Every few months, a security professional with ten years of experience, a CISSP, and a strong employer reputation decides that going independent is the obvious next step. They look at their current billing rate at a consulting firm, do the math on what the firm charges clients for their time, and conclude they are leaving a large amount of money on the table. Sometimes they are right. Often they are not.

The gap between what looks true from the inside of employment and what is actually true about running an independent practice is wider than most people expect. This article covers the business mechanics that determine whether an independent cybersecurity consulting practice becomes a sustainable income or a two-year detour back to employment.

Client Acquisition: Where the Work Actually Comes From

The single most common mistake among newly independent consultants is underestimating how long it takes to build a reliable client pipeline — and overestimating the quality of their existing network as a source of paid work.

Most security professionals know a lot of people. The problem is that knowing people and having a pipeline of paying clients are different things. Your former colleagues respect you. Your LinkedIn connections may follow your posts. Neither group is likely to become your client base, because most of them work inside organizations that already have security resources or that are not in a position to buy consulting services.

The clients who actually write checks come from a smaller and more specific set of sources:

Former employers and direct past colleagues who have moved to organizations that need help. This is the most reliable early source. When someone you worked with becomes a VP of Engineering at a 200-person SaaS company with no security function, that is a real lead. The relationship already has trust embedded in it. These opportunities do not require a sales cycle — they require staying in contact with people as their careers evolve.

Referrals from other consultants. Established consultants routinely turn away work — either because they are at capacity, or because the engagement is outside their specialty. If you have a relationship with a consultant who does penetration testing and you specialize in compliance, you can receive overflow referrals. This takes time to develop, but it scales better than cold outreach.

Inbound from thought leadership. Conference talks, published writing, and consistent LinkedIn content generate inbound inquiries. This is not fast. A talk at a regional security conference does not produce clients the following week. Twelve to eighteen months of consistent output starts to produce inbound leads at a meaningful rate. The reason it works is trust transfer — someone reads three articles you wrote about implementing a SOC 2 program and concludes, before ever speaking with you, that you understand the problem they have.

Broker and staffing relationships. vCISO platform networks, boutique staffing firms that place fractional security executives, and advisory networks can surface clients you would never have found independently. The trade-off is margin — some platforms take 20 to 30 percent of the engagement value. For a consultant still building a pipeline, the margin cost is often worth paying to get early revenue and client references.

What does not work well: cold outreach to procurement departments, generic LinkedIn DMs to strangers, and listing yourself on freelance marketplaces without a specific niche and existing reviews. These approaches produce very low conversion at high time cost.

Rate Setting: The Math Most People Get Wrong

The instinct to set rates by comparing your hourly cost at an employer to market consulting rates produces a number that feels aggressive but is often insufficient. The correct starting point is not what your employer pays you — it is what you need to net after taxes and expenses to replace your total compensation, including benefits you currently take for granted.

A useful framework: start with your target annual net income. Add back federal and state taxes (as a self-employed individual, you owe both the employee and employer portions of self-employment tax, which is 15.3% on the first $168,600 of net earnings in 2025, reducing after that). Add business expenses — software subscriptions, professional liability insurance, health insurance premiums (if not covered through a spouse's plan), home office costs, travel, continuing education, and professional memberships. Add a buffer for unpaid time during gaps between engagements.

Then apply billing efficiency. A common error is assuming you will bill 240 days per year — roughly the number of working days in a year. Realistic billing efficiency for an independent consultant in years one through three is closer to 100 to 140 days. The remainder goes to business development, proposal writing, administration, professional development, and gaps between engagements. Even experienced consultants with full pipelines rarely sustain more than 180 billed days annually without hiring support staff.

Working backward: if you need $200,000 in net income, add $50,000 for taxes and expenses (conservative estimate), and divide by 120 billable days, you arrive at a required day rate of approximately $2,083, or roughly $260 per hour at an eight-hour day. A consultant who sets their rate at $150 per hour with optimistic billing assumptions will often net less than they did as an employee.

Market rates in 2026 vary significantly by specialization:

vCISO and fractional CISO services typically run $200 to $400 per hour for direct engagements, or $5,000 to $15,000 per month on retainer. The wide range reflects company size, complexity, and what the engagement actually covers. A 50-person startup paying $5,000 per month expects eight to twelve hours of availability and a security program built from scratch. A 500-person regulated company paying $12,000 per month expects strategic leadership, board reporting, vendor oversight, and incident response coordination.

