I've been in the UK pentesting market since the closing of the dotcom days, and run a small boutique pentesting outfit.
In all honesty, this is not an industry you want to build a company around. There are a lot of smaller players that are getting by on a small client base and subbing. There's a massive amount of box-ticking compliance companies out there that offer differing shades of the same awful service. There are a smaller number of larger companies that offer box ticking and bespoke stuff, then right at the top of the market you have NCC Group.
The market itself is dominated by compliance work. I spent several years trying to scale the company I run up by working towards getting more badges, then doing more compliance work, and repeating. In the process I ended up realising that we were turning into one of those mid-tier box-tickers, and that's not where I'd want to be, any more than if I was a mid-sized accountancy. Unless you enjoy mediocre work, it's not a good look.
If you're an experienced tester with a bunch of friendly customers, I suspect you could set up something small and go contracting, but you're unlikely to grow too quickly without going through that box-ticking phase.
The main box ticks to get are (in no particular order):
* CHECK
* CREST
* PCI
* Cyber Essentials Plus
CHECK licenses you to do certain types of government work. Most of the market is sewn up by outsourcers and big boys thanks to government cuts, and it puts massive constraints on employment.
CREST is an odd fish. It's built mostly by mid-large size CHECK companies fed up with the way that scheme was going when it was run by CESG (now NCSC). There are a few things they've built to seal off parts of the market (like CBEST and STAR) from non-CREST players. Competing schemes like Tiger and Cyber Scheme offer equivalence for CHECK-type roles but lack some of the market advantages CREST offers. It's best to think of CREST as a one-stop shop for meta-box-ticking in some respects. To be fair, they've done a good job in some areas, come across as a little bit cartel-like in others, but on the whole have done what other standards bodies have failed to achieve, which is to have a cross-discipline certification curriculum that's respected at a technical level.
PCI is for payment data and is absolutely saturated with low-end box-tickers flogging rebadged Qualys scans. The Local Authority market (good god, the horror) is the closest thing to this in terms of sheer volume of WTFs per minute you'll encounter.
Cyber Security Essentials is a scheme that nobody wanted, that CREST picked up with IASME and is now being rolled out by force via backdoor programmes like DCPP.
OSCP is gaining, but not really popular here because of the abundance of other schemes.
Prices are all over the place and depend on market segment and the box being ticked, but have generally been relatively stagnant or lowering since around 2004. When I went full time pentesting, average rates were around £1250-£2000 per day. These days expect between £700-£1250 depending on the market in which you're operating.
So, in a market that sells things people don't want to buy at prices they don't want to pay to tick boxes nobody enjoys ticking, is it worth going into?
There are a lot of companies looking to consolidate testing firms into their portfolios. Blackberry bought Encription a while back for a fair old wedge. Digital Assurance were recently acquired by F-Secure. NCC appear to have stopped acquiring companies at the rate they were previously, possibly connected to decreasing profits.
You could spin up a company and, if well connected, grow it to about 500k-1 million in revenue, possibly sell for 750k-2 million and work for about 5 years extending a services portfolio at a cybersecurity distributor or reseller before cashing out.
Realistically, the money in the compliance end of the market is in services that support the compliance management side, while the money in the technical end of the market is going to be in making tools that do something new for people who consume testing services as well as the testers themselves.
A good example of the former is probably Canopy[1] or Dradis[2], reporting toolsets that integrate various scanners. The best example of the latter is Burp Suite[3], which is a web app testing tool used by both testers and developers. A lesser example would be Nipper (for network infrastructure config review) or Matasano Playbook (sadly now gone).
So, in conclusion:
1. The market is highly divisible based on compliance targets, with associated badge-based barriers to entry, low margins and high salary costs.
2. There are a huge number of companies (e.g. scanner firms) in some areas of the market. There are few in certain niches, but they tend to have barriers to entry.
3. It is still possible to build a small firm that is a cheap acquisition target for a larger firm and make out, and there is scope for consolidation.
4. You are more likely to have longer term growth looking at the market and seeing how to provide to it rather than providing the service yourself.
[1] - https://www.checksec.com/canopy.html
[2] - https://dradisframework.com/ce/
[3] - https://portswigger.net/