Offers · 2026-05-21

Reorder your four offers. Lead with the one you can deliver today.

Offer Stack v2. A sharpened replacement for the 4-tier table in the business plan. Adds a free-finding lead-in, reorders so the strongest wedge leads, sets pricing-ladder triggers, and locks payment + ops standards.

The reorder (and why)

The current plan lists four tiers in this order: Pen-Test, Productized Audit, AI/LLM Review, Retainer. This buries the strongest commercial wedge at position 3.

Three reasons to re-rank:

AI/LLM Security Review is the only tier deliverable today. The methodology lives in the LLM cybersecurity thesis already finished. Productized audits and pen-tests both require Phase 2 to 4 of the curriculum (PortSwigger + PNPT). Leading with the offer that needs 20 weeks of training kills 5 months of revenue.
AI/LLM security is the rarest, highest-margin niche in web security right now. Almost no credible practitioners. The thesis is a defensible moat. Standard web pen-test is a crowded global market where Chiang Mai-based newcomers compete on price.
The accounting + business admin background converts in the AI niche, not the pen-test niche. SMB SaaS founders shipping AI features need someone who can translate model risk into board language. Pen-test buyers usually just want a PDF with severity ratings.

New order

Position	Tier	Status
Tier 0	Free Finding (entry hook)	Available now
Tier 1	AI/LLM Security Review	Lead offer, billable Week 4
Tier 2	Productized Web App Audit	Mid-funnel, available Wk 12+
Tier 3	Full Web App Pen-Test	Mature offer, available Wk 20+
Tier 4	Monthly Security Advisor Retainer	End-game, available Mo 4+

Plus add-ons sold attached to a tier, never standalone.

Tier 0

Free Finding (the entry offer)

The free-finding lead-in is mentioned in one line of the current plan. It is the single most leveraged commercial mechanism in the stack. Productizing it matters more than productizing any paid tier.

Field	Value
Price	$0
Time	5 to 10 minutes of recon, single specific vulnerability, sent over email or LinkedIn DM
Purpose	Outreach hook, qualifies buyer interest, converts dramatically better than a generic pitch (the plan asserts this; productize it so it's true)
Buyer profile	Same as Tier 1 and Tier 2. SMB SaaS founder, 5 to 50 employees, web app handling user data or payments
Deliverable	One short email or DM. One named vulnerability. One paragraph reproduction. One sentence on business impact. One closing line: "Want me to show you 4 more?"
Triggers upgrade to	Tier 1 if buyer responds positively and is shipping AI. Tier 2 if buyer responds positively and is not
Exclusions	No deep dive. No PDF. No follow-up if no reply. No more than 10 to 15 minutes total per prospect

What to look for in the 5 to 10 minute scan

Missing or misconfigured security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy)
Exposed admin panels at predictable paths (/admin, /wp-admin, /administrator, /dashboard)
AI features with no rate limit on the prompt endpoint
Chatbots that respond to obvious prompt injection in a single message
Public S3 buckets, exposed Firebase configs, leaked .env in JS bundles
Outdated framework versions visible in headers or source
Authentication endpoints with no lockout, no CAPTCHA, no MFA option
API keys, tokens, or internal URLs in front-end JavaScript

Outreach cadence

10 to 20 free findings per week (matches the plan)
Track reply rate, positive reply rate, conversion to Tier 1/2 in a simple sheet
After 30 sends, audit which finding types convert best, double down on those
After 50 sends, raise the price of the next tier by one increment (see pricing-ladder section)

Free-finding template (paste-ready)

Subject: Quick security note on [their product]

Hi [name],

Spent 10 minutes looking at [their domain] this morning. Noticed [specific finding, named precisely]. Quick reproduction: [1 to 2 sentence steps]. Risk if exploited: [business impact in 1 sentence].

Not a sales pitch. I run a small web app security consultancy and use free findings to introduce myself to founders shipping interesting products.

Happy to send the other 4 things I spotted if useful.

Sebastian

Tier 1 · Lead Offer

AI/LLM Security Review [billable Week 4]

This is the wedge. Built on the thesis already written. Sellable before any cert or PortSwigger badge is in hand.

