Strategy · 2026-05-21

Compress 26 weeks to 8. Run learning and selling in parallel.

A read-through of your business plan and curriculum, the four strategic angles considered, and the synthesis that pulls first paid engagement from Week 22 to Week 4.

Friend-tier review, no charge. Source docs: profile.md, source-business-plan.txt (1pg), source-curriculum.txt (29pg). Read time: 12 minutes. Decision asked of you: keep your plan as written, or adopt the synthesis below.

TL;DR (the one insight)

Your plan is a good textbook. The bug is structural: you buried your unfair advantage (AI/LLM Security Review) at offer position #3 of 4, and your timeline assumes you must complete 20+ weeks of skill-build before invoicing. Both are wrong.

The insight

The AI/LLM Security Review is billable in Week 4 because your thesis IS the methodology, OWASP LLM Top 10 is a finite checklist (not a 200-lab curriculum), and the buyer pool for it has essentially zero credible competitors right now.

Lead with it. Compress 26 weeks of waiting into 8 weeks of revenue while the curriculum continues in parallel. Web app pen-testing becomes the Phase-2 upsell from clients you already have, not the thing you spend half a year preparing to sell to strangers.

The 4 strategic angles considered

Before recommending a path, I worked through the four obvious framings of your plan. Each has merit. Each fails alone. The synthesis at the end picks the best of all four.

Angle 1

Speed to revenue (compress 26 weeks to 8)

Frame. Treat the 20-week wait before invoicing as the single biggest design flaw. Money in Week 4, not Week 22.

What changes. AI/LLM Security Review goes live as the lead offer in Week 1, not as offer #3 in Week 20. First 2-3 paid reviews shipped by Week 10. Curriculum continues in parallel, not as a prerequisite. PortSwigger, PNPT, web app pen-testing all happen, just not as a blocker on revenue.

What is gained. Roughly 16 weeks of cashflow. A real client testimonial by Week 8 instead of Week 28. A live portfolio of 2-3 sanitized LLM reviews by Week 12. Pricing discovery in the actual market 4 months earlier.

What is risked. You sell before "feeling ready", which is a feeling problem, not a competence problem. Your thesis already covers OWASP LLM Top 10 categories. Soft risk that a poorly-scoped LLM review damages reputation, mitigated by tight scoping and the 50/50 payment structure already in your contracts plan.

Why it works. OWASP LLM Top 10 is 10 categories. Your thesis is roughly 80-120 pages on this exact topic. The gap between "thesis-author" and "person who can audit a client chatbot against the same framework" is a sample report, a scoping call template, and a written methodology, 2 weekends of work, not 20 weeks.

Why it could fail. If you genuinely cannot deliver a competent LLM review today, this collapses. The fix is a single 5-day scope on a fake target (Acme AI) to prove to yourself you can. If that works, the angle is live. If it does not, fall back to Angle 3.

Angle 2

Niche-pure (AI/LLM security only)

Frame. Drop generic web app pen-testing entirely. Position yourself as "the AI security guy SMB SaaS founders call before launch." One offer, one buyer, one message.

What changes. Forget pen-testing as a primary revenue stream. The 26-week curriculum compresses to a 12-week deep specialisation in LLM/AI security (your thesis plus current MITRE ATLAS, NIST AI RMF, OWASP LLM Top 10 2025, Anthropic and OpenAI red-team research, recent prompt-injection CVEs). Web app skills are kept only to the level needed to test the surface around LLM features.

What is gained. Sharper positioning. Easier sales conversations. Higher ticket per project ($3.5k to $6k productized) because the buyer is paying for scarce expertise. Stronger inbound from LinkedIn and conference talks because the message is concrete.

What is risked. Smaller TAM. You leave $4k to $8k generic web pen-tests on the table. Harder to scale beyond one person because your edge is non-transferable. If LLM market hype cools mid-2027, you have less of a fallback than a generalist would.

Why it works. Specialists charge more and close faster than generalists. Your master's thesis is unfair advantage as long as you are visibly the LLM security person, not the web security person who also does some LLM work.

Why it could fail. Bets the next 12 months on AI-features-in-SaaS continuing to grow. Probably right, but if it slows, your TAM shrinks faster than a generalist's. Some of your warmest contacts (German SMBs, tax/accounting SaaS) are NOT LLM-first, you would be turning down good fits that are wrong for this pure niche.

Angle 3

Productized-audit-first (your original plan, slightly faster)

Frame. Keep your original plan structure. Lead with the $1.5k to $3.5k 3-day audit. Pen-tests upsell from audits. AI/LLM stays at position 3. Just pull the first sale forward to Week 12 instead of Week 21.

What changes. Not much. You skip the PNPT cert until after first revenue. You publish the sample report in Week 6 instead of Week 20. You start outreach in Week 8 instead of Week 21. Otherwise your plan is intact.