Incident response retainers are priced at $300 to $500 per hour for active response work. Retainer arrangements — where a client pays a monthly fee for priority access and a set number of hours — commonly run $3,000 to $8,000 per month for SMB clients. The retainer model is valuable to both parties: the client gets guaranteed response time and pre-scoped pricing; the consultant gets predictable base revenue.

Compliance consulting (CMMC, SOC 2, ISO 27001 preparation, HIPAA gap assessments) typically runs $150 to $250 per hour for straightforward engagements. Project-based pricing for a full SOC 2 Type II readiness engagement commonly ranges from $25,000 to $75,000 depending on scope and current maturity. Assessors with formal certification command premium rates; commoditization at the low end of compliance work is real and ongoing.

Penetration testing and red team work is highly commoditized at the low end. Web application tests priced at $5,000 to $12,000 are common among mid-market firms. Full red team engagements for larger organizations run $50,000 to $150,000 and above. Independent penetration testers competing with large firms on price rarely win — the differentiation that sustains independent practice in this space is typically niche expertise (OT/ICS environments, specific cloud platforms, specific regulatory contexts) or strong relationships.

Contract and SOW Structure: Protecting Yourself in Writing

Most early consulting engagements are agreed on informal terms or poorly scoped statements of work. Scope creep is the primary reason consulting engagements become unprofitable.

Fixed-price versus time-and-materials is the first structural decision for each engagement. Fixed-price arrangements work well for clearly defined deliverables with defined inputs — a gap assessment against a specific framework, a penetration test of a defined scope, a policy documentation package. They work poorly for anything that depends on client responsiveness, organizational complexity that you cannot fully assess in advance, or work that requires iterative feedback.

Time-and-materials (T&M) is appropriate for ongoing advisory work, incident response, and any engagement where the scope genuinely cannot be defined in advance. The risk for the client is cost uncertainty; the risk for the consultant is that the client drags their feet and the engagement stalls at low hours.

A well-structured SOW includes: a precise description of deliverables, explicit exclusions (what is not included), client obligations and timeline dependencies, a change order process with defined triggers, payment terms (net-15 or net-30, not net-60), and late payment provisions. Retainer agreements should specify the number of hours included, what happens to unused hours at month end (forfeiture is standard — rollover is a liability), and escalation rates for work beyond the retainer scope.

Require a signed agreement before beginning any work. Verbal agreements and email confirmations are not adequate protection. The contract does not need to be elaborate, but it needs to exist.

Professional Liability Insurance: Non-Negotiable

Errors and omissions (E&O) insurance, also called professional liability insurance, covers claims arising from your professional advice and services. If a client suffers a breach after following your security recommendations and decides to hold you responsible, your E&O policy responds. Without it, you are personally liable up to the limits of your business entity's protection — which for a single-member LLC with limited assets may be inadequate.

E&O premiums for cybersecurity consultants vary by revenue, claims history, and coverage limits. A new practice with under $500,000 in annual revenue can typically obtain $1 million per occurrence / $2 million aggregate coverage for $3,000 to $6,000 annually. Higher revenue or higher-risk engagements (incident response, penetration testing) push premiums up.

Cyber liability insurance is a separate policy that covers your own business's exposure to data breaches — relevant if you handle client data, store sensitive assessment findings, or process any personally identifiable information. Annual premiums for small practices run $1,500 to $4,000 for reasonable coverage limits.

Many enterprise clients will require proof of E&O insurance before signing a contract. Some will specify minimum coverage limits ($1M or $2M per occurrence is common). If you are not insured, you cannot close those engagements.

The Feast-or-Famine Revenue Cycle

Independent consulting revenue is lumpy. A consultant who lands two large engagements in Q1 may find themselves with very little billable work in Q3, not because demand dried up, but because sales activity collapsed while they were heads-down delivering. This is the most common structural problem in small consulting practices.

The discipline required is counterintuitive: you must continue business development even when you are fully occupied. That means allocating time each week — even during busy periods — to maintaining relationships, following up on proposals, and publishing content that keeps you visible to potential clients.

The structural approaches that reduce volatility:

Monthly retainers over project work. A vCISO retainer at $8,000 per month is worth more to practice stability than a $30,000 project, even though the project pays more in a single transaction. Retainers create a base of recurring revenue that absorbs the gaps.

