Where you are today, what you have, what you do not.
Sebastian Tagwercher, web application security consultancy. Friend-tier lead. Snapshot of the position, the plan he wrote, and the gaps this package closes.
Sebastian is transitioning from corporate tax accounting plus a master's in Information Systems into offensive web application security as a solo consultant. He met Donal at a Chiang Mai co-working space on 2026-05-20 and emailed his curriculum plus business plan the next morning, with an open invitation to critique.
This is a friend-tier, no-charge advisory engagement. Output lives in knowledge/leads/sebastian-tagwercher/ and at tagwercher-orb.pages.dev. Nothing moves into knowledge/clients/. No commercial expectation either way.
Snapshot
| Field | Value |
|---|---|
| Name | Sebastian Tagwercher |
| Location | Chiang Mai, Thailand |
| Origin | German-speaking (Proton Mail signature in German, native German market) |
| Business name | Tagwercher (solo consultancy) |
| Domain | tagwercher.io (business plan) / tagwercher.com (curriculum). INCONSISTENT, ask which is owned. |
| Operating entity | [INSERT: legal entity, jurisdiction] |
| Tax residency | [INSERT: tax residency for invoicing] |
| Currency for invoicing | [INSERT: USD / EUR / preference] |
| Plan start | May 2026 (now) |
| Current MRR | $0 |
| Target MRR (Mo. 7 to 12) | $4K to $8K |
| Budget over next 6 mo | ~$950 |
| Runway | 12+ months from savings + stock portfolio buffer |
| Time-to-first-paid (his plan) | Week 20 to 26 |
| Languages | German (native), English (fluent), [INSERT: others?] |
| Tech | Feb 2026 MacBook Pro, Burp Suite Community installed, Firefox with proxy configured |
| Open to recommendations | Yes. Asked Donal "feel free to reach out with suggestions". |
Background
Master's degree in Information Systems with thesis on LLM cybersecurity. Bachelor's degree in Business Administration. Multiple years of corporate tax accounting experience.
Currently transitioning into offensive web application security as a solo consultant. Has built a comprehensive 26-week self-study curriculum (29 pages, well-structured) and a 1-page business plan. Both delivered to Donal 2026-05-21.
The combination of LLM thesis + accounting + business admin makes him unusually well-positioned for the AI/LLM security niche selling to SMB SaaS founders, who need someone who can speak both engineering and P&L. Almost no credible practitioners in this lane.
What he has articulated (in the plan he sent)
Offer stack (4 tiers, his order)
| Offer | Price | Scope |
|---|---|---|
| Web App Pen-Test | $3.5K to $12K | 5 to 15 day full assessment |
| Productized Audit | $1.5K to $3.5K | Fixed-scope, 3 to 5 days, prioritized report |
| AI/LLM Security Review | $3.5K | OWASP LLM Top 10 assessment + remediation |
| Monthly Retainer | $1.5K to $4K/mo | Ongoing security advisor (goal by Mo. 9) |
Revenue prioritization (his order): Productized audits first, then Pen-test contracts, then Bug bounty.
Go-to-market (his plan)
- Cold outreach 10 to 20 founders per week with free-finding lead-in
- LinkedIn weekly write-ups leveraging LLM thesis
- Portfolio site at tagwercher.com with downloadable sample report by Week 20
- Community: r/SaaS, IndieHackers, OWASP chapter, Chiang Mai nomad events
- Warm: IS master's alumni + prior business contacts
Target buyer: SMB SaaS founders (5 to 50 employees) with web apps handling user data or payments. Fintech/tax-adjacent and AI-powered products prioritized.
Geography: US, EU, German-speaking. Served remotely from Chiang Mai (cost of living ~25% of the clients' = geographic arbitrage).
26-week milestones
- Wk 1 to 4: Foundations (HTTP, Linux, Python, Burp)
- Wk 5 to 10: PortSwigger Academy (all 200+ labs)
- Wk 11 to 15: Methodology, recon, first mock report
- Wk 16 to 20: PNPT cert, website live, sample report published
- Wk 21 to 26: Bug bounty + outreach + first paid engagement
- Mo. 7 to 12: Scale to $4K to $8K/month
What he has NOT articulated (the gaps we close)
- The AI/LLM Security Review is treated as offer #3 but is actually his strongest wedge. It is the only one of his four offers he can deliver TODAY (his thesis is the methodology). Productized audits and pen-tests require Phase 2 to 4 skill build. He has buried his unfair advantage at position 3 of 4. This is the package's central insight.