What is gained. Lowest cognitive switch from your current plan. You would say yes to this without much restructuring. Roughly 9 to 10 weeks faster to first revenue. Web app audit is a more familiar SMB purchase than "AI security review" so the sales conversation is shorter.

What is risked. You do not actually leverage your thesis edge. You blend into the generic pool of "freelance web security consultants" where you are competing on price, certifications, and proof-of-work portfolios you do not yet have. PortSwigger, PNPT, sample-report-on-Juice-Shop are all great inputs but they do not make you stand out. They make you table stakes.

Why it works. Closest to what you already believe and have planned. Low coordination cost between your head and your calendar. Productized audits are a real SMB buying motion. Founders click, scope, pay.

Why it could fail. Your differentiator (LLM thesis + business fluency) is buried inside a generic offering. You will be selling against people who have 5 years more web app experience than you. Pricing will be a fight. Inbound will be weak because the message is not memorable.

Angle 4

Portfolio-inbound (LinkedIn first)

Frame. Spend the first 90 days writing LLM attack write-ups on LinkedIn and a personal blog. Thesis becomes a 12-post series. Public proof attracts inbound. No outbound until you have 20+ posts shipped.

What changes. First 12 weeks are content production. Daily LinkedIn cadence. Weekly long-form blog. CFP submissions to BSides, OWASP chapters, AI Engineer World's Fair, virtual AI safety meetups. Curriculum continues but at 50% intensity. First paid engagement waits until inbound starts (Week 14-18 estimated, conservative).

What is gained. Compounding asset. Every post lives forever and attracts leads for years. No cold-outreach pain. Strong positioning effect: by the time you DO take an engagement, the client found you, not the reverse. That changes the entire negotiation.

What is risked. Slow revenue. LinkedIn algorithm is unreliable. Requires patience and consistent output even when no one engages for weeks 1-6. You may hit Week 12 with zero leads and have to fall back to outbound anyway, but now 12 weeks late.

Why it works. Public proof is your curriculum's stated principle #2. Your background is unusually content-worthy: thesis + accountant + nomad consultant is a story. The combination of niche (LLM security) + scarcity (few practitioners) + voice (your business background gives a different angle than the typical hacker post) is high signal.

Why it could fail. Pure inbound takes 6 to 12 months to compound, not 12 weeks. The first 30 posts often get 50 views each. If you do not pair this with at least light outbound, you spend a quarter building an audience and zero clients.

Synthesis: the recommended path

The hybrid

Speed + Niche, with Portfolio in parallel. Lead with Angle 1's timeline. Take Angle 2's niche positioning. Run Angle 4's content engine in the background from Day 1. Keep Angle 3's productized audit as the Phase-2 upsell, not the Phase-1 wedge.

This is not a hedge. It is a specific sequence: lead with the highest-leverage offer (LLM Review), use content to compound credibility, upsell pen-testing only to clients you already have.

Week-by-week

Week 1 (this week)

AI/LLM Security Review offer page live at tagwercher.com (or .io, pick one this week, see Open Questions).
Sample sanitized report drafted using a fake target ("Acme AI - SaaS Customer Support Chatbot"). 8 to 12 pages. Real OWASP LLM Top 10 categories scored, 3 to 4 realistic findings, remediation language you can defend on a call.
LinkedIn profile rewritten: headline = "AI/LLM Security Reviews for SaaS Founders" or similar. About section = thesis + business background + offer. Featured section = link to offer page.
First outreach list built: 50 AI-feature SMB SaaS startups. Sources: Product Hunt last 90 days filtered "AI", IndieHackers AI tag, AI Engineer Summit attendee list if findable, ProductHunt AI Top 100.
Domain consistency fixed (tagwercher.io vs tagwercher.com, just choose).

Week 2 to 3

First 20 free-finding emails sent. Each email mentions a specific weakness you found on their public AI feature in under 10 minutes of testing (prompt injection vector, output handling gap, rate-limiting absence, exposed system prompt).
LinkedIn posts 2 to 3 per week. Mix: a thesis insight, a recent LLM CVE breakdown, a "what I look for in a 30-min audit" tactical post.
Domain registered (whichever you chose), Google Workspace or ProtonMail set up, simple Astro or Carrd portfolio site v1 published (sample report download, offer description, contact form).
Curriculum Phase 1 (Wk 1-4 in your plan) continues in parallel at 4 to 5 hours/day instead of 6 to 8. Foundation work is real but not blocking revenue.

Week 4

First paid AI/LLM Security Review signed. Realistic range: $1.5k to $2.5k for the first one (case-study pricing, your plan correctly identifies this).
Curriculum Phase 1 complete on schedule.
5 to 7 LinkedIn posts shipped. First 1 to 2 should be getting engagement (50 to 200 impressions, a few comments).
Outreach volume increased to 15 to 20 per week now that you have momentum.

