Tell us about yourself and what you're working on.
Hi, I'm Louis Nyffenegger and I created PentesterLab. I'm originally from France, but I relocated to Australia 7 years ago.
PentesterLab is a learning platform that helps you learn web hacking/penetration testing. I started it almost 5 years ago as a paid platform and moved to a free platform after 6 months. In November 2015, I added a Pro version that is currently bringing in around $2k per month.
How'd you get started with PentesterLab?
I started PentesterLab after using Peepcode and realizing that something similar dedicated to web attacks would be great.
A lot of content was available on network attacks and binary exploitation, but I couldn't find any good content on web hacking. Furthermore, most of the content was hard to consume and inaccurate. I also was (and still am) convinced that you need hands-on training to learn this. You cannot just read and understand an attack, you need to reproduce it. This was 5 years ago.
After 6 months and only 2 customers, I decided to make everything free. Providing free content was great, and a lot of people learned a lot from it. But after a while, I wanted to be able to get a bit of reward for the time spent creating content and managing the platform. So I decided to keep the free content and to add Pro/Premium content: online exercises, videos, and a certificate of completion.
How'd you find the time and funding to build this?
PentesterLab is still a side project, and I still work full-time as a security engineer. The free content allowed me to get recognition and to land more and more exciting jobs.
During the week, I work a normal day. Then I spend time with the family. After that, I just start working on the site. During the weekend, I try to make sure that I spend at least 6 hours working on it, often early in the morning or late at night when the family is asleep.
How have you attracted users and grown your business?
I'm actually terrible at that. For example, I only tweet new content once, and I don't email people enough. Thankfully, the free content helps market the platform.
I recently added a way to buy access to the platform as a gift, and it's getting fairly popular. I'm also looking at how I can set up referrals. Enterprise sales are also something I've started doing more and more. It takes time but the payoff is worth it.
I tried Facebook, Reddit and AdWords, but I didn't get a lot of ROI from that.
I recently launched free meetup packs to help people running meetups. Organizers often struggle to find good content to talk about during these events. As I know a lot of people in this situation, I thought it would help them. The PentesterLab meetup pack provides an ISO, course, and slides to run a meetup. Unfortunately, it hasn't brought as much attention as I thought it would.
Releasing new free content is also a great way to get people. I haven't had time to do it, unfortunately.
What's the story behind your revenue?
My revenue can be split into three streams:
- Monthly subscribers at $19.99
- Yearly subscribers at $199.99
- Enterprise license on a yearly basis (US $240 per user per year)
Payments are processed with Stripe. It was a bit of a struggle with fraud at the start, but I've since found the right settings, and Stripe improved their detection as well.
I'm currently trying to get more enterprise customers on board, but I can't find a security team willing to advertise that they are using my platform (even by offering a huge discount). I managed to secure (no pun intended) some big clients, but I just can't talk about them. But even enterprise sales often only means less than ten licenses per client.
Another big thing for me was to join Stripe Atlas and get incorporated in the US. I've spent a good chunk of my time moving things around in the last few months.
As for my running costs, they're still low:
- Digital Ocean costs $120 per month
- Stripe fees cost 2.9% + 30 cents per charge
- AWS costs $600 per month, but it's free with credits from Stripe Atlas (I wouldn't use as much if it weren't free; I would only keep paying $70 per month to host and serve the ISO)
- SproutVideo for hosting videos costs $25 per month
- Fiverr and Upwork for banner design and Photoshop tasks
What are your goals for the future?
I would like to create more content, especially around Microsoft applications. The recent news around "Microsoft" containers with Docker makes me think it shouldn't be too far away.
I think I also need to get more enterprise clients. It's a real struggle for people running a pentesting team to keep their team on top of its game. The attacks are constantly evolving, and it's just so hard to keep up. I think PentesterLab is the right answer to this problem. I just need to get people to realize it.
Finally, lowering the barrier to entry. I have a free boot camp that I would like to improve as part of the paid offering.
If you had to start over, what would you do differently?
I think I would wait longer before making the content free and try to pivot instead. I should have been more patient.
Working on my own is hard as well, especially with a full-time job. More and more, I think that I need a co-founder that is good at what I suck at: business, marketing, front-end, video production, and a native English speaker. But after five years of working on my own, it's hard to give the required level of trust to someone. And being on my own forces me to get out of my comfort zone and learn about those things.
What are the biggest advantages that have helped you so far?
I think I have multiple things that helped me get here:
- An understanding wife.
- A lot of feedback from friends who are brilliant (marketing/code/security).
- A passion for security.
- Productivity. I couldn't make it if I weren't as productive.
The move to free content was definitely something that helped me succeed and get the name out. It's also most definitely a double-edged sword. When you start with free content, a lot of people expect you to keep producing free content.
What advice would you share with aspiring indie hackers?
Just ship it! I think that's the best way to get started. I wasted four years before I had something to sell (again). To give you an idea, putting together the initial content I sold access to only took me a month.
Where can we learn more?
The best place is on the website and Twitter @pentesterlab. For people who are getting started in security, make sure you check out the boot camp and some of our free exercises. Also, feel free to leave a comment below.