Re: The business/marketing of pen-testing.

["Davi Ottenheimer" <infosec () westmarine com>]

The best approach is to network and make connections, or find a place with people who want to hear your pitch. Attend 
local ISSA, ISACA, ISC2, etc. events and try to spend time talking with folks who are looking for someone to perform an 
external assessment. You could also do related contract engagements (e.g. network roll-outs, system upgrades, software 
enhancements, etc.) and make contact with as many people as possible to sell your security expertise. Just like any 
professional trying to build a practice, there are many online guides and books that deal directly with how to build 
your network of references and create a compelling sales pitch.

Hope that helps,

Davi

> > > Aaron Drew <ripper () internode on net> 11/02/04 03:02AM >>>
Thanks for all the great responses. From the responses I've received it is now 
painstakingly obvious that I need to start with the small fish and offer 
fairly simple services (basic vuln-testing/pen-testing). I should probably 
have elaborated a little more however on my question.

The area I am most stuck on is *how* to approach potential customers. 
Networking is good and well once a foot is in the door but how have 
individuals as yourselves achieved that big 'first break'? Cold calling? Door 
to door? Stumbling onto a vulnerable system and throwing the evidence in 
their face? The much-condoned scare tactic method?

I've tried suiting up and walking into businesses offering a free test of 
their network. I've tried calling businesses that I *know* have wide-open 
wireless networks and explaining that anyone could read their emails. So far, 
all of them have shown no interest - even when I've pointed out what data I 
could conceivable capture given enough time. Do I really need to go in there 
with something like an email sent from the owner to his wife?

I'm certain I could do a good job for cheap - even if a little unrefined in my 
initial procedures. I am just lost as to how to convince a market that 
doesn't *want* to see that they need security services.
************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

This email was scanned for viruses, vandals and malicious content.
via mail3.westmarine.com
*************************************************************************************************