intention. It was just a natural byproduct of the work I was doing. So I was quite fortunate in that sense, but very valuable because I know from three to four days a month worth of work, everything's covered for the next year. Bills, like my. Everything's covered from that perspective. So mentally that can be huge. It's huge.
[00:25:38.48] - Joseph Thacker
Just know it's like I work three or four days and I'm set. Yeah.
[00:25:41.31] - Brandyn Murtagh
Like imagine for example, you know, these guys on Twitter, like zero and things like that, doing this crazy research. Perhaps if you wanted to lean more into research, if you secure something like that, you have the other 24 days a month to do research and not have to worry about bills. It can be a very useful tool for sure, but the actual execution and delivery and how you make these opportunities happen will require a lot of soft skills. From my experience anyway, a lot of soft skills, good relationship building and making sure that you are delivering under your personal brand or your company brand to high standard.
[00:26:20.78] - Joseph Thacker
Yeah, it's a little bit of a similar situation, but I do know people who have transitioned out of their full time gig to go full time bug bounty, but stayed on as a retainer at a much higher hourly rate. So it's kind of similar to what you're talking about, right? Like if you're a person who lives a little bit below your means, maybe you go down to quarter time or you know, a few days a month for your current employer because they know that you know all the stuff that you've already deployed, they know your work ethic, they know that you know their systems and their ins and outs. So they might want to keep you on for just a little bit to make sure the transition's smooth or whatever. You stay on for a year or two at some slightly reduced salary, but at way fewer hours, and then now you can transition in a more seamless way. It kind of feels similar to the situation you have now.
[00:27:03.24] - Brandyn Murtagh
The.
[00:27:03.40] - Joseph Thacker
Similar to the setup where you've got this retainer fee that kind of enables you to have so much more free time for what you want to do.
[00:27:09.44] - Brandyn Murtagh
Exactly. Yeah, man. I, I hear that situation a lot from like, like my US friends and I'm like, that just doesn't happen, annoyingly, in the UK at all. Yeah, like it. That just doesn't happen. I don't know why, I don't know what the cultural difference is, but that would be like such a sweet spot for so many people if you could pull that off. Because it will reduce that. I guess when you first start and you haven't got a fund like that safety net to tap into, it can be quite daunting. It would just completely reduce that and blunt that, that, that like fear factor. So you can just get running, focus on your business or whatever that might be. But yeah, I hate, I hear about that and I'm very envious and jealous when I hear about people doing it.
[00:27:52.25] - Joseph Thacker
You've already, listen, you've destroyed it as your first time, as your, as your first year of a full time hunter.
[00:27:57.94] - Brandyn Murtagh
Yeah, it's been wild, man.
[00:28:00.09] - Joseph Thacker
Yeah. But I, I think that that may come from the fact that it does seem like also the pay for pen test work, you know, or just like high levels of, of cyber security expertise are just worse in the UK and it feels like, it feels like the, the dynamics between business and employee. It's like the business has more power relative to the employee in the UK versus in the US. Like in the US it's the same way, right. The, the business at the end of the day has more power over the individual, but it feels like the individual is like relatively stronger. Like it's like a, you know, one to two instead of a one to five ratio or whatever. How, you know, compared to the UK.
[00:28:38.76] - Brandyn Murtagh
Yeah. Plus I remember in terms of like when you're speaking to people and your clients, are they majority just by natural coincidence, US based?
[00:28:49.56] - Joseph Thacker
Yeah, yeah. I mean I do get a lot of reach outs due to the AI stuff. I do get a lot of reach outs from Europe as well. But in general. Yeah, vast majority are US.
[00:29:01.21] - Brandyn Murtagh
Yeah. Because I feel like if you know your market. So for example, before I was a bug bounty hunter I worked in AppSec and before AppSec I was a pen tester for a long time. You kind of have to have a semi feel on your market to know how you price. Because say for example, if I went right, I'm going to start this, I'm going to price at 4k a day and I'm in the UK, people are just going to be like, no you're not, you're not going to get any work. So the average is, is probably about a thousand a day of what you get in the UK, whereas in the US I think it's over double that from what I see on average and more sometimes.
[00:29:39.00] - Joseph Thacker
Yeah, I would say it really depends on the company and it really depends on the value you're providing, I feel, and I wanted to bring this up as a topic for this episode with you. It feels so hard to do pricing because it just feels so arbitrary, you know, it's like I'd be, many times I would be super happy with $200 an hour, but if I can get a thousand an hour, why would I not do that? Right? It's like it just feels so arbitrary sometimes. Assuming that it's like at least close to what my general hourly rate is, I think one way that you can kind of determine that would be to ask, you know, local pen testing companies what they're charging and how many hours they're putting in on their pen test. And another thing you can do is look at, at the amount of earnings you've made with Bug Bounty and divide it out per hour to try to figure out your hourly rate. And so you want to make it worth it to yourself. If you know that over the course of two years of bug bounty hunting you've averaged $100 an hour, you don't want to then go do a pen test at $50 an hour or $30 an hour, right? Maybe you do, but man, it's like it's not a very good trade off as long as you're in like a good financial situation. If you need that money right now, then yeah, sure, sell it. But in general, as long as you're not living like paycheck to paycheck, it would be better for you to go to bug bounty. So I think for most people that like break even point for like whatever their hourly rate is with bug bounty is like, like at least a starting point.
