Going Freelance in IT Security

Thinking of going freelance but not sure if it's for you?
Here are a few things that I think are worth considering before you take the plunge.

First, are you sure you actually want to go freelance? Is it that you want to be your own boss and manage your own work/life balance or is it just the lure of what, on the surface, appears to be good money and short hours?

I've been working for myself on and off for the last eight years, so I have quite a bit of experience of the advantages, disadvantages and things to consider when making the jump, and in this article I'll cover some of these. I hope they will be helpful to those of you thinking of making the jump or who have recently made it. A short disclaimer though: these are my experiences and opinions, they may not work for everyone and others may disagree, but they will at least give you one point of view.

First off, back to the original question: do you really want to work for yourself? On the face of it, freelancers have a great life: the money is good, you can choose when to work, pick your clients and generally have a great time. The reality is that all this can be true, but it takes effort; you have to put a lot of work in to get there and to stay there. Clients do not simply come banging on your door, and while the daily rate can be very good you are unlikely to be working 5 days a week every week, so don't forget, you have to average that rate out over the month and year.

Here are some other things worth thinking about.


I find that I work a lot more hours working for myself than I ever did working for someone else. There are lots of reasons for this:

  • You are now running a business so have to do "business stuff" as well as the actual client work - things like bank reconciliation, marketing/advertising and VAT returns all take time that isn't billable, so it ends up being fitted in around jobs, usually in the evenings or weekends during busy periods.
  • Quality of work/reputation - not that I didn't care about the quality of work when I was employed, but now that the business is just me and the next job with a client is likely to be based on the deliverables from this job, I feel an extra pressure to do the best job possible, even if that means putting in a few extra hours. I also end up knowing the client at a more personal level as I've often been involved with the whole process from initial contact to final delivery, and so want to deliver a higher quality product.
  • There is often no one there to stop you doing the extra hours - when working in an office the end of the day is obvious as everyone else is packing up and leaving, but working on your own it is easy to get sucked into a job and lose track of time. This applies to employed people who work from home as well, so it is not just freelancers.


Unless you are really lucky and are well known or have very specialist skills, it is unlikely that clients will simply come to you, and so you'll need to go out and win them in some way. When starting out you need to be careful how you do this. Most companies have a clause in their contract that stops you approaching any of their clients if you leave, so don't assume that if you are friendly with some of the company's clients you will be able to lure them away. You may also have to be careful signing up your own clients while still employed, as this may breach your contract. If this is the case you may start your freelance career without any fully signed up clients, which isn't a good position to be in.

When working out where to get clients from there are a couple of options: go direct to companies and try to sell them your services, or work through middlemen who resell your services for you. Which you choose is up to you and how you would rather work. Going direct to companies can be more lucrative as you get to negotiate for yourself and keep all the cash, but doing this requires you to put effort into finding and winning these clients. Back to the hours worked: this isn't billable work and you have to fit it in around paying clients. Working through a middleman means you don't have to worry about sales and marketing and all the client schmoozing, but it means you lose a cut of the final invoice to the middleman.

I personally prefer using a middleman, actually a number of them, as I really don't like having to do sales work and so am happy to give them their cut to do the work I don't enjoy. Something I do consider here though is that if the middleman goes on holiday or has a bad month then I'll not be getting any work that month. That is why I like to have a number of agencies that I work through as one may be on an ebb while the other is on a flow.

Until it has happened once, most freelancers don't think about clients not paying; you just assume that you've done the job so the cash will come in, hopefully on time. I've had a couple of clients not pay, and the first one hit me so badly that I ended up going back to employment as I couldn't cover it. When you tell friends, their response is often "take them to court, sue them"; that is easier said than done when you find out that they haven't paid because they've blown all their cash and have nothing left to pay anyone. Legal action can cost a lot of money and you are unlikely to be high on the list to get cash back if they are going belly up. Make sure you think about this and have reserves in case it happens.


As an employee you are most likely provided with all the hardware and software you require to do your job. You'll get a laptop, a Nessus licence, that kind of thing. When you are on your own you have to provide all that yourself. While a lot of security tools are free, there are some instances where the commercial versions are really the best ones to choose. Make sure you add all these costs to your budget. Don't forget the non-security software costs as well: a Windows licence (even if just used in a VM), Office and all the other little apps that you used to just install off the main app server without worrying about licences.

Laptops, phones and other hardware - are you going to share your personal kit with the business or are you going to get it its own dedicated set? Duplicating it all is expensive but means you can do extra hardening on the work equipment and ensure it is only used for work to lessen the risk of exposing client data.

Also consider hardware redundancy. When employed, if your laptop dies the night before a test you might be able to acquire a replacement from a colleague, and if not then you can probably hand off to the project manager to talk to the client and postpone the job. When you are on your own all that becomes your responsibility. I've been a Linux user for over 10 years but my main laptop has been running Windows 7 for over a year because I've not had time to take it out of service for long enough to reinstall it. I have a backup machine that I can use if I need to, but being older it is a much lower spec, so even when I've had a few days spare I haven't risked making the swap just in case.

Legal Issues

The contract

This section could also be called Cover Your Ass and you need to give it close attention. What you need is dependent on your location and the jobs you are doing but here are the basics.

First, you really should get a good contract. There are lots of contracts floating around on the net which you could take and either use as is or modify to your own requirements. This is the cheap option but not one that I went for. The reason I chose not to do it is that I wanted to know that my contract matched my business and the jobs I was doing. The contract is the thing that decides who is in the right if things go wrong, so I was happy to spend money and time with a good lawyer to make sure mine was as good as I could get.

There are also a number of potential problems with random contracts found on the net:

  • It could be out of date - laws and regulations change
  • Location - the contract may not be for your country/jurisdiction
  • The contract may have flaws, or may simply have been written by someone who was not a lawyer and just thought the words sounded good


In terms of insurance, some may be mandatory, some may be recommended and some may be personal preference. As with contracts, what you need will be based on the kind of work you are doing and where you are doing it. The different types I'd definitely look at are:

  • Professional indemnity - covers you if you make a mistake while on a job
  • Public liability - in case someone gets hurt as a result of you doing a job
  • Income protection - if for some reason you are unable to work there will be no money coming in; this can help in that kind of situation

When getting insurance, make sure you explain exactly what it is you will be doing to the insurance company or broker. I went through a few companies who turned me down outright, until I got annoyed and asked one for an explanation as to why they wouldn't cover me. After a discussion they realised they didn't fully understand the job I initially described to them, so changed their minds and covered me. This was quite a few years ago, and as the industry has grown there are now many more options out there and companies understand the profession better, but I'd still make sure you fully explain to them what it is you will be doing, just in case.


It's all down to you: if you want training you have to pay for it yourself in time and money. There are a lot of free, or very cheap, courses out there and you can learn a lot from just reading articles, but back to hours worked again, it isn't billable work so you have to fit it in around your paying clients.


No holiday pay, if you aren't working you aren't earning! You don't even get paid for bank holidays.

I like to tie training and conferences in with holidays; our family holiday last year started in Gent at BruCON, then moved on to a more normal holiday.


I can't lie, the money as a freelancer, on the face of it, is a lot better than as an employee. But when you add in all the extra hours you'll end up working, the lack of holiday pay, having to provide all your own hardware, software and stationery (I still send letters occasionally), and all the other non-billable things you need to do and buy, it doesn't necessarily work out that much better.

When working out your budgets, don't assume that you'll set your day rate at X and will get 253 * X (253 is the number of working days in 2013). Make realistic assumptions about how much work you think you'll get in a good and a bad month, and then decide if it looks as good as it did.

Think about what will happen if you have a couple of bad months back to back: can you survive?


I love being freelance. I much prefer the freedom it gives, especially with two small children at home, but I'm lucky that I have a lot of very good clients and I'm able to sit at my desk from 9-5 (or however long a job takes) without getting distracted. I take regular breaks and will take a day off just to play with the kids if work is quiet, but I'll also get my head down and barely leave my office when work is there.

If you are thinking about it, make sure you look at the unglamorous side of it as well as the fun-looking public side, and if you decide to do it, good luck, I hope you enjoy it as much as I do.

About the Author

Robin Wood is a freelance pen-tester, researcher and developer. Among his projects are Karma, KreiosC2 and Jasager. He is based in the UK. Find him on Twitter as @digininja or at www.digininja.org
