Ask HN: How saturated is the market for offensive security/pentesting?
84 points by hd4 on May 22, 2017 | 58 comments
Answers relevant to the UK would be good, but if not then any info at all would be better than nothing.



I don't think that's the right question. The better question is "How strong is the competition in the <XYZ> market".

If the market is saturated but the companies in it are weak, you can easily grab market share. If the market is unsaturated but a very strong competitor is currently aiming at it, your attempt will probably just lose money.

And the answer often comes from analysing Google keywords, requesting a few security checks yourself from the Google leaders, investigating who appears often in related media, and asking possible customers who they know and how they evaluate their options.

PS: If you "Ask HN" your market research, you'll either find out together with us that there's no opportunity in the given market, or you create competitors by highlighting an opportunity.


Another factor to consider is how unsaturated a market is (how much unmet opportunity is available). It's easier to break into a field, and get good at working in that field, if you're competing with anyone. Most (all?) fields have room for people at the top of their game, but some fields are simply lacking enough people to do the work.


Agreed. Also, unsaturated markets may mean that there is either not enough potential or there is a huge problem that isn't resolved yet. So yeah, I agree that having at least some saturation is necessary.


From my experience, the current security market is not yet saturated, is mostly dominated by large firms at the top, and has room for smaller boutique firms that can differentiate themselves on technical excellence.


I used to be in security auditing. I don't know about market saturation – that would depend heavily on your location, as it often requires some face-to-face discussion – but I think for security the saturation is less relevant than your credentials. Once a company decides to spend some money on outside security, they tend to go for a name company with good credentials and certifications, such as approval for PCI-DSS compliance checking. Once you provide the needed services, your name needs to come up as one of the go-to companies. Reputation and word of mouth are pretty important. For instance, in the CC and banking sector, companies are very aware whose services are being used by other companies. No company wants to give a good chunk of money away on something as sensitive and invasive as security checks without being sure they're receiving quality service and not some random script-kiddie with an automated security scanner.

If your company (or the company you want to work for) floats up as one of the top security firms in your region, you will probably get a lot of business. If you start from zero with no reputation, you're going to have to fight hard to get your name on the map.


Naive question: what if you just hack your prospect, without causing unrecoverable damage, and show them you've hacked them? Do they hire you?

EDIT: OK, that's illegal, but isn't it in the interest of the prospect to hire you rather than see you in jail? Also, I was wondering if there were some loopholes or field practices one can use to hack in order to get hired? Something like: "I may have hacked you, do you wanna hire me?"

Just curious, because it seems to me every company should welcome that. I might be wrong.


If you want to try that route, there's an ethical way: look for companies with vulnerability disclosure programs on HackerOne or Bugcrowd.

Being well-written in your interactions with companies on those platforms would go a long way in improving your credibility.




Not only is hacking them illegal, but trying to sell them services after that could easily be seen as an attempt at blackmail. It's a profoundly bad idea.


Almost certainly no. If they have a bug bounty program they will pay out through that, but attacking a company of any sort that does not have an open program is a good way to get prosecuted.


I've done this long ago to one of the companies I had worked for before – as in pointing out major holes, not taking over anything – but I think it's not a good idea if you don't have any previous relationship at that company and don't know anybody there. It's a huge risk. It doesn't give people a good feeling to be criticised, or to notice others are sneaking around their livelihoods... Imagine someone sneaking around your car to check if any doors are open. Even if you just want to helpfully point something out, you have given people a bad vibe that is surely not going to help you to get hired.


I'm a security analyst at an MSSP with hundreds of large companies as customers. The typical response would be to press charges and try to send you to prison.


What if you beat up a person, lightly, to show them they are weak, and then offer your body building / fighting training, do they hire you? :)


Well in that case, unrecoverable damages are caused whereas in many ways you can hack - or penetrate - without causing any damage. I guess.


What if you break into someone's home at night, unnoticed, and ask if they want advice on how to stay safe? Do they hire you? No damage done!


A more accurate analogy is that you contact the home owner and advise them that their home is at risk of being broken into because of whatever security they're lacking. No need to actually break into the home, just point out the vulnerabilities.


Okay but you need to check if they are vulnerable. I think the owner wouldn't be happy with people fiddling with his locks to check if he is vulnerable.

The correct solution is the same as for pentesting: ask for permission first.


My perspective comes from doing hardware and VMware installs at businesses for a Dell partner in the US. The problem is that, as far as many small businesses are concerned, there are only two options: get a full, comprehensive, money-paid-if-we're-wrong-guarantee-backed pentest that's way too expensive, or do nothing.

There's a lot of places that would just like some idea how vulnerable they are on the basics. Something the IT admin can show management. If you can come up with a decent suite for a reasonable price with the legalese to say this is for informational purposes and a starting point but not comprehensive, you could carve out a sustainable niche.

Edit to say: in person. Shake hands, tour the facility, get to know how they operate, and test inside and out. Online automated scanners are a dime a dozen and no one would seriously trust them.


Of course there's a third option, one that small businesses are opting for en masse: pay for a well-known 3rd party to run a simple remote vulnerability scan, pass the results (full of false positives and just plain wrong information) to someone else to deal with, pretend like you just accomplished something useful, and reject all recommendations for anything that costs more.


The market is not nearly saturated with firms capable of delivering security assessments (penetration tests + source code reviews) with high technical proficiency. I started a consultancy several years ago which has done very well among smaller tech companies, and I know of at least two new consulting practices started this year by ex-NCC folks.

There are many, many firms that bill for web scanning and static analysis. Their business model boils down to: buy a bunch of tools for <$10,000, resell their usage on engagements for >$5,000 per week. They eventually leave a trail of horror stories in their wake. Starting a consulting shop is a great opportunity if you have the requisite skill/experience, and can differentiate yourself from the snake oil salesmen of the industry and the monolithic firms everyone knows.

The industry for internal security engineers as well as outside security consultants is growing at a healthy pace. In my circles, people usually need to widely advertise a position to get it filled by someone qualified. In one case, a friend of mine at a tech company informed me that he had only one candidate pass the phone screen in three months despite posting the position here on HN, on /r/netsec, etc.

Consulting firms are a different sort of beast because they are usually always hiring. Every security consultant added to a growing firm directly increases the total amount of potential revenue, and most successful firms have to start turning away work at a certain point (for example, I no longer take on work for network security because I find it unenjoyable, I would much rather work on reverse engineering and application security engagements).

Everything I've said is US-centric, but hopefully it's reasonably helpful and relevant to you in the UK. I know a few bug bounty-turned-security-consultant people in the UK and they seem to be reasonably well off, but they could be outliers (in fact they are, skill-wise).


As a small company with limited budget who is looking to have its application tested, how can we differentiate between good firms and firms that will just run a scanner and charge you $5000?

Also, is it a good idea to hire a freelancer to pen-test your application?


> As a small company with limited budget who is looking to have its application tested, how can we differentiate between good firms and firms that will just run a scanner and charge you $5000?

Reputation, mostly. It's easier for the large firms that everyone is familiar with. For smaller firms, you probably want to get a strong referral from someone who has been through this before. Also, ask the consultant(s) performing the assessment what they'll be doing in some technical depth to see how familiar they are with a penetration test/source code review outside of running Acunetix or Burp Suite Scanner. They shouldn't shy away from talking about what specific technical vulnerabilities they feel they're likely to find when you describe your app and its stack off the top of their heads.

> Also, is it a good idea to hire a freelancer to pen-test your application?

Theoretically, this is a good cost savings versus a firm. But in practice, it's hard to do correctly because you really need to be sure that the person knows what they're doing. If you want to hire a freelancer, I would suggest looking for very well-known/successful bug bounty participants and security researchers who opened their own solo shops.

Also, shameless plug: if you're looking for a security assessment I'm happy to help you (and if I can't directly, I am nearly positive I can refer you to very competent smaller firms for your budget). Feel free to get in touch.


Can you mention who the UK testers are? I'm curious.


I'm sorry, I would rather not say specifically who without their permission :) If you really want to know, you can generally find them by browsing the list of top security researchers for large bug bounty programs. That should give you a start.


Interestingly most of the comments in this thread are about the quality of existing organisations in this space. My experience echoes this sentiment.

Over the years I've worked on systems that have been pen-tested and it's always been the same thing. The testing picks up a bunch of standard/generic and not all that important issues, while missing much worse and glaring specific issues. I've sat in meetings with people from pentesting companies who couldn't describe the attack vector/risk of an exploit they'd said needed patching.

I'm sure there are some companies that do it properly but I guess the good ones charge a load more money. Then again, as a lay-enterprise, how do you know who to hire? I know that if I was hired to pentest various systems I've had to work on in the past I'd have picked holes in them all over the place.


I am a professional penetration tester right now in the US. I got into the field from education, but once I got my OSCP I had multiple offers from different companies.

There are a ton of "boutique" firms in the space right now, but there are quite a few who seemed to be popular and then died off right away.

One of the big market gaps I see is the ability to provide really good tactical feedback but also package it in a way that it provides value to the actual decision-makers at the top. There are so many pentesting firms that are extremely talented at breaking in, but are really lacking at helping to actually implement cultural and program-level changes so that it doesn't happen again. There are also firms whose idea of a penetration test is just running Metasploit/Nessus/Acunetix and then packing it up without a lot of insight.

Compliance is a huge driver right now, meaning some companies just want to check the boxes and be done with it. However, just because you are PCI compliant doesn't mean you are actually secure. It takes a special set of "soft skills" to be able to help companies truly improve their posture.


The problem appears to be how to sort the bad security assessment firms from the good. There are thousands of firms out there that make grand promises, but how does anyone without the knowledge required to not need such a firm know which ones are good and which ones are bad? Rather than add yet another firm, it would be better to work on a startup that can objectively sort those that already exist.

Edit: If anyone wants to work on this problem I have a clever way of solving it (I of course don't have the time to work on it myself).


Can you share more thoughts on this?


Say you need to get a penetration test for PCI compliance. There are literally hundreds of vendors that offer these services. Your CTO would like to use X vendor because he read a paper / saw their name at Defcon / recommended by a partner.

When the vendor comes to perform a penetration test, they launch a Nessus scan against the target ranges. They compile the results and manually validate the findings to ensure they are not false positives. The end product is a report that looks something like a checklist: SSLv1 in use, self-signed certificates internally, missing the latest third party software patch on a server.

According to the penetration testing firm, you are probably at a low / medium risk level. The tacit implication is that as long as you fix those issues, you should be good to go.

The problem is that first, a vulnerability scanner is an imperfect piece of software and does not test anything a real attacker would. A real attacker might try phishing, or guess "Password1" on a user account. Maybe the attacker would attempt a man in the middle attack or set up an evil hotspot. Once you have AD credentials, now you can find which users have local administrator access, which then you can see if there is a shared Administrator password across all workstations.

The other problem is that the first penetration test does nothing to address potentially systemic issues for why the security vulnerabilities occurred in the first place. The patches could have been missing because there is no formalized patch management program, or inaccurate change management, or an issue with their Puppet config.

Currently there's no way to separate the "good" (read: thorough) from the bad other than direct referral or looking at a sample report.
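The comment above contrasts a scanner-driven checklist with what a real attacker does, such as guessing a common password across user accounts. The defender's counterpart to that is detection logic over authentication logs, which a checklist test never exercises. The following is an added example, not code from the thread or from any firm mentioned in it; the log line format (`<timestamp> auth OK|FAIL user=<name> src=<ip>`) and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment. It distinguishes a password spray (few attempts against many accounts from one source) from a brute-force attempt against a single account, and flags a spray that is followed by a successful login from the same source, which is the case worth paging someone for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Three sources:
# 10.0.0.5 tries one password against many accounts, then logs in as frank;
# 10.0.0.9 hammers a single account; 10.0.0.7 is a user who mistyped once.
SAMPLE_LOG = """\
2017-05-22T10:00:01Z auth FAIL user=alice src=10.0.0.5
2017-05-22T10:00:02Z auth FAIL user=bob src=10.0.0.5
2017-05-22T10:00:03Z auth FAIL user=carol src=10.0.0.5
2017-05-22T10:00:04Z auth FAIL user=dave src=10.0.0.5
2017-05-22T10:00:05Z auth FAIL user=erin src=10.0.0.5
2017-05-22T10:00:06Z auth OK user=frank src=10.0.0.5
2017-05-22T10:00:07Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:00:08Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:00:09Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:00:10Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:00:11Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:00:12Z auth FAIL user=gary src=10.0.0.9
2017-05-22T10:30:00Z auth FAIL user=heidi src=10.0.0.7
2017-05-22T10:31:00Z auth OK user=heidi src=10.0.0.7
"""

# Assumed line format; adapt the regex to the real log source.
LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m.group(2) == "OK", "user": m.group(3), "src": m.group(4)}


def detect(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=6):
    """Return one finding per source address whose failures fit a spray or brute-force pattern.

    spray_users:    distinct accounts failing from one source inside `window` (assumed threshold)
    brute_attempts: failures against one account from one source inside `window` (assumed threshold)
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    fails_by_src = defaultdict(list)
    successes_by_src = defaultdict(list)
    for e in events:
        (successes_by_src if e["ok"] else fails_by_src)[e["src"]].append(e)

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding time window over this source's failures.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            kind = None
            if len(per_user) >= spray_users:
                kind = "password_spray"
            elif max(per_user.values()) >= brute_attempts:
                kind = "brute_force"
            if kind and src not in findings:
                # A success from the same source after the pattern began is the high-priority case.
                first_fail = fails[start]["ts"]
                later_success = any(s["ts"] >= first_fail for s in successes_by_src.get(src, []))
                findings[src] = {
                    "src": src,
                    "kind": kind,
                    "distinct_users": len(per_user),
                    "followed_by_success": later_success,
                }
    return sorted(findings.values(), key=lambda f: f["src"])


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the constructed sample this reports `10.0.0.5` as a password spray followed by a successful login and `10.0.0.9` as a brute-force attempt against one account; the single failure from `10.0.0.7` is below both thresholds and is ignored. The sliding window matters: a spray paced at one account every few minutes is invisible to a per-account lockout policy but still lands in a single window here.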


My notes from working at a pentesting consultancy during an internship (in the UK):

- There are plenty of SaaS offerings, but they aren't VC-backed with flashy websites, they are much more corporate.

- Lots of the SaaS offerings are just an automated Nessus or equivalent, and only really look at servers/operating systems, not actual web apps.

- The consultancy side is pretty saturated, but most of them are crap, new-grads, pentesting Java/PHP apps.

- There is a strong market for the trickier stuff – hardware pentesting, pentesting more interesting environments/languages, etc.

- Pentesting is ridiculously expensive, to the point that the startup I work for would never consider it at our size – making that more affordable is a hard problem, but would be very valuable to lots of companies.


Veracode was VC backed and had a $600million exit this year.


They were not just a pentesting shop though.


There are thousands of firms who will happily run a vuln scan or webapp crawler and send you a crappy canned report. There are fewer who can really perform a comprehensive test and document the hell out of it.

I personally think pen testing is not very useful, except as a 3rd party check to tell you if you've done a reasonable job at protecting your software (and if you get a bad tester, you literally won't know!). We need more people in InfoSec who can explain how to build defensible software - finding holes is the easy part.


These things are not really mutually exclusive. Defense in depth. Getting more information on building defensible software does not preclude the need to have someone knowledgeable try to rip it apart afterwards.


I don't disagree on this, but the mentality of pentesting (as I have seen it conducted) is wrong. Typically a firm wants to find a way in, and snatch the Crown Jewels. Once they achieve that, the level of effort goes way down, and they often leave a lot of surface area unchecked.

Or maybe more succinctly: they are incentivized to find SOMETHING quickly, rather than EVERYTHING.

I think it can help if the testers are internal and not quite under the same time pressure / engagement limits though.


I've been in the UK pentesting market since the closing of the dotcom days, and run a small boutique pentesting outfit.

In all honesty, this is not an industry you want to build a company around. There's a lot of smaller players that are getting by on a small client base and subbing. There's a massive amount of box-ticking compliance companies out there that offer differing shades of the same awful service. There are a smaller number of larger companies that offer box ticking and bespoke stuff, then right at the top of the market you have NCC Group.

The market itself is dominated by compliance work. I spent several years trying to scale the company I run up by working towards getting more badges, then doing more compliance work, and repeating. In the process I ended up realising that we were turning into one of those mid-tier box-tickers, and that's not where I'd want to be, any more than if I was a mid-sized accountancy. Unless you enjoy mediocre work, it's not a good look.

If you're an experienced tester with a bunch of friendly customers, I suspect you could set up something small and go contracting, but you're unlikely to grow too quickly without going through that box-ticking phase.

The main box ticks to get are (in no particular order):

* CHECK

* CREST

* PCI

* Cyber Essentials Plus

CHECK licenses you to do certain types of government work. Most of the market is sewn up by outsourcers and big boys thanks to government cuts, and it puts massive constraints on employment.

CREST is an odd fish. It's built mostly by mid-to-large size CHECK companies fed up with the way that scheme was going when it was run by CESG (now NCSC). There are a few things they've built to seal off parts of the market (like CBEST and STAR) from non-CREST players. Competing schemes like Tiger and Cyber Schemes offer equivalence for CHECK-type roles but lack some of the market advantages CREST offers. It's best to think of CREST as a one-stop shop for meta-box-ticking in some respects. To be fair, they've done a good job in some areas, come across as a little bit cartel-like in others, but on the whole have done what other standards bodies have failed to achieve, which is to have a cross-discipline certification curriculum that's respected at a technical level.

PCI is for payment data and is absolutely saturated with low-end box-tickers flogging rebadged Qualys scans. The Local Authority market (good god, the horror) is the closest thing to this in terms of sheer volume of WTFs per minute you'll encounter.

Cyber Security Essentials is a scheme that nobody wanted, that CREST picked up with IASME and is now being rolled out by force via backdoor programmes like DCPP.

OSCP is gaining, but not really popular here because of the abundance of other schemes.

Prices are all over the place and depend on market segment and the box being ticked, but have generally been relatively stagnant or falling since around 2004. When I went full-time pentesting, average rates were around £1250-£2000 per day. These days expect between £700 and £1250 depending on the market in which you're operating.

So, in a market that sells things people don't want to buy at prices they don't want to pay to tick boxes nobody enjoys ticking, is it worth going into?

There are a lot of companies looking to consolidate testing firms into their portfolios. Blackberry bought Encription a while back for a fair old wedge. Digital Assurance were recently acquired by F-Secure. NCC appear to have stopped acquiring companies at the rate they were previously, possibly connected to decreasing profits.

You could spin up a company and if well connected grow it to about 500k-1million in revenue, possibly sell for 750k-2 million and work for about 5 years extending a services portfolio at a Cybersecurity distributor or reseller before cashing out.

Realistically, the money in the compliance end of the market is in services that support the compliance management side, while the money in the technical end of the market is going to be in making tools that do something new for people who consume testing services as well as the testers themselves.

A good example of the former is probably Canopy[1] or Dradis[2], reporting toolsets that integrate various scanners. The best example of the latter is Burp suite[3], which is a web app testing tool used by both testers and developers. A lesser example would be Nipper (for network infrastructure config review) or Matasano playbook (sadly now gone).

So, in conclusion:

1. The market is highly divisible based on compliance targets, with associated badge-based barriers to entry, low margins and high salary costs.

2. There are a huge number of companies (e.g. scanner firms) in some areas of the market. There are few in certain niches, but those niches tend to have barriers to entry.

3. It is still possible to build a small firm that is a cheap acquisition target for a larger firm and make out and there is scope for consolidation.

4. You are more likely to have longer term growth looking at the market and seeing how to provide to it rather than providing the service yourself.

[1] - https://www.checksec.com/canopy.html

[2] - https://dradisframework.com/ce/

[3] - https://portswigger.net/


Not OP, but this was really insightful and useful. Thank you.


Consumer of pen testing services here. I feel like it's saturated with sales-driven companies. Basically, "call us so we can figure out how much to charge you".

If there was a pen testing company with no annoying sales people and transparent pricing I think it could do well.


You could also ask: is the market saturated with electronic calculators or guitars? It depends on what you do with such a tool and whether you are able to decide between the several variations. And sure, there are experts and there are experts. Some are better at impressing, others are better at doing. If you do a good and honest job you will not fail. Mostly.


I love your answer. I always use restaurants as my example! If you want to open a restaurant, do it! Don't let the fact that there are already a lot of restaurants stop you! (Or don't open one!)


If you look at it in terms of open positions then the market appears to be growing.

I imagine finding experienced people would be difficult for employers. The learning curve is relatively small for an experienced developer to pick up something like Metasploit. Finding someone who can creatively come up with zero days etc. is probably very difficult.


This is exactly my position on it right now, thinking about a pivot into security from application programming as it seems to be dawning on industry that it's no longer a nice-to-have.


I would recommend some Metasploit tutorials on YouTube. There's already a metasploit module for some of the NSA stuff that got released. Topical.


I think it greatly depends on the kind of pentesting. A military network is different from a bank, or an AWS site, or a social network.

It's a guess, but I would suspect the market is saturated -- by opportunists, not talent -- leading to necessarily high-touch sales and high barrier to entry, but not oversupply.


What sorts of barriers to entry? Purely the fact that there is a lot of noise vs. signal in terms of low-grade operators? Or is it more to do with learning the requisite skills?


Selling the service to end customers has a high barrier to entry, in part due to the chicken-and-egg problem of reputation and connections.

Doing work for/with someone who is doing the sales part well doesn't have a big barrier to entry, IMHO.


For consulting work? Not at all saturated.


There are plenty of companies who perform pen testing and security. Their biggest deficiency right now is understanding new emerging cloud technologies. We have been working with some pretty big name security companies around the globe and very few of them understand AWS or Azure adequately.


Hey hd4. Can you leave your contact details here or on your profile? Or contact me (keybase in my profile).


Sure, I'll have to wait till I get home to use keybase, this is a work computer.


I'm in the same position thinking of making a pivot into the security sector (coming from a mobile developer background). I think if you're good and always on top of infosec stuff and contribute to the community, you'll always have work.


The market for infosec in the UK and internationally is pretty healthy. If that's where you want to build your career, I wouldn't worry about the size of the market, but about finding yourself a good consultancy firm to start your career at.


Oversaturated as hell. Everyone and their mother thinks that just because they can code or use a computer, they can use Metasploit or (insert tool here). There's more to it than that.


I spent twelve years as a "security guy" before becoming employee #1 at a now-wildly-successful security startup five years ago. I've spent a lot of time in the last year "professionalizing" our security program, now that we've grown large enough to need repeatable security procedures. I am intimately familiar with the domain.

Three things to segment the space:

- Clients are typically driven by compliance or practical security value. Understanding who you cater to and qualifying your customers will save a lot of pain.

- Many/most "pentesting" firms are focused on the corporate enterprise and IT people, not SaaS and dev people. Recognizing the difference in yourself and your customer needs will save a lot of pain.

- Many/most of the traditional IT enterprise security best practices & tools do not apply to a well-managed SaaS platform. e.g., I do not need a traditional vuln scanner to check for unnecessary and vulnerable services when I have one domain that's terminated at an AWS ELB.

Some industry color:

- The 2013 Target compromise root cause was not Target themselves, but their HVAC contractor who maintained trusted access. As a result, third party vendor risk assessment is becoming "standard practice" during the procurement process of any technology vendor, including SaaS applications.

- The vendor risk assessment teams expect all vendors to have mature security programs - SSAE-16 SOC2 audits, full Secure Development Lifecycle practices and customer-facing documentation to describe it all in detail.

- The result is a growing demand amongst smallish SaaS vendors for more professional security guidance.

With that context, some commentary on your original question:

- There are very few firms that provide good "practical security value." I cannot find enough good pen-testing firms that are a reasonable proxy for a capable attacker.

- The market for firms providing "compliance" services to "corporate enterprise IT" shops is noisy and full. The market for providing similar services to smallish SaaS vendors/developers is very sparse.

- The security tooling for dev is pretty good - static & dynamic source code analysis, tied into the build pipeline, etc. The security tooling for devops is not. There is a large gap in security tooling for devops/SaaS vendors - distinguished by automation and focus.

Finally, commentary on the question you're really asking:

- If you are world-class good, or can build a world-class team, you can build an outstanding company providing practical security value pentest services. Scale will be limited by the number of world-class staff you can hire/train.

- There is a gap in providing higher-level services to smallish startups to help them navigate third party risk assessment procedures from their customers. HN's tptacek and elptacek recently launched a new consultancy with this focus. They nailed the product/market fit. [a, b] Again, scale will be limited by the number of staff you can hire/train, but it is an easier team to grow than world-class attackers.

- There is a gap in security toolchains for devops/SaaS providers. Review the public projects from Netflix, Facebook and the other SaaS heavies for specific gaps _they_ had to fill. Every one is a product waiting to happen.

Cheers, and good luck.

a - https://latacora.com/

b - https://news.ycombinator.com/item?id=12567578


No one has bottled this yet and made it cheap. If you could do a SaaS of automated Kali and SSL Labs scans, for example, I think there is a huge market. If you want to start a consultancy, the market is saturated.


Services like penteston.com will make bank doing this. It should be free, but I'm very biased. It's geared toward the smallest pentesting consultants or people who don't know what they are doing. Seems to do a lot of the heavy lifting. Saying nobody has 'bottled' it is silly. People here in YC have done half the work, or will figure out how to do half of it for you as a pentester. The rest is validating those results, which is where the bulk of pentesting comes in.


There are a lot of SaaS services that scan your system with a basic scanning tool(s).