[00:30:59.69] - Brandyn Murtagh
Yeah, I agree. And that was actually going to be one of my points because let's say you are the caliber of hunter where you can very easily pull in 10, 20, 30, 40k a month and then you do want to start this pen testing thing, you have to mentally prepare yourself that one, you are going to see a dip in income. So like, like for me I can see if you look at my stats for the year, the massive dips where I had to focus on my business, whether that be for branding or reporting or tooling or whatever it is, writing proposals, things like that, you just see that my Bug Bounty income group, boom. And then it starts to come back up and then takes another hit again. So if you are to feedback to your point, one of those hunters where you can pull in a very healthy amount per month and you're comfortable in doing that full time, definitely use that as a rough price point as to where you want to position yourself so you at least have an idea of where you want to go because it also needs to be worth your time, right? What's the incentive? If you can consistently pull in X amount, but then you only get a third or a quarter from pen testing, mentally it might be okay, but long term it might not be sustainable. So you need to weigh that up as well.
[00:32:12.64] - Joseph Thacker
Yeah, and I think there's a tactful way to do that in sales calls. Like, I, I almost always mention that. Like I, I do it in a very tactful, calm, happy way. And like you said, I'm really comfortable on sales calls. Maybe other people aren't. But I mean, if, even if you need to prep that statement of how you're going to say it and write it down in your document that they can't see, you know, as you're going through that call, just saying something like, you know, and pricing for me is going to come out to about this many dollars per hour. I know that I can make, you know, 250 an hour from bug bounty. So, you know, where this is consistent. I do price it a little lower at 200 an hour, but just wanted to let you guys know that up front. Right. And you just say it calmly and, and you say it confidently. And if they don't like that, that's fine. Right. I mean, I think that the one downside of that is that you might actually limit your amount of profit. So another thing I wanted to mention on the pricing is that like, you have a little bit of room to play with this in regards to, in, in some locations, in some locales and with some companies, some companies are just going to want an hourly rate, you know, and I find that kind of frustrating. Personally, I like to deliver value and if I find a bunch of highs and criticals, you know, I know I've delivered the value that they're paying for. So in general, I prefer to sell pen tests by the, by the, like just the cost of the full test. Like, you know, the full test is 20k. It may take me 2 or 3 or 4 weeks, I'm not sure. But, you know, you know, you can be rest assured that you'll have plenty of findings and that you'll have a good report and you can reach out to me anytime or whatever without trying to break it down into individual hours. I don't know if that's going to necessarily fly in the UK, Brandyn, but I do know that that's often worked for me to get like a higher hourly rate.
And, you know, then I didn't make any promises about putting in eight hours a day or whatever. And if it's a busy day with the kids and I can only put in four hours, I don't feel bad about that because I know that I'm providing them a very high tier level of skill and value.
[00:33:58.45] - Brandyn Murtagh
Yeah, exactly. And I keep mentioning on about branding and positioning because I feel like it's so important for you. That's perfect because you very much operate under your personal brand. People contact you because they know you, they've seen the content you make, they've seen your blog post, they see you through the podcast, maybe they've been to your talk. That makes sense. It's a perfect match.
[00:34:18.09] - Joseph Thacker
That's true.
[00:34:19.36] - Brandyn Murtagh
Like it's completely perfect. When you start doing that under a company, you need to find your company brand and your company positioning a little bit more and where you fit there. So prime example, a lot of UK clients or potential UK prospects I spoke to I actually turned down because I was like your budget and your requirement just doesn't match up with where I position myself. Which my strategy then became after a bit of trial and error. Okay. The US market is great because people have more budgets compared to a lot of the EU based companies. Like when I say more budgets it can be significant, like crazy amounts difference. So it depends if you want to. If you're happy with going in at a lower rate and you just want something different than Bug Bounty, then that's fine. But if you are building that more established company and brand and maybe you have an employee or you're thinking of hiring to, to help you out with some of the admin or delivery or whatever that might look like, you then have to start being a bit more selective, as I've had to be around those choices as well.
[00:35:31.59] - Joseph Thacker
Yeah, I agree and I think one thing that I will say is people can be flexible with this. I have always given much better prices to my friends. Friends, right. Like I have friends who want pen tests and I give them a cheaper price and it's no big deal. I also will sometimes price like local businesses that I care about at some low, low amount. Right. And you know, it's not hurting my family, it's fine. So that's just something that's another thing you can think about.