Week 5 to 10

2 to 3 more LLM reviews delivered. Pricing pushed from $1.5k to $2.5k after the 3rd sale, then $3.5k after the 6th.
PortSwigger Academy ploughed in parallel (your Phase 2). You will not finish all 200+ labs in 6 weeks at 4 hours/day, that is fine, do the highest-relevance topics first (auth, access control, business logic, web LLM attacks, API testing). The rest can be Phase-2 backfill.
Sample report library grows: one sanitized real report (with client permission) replaces the Acme AI fake by Week 8 to 10.
LinkedIn cadence consistent: 2 to 3 posts/week, one long-form per fortnight.
Insurance in place by Week 6 BEFORE the second engagement, not after.

Week 11 to 15

First productized web app audit upsold from an existing LLM-review client. Pitch: "I noticed during the AI review that your authentication flow has [issue]. Want me to do a full web app audit next month? $3,500 fixed, 5 days." This is a much warmer sale than cold outbound to strangers.
Methodology document and recon pipeline built (your original Phase 3). Now informed by 4 to 5 real client engagements, not just lab work.
Public methodology published on blog/GitHub. Counts as portfolio.
First $3,500 audit delivered.

Week 16 to 20

PNPT taken (or scheduled). At this point you have 5 to 6 paid engagements behind you, so the cert is a credential layered on top of proof-of-work, not the gate for proof-of-work.
First $5k+ pen-test from a referral or repeat client.
Retainer offer floated to month-3+ clients: "$2k/mo for ongoing security advisor, includes one mini-review per quarter, slack access, code-review on request."
30+ LinkedIn posts shipped. First inbound lead from content (typical pattern: happens around post 25 to 40).

Week 21 to 26

Compound. Outbound becomes optional because inbound + referrals carry pipeline.
Target end of Mo 6 = $4k MRR (your original Mo 7 target, hit one month early).
Retainer commitments from 2 clients = baseline revenue floor.
Pricing: AI/LLM Review = $3.5k to $5k. Web app audit = $3.5k to $5k. Pen-test = $6k to $10k. Retainer = $2k to $3k/mo.

Month 7 to 12

Original $4k to $8k/mo target met or exceeded.
AI/LLM Review becomes flagship offer, generic pen-testing becomes secondary.
Conference CFP accepted (BSides, OWASP, AI Engineer event). Speaking = 6 months of inbound.
Consideration of: hiring one delivery contractor, or doubling rates and staying solo. Your call.

What this assumes

You are willing to sell before "feeling ready." Your ROI on year 1 is materially higher if you sell in Week 4 versus Week 22. The skill needed for the LLM Review (OWASP LLM Top 10 + your thesis) is already in your head.
The AI/LLM Security Review is well-scoped enough that you can deliver competently from thesis knowledge plus a weekend of methodology drafting. If you spend 2 hours sketching the offer and feel uncertain, the offer is wrong, not your skill.
You have 4 hours/day for outreach + delivery in parallel with study. Your curriculum allows 6 to 8 hours/day total; this redistributes 4 to business and 4 to study from Week 1.
You will accept that the first sample report uses a fake target (Acme AI). Many consultants do this. Disclose it as "illustrative methodology, real client work under NDA." Nobody penalises this; everyone does it.
You will fix the domain inconsistency (tagwercher.io vs tagwercher.com) in Week 1, not Week 20.

Synthesis vs your original plan

Element	Your plan	Synthesis
First paid engagement	Wk 20-26	Wk 4-6
Lead offer	Productized SMB audit	AI/LLM Security Review
Sample report ship date	Wk 20	Wk 1 (fake target), Wk 8-10 (real)
LinkedIn cadence	"Weekly write-ups"	2-3 posts/wk with a content calendar
Pen-test contracts	Wk 22+	Mo 4-5, upsold from existing clients
Cyber liability insurance	Mo 5 onward	Wk 6 (before 2nd engagement, not after)
Domain decision	Unstated	Wk 1 (pick .io or .com, drop the other)
Pricing strategy	Static ranges	Raise after every 3rd sale until 20% loss rate
Retainer offer	Mo 9 goal	Mo 4-5 floated to existing clients
Curriculum intensity	6-8 hr/day	4-5 hr/day study, 3-4 hr/day business
$4-8k MRR target	Mo 7-12	Mo 6-9

Risks of the synthesis path

Honest list. Each has a mitigation built in.

Selling before "ready" damages reputation on a bad delivery. Mitigation: tight scoping on the first 2 engagements. Fixed scope, fixed deliverables, 50% deposit. Underpromise. Deliver a 12-page report when you said 8. Refund clause for clear under-delivery (you will not use it, but offering it converts skeptics).
AI/LLM Review scope creep. Founders will ask "can you also look at our auth?" mid-engagement. Mitigation: written SOW, every additional ask is a change order. Your accounting background makes this easy to enforce without friction.
German market language friction on outbound. US/EU AI founders are mostly English-speaking, but DACH SMBs often prefer