How to Build A Profitable Web3 Auditing Business | For Solo Auditors and Firms

Contrary to what most people think, smart contracts are not smart in themselves. Humans write them, and humans are imperfect; therefore, smart contracts often contain vulnerabilities.

There are tales of reputable protocols that hackers drained. Should I start with the story of The DAO hack? Or should I talk about the Euler Finance hack?

Numerous incidents of hacks threaten the prosperity of Web3.

This is where Web3 auditors and security researchers come in. They review smart contracts and protocols and detect vulnerabilities in time, so the team can fix them before they are exploited.

Within a short time, Web3 security has become a recognized business, much like general cybersecurity in Web2.

Spearbit DAO, one of the leading security firms in Web3, pays its junior researchers $3k weekly, and lead researchers take home no less than $20k weekly.

Yes, the Web3 security space is that lucrative. However, I must also be honest and clear: a large percentage of researchers don’t earn anything close to the above figures.

You can ask anywhere. So, how do you stand out and build a profitable audit firm or solo career?

I explain everything here.

Be Technically Sound

“You cannot build something on nothing and expect it to stand.”

– Justice Niki Tobi of blessed memory

To thrive in Web3 security, you must know your onions. As the founder, you have to be technical; you should know about security yourself, too.

Once a good number of your clients get hacked, you start getting bad PR in the industry and a reputation for incompetence.

The firms and auditors who lead the space are mostly those with no record of their clients getting hacked.

Now, how do you become technically sound in security?

Go take the Secureum Bootcamp, learn from Damn Vulnerable DeFi, and participate in CTFs. Of course, you should have learned languages like Solidity, Rust, Cairo, or any other that catches your fancy.

Apart from that, read audit reports. Don’t just read for the sake of reading; study the reports critically and learn how black hats think.

Everything I have mentioned above is good, but it is insufficient to make you a sound researcher. You need to start auditing.

Become a security researcher on Code4rena, CodeHawks, Sherlock, and Immunefi. Roll up your sleeves and get into audit contests; that will sharpen your skills and give you a public record of your ability.

Again, I emphasize being technically sound.

Before learning about the business side of things, you must be exceptionally good. Quality services, as I always say, are easier to sell.

Learn and Master Sales

The difference between profitable and not-too-profitable auditors is not necessarily skills. As a matter of fact, there are a lot of skilled auditors in the space.

If you want to build a business in the security space, you need to realize that tech is one thing, and business is another thing in its entirety.

Start to think like an entrepreneur.

For a moment, drop everything you know and start learning about marketing. Learn about the customer journey, conversion, and retention.

How do you brand and sell your service? What gives you an edge over other solo auditors or firms?

Do you know who your target audience should be and how you can talk to them?

As a founder, this is more of what you will do as time progresses.

Don’t delegate sales. You have to do it yourself. Get your first 10, and then your first 50, clients with whatever you have learned in sales.

I may write more about this in the future.

Get More Brilliant Auditors Onboard

Earlier, I told you to be exceptionally good at Web3 security. That still stands. But, with respect, it is sheer arrogance to think you are the best researcher in the world.

No, no. There are other exceptional people around. Look for them and make them an offer.

Having more brilliant people in your team will help you provide more bespoke audit services. Two good heads, they say, are always better than one.

Don’t pick based on familiarity or closeness when hiring people to join you. Check out the most promising security researchers in audit contests. Choose your team members on merit.

By the way, you do not have to look far when assembling brilliant people into your team. They are always around you.

When I kicked off my company, I realized some of my friends were exceptionally good, and I am now building with them.

So, while you are objective enough to look outside, don’t forget that Twitter bro you peer-audited with last time, when the two of you discovered critical vulnerabilities in a contract.

Put Structure Into The Business

I worked in a Web3 security firm earlier this year, and I enjoyed the structure of the business. It enhanced efficiency for everyone.

As the founder and leader, you must realize that you only need to focus on the most essential things for the company to move forward and present an impressive face.

Don’t be the only one managing payments, accounting, client communication, etc. You must entrust responsibilities to other members of the team as well.

Who will manage your social media? Who will attend events and represent the company? Who will always be available to hold discovery calls with clients?

How will you maintain relationships with clients post-audit? You need to answer these questions and put structures in place accordingly.

When that is fixed, you, as the founder, can decide to be the lead security researcher and catch any bug your teammates might have missed.

The goal of having a structure is to optimize for performance and efficiency.

Attend Web3 Events

I have heard many people say events are a total waste of time and that any serious developer or researcher should not bother attending them.

Those who hold this view are equally right and wrong in some contexts.

Know this: You should never jeopardize the primary purpose of your firm, which is excellent security research, by merely attending events.

I mean, your researchers should not get so busy with events that their security research skills become rusty or they no longer have enough time to deepen their technical knowledge.

With that said, events are a fantastic way to gain clients in the Web3 space. I can confirm this as a founder as well.

When you go to events, be open to speaking with anyone. Talk with people beyond work and even security. Feel free to chat; that is how you build friendships and relationships.

Don’t be too focused on finding a client at events; talk to everyone: developers, marketers, founders, or event organizers.

Are there some upcoming Web3 developer events around where you live? Attend and even sponsor if possible.

Build Products or Public Good

Don’t only review smart contracts and call it a day. Contribute to the ecosystem as a whole. How do you contribute?

One of the most incredible ways you can contribute is to build a product or public good.

Take Trail of Bits as a case study: they created Slither, Echidna, and their most recent.

Similarly, OpenZeppelin has released many open-source tools, especially for smart contract developers.

You should also do more of this.

Build tools to help projects secure their codebase. Build products to help researchers discover bugs faster. Think of more problems and solve them.

Furthermore, if you can build a product that will be so valuable that people won’t mind paying for it, go ahead and give it your best shot.

Technical Content Marketing is Your Superpower

I will ask you two questions and appreciate it if you could give honest answers.

  1. Can you name 5 security firms in Web3 that come to your mind?

  2. Can you mention 2 solo auditors that come to your mind?

I’ll answer you too.

This is my subjective answer to the first question, in no particular order: SpearbitDAO, Cyfrin, Trail of Bits, OpenZeppelin, and Hacken.

For the second question, Pashov and josephdara.eth come to mind.

How come? They push out security content and talk about their audit journey on the internet. That is content, which is a form of marketing.

Auditing is a business, so don’t keep silent about it. Share what you know with people. Projects will see your brilliance and work with you. That is how it works.

At this point, I must emphasize that not just any content will do. Potential clients will see you as a crappy auditor if you push out crappy content. I’m sorry to break it to you, but that is client psychology.

Recently, I wanted to know more about fuzzing with Foundry, and the content I saw on the blogs of some firms—respectfully speaking—only talks about fuzzing on the surface without even showing how to do it as a researcher.

Why am I saying this?

Push out technical content. Don’t dumb it down so that everyone can understand you. Remember that your audience is technical themselves. So go raw: explain, teach with code, reference past audit cases, and replicate hacks in real time.

This type of content will deliver value to your audience, impress them, and make them award security research contracts to you.

Partner with Blockchain Alpha to Build a Profitable Web3 Security Research Business

Cyfrin, a fast-rising audit company by Patrick Collins, is building a content university around Web3 security. Don’t be surprised that they are doing big numbers in revenue.

Investment in technical content will bring you greater visibility and more revenue. If you can do it for a quarter, you will see a remarkable increase in client conversion and revenue generation.

I have a marketing company of developers and auditors who write high-quality content. We can help you with result-driven technical content marketing.

Book a short 15-minute call with me.