[00:36:01.59] - Brandyn Murtagh
Yeah, 100% like yeah, sorry to interrupt but like one of, one of the big drivers for some of the pen tests we've done and some other hacks done. Just like I get to hack with the boys or said not to like about that. Like it is an opportunity. I'm talking to a new customer, I'm delivering value. That's fun. One thing I did want to bring up whilst I remember, have you had any compliance based pen tests or any compliance you've had to meet when delivering a pen test?
[00:36:32.44] - Joseph Thacker
Yeah. So I have about three or four minutes left. But I did want to bring this up as well. I sometimes will have stuff like SOC 2 requests. I have only had it once or twice, maybe twice. Anyways, the whole point is they were able to work around it. I don't know how they did it. I think they basically had me sign a bunch of forms that had me agree to the requirements of SOC 2 and somehow it applied to them under the test. So like, you know, SOC 2 says that everything needs to be encrypted. The, you know, you have physical security on your building, all these things. Basically when I, I agreed that those things were true for my business by signing those forms they were able to use me as a vendor. I don't know how, I don't know why, but it worked out. The other fix of this is just to like subcontract as a bigger firm, you know, like whether you work with Bishop Fox or another company, you know, get, get some sort of working relationship with a bigger firm, give them some sort of 5% or 10% cut or whatever you work out with them, maybe you. And then you work as a contractor. So like they sell the pen test technically to the company, they're fully SOC 2 compliant, you're a contractor under them and then you get paid. What has been your experience in that regard?
[00:37:50.01] - Brandyn Murtagh
Yeah, I've actually had quite a lot of compliance things crop up especially and again this comes back to the market you operate in but you might even get asked for CREST accredited testers or be a CREST accredited company. CREST was very heavy in the UK initially and now it's like spread globally somehow. Not too happy about it personally, but I am CREST accredited so I can't complain too much. So I've had very mixed and again it depends on the customers who you're selling to and what sector you're operating in. So I've had very mixed experiences on that as well. But I think we're on time. What rapid fire takeaways do you have for people thinking about it? I have a few.
[00:38:33.73] - Joseph Thacker
Yeah, you go first.
[00:38:35.48] - Brandyn Murtagh
So I would say pen testing isn't bug bounty but paid more. Pen testing is 50%, 50 to 70% hacking and then 30% delivery. Soft skills, client communication, writing proposals and things like that. Diversification can be smart with your income and also for your mental model. If you're the type of person that you think would benefit from a bit of that consistency, definitely exploring that. And if you are just looking for additional income, but maybe not the company aspect, look at some pentest as a service platforms or build relationships with consultancies to do some contracting work for them. I think those are the main ones for me.
[00:39:21.73] - Joseph Thacker
Yeah, I would say on the diversification of income it. I do think eventually bug bounty will be affected by hackbots and this will be much more resilient to that because obviously hackbot builders can go find bug bounty platforms online and then farm them. They're not going to necessarily get into the pockets of your local businesses that are buying your pen test. Right. So I think that it is a hedge against that, which is really nice. Even if you only do it once or twice and you get set up for that. If there ever is any kind of, you know, downfall or whatever, any issues, you can always transition. I think that my takeaways are that you can start super small, you don't necessarily need to hire anybody, use AI to launch it and just, you know, start doing it on the side. I think that you can use your bug bounty findings as proof or evidence of your quality and I think you can use your bug bounty earnings as proof of that as well. You know, sometimes in sales calls you might be able to say, I've made over a hundred thousand dollars doing bug bounty. People are going to be like what? They're going to be like, oh, they're going to be so impressed. Right. And then you can also use those brands in there as further validation of like, you know, companies that you found vulnerabilities on. And then I think, I think don't be scared of imposter syndrome. That's probably my biggest tip. For so long I felt so inadequate on pentests cause it's like, ah, but I'm not a front end expert. What if I don't find, you know, front end bugs? Then they won't have the full coverage that they want. They want to find all the bugs. Right. It's like, well, sorry, the pen test firms, they're fine, they're, they're hiring, are not finding all the bugs and so you're not going to find all the bugs either. And if you have found consistent bugs in bug bounty, you are definitely qualified and good enough to be a pen tester and I think you can stand behind that, that 100%.
[00:40:51.94] - Brandyn Murtagh
Yeah, I agree, Very good point.
[00:40:54.57] - Joseph Thacker
Sweet dude. Well, I have to run so let's call it there. But hopefully people enjoyed this and got a lot of good takeaways from it.
[00:41:02.57] - Justin Gardner
And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'.
[00:41:06.38] - Joseph Thacker
All.
[00:41:06.57] - Justin Gardner
If you want more Critical Thinking content or if you want to support the show, head over to CTBB Show Discord. You can hop in the community. There's lots of great high level hacking discovery discussion happening there. On top of the master classes, hack alongs, exclusive content and a full time hunters guild. If you're a full time hunter, it's a great time. Trust me. All right, I'll see you there.