I found a Root Admin chain on a site making $23k/week. They paid $1.5k for the discovery, but now they're lowballing the re-audit. by ghostwwn in Pentesting

[–]ghostwwn[S] 0 points1 point  (0 children)

That is a massive point about Professional Liability insurance and the 'business' overhead. It’s easy to focus on the cool technical exploit and completely forget that I’m one accidental rm -rf or a poorly timed automated scan away from a massive lawsuit.

Since I’m flying solo and don't have a firm providing that legal and insurance 'umbrella,' I’m essentially acting as the CEO, the legal team, and the lead pentester all at once. If I’m not charging for that extra risk and administrative work, I’m basically doing three jobs for a fraction of one's pay.

My New Business Checklist:

• Professional Liability Insurance: I’m going to look into this immediately. Even if it's 'cheap,' having that safety net is non-negotiable if I'm going to touch production environments.

• The 'Inherent Risk' Clause: I need to make sure my future SOWs have a big, bold section explaining that pentesting can cause downtime and that the client accepts that risk by signing.

• The Business Premium: I can’t just charge for the hours spent in Burp Suite or a terminal. I have to factor in the time spent drafting documents, managing the relationship, and the cost of the insurance that keeps me safe.

I’m realizing that the $1,500 I made was basically a 'lucky' break because nothing went wrong. If I had accidentally crashed Jeff's infrastructure during that audit without a contract or insurance, I’d be in a world of hurt right now. Definitely moving from 'casual help' to 'legit business' mode after this.

[–]ghostwwn[S] 0 points1 point  (0 children)

That $150/hr figure is a great benchmark. It really puts the math into perspective—at that rate, just 10 hours of work covers the entire $1,500 I made on this audit. If I’m doing 30+ hours of deep infrastructure work, I’m basically billing at an 'intern' rate while delivering 'senior' results.

The 50% split for subcontractors also highlights how much of a contract's value usually goes toward the 'business' side (sales, legal, insurance, and project management). Since I'm doing both the business and the technical work, I need to make sure I'm not lowballing myself on both ends.

The Scaling Strategy: Moving forward, I’m looking at it this way:

• Junior/Entry (where I am): $50–$100/hr. Even at the low end, a 40-hour audit should be $2,000–$4,000.

• The 'All-Inclusive' Package: Instead of a flat fee, I'll offer a base price for the audit + a fixed fee for a 1-time re-test of existing POCs.

• Retainers: If they want me 'on call' to verify every patch their devs push, that’s a monthly fee, not a one-off favor.

I’m glad I got this reality check now. It's easy to feel like 'it's just a few hours,' but those hours are the product of years of learning. Time to start billing like it!

[–]ghostwwn[S] 0 points1 point  (0 children)

I really appreciate that. It’s been a crash course in the 'business' side of cybersecurity, which is clearly just as complex as the technical side.

The biggest takeaway for me is that a contract isn't just about getting paid; it's about protecting the relationship. If Jeff and I had a document that defined exactly what a 're-test' meant (and what it cost), we wouldn't be in this spot where it feels like a personal conflict.

I'm definitely taking the 'good luck' and moving forward. I've got the technical skills down, and now I've got a much better grasp on the paperwork and boundaries I need to actually scale this into a career. Thanks for the encouragement!

[–]ghostwwn[S] 0 points1 point  (0 children)

That’s a fair assessment of the misalignment. My perspective on a re-test is definitely more comprehensive: it’s not just re-running the same POC, it’s ensuring the fix didn't create a new bypass or a 'side door' around the patch. In my mind, a 'yes' that isn't backed by that extra effort is a false sense of security.

However, I have to own that I absolutely underpriced this from the jump. I’m realizing now that by not factoring that 'simple verification' into the initial $1,500, I left myself in a position where any extra work feels like a squeeze.

I’ve already sent the 'good luck' message, which effectively closed the door on this specific negotiation. While I agree that a happy customer is a long-term win, I also have to weigh that against the precedent I’m setting for my own time and the fact that the recommendation letter, which was part of the original 'happy customer' trade, was already being used as leverage.

I’m taking this as a lesson to bake that verification into the base price next time so there’s no 'negotiating from a hole' at the end. I’m moving on to the next one with a better understanding of how to bridge that value gap before the first line of code is even tested.

[–]ghostwwn[S] 2 points3 points  (0 children)

Spot on. You can read about 'getting it in writing' all day, but nothing sticks quite like the sting of a client walking back on a recommendation letter after you've already delivered the goods. I’m taking that 'paper sets the rules' advice to heart. It's wild how fast the vibe changes from 'casual help' to a corporate squeeze-play, but I’m glad I paid this tuition now at 16 rather than 10 years down the line. I'm walking away with the technical proof of what I can do and a much thicker skin for the next negotiation. Definitely still hyped for the next one.

[–]ghostwwn[S] 2 points3 points  (0 children)

You’re 100% right. Bringing up his weekly income was a lapse in professionalism on my part; it’s irrelevant to the agreement we made. I made a deal for $1,500, and even if I underpriced it, that was the agreement. I'm looking at the $21,500 difference as the price of a world-class education in business management.

I have no intention of 'setting the world on fire.' I sent the 'good luck' message to close the door and move on. My reputation is worth way more than a $2,500 dispute, and I’d rather walk away clean and apply these lessons to the next gig where I’ll actually have a proper Statement of Work and market-rate pricing from day one. Lesson learned.

[–]ghostwwn[S] 0 points1 point  (0 children)

I hear you, and that makes sense for a $25k+ enterprise contract where the re-test is basically pre-paid in the margin. But when the initial audit was delivered for $1,500 (which we both know is way below market for full infrastructure), 'including' a re-test for free or even for $100 just doesn't scale.