Staggered engagement end dates. If you have three active clients all on six-month engagements that started at the same time, they all end at the same time. Deliberately structuring engagements to end at different points in the year reduces the probability of simultaneous revenue gaps.

A minimum cash reserve. Standard advice is three to six months of operating expenses in a dedicated business account. Given the specific revenue patterns of consulting, six months is more appropriate. This reserve should be built before leaving employment, not assembled from early consulting revenue.

Business Entity Structure

Most independent consultants start as a single-member LLC. An LLC provides liability separation between business and personal assets, is straightforward to establish in most states ($50 to $500 in filing fees), and is taxed as a pass-through entity by default — income flows to your personal return and is subject to self-employment tax.

The S-Corporation election becomes financially meaningful at approximately $80,000 or more in net consulting income. The mechanics: an S-Corp allows you to pay yourself a reasonable salary (subject to payroll taxes) and take additional profit as a distribution (not subject to self-employment tax). The savings on the self-employment tax side can be significant — at $150,000 net income, the S-Corp structure might save $8,000 to $12,000 annually in self-employment taxes after accounting for the added administrative costs (payroll processing, potentially a business accountant or CPA).

The S-Corp election requires paying yourself a "reasonable compensation" — the IRS scrutinizes arrangements where the salary is artificially suppressed to minimize payroll taxes. A reasonable salary for a cybersecurity consultant at $150,000 in net income might be $80,000 to $100,000, with the remainder taken as distribution.

Work with a CPA who has experience with self-employed consultants before making the S-Corp election. The structure has ongoing compliance requirements — quarterly payroll taxes, separate business tax filing — that add cost and administrative overhead. At low income levels, the overhead exceeds the tax savings.

What Fractional CISO Work Actually Looks Like

The vCISO or fractional CISO model is the fastest-growing segment of independent security consulting. The demand driver is straightforward: many organizations need executive security leadership but cannot justify a full-time CISO at $300,000 to $500,000 total compensation. A fractional arrangement at $8,000 per month provides the function at a fraction of the cost.

A typical engagement covers: a security program assessment at the start, development or updating of security policies and procedures, vendor security review, employee security awareness oversight, board or executive reporting, incident response planning, and ongoing advisory availability to the engineering and IT teams. Compliance readiness — SOC 2, ISO 27001, CMMC — is commonly added scope.

Time commitment is not standardized, but a $6,000 to $8,000 per month retainer typically implies eight to fifteen hours of active work monthly, plus availability for urgent issues. A consultant managing four clients at these rates is billing roughly thirty to forty hours per month across the portfolio while earning $24,000 to $32,000 monthly. The challenge is that four active vCISO clients at eight to fifteen hours each, plus business development and administration, constitutes a full schedule.

The expectation gap that breaks these engagements: clients often expect executive-level availability — responses within hours, participation in leadership meetings, attendance at board presentations — without accounting for the fact that a fractional engagement is, by definition, a fraction of a person's time. Setting explicit service level expectations in the contract prevents most of these conflicts.

When Going Independent Makes Sense — and When It Does Not

Going independent is the right move when: you have a specific, demonstrable expertise that the market will pay for at a premium; you have an existing network of potential referral sources or clients; you have twelve months of personal expenses saved; you are genuinely comfortable with income variability; and you have tested demand before leaving employment (side work, speaking opportunities, inbound interest).

It is the wrong move when: you are leaving primarily because of frustration with your current employer rather than genuine demand pull; your network is internally focused (colleagues at current and former employers, rather than potential clients); your expertise is broad but not deep in any particularly valued area; or you need the stability of a salary to manage personal financial obligations.

The people who build durable independent practices almost always share one characteristic: they had clients, or a credible path to clients, before they left employment. The first client is the hardest. Getting it while still employed — even at reduced scope or lower rates — proves demand and eliminates the most dangerous element of the early months: the combination of no income and no proof of concept.

The honest picture is that the first year is harder than almost everyone expects, the second year is better, and by year three you either have a real business or you have learned enough to make an informed decision about whether to continue. The economics are favorable for consultants who solve specific problems for clients who have budget and motivation to pay for solutions. They are unfavorable for generalists competing on availability and price.
This article is provided for informational purposes only. Salary data and market conditions change; verify figures with current industry surveys before making career decisions.