Penetration testing and vulnerability assessment demand specialized skills—but attracting enough clients to stay profitable is a different challenge entirely. Most pen testing shop owners focus exclusively on delivery, leaving sales and visibility to chance. Without a deliberate growth strategy, you'll hit a revenue ceiling faster than you can patch a zero-day.
The Core Problem: Service Delivery vs. Business Growth
Running a pen testing business means juggling billable hours (typically $150–$300 per hour, or $3,000–$15,000 per engagement for mid-market clients) with business development. If you're the primary tester, you're trading time for money—a model that doesn't scale. Most owners can only handle 3–4 concurrent engagements before quality drops and burnout sets in.
The math is simple: you need either more testers on payroll or a revenue model that doesn't depend entirely on your hands typing at a keyboard.
Building a Repeatable Service Offering
Standardize your most profitable engagements. Instead of custom scopes for every client, package your core services:
- Quarterly external network penetration tests ($4,000–$8,000 per quarter)
- Annual internal assessments with a fixed scope (e.g., 40 hours, $6,000–$10,000)
- Web application testing in tiers (basic, standard, comprehensive) starting at $3,500
- Compliance-focused assessments (HIPAA, PCI-DSS, SOC 2 readiness) with predictable timelines and pricing
Packaging reduces sales friction. A prospect knows exactly what they're getting, and you can deliver it faster because the scope is tight. It also makes delegation easier—once you document the methodology, you can train junior testers to execute standardized engagements.
Hiring and Building a Bench
Your first hire should be a mid-level penetration tester or security analyst (salary range: $70,000–$100,000 depending on location and certifications). This person doesn't need to be a Pwn2Own champion—they need to reliably execute scans, document findings, and write clear reports under your review.
Before hiring, ensure you have enough backlog to justify 30+ billable hours per week from that person. If you're averaging 2 engagements per month, wait. If you're turning down work or have a 6–8 week pipeline, hire.
Lead Generation: The Unglamorous Part
Most pen testing owners rely on referrals alone. It works until it doesn't. Establish multiple channels:
Inbound (20% of new leads):
- Appear in local B2B directories and security-focused platforms like Mercoly, where buyers actively search for pen testing firms. A well-optimized listing with service descriptions, certifications (OSCP, CEH, GPEN), and past work samples gets discovered by prospects ready to buy.
- Publish 1–2 technical posts per month on your website. Topics: "Top 5 Vulnerabilities in Mid-Market SaaS," "What to Expect in a Pen Test," "HIPAA Compliance and Red Team Exercises." Target 800–1,200 words per piece. This builds trust and ranks for local searches.
Outbound (30% of new leads):
- Target decision-makers at IT companies, MSPs, and mid-market firms ($10–$100M revenue) using LinkedIn Sales Navigator. Aim for 10–15 personalized outreach messages per week. Pitch: "I help [Industry] firms find security gaps before attackers do. 30-min call?"
- Partner with managed IT providers. They resell your services at 20–30% markup. One MSP partnership can generate 2–3 qualified leads per month.
Referral (50% of new leads):
- Offer $1,000–$2,500 referral fees for client introductions that close. Track referral sources and reward your best advocates.
Pricing and Margins
Aim for 50–60% gross margins on service delivery. If your fully-loaded cost per hour (salary + taxes + insurance) is $75, charge $150–$200 per hour. For fixed-scope engagements, build in a 40% buffer for scope creep and reporting.
Don't compete on price. Compete on speed of delivery, clarity of reporting, and actionable remediation guidance. Clients care more about avoiding a breach than saving $2,000 on an assessment.
Frequently Asked Questions
Q: How do I know when to hire my first tester? Hire when you have consistent pipeline visibility of 150+ billable hours per quarter and are regularly declining work. A new tester won't be profitable immediately, so ensure you have runway.
Q: What certifications should I look for in junior testers? CEH, OSCP, or GPEN are solid. More important: hands-on lab experience (HackTheBox, TryHackMe), clean communication skills, and a proven ability to learn from feedback.
Q: How do I price a pen test for a client I've never worked with before? Scope the engagement first (1–2 hour discovery call, no charge). Quote based on hours needed, not perceived budget. If they push back, reduce scope, not rate.
Get listed on Mercoly today—it's where security buyers find and vet pen testing firms.