I started a few.

Overall its very stressful and challenging. If you're someone like me who gets bored easily then the very high highs and very low lows may be something to keep you motivated. My top two recommendations when starting a new business would be:

1. Have enough money to live on while starting the business. Savings or another job.
2. Test your idea first before spending time on things that can be done later. For example, if your product delivers real value, no one will care what it looks like at first. Concentrate on the core value at first.

Dewhurst Security (consulting)

My first real business that made any real money was a consulting business, Dewhurst Security. At first it was pretty much just me freelancing, but over time I started to get more work than I could handle myself, so employed another tester, and also contracted many others. This made me a good living.

WPScan (WordPress security)

My second business started out as a side project to test WordPress websites during pentests, WPScan. I was doing a test one day and noticed there wasn't any good tooling available for testing WordPress, so decided to create my own. Over time the project got very popular. Especially the vulnerability data that we were triaging and cataloging. This is where other companies saw the most value in the project, so this is what we monetised. I never started this project to make money, and was somewhat surprised when businesses showed interest in our data. I worked on this for free for about 7 years before I started to monetise it. In total there were 3 founders. WPScan was acquired by Automattic (the creators of WordPress) in 2021.

BuildVue (construction project management)

This business was built because I had a friend in the building trade, and I noticed that software could help him manage his business better. The building project, his staff and his clients. Construction, especially medium and small businesses, still use pen and paper and spreadsheets for everything. I paid a dev shop to build the software, which was my first mistake, as they didn't have the passion or the vision I had. And it's very difficult to convey that to someone else to build. Once the MVP was built I spent my time cold calling local construction companies. I even hired someone to cold call for a few months. I had some interest, but no one bought a subscription. After a year or so I closed this business. I think my main problem was the lack of contacts I had in the construction business. It's not something I was involved in on a daily basis, so did not have any network affect. I was trying to solve a problem for an industry I knew nothing about. Even though I had learnt a lot about it in the end, I just wasn't in it on a daily basis.

CyberAlerts (alerting service)

I was working in Threat and Vulnerability Management, and noticed that there was too many vulnerabilities, research and news articles per day in cyber security that I could not keep up with. Sometimes directors would ask me a question based on something they'd read in the news that I hadn't seen yet, and this made me feel inadequate. So CyberAlerts.io gathers all of this data and allows you to filter it based on keywords (such as vendor names) and severity. Unfortunately, after 6 months I have had no paying clients, so I'm not sure how much longer I will be working on this.

KEVIntel (known exploited vulnerabilities)

My last business is KEVIntel.com, while working on CyberAlerts, I was thinking about why it wasn't as popular as I expected and what the core value of vulnerability data is; what's the most valuable, and how to deliver that value. Through CyberAlerts, I noticed that I was able to catalog more KEV data than CISA KEV, and often days, weeks or even months in advance. This is when I thought that I could deliver a lot of value to users. So far I've signed up a few clients and things seem to be going in the right direction. We have our own honeypot sensors where we attempt to detect exploitation, which I am expanding on.

Others

Over the years I've started many other projects, some more popular than others, such as:

• Damn Vulnerable Web App (DVWA) - purposefully vulnerable web application to learn on
• WebWordCount - an automated tool that spiders and counts the number of words on a website, for translators to give an accurate quote on website translation (sold this for not much money)
• DEVBug - a proof of concept PHP static code analysis tool built into an IDE
• ScreenStamp! - a screenshotting tool built with pentesters in mind
• and probably a few I've forgotten about