- No revenue path before Week 20. His plan assumes he must complete PortSwigger + PNPT before invoicing. False. OWASP LLM Top 10 reviews need none of those. He can be billable Week 4.
- Free-finding methodology is a one-liner, not a system. Plan says "lead with a free finding" but no template, no script, no scope, no qualification gate. This is the highest-leverage commercial system he needs.
- No sample report. His plan says "sample report by Week 20". A sanitized sample report can be written Week 1 from his thesis + a fake target. Single most important sales asset.
- LinkedIn rhythm undefined. "Weekly write-ups" with no calendar, no post types, no hook structure.
- No contracts pack. SOW / MSA / NDA / payment terms / liability disclaimers all undrafted. He needs these before the first paid engagement, not at Week 22.
- Domain inconsistency (tagwercher.io vs tagwercher.com) and no decision on portfolio site stack.
- No partner / co-founder. Solo. Different from Jacques. Lower coordination cost, but also no division of labor between sales and delivery.
- No cyber liability insurance. Plan mentions it from Month 5 onward (~$60/mo). Should ideally be in place BEFORE first paid engagement, not after.
- No pricing-ladder logic. Fixed ranges given, no triggers for raising prices. Geographic arbitrage is a one-way street if he prices for Chiang Mai cost-of-living. He should price for US/EU client value.
Tech readiness (today, from his curriculum doc)
| System | Status |
|---|---|
| MacBook Pro (Feb 2026) | Ready |
| Burp Suite Community | Installed |
| Firefox + FoxyProxy + dev tools | Set up |
| Kali VM | Not yet (VMware Fusion or UTM recommended in his plan) |
| Native macOS tools (nmap, ffuf, sqlmap, nuclei) | Not yet |
| Python tooling (requests, BeautifulSoup, async) | Not yet |
| TryHackMe Premium / HackTheBox VIP | Planned ($84 + $96 for 6 months) |
| PortSwigger Web Security Academy | Free, planned heavy use Wk 5 to 10 |
| PNPT certification | Planned Wk 18 to 20 ($499) |
| Domain + email + website | Planned Wk 1 ($60/yr) |
| Cyber liability insurance | Planned from Month ~5 (~$60/mo via Hiscox/Embroker) |
| Mullvad VPN | Planned ($5/mo) |
Self-assessed skill position (from his curriculum)
"Your starting position is unusually strong for someone breaking into offensive security."
His framing of strengths
- LLM cybersecurity thesis (rare, premium niche)
- Business admin + tax accounting (rare commercial fluency for security)
- 12+ month runway + stock buffer (no pressure to take bad first engagements)
- Geographic arbitrage (Chiang Mai cost base)
- Burp installed, Firefox proxy ready
His framing of gaps (implicit in curriculum)
- No public portfolio yet
- No certifications yet (PNPT in progress)
- No client work yet
- No paid bug bounty payouts yet
Commercial realities
- Cost of living arbitrage: ~25% of US client cost base. This should show up as premium margins, not as aggressive pricing.
- No employees, no overhead beyond tools + insurance. ~$1,000 to $1,500 of fixed cost per year.
- Tax accounting background: can handle his own books, invoicing, contracts language without outsourcing.
- German-speaking edge: opens DACH market (Germany, Austria, Switzerland) where AI/LLM security awareness is rising and English-only consultants face friction.
What he asked for
Email of 2026-05-21:
"I enjoyed very much talking to you yesterday, you seem like an experienced guy who knows what he's doing. Attached you can find the curriculum I'm working through (I'm still very much at the beginning) and also a business plan I drafted. Feel free to reach out with any suggestions for improvements/adaptions."
Open invitation to critique + suggest improvements. Friend-tier, no commercial expectation. Donal's intent: ship a high-leverage package as a co-working-community goodwill investment.
How this package frames the engagement
This is NOT a paid engagement. Donal is NOT delivering pen-testing or AI security work FOR Sebastian. The package is:
- A critique + sharpening of the plan he wrote (council methodology)
- A revenue-compression argument (Week 4 vs Week 20) with the supporting offer + ops kit to make it real
- A starter operational kit (sales scripts, LinkedIn rhythm, sample report, contracts) so he doesn't build from zero
- A deployed portfolio surface at tagwercher-orb.pages.dev he can share when introducing himself