Field	Value
Price	$1,500 launch. Raise to $2,500 after 3 sold. Raise to $3,500 after 6 sold.
Time	3 days fixed scope, calendar-time delivered in 1 calendar week
Buyer	SMB SaaS founder (5 to 50 employees) shipping an AI feature: chatbot, agent, RAG search, AI assistant, copilot, generative UI
Trigger	Pre-launch nerves about an AI feature, post-prompt-injection news cycle, Series A diligence question about AI risk, enterprise customer asking "is your AI safe", board-level concern after a competitor's incident
Scope	ONE AI feature on ONE production URL. OWASP LLM Top 10 assessment. Manual probing plus tool-assisted (Garak, PyRIT, custom prompts from the thesis). Includes prompt injection, data leakage, model denial of service, supply chain, training data poisoning where applicable, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, model theft
Deliverables	PDF report 15 to 25 pages: executive summary, scope statement, methodology, findings table (severity, exploitability, business impact), prioritized remediation steps, references. Plus a 1-hour remediation call within 2 weeks of report delivery
Exclusions	Infrastructure pen-test, mobile app testing, non-AI features on the same domain, source code review, fixes (review only, remediation guidance only)
Payment	50% on signing, 50% on report delivery. Stripe Invoicing or bank wire. Net-0. Late penalty 1.5% monthly.
Why deliverable Week 4	The thesis is the methodology. OWASP LLM Top 10 is already studied. No PNPT or PortSwigger badge required. Tooling (Burp Community + Python + Garak) already installed or one-day install.
Upgrade paths	To Tier 2 if buyer wants the rest of the web app covered. To Tier 4 if buyer ships AI features regularly and wants ongoing review. To add-on if buyer wants a re-test after fixes.

"3-day fixed-price AI/LLM security review of your launch-ready AI feature. OWASP LLM Top 10 methodology. Report in 72 hours plus a 1-hour remediation call."

Tier 2

Productized Web App Audit

Available from Week 12 (after Phase 2 PortSwigger Academy complete). The current plan's "Productized Audit" tier, sharpened with explicit scope and exclusions.

Field	Value
Price	$2,500 launch. $3,500 standard after 3 sold.
Time	3 to 5 days fixed scope, delivered in 1 to 2 calendar weeks
Buyer	SaaS team with a web app handling user data or payments. Pre-funding or pre-major-launch stage.
Trigger	Enterprise customer asking for SOC 2 or security review, compliance officer pressure, founder nerves before launch, breach scare at a competitor, insurance underwriter request
Scope	ONE production web app, 1 main domain. Manual testing across OWASP Web Top 10 plus authentication, authorization, session management, business logic flaws. Burp Suite assisted.
Deliverables	PDF report 25 to 40 pages: executive summary, scope statement, ~10 to 20 findings prioritized by severity, business impact framing for each, remediation steps, references. Plus a 1-hour debrief call.
Exclusions	Source code review, internal network, infrastructure or cloud config, mobile apps, AI-specific features (those are Tier 1 add-on), ongoing monitoring, the fixes themselves
Payment	50% on signing, 50% on report delivery. Net-0.
Available from	Week 12 (after PortSwigger Academy Phase 2)
Upgrade paths	To Tier 3 if buyer wants depth, sub-domain coverage, or API endpoints in scope. To Tier 4 if buyer wants quarterly re-audits. To add-on Tier 1 if the app ships AI features.

"Fixed-scope web app security audit. 3 to 5 days. Pen-tester eye, business-owner translation. Prioritized findings, clear remediation, 1-hour debrief."

Tier 3

Full Web App Pen-Test

The original plan's lead offer, repositioned as the mature/upsell tier. Highest ticket, longest engagement, requires PNPT cert plus a delivered portfolio. Available from Week 20.

