Cybersecurity Consulting
The shortcut: Most cybersecurity consultants spend their first six months chasing enterprise clients who want SOC 2 or ISO 27001 audit experience. The actual money is small businesses who have never had a single security review and will pay $5K-$15K just to learn what they're exposed to.
Industry: Software & Tech | Investment level: Medium — $5,000-$25,000 | Time to launch: 6-12 weeks (launch is gated on one certification, one signed authorization template, and one pilot risk assessment)
Best for: A developer or IT/sysadmin who can read a network diagram, write a one-page memo a non-technical owner will actually act on, and stay disciplined about obtaining written authorization before touching anything. What you'll likely make: $2,000-$4,000 in month 3, $5,000-$10,000 in month 6, $10,000-$18,000 in month 12 (one risk assessment plus a small ongoing advisory book). The math is in Section 4.
Market Opportunity
Most cybersecurity consultants chase the wrong client. The pitch deck says "we help enterprises with SOC 2 audit prep," and they spend six months getting ignored by Fortune 1000 procurement teams who won't consider a vendor without three case studies and a Big-Four pedigree. Meanwhile, the auto dealer down the street, the local CPA firm, and the 30-person mortgage broker have never had a security review — and they have new federal obligations they don't understand.
The FTC Safeguards Rule (16 CFR Part 314) now applies to non-bank financial institutions — auto dealers, mortgage brokers, CPAs, tax preparers — and requires a written information security program. Most of these businesses have a staff of around 50, no IT lead, and a compliance deadline they only half-understand. They will write a check for someone to walk them through it.
Healthcare is the second wedge. The HIPAA Security Rule requires covered entities and business associates to conduct a formal security risk analysis. Dental practices, small medical clinics, and therapy groups owe one and rarely have one. Risk assessments here typically bill $3,000-$10,000 per engagement.
The crowded slice is pen testing for tech-forward customers who want a glossy report. The quiet one is writing a 12-page risk roadmap an owner can hand to their accountant.