The Solo Pentester’s Retainer: Why You Get Me, Not a Rotation of Interns
You signed a retainer with a big firm. €20k/month. You get a different junior every quarter. Each one spends the first month learning your infrastructure. By the time they know it, they’re rotated out. Rinse. Repeat.
You’re not paying for security. You’re paying for a training program for other people’s employees.
Here’s what a solo pentester’s retainer looks like. A fraction of the price. No juniors. No handoffs. One person who knows your infrastructure by week two.
Big firm retainers are designed for their benefit, not yours. They bill you for the junior’s learning curve. You never get consistency. You never get institutional memory. You get a rotation of faces and a folder of templated reports.
The Big Firm Retainer: What You’re Actually Getting
| What happens | Month 1 | Month 6 | Month 12 |
|---|---|---|---|
| Who tests you | Intern A | Intern B | Intern C |
| Knows your infra? | No | No (different person) | No (different again) |
| Report quality | Template | Same template | Same template |
| You pay | €20k | €20k | €20k |
You’re not getting better over time. You’re getting a reset every quarter. The firm wins. You don’t.
The Solo Retainer: What You Actually Get
| What happens | Month 1 | Month 6 | Month 12 |
|---|---|---|---|
| Who tests you | Me | Me | Me |
| Knows your infra? | By week 2 | Inside and out | Could rebuild it blindfolded |
| Report quality | Custom | Custom + trends | Proactive threat hunting |
| You pay | €1,500 | €1,500 | €1,500 |
Same person. Same context. Compounding knowledge. That’s the point of a retainer.
Month 1: I find your low-hanging fruit. Month 3: I find the weird stuff. Month 6: I predict where your next vulnerability will appear based on your team’s patterns. Month 12: I’m threat hunting before you even know there’s a problem.
That only happens when the same person stays on your account. Rotation kills that curve.
Why Big Firms Rotate You
- Staff utilization. They need to bill juniors to train them. Your retainer is a tuition fund.
- No incentive for continuity. They bill the same whether they know your infra or not. Actually, the incentive runs the other way: discovery hours are billable, so relearning your environment is revenue for them.
- “Fresh eyes” myth. They call it fresh perspective. You call it explaining your architecture for the fifth time.
- Key person risk. They deliberately avoid single points of dependency. That’s good for them. Bad for you.
Your big firm retainer isn’t a security program. It’s a staffing agency with a logo.
You’re paying €20k/month for the privilege of training their employees. When you cancel, the knowledge walks out the door with the junior. You have nothing left but invoices.
What a Solo Retainer Looks Like in Practice
- Week 1: Onboarding. I learn your stack, your team, your risk tolerance. I don’t bill for discovery.
- Month 1: Full baseline pentest. 20-page report. Every finding is real. Every fix is actionable.
- Month 2 onward: Monthly vulnerability scans, quarterly deep dives. I know where your developers cut corners. I know which legacy systems are rotting.
- Ongoing: 24/7 support. Critical finding? You get a call before I finish writing the note. No ticket system. No “let me escalate.” Just me.
Not a logo. Not a template. Not a junior’s learning curve.
You’re paying for a person who knows your infrastructure better than your own team in some places. A person who has seen every mistake you’ve made and helped you fix them. A person who is awake when your SOC is asleep.
That’s the solo retainer. Not a service. A relationship.
When the Big Firm Retainer Makes Sense
There are two scenarios:
- You need a compliance stamp that says “Deloitte/PwC/EY” on it. That’s fine. Do that.
- You have infinite budget and don’t care about outcomes. Then sure, rotate away.
For everyone else who actually wants to stop breaches, the solo retainer is the only model that compounds value instead of resetting it.
A retainer is supposed to get better over time. Big firm retainers don’t. They reset.
You’re not paying for security. You’re paying for a carousel of faces and a stack of templated PDFs.
Try a solo retainer. Same person. Every month. Growing knowledge. Real security.
€1,500/month. No juniors. No handoffs. Just me.
Stop paying for someone else’s training program.
Security retainer: €1,500/month. Monthly scans, quarterly pentests, 24/7 support. 3 spots left.
DM @StackOfTruths on X. Free 15-min consultation. No hard sell. Just honest answers about what you’re actually getting.