Pricing tends to be a spectrum. If I’m just getting a report which interprets some commonly-used scanners, that’s cheap(er) — this feels like a “Box Check” test if I gave it a term. When someone’s going beyond scanners and digging into source code to find issues — that’s often more valuable. Bringing specialized knowledge about cryptography to evaluate our implementation? Also more valuable!

Beyond pricing have you thought about your differentiation, or what’s special about you? Are you able to do web applications, but i.e. intending to be focusing on industrial control systems, financial systems? Are you going to be comfortable auditing C# or Rust and identifying issues? Do you know a lot about Kubernetes? Are you focusing on cloud environments, if so, are you more specialized on AWS, Azure or GCP?

Next thing I think is important to be able to answer: why award the business to you over Deloitte, or over a smaller shop with a good reputation like Cure53, Trail of Bits, TrustedSec, etc? Perhaps you’re a prolific speaker in the security community at Black Hat, Defcon, CCC, or something?

If you’re going to be a one-man band, does that rule out engagements large enough to require 5 people for a month? (Sometimes engagements are urgent and multiple people sure helps them go faster).

Good luck on the new venture.

Penetrating is important.