Comment by cperciva

4 years ago

I do occasional consulting in cryptography and security design, and anything related to FreeBSD/EC2.

$300/hour with discounts for open source, startups based in Canada, longer engagements, and anything which particularly piques my interest.

$300/hr for your time is a steal.

  • Feel free to steal from me. ;-)

    As a practical matter: If I were a full time consultant I probably would charge more, but I would also be spending some of my time making sure I had a full pipeline of gigs lined up. The fact that my marketing process is about as lean as it gets -- people send me emails from time to time -- means I don't have to cover that sort of overhead.

    • If I had cryptography work, I would! My strategy is to go way out of my way to make sure I don't have cryptography work to bid out. :)

      The fact that you're not booked wall-to-wall while underbidding the market for the expertise you're selling to this extent should be a lesson to everyone about price competition.

      You're happy! I'm not criticizing you. I'm literally just saying that your rate is a steal. It is way, way under the market. People should take you up on it.

    • To give a reference point, you get the equivalent of $300/hr starting around L6 at a FAANG: https://www.levels.fyi

      I don't think most people realize they can hire a putnam winner and world class crypto expert for the price of a staff engineer.

You interested in being a sub contractor?

Only half joking...

Seriously though, one of the most powerful tools in consulting is a deep rolodex of unique talent. You never want to be in the position of telling a client you can't help them. You should always be honest, but you should also be prepared.

Someone could probably put together a pretty nice consulting association/firm with contacts made here on HN.

  • As long as I get paid, I don't really mind who writes the checks. ;-)

    Seriously though, I wouldn't want to give up any of the flexibility I currently have, which includes both absolute veto over customers and projects, and "best effort" availability which ranges from "reply within 5 minutes because I happened to be checking my email" to "I'm busy with the baby today while my wife plays an orchestra gig" and in the extreme case "I'm tracking down a FreeBSD bug this week; hopefully I'll get around to helping you next week".

    This may be incompatible with being contracted out by an agency.

You could probably charge a good bit more. Our customers are at 14k week rate for good quality pen testing, app sec, device hacking, sec eng, red teams etc.

Edit: and I know friends at a big firm with a crypto services specialty and they charge a looot more. $400-$500/hr. They stay pretty busy.

  • I'm fairly good at crypto (not as good as Colin of course) but I think that's not of that much help in general security stuff. Pen testing = knowing all the bugs and code smells in the popular JavaScript frameworks, 0-days in a zillion libraries like log4j, etc. I'm basically resigned that the modern web is bloaty buggy crap and so I haven't found it worthwhile to get too familiar with its workings. I have gotten some fairly pure crypto gigs here and there, but I think wider security, especially web security, is a much bigger and messier subject.

    • "much bigger and messier subject"

      Exactly. I won't touch gigs like that; the closest I'll get is to make a point about "keep your system as minimalist as possible" during a general security review.

      Heck, I'm unlikely to even take code review gigs any more -- IIRC the last time I did one of those it was reviewing STUD before Bump released it.

    • The difference is the level of knowledge required. Deep vs wide. To pick a nit, too, customers use the term pen testing very broadly. So, it could just be internals and externals, could be app sec, etc. I haven’t found a ton of changes all that important in the last decade in web app testing.