Penetration Testing mailing list archives
Re: The business/marketing of pen-testing.
From: "Davi Ottenheimer" <infosec () westmarine com>
Date: Wed, 03 Nov 2004 16:55:57 -0800
The best approach is to network and make connections, or find a place with people who want to hear your pitch. Attend local ISSA, ISACA, ISC2, etc. events and try to spend time talking with folks who are looking for someone to perform an external assessment. You could also do related contract engagements (e.g. network roll-outs, system upgrades, software enhancements, etc.) and make contact with as many people as possible to sell your security expertise. Just like any professional trying to build a practice, there are many online guides and books that deal directly with how to build your network of references and create a compelling sales pitch.

Hope that helps,
Davi
Aaron Drew <ripper () internode on net> 11/02/04 03:02AM >>>
Thanks for all the great responses. From the responses I've received it is now painstakingly obvious that I need to start with the small fish and offer fairly simple services (basic vuln-testing/pen-testing).

I should probably have elaborated a little more however on my question. The area I am most stuck on is *how* to approach potential customers. Networking is good and well once a foot is in the door but how have individuals as yourselves achieved that big 'first break'? Cold calling? Door to door? Stumbling onto a vulnerable system and throwing the evidence in their face? The much-condoned scare tactic method?

I've tried suiting up and walking into businesses offering a free test of their network. I've tried calling businesses that I *know* have wide-open wireless networks and explaining that anyone could read their emails. So far, all of them have shown no interest - even when I've pointed out what data I could conceivably capture given enough time. Do I really need to go in there with something like an email sent from the owner to his wife?

I'm certain I could do a good job for cheap - even if a little unrefined in my initial procedures. I am just lost as to how to convince a market that doesn't *want* to see that they need security services.