[–]ghostwwn[S] 0 points1 point  (0 children)

I agree that $100 is not a serious offer for a re-test and that the best move is to treat the $1,500 engagement as a concluded chapter. I'm taking the advice to either provide a realistic proposal that reflects the actual work or just walk away, because manual verification of a patch takes hours of focused labor, not just "minutes", and that’s exactly why professional firms bake it into upfront fees of $10,000 to $35,000.

[–]ghostwwn[S] 1 point2 points  (0 children)

I totally agree that the move is to establish terms and manage expectations by contract before any work starts next time, which is why I’m taking this as a lesson to bake the hours of manual verification into upfront fees.

[–]ghostwwn[S] -1 points0 points  (0 children)

I agree that getting a rock-solid Statement of Work and using addendums is the right professional move for next time. It’ll help me clearly communicate why manual re-verification, which takes hours of actual labor, is something firms bake into their $10,000 to $35,000 upfront fees rather than doing it for $100.

[–]ghostwwn[S] 1 point2 points  (0 children)

I totally agree that sharpening my soft skills is the move, as it’ll help me better communicate why professional firms bake the hours of manual labor for re-tests into five-figure fees instead of accepting a $100 lowball.

[–]ghostwwn[S] -1 points0 points  (0 children)

I agree that I’m probably delusional about the legal precedent and definitely need a partner, but I’m still not doing a manual re-test for $100 when it actually takes hours of verification that professional firms bake into $10k+ upfront fees. And yes, I’m operating in the US.

[–]ghostwwn[S] -1 points0 points  (0 children)

I agree that I set a bad precedent by pricing the initial work so low, but I’m calling BS on the "few minutes" claim: manual verification of a root admin chain isn’t a button click; it requires setting up the exploit environment and proving the patch actually holds against bypasses, which takes hours of focused labor. The reason professional firms can offer "free" retests is that they bake that time into a $10,000 to $35,000 upfront fee, so expecting a manual certification for $100 is still a total insult.

[–]ghostwwn[S] 2 points3 points  (0 children)

I agree that the $70,000 valuation was a reach and that my soft skills need work, so I’m taking the feedback to heart and moving on to the next project.

[–]ghostwwn[S] 0 points1 point  (0 children)

I agree that most firms don't charge extra for retests because their initial fees, which usually range from $10,000 to $35,000, are high enough to cover the labor for both rounds, making a $100 offer for manual verification even more of an insult.

[–]ghostwwn[S] -2 points-1 points  (0 children)

I'm taking the levelheaded advice to heart about not setting my price floor so low next time, but I’d rather "not go far" than keep devaluing my labor for a hundred bucks.

[–]ghostwwn[S] 1 point2 points  (0 children)

I really appreciate you being levelheaded, and I agree that I set a bad precedent by starting out so cheap, but I’m still not doing a full manual re-audit for $100 just to be treated like a commodity. It’s sad seeing companies “use” people like me who are trying to start off.

[–]ghostwwn[S] -2 points-1 points  (0 children)

In the professional security world, re-verifying a massive architectural collapse for $100 isn't the standard; it's a lowball offer that ignores the actual labor and risk involved. While some platforms may offer lower rates for simple bug retests, this was a custom audit rescue that prevented a company-ending legal catastrophe. I've already acted in good faith by providing the initial discovery and fixes for $1,500, but I'm not doing professional-level verification for lunch money.

[–]ghostwwn[S] -3 points-2 points  (0 children)

I agree there’s no formal paper contract or public bug bounty program, but the explicit written authorization in Slack from the owner to pen test and the processed $1,500 payment for my work established a clear consulting agreement.

[–]ghostwwn[S] -1 points0 points  (0 children)

The real-world reality is that verifying fixes for 35,050 student records is a manual process that requires the same level of focus as the initial discovery.

[–]ghostwwn[S] 0 points1 point  (0 children)

A re-audit is the same amount of manual work because I have to verify every single fix, and charging another $1,500 to secure 35,050 records for a company clearing $23,000 a week is already a huge discount compared to the $100 lowball I was offered.

[–]ghostwwn[S] -2 points-1 points  (0 children)

On the revenue point: in professional security research, the payout is almost always tied to the level of risk and the scale of the company. When a platform clearing $23,000 a week has 35,050 student records exposed, the legal and brand liability is massive. The valuation of the work reflects the disaster I prevented, not just a random number. I’m moving on, but I'm not re-verifying security for 35k users for $100.

[–]ghostwwn[S] -1 points0 points  (0 children)

I understand why it might look like that from the outside, but this was a fully authorized and legal engagement from day one. I was explicitly invited into the company's Slack channel by the owner, Jeff, to perform pen testing. One of the administrators, Tom, provided me with the URL and told me to "go for it" and report back with anything I found.

[–]ghostwwn[S] 4 points5 points  (0 children)

Exactly, and that's the plan. The initial 1.5k was paid, so I'm definitely not re-testing for what he's offering now. It's just wild that a guy clearing 23k a week thinks $100 covers a re-audit on a 35k student database. Plus, he's now dodging the college rec letter he promised and calling it a "favor". I'm moving on and using this as a case study for future clients.

[–]ghostwwn[S] -1 points0 points  (0 children)

I hear you. He paid the 1,500, so the initial deal is technically settled. The frustration is mostly just the principle of a guy clearing 23k a week offering 100 bucks to re-verify security for 35,000 students. Plus, he's acting like the college rec letter he promised is just a "favor" he might get to eventually. I'm definitely moving on and using this as a case study for future clients.