[HackerNotes Ep. 154] Starting a Pentesting Company on Top of Bug Bounty
In this episode: Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world.
Hacker TL;DR
Pentesting = predictable cash that lets you leverage your skills and build a solid income next to bug hunting
Your bug bounty profile is good proof of your skills; it builds your personal brand and shows the client what you can bring to the table
Pentesting != just hacking; it’s half hacking, half soft skills like reporting, calls, timelines, trust.
A few guaranteed days/month can bankroll long-term research and help with mental fatigue
We do subs at $25, $10, and $5, premium subscribers get access to:
– Hackalongs: live bug bounty hacking on real programs, VODs available
– Live data streams
– Exploits, tools & scripts
– Un-redacted bug reports
– A collaborative hacking environment
HackerNotes
Bug Bounty is not predictable
Bug bounty income is volatile. You have high highs and low lows, disputed reports, dupes, and so on. It’s hard to rely on it.
Pentesting is different. Whether it’s hourly or a fixed fee, you do X, you get Y. The benefit is not only financial but also psychological: knowing money is coming in makes it much easier to hunt afterwards without desperation.
A great tip here: after time off like holidays, come back with a pentest first. It reduces the pressure to “find bugs”. Just hack, ship, get paid. That restores the momentum for bug hunting.
The goal is not to find every possible bug; that’s usually impossible in a few days. The goal is to cover the widest possible scope and focus on impact.
Platforms vs your own company
There are basically two pentesting lanes:
Pentesting via platforms
Usually on HackerOne or Bugcrowd: easy to start, low friction. You don’t have to do sales; you only focus on hacking. But you get a lower payout, because the platform takes a cut.
Independent Pentesting
More money and more control, but you need to do sales, scoping, proposals, reporting, and so on. It’s just different. If you go with your own company, look into which type of company is best for you in your country. You can ask people you know who are doing it, or pay a consultant to help you.
The question is not which pays more, but whether you want less friction or more upside.
We, as bug hunters, have an advantage
You already have external validation that many pentesters don’t. You already have:
Public platform profiles
Accepted reports
Writeups
Reputation
Companies you’ve broken
Even if those companies weren’t clients, you found real vulns on real targets, after the company’s own pentest team had already been through. That builds trust and helps grow your personal brand.
Pentest is different from Bug Hunting
This is not just bug bounty with a guaranteed payment; it’s closer to 50% hacking, 50% other stuff like calls, sales, timelines, writing reports, explaining the impact, and remediation.
You are not selling bugs, you sell clarity and trust. To help with that, you need to build your personal brand. It can be as easy as using an AI to create your full identity, or, as Brandyn did, hiring someone to make a nice identity and personal brand that will help you grow that trust.
To find clients, you can usually ask the team behind the apps you use regularly. You can also talk to people and ask your contacts. It can be the pizzeria near your place that has a website and needs a pentest from you.
You can hire someone who will find you contracts and take a cut. That can be helpful if you’re bad at doing sales.
You will also need to deal with compliance sometimes. SOC 2, CREST, or vendor requirements usually come up with larger companies. You can do the paperwork yourself or subcontract under a larger firm that already meets the requirements. You trade margin for access, and it can be worth it.
Reports in pentests are very different from those in bug bounty; you have to be careful about the remediation to help the teams fix issues the proper way. You need to be clear in your explanation, explain what the CVSS score means, and explain why a vulnerability is impactful and how to mitigate it everywhere it occurs.
Pricing tips
Pricing can be arbitrary depending on the client and the geographical location. Some keys here: ask local pentest firms what they charge in your country, because the market matters. It’s not about fairness but about what the market will bear.
You can also calculate your bug bounty hourly average over time. If your bounty average is $100/hour, selling pentesting at $30/hour makes zero sense unless you need stability right now.
You can also, as Joseph prefers, do fixed-fee pentests. You sell outcomes, not timesheets. Focus on delivering value rather than counting hours, and your effective hourly rate usually goes up.
Reach mental freedom
The dream setup is to have a retainer for a few days a month that covers your bills. This way the pressure is gone, and you have the rest of the month for deep research, bounty hunting, or whatever you want.
Another pattern is people staying in part-time jobs to build confidence and savings before going full-time.
Final Takeaways
You can start small and part-time. No need to “be a company” on day one.
Bug bounty proof demonstrates your skills; use it as an advantage.
Overcome the impostor syndrome. If you find bugs, you are qualified.
Pentesting is a hedge against burnout, volatility, or future automation using AI.
You can also automate a lot of pentesting work using reporting template tools like PwnDoc or SysReptor.
Bug bounty doesn’t have to be replaced. Pentesting just gives you other options.
That’s all for today, keep hacking.
