New Business Idea - Need your feedback

**HostingandPost** · 02-02-2012 09:51 AM

Hello guys and gals,

I've been thinking about starting a business to generate some additional income. I work as a penetration tester (ethical hacker) for the company I am with now. I am thinking about offering these services to small business owners who would want their business websites tested for the standard vulnerabilities exploited by the hackers. Right now, hackers are making a lot of noise, and all over the media so I'm guessing now would be a good time to get started with this.

I would love to hear your feedback on this area, specifically:

1 - would you, as a young entrepreneur be interested in such a service?
2 - what do you think would be a fair price point for something like this? The "pros" are charging up to $250 per hour, but at the same time, they're focusing their business toward the big multi-million dollar companies. I would prefer to focus on smaller businesses on whom I can test at night when not busy with my day job.
3 - I'm struggling with this, should I charge by the hour - which guarantees no results, or do I charge per finding that can range from 1 finding to like 300 findings?

I'd love to hear your feedback and thoughts on this.

**Sarah456** · 02-05-2012 02:55 PM

That quite interesting. Personally I think that a lot of businesses aren't aware of how much of a problem hackers can cause so a lot of them are oblivious to it. Firstly you meed to make them aware that they need such a service before you can market to them otherwise they just wont buy because they don't think they need it. My advice is charge per fault found to get started with and if you're good word will get around and when you have more jobs than time, thats when you can charge per hour

Hope this helps and good luck

**HostingandPost** · 02-05-2012 06:56 PM

Thank you for your feedback Sarah - so now on to my next question...what would be a good price per finding? Or do you think I should create some kind of risk based price plan (i.e. SQL injection = $100 per finding, Cross site scripting = $50, server configuration issues = $10?)

**loanuniverse** · 02-05-2012 08:05 PM

Finding the vulnerability is not enough, you have to be able to fix it for your customers. I suggest you come up with plans, which include detecting, fixing and detecting/fixing. With a discount on the later if they already hired you to detect the problem.

I see a possible conflict of interest if you are going to be doing the same type of work for yourself as your employer.

Also take into consideration that you are entering a highly competitive industry, where you are going to have to pay between $1.00 to $3.00 for lead {CPC}, so you need a good attractive website to convert those to sales.

**HostingandPost** · 02-06-2012 08:55 AM

Thanks Loanuniverse - I agree that just finding the vulnerability is not enough. Although, as you pointed out, me doing the fixing is also not an option - as it brings in independence issues as well as the fact that they will not let a "hacker" access their systems and make changes. When I was thinking about this, I had a final deliverable in mind....a spreadsheet detailing all of the findings, and a high level report that summarizes all the findings, the risks associated with those findings, and a recommended remediation.

**BrianJames** · 02-08-2012 08:41 AM

In this tough times, I think $250 per hour is very expensive.

**HostingandPost** · 02-08-2012 09:29 AM

Agreed Brian - I'm still debating a good way to charge for this service....but yes $250 per hour is definitely not even in the range i'm considering.

**BarbaraKParker** · 02-14-2012 03:10 AM

As an entrepreneur, I might become interested but there is no way I will gonna pay $250

**sbriggman** · 02-15-2012 09:17 PM

Hmm...If I had a business that is online security intensive, I'd obviously use a service like this, but not really otherwise... I would want to pay by # of problems found.