Field	Value
Price	$5,000 launch (after PNPT cert and first 2 audits delivered), $8,000 standard, $12,000 deep
Time	5 to 15 days, delivered in 2 to 4 calendar weeks
Buyer	Funded SaaS (Seed or Series A+), regulated industry SaaS (fintech, healthtech, legaltech), pre-IPO companies, any company with a compliance-mandated annual pen-test
Trigger	Compliance audit window, breach scare, board-level security mandate, contract renewal with an enterprise customer that requires a recent pen-test
Scope	Full web app: main domain, sub-domains in scope, API endpoints, business logic, authentication and authorization flow, admin panels, session handling. Excludes infrastructure unless explicit add-on.
Deliverables	PDF report 40 to 80 pages: executive summary, methodology, full scope statement, findings with severity (CVSS), exploitation evidence, business impact, prioritized remediation roadmap, references. Plus 2 calls: kickoff and readout. Plus re-test of fixes within 30 days of report.
Exclusions	Source code review (separate engagement), internal network, cloud config audit, mobile, social engineering, physical security, DDoS testing
Payment	30% on signing, 30% on testing kickoff, 40% on report delivery. Net-7.
Available from	Week 20 (after PNPT cert)
Upgrade path	To Tier 4 retainer for continuous security program.

"Full web app penetration test. 1 to 3 weeks. Built for SaaS pre-compliance, post-incident, or pre-enterprise-contract. Re-test of fixes included."

Tier 4

Monthly Security Advisor Retainer

End-game. The plan targets this by Month 9. Available from Month 4 if a Tier 1/2/3 client converts into ongoing engagement.

Field	Value
Price	$1,500/mo (junior tier), $2,500/mo (standard), $4,000/mo (premium with quarterly re-audit)
Buyer	Funded SaaS with 5+ engineers, shipping weekly, no internal security headcount, AI features shipping regularly
Trigger	Post-incident (breach, near-miss, customer complaint), growth stage where breach risk grows faster than headcount, compliance certification in progress (SOC 2, ISO 27001), insurance underwriter asking for security oversight evidence
Scope	Monthly office hours (4 hours), weekly Slack or Discord channel access (24 to 48 hour response), quarterly mini-audit (1 day scope, severity-only findings list), threat advisory when relevant CVEs land, review of new features before launch (up to 2 per month at standard tier, unlimited at premium)
Deliverables	Month-end summary email, ad-hoc advisories, quarterly mini-audit findings list, Slack/Discord transcript
Exclusions	Incident response (separate engagement, hourly), legal advice, compliance audit certification (refer out to SOC 2 auditor), implementation of fixes (review and guide only)
Payment	Monthly on the 1st via Stripe Billing or bank wire. 3-month minimum commitment. 30-day notice to cancel after minimum.
Available from	Month 4 (after first 2 to 3 audits delivered; retainer is best sold as upsell from a one-off engagement, not as cold offer)

"Your fractional security advisor. Monthly retainer. Office hours, weekly chat access, quarterly mini-audit, launch reviews."

Add-on offers (sell as upsells, not standalone)

Add-on	Price	Sold with
AI/LLM Review attached to a Tier 2 or Tier 3 engagement	+$1,500	Tier 2 or Tier 3
Re-test (verify fixes) for prior client	$750 to $1,500 depending on original tier	Any prior tier
1-hour security advisory call (use sparingly, retainer converts better)	$250	Standalone, but pitch retainer first
Sub-domain or additional API endpoint added to in-scope Tier 3	+$1,000 per	Tier 3
Rush delivery (48 hours for Tier 1, 7 days for Tier 2)	+50% of tier price	Tier 1 or Tier 2

What NOT to offer

Saying no to the wrong work is more valuable than saying yes to the right work. The accounting background is an asset here; it fights the freelancer instinct to take any paying engagement.

Offer	Why not
Hourly pricing	Devalues senior judgment. Buyers price-shop the rate, not the outcome. Fixed scope wins every time.
Free pen-tests "to build portfolio"	Use Juice Shop, DVWA, Hack The Box, HackerOne public programs for portfolio. Never give real client work away.
DDoS testing	Different skill, different liability, different tooling, different legal exposure
Social engineering or phishing campaigns	Adjacent niche, different methodology, different insurance requirement
Physical penetration testing	Not the niche, not the methodology, not the geography (Chiang Mai-based)
Mobile app pen-test	Different OWASP guide (MASVS), different tooling, study separately if pursued at all
SOC 2, ISO 27001, GDPR compliance certification	Sebastian is a security tester, not an auditor. Refer to a partner firm and take a referral fee.
Source code review as a primary offer	Adjacent skill, separate engagement type. Mention as available add-on if buyer asks, do not lead with it.
Friend-of-friend referral discounts	Devalues the price. Offer faster delivery slot or a small add-on instead.
"Discovery call" for free that turns into 90 minutes of free consulting	Cap discovery at 30 minutes. After that, it is a paid advisory call ($250) or a proposal.
Retainer to a client who has not done a one-off engagement first	Retainer trust is built on the back of a delivered audit, not a cold pitch.
Long-term exclusivity clauses	Limits future business with same-vertical clients. Always carve out non-exclusive language.

Pricing-ladder logic (when to raise)

The plan gives price ranges but no triggers for moving up the ladder. Without triggers, prices stay at launch level forever.

Trigger	Action
3 of any tier sold at price X	Raise that tier 20 to 30% on the next quote
Waitlist forms (2+ buyers want next available slot)	Raise 30%, push next slot out 2 weeks
80%+ close rate on Tier 1 proposals	Stop discounting, raise to next standard price
50% close rate on Tier 2 proposals	Pricing is correct, hold and refine positioning
Under 30% close rate on any tier	Pricing is not the bug. Scope or positioning is. Investigate before discounting.
6 Tier 1 reviews delivered	Productize a Tier 1a "Express Review" at $750 (1 day, headline findings only) as a downsell
First Tier 2 sold	Raise Tier 1 to $2,500 (Tier 1 should always be cheaper than Tier 2)
First Tier 3 sold	Raise Tier 2 floor to $3,500
3 referrals from a single client	That client gets +1 free retest annually. Do not discount their retainer.
Buyer asks "do you offer a discount" before scope is agreed	Hold price, offer to remove scope instead. Discounting before scope-lock signals weak positioning.

Geographic arbitrage rule

Price for US/EU client value, not Chiang Mai cost-of-living. A $3,500 audit in NYC is the same $3,500 audit in Chiang Mai. The buyer pays for the report and the risk reduction, not for the consultant's rent.

EUR pricing for German-speaking clients: convert at the prevailing rate plus 5% (covers FX risk and Stripe FX fees). Round up to the nearest 100 EUR. Always invoice in the client's preferred currency, never force them to convert.

Payment + ops standards

All contracts include the following standard clauses. Draft the master template once, reuse for every engagement.

Payment terms

Tier 1: 50% on signing, 50% on report delivery, Net-0
Tier 2: 50% on signing, 50% on report delivery, Net-0
Tier 3: 30% on signing, 30% on testing kickoff, 40% on report delivery, Net-7
Tier 4: monthly on the 1st, 3-month minimum
Late payment penalty: 1.5% monthly compounding
All quotes valid for 30 days from issue

Currency

USD as default for US clients, all Asia-Pacific, all undecided
EUR for German-speaking clients (DACH region) if requested
Never invoice in THB (Thailand) to a non-Thai client
Never accept crypto unless client has paid in fiat first

Invoicing entity

Decision required: Stripe Atlas Delaware LLC OR German Einzelunternehmen OR Thai BOI smart visa entity
Flag in profile.md as open question. Recommend Stripe Atlas LLC for US client invoicing speed and limited liability exposure. German Einzelunternehmen is the cheapest setup but exposes personal assets.

Contract standards (every engagement)

Master Service Agreement (MSA) signed once per client, covers all future engagements
Statement of Work (SOW) signed per engagement, references the MSA
Mutual NDA: included in MSA, not a separate document
Liability cap: equal to fees paid under that engagement
Cyber liability disclosure: state coverage limit in MSA
Right-to-test authorization: explicit, signed, scope-bounded, before any testing begins
Re-test clause: 30 days post-report for verifying fixes, included in price for Tier 3, billable for Tier 1/2

Cyber liability insurance

Must be in place BEFORE first paid engagement, not from Month 5 as the current plan says
Hiscox or Embroker, ~$60/mo for $1M coverage
If Month 1 sale happens (likely given the Tier 1 wedge), insurance must already be active
This is a hard pre-flight gate, not a "later" item

Tooling for ops

Stripe for invoicing and payments
DocuSign or HelloSign for contracts
1Password for client credentials when testing
Notion or simple sheet for pipeline tracking
Encrypted email (ProtonMail already in use) for report delivery
Signal or Wire for sensitive client comms during active engagement

Two-line elevator pitch per tier (for LinkedIn, email, calls)

Use these as opener lines in cold email, LinkedIn DMs, intro calls. Memorize and adapt.

Tier 1: "3-day fixed-price AI/LLM security review of your launch-ready AI feature. OWASP LLM Top 10. Report in 72 hours plus a 1-hour remediation call."
Tier 2: "Fixed-scope web app security audit. 3 to 5 days. Pen-tester eye, business-owner translation. Prioritized findings, clear remediation."
Tier 3: "Full web app penetration test. 1 to 3 weeks. Built for SaaS pre-compliance, post-incident, or pre-enterprise-contract. Re-test of fixes included."
Tier 4: "Your fractional security advisor. Monthly retainer. Office hours, weekly chat access, quarterly mini-audit, launch reviews."

How the tiers stack into a 12-month revenue ladder

A worked example showing how the reorder compresses revenue from Week 20 to Week 4.

Month	Tier activity	Realistic revenue
Mo 1 (Wk 1 to 4)	Tier 0 outreach (40+ free findings), first Tier 1 sold at $1,500	$0 to $1,500
Mo 2 (Wk 5 to 8)	2 to 3 more Tier 1 reviews at $1,500 to $2,500, free findings continue	$3,000 to $5,000
Mo 3 (Wk 9 to 12)	Tier 1 raised to $2,500, first Tier 2 sold at $2,500	$5,000 to $7,500
Mo 4 (Wk 13 to 16)	Tier 1 at $2,500, Tier 2 at $2,500 to $3,500, first retainer signed at $1,500/mo	$5,000 to $8,000
Mo 5 (Wk 17 to 20)	PNPT passed. Mix of Tier 1, 2, retainers continuing	$5,000 to $8,000
Mo 6 (Wk 21 to 24)	First Tier 3 signed at $5,000 to $8,000, retainers at 2 to 3 clients	$7,000 to $12,000
Mo 7 to 12	Steady mix of Tier 1, 2, 3, retainers. Target $4,000 to $8,000/mo achieved by Mo 7	$4,000 to $10,000/mo

The plan's Mo 7 to 12 target of $4,000 to $8,000/mo is achievable. The reorder pulls the first revenue from Week 20 to 26 to Week 4 to 8.

What goes on the portfolio site

Sebastian's website (tagwercher.io or .com, pending domain decision) needs these pages to support the tier stack. None of them require completing the curriculum first.

Page	Content	Built by
Home	Hero with Tier 1 elevator pitch, 3 logos (placeholder until first 3 clients), 3-line bio	Wk 1
Services	All 4 tiers laid out with price ranges and timelines, link to "Request a quote"	Wk 1
Sample report	Sanitized AI/LLM review report on a fake target (Juice Shop with an AI feature added)	Wk 2 to 3
About	Bio, thesis link, photo, 2-line credibility statement	Wk 1
Free finding form	Email capture: "Drop your URL and I'll send 1 free security finding within 48 hours"	Wk 2
Blog	First 3 posts: OWASP LLM Top 10 explained, "Why your AI chatbot is leaking your prompts", "5 things every SaaS founder should ship before launching an AI feature"	Wk 2 to 4
Contact	Calendar booking (Cal.com or SavvyCal) for 30-min intro calls, ProtonMail address	Wk 1

What done looks like

Sebastian reviews this document and confirms or pushes back on the reorder
Tier 1 priced and listed on the portfolio site by Wk 1
Free finding template lives in his outreach tooling by Wk 1
Master Service Agreement template drafted before Tier 1 outreach goes live
Cyber liability insurance bound before first paid engagement
First 10 Tier 0 free findings sent within 2 weeks of plan approval
Pricing-ladder triggers tracked in a sheet from Sale #1 onwards
First Tier 1 review delivered by Wk 6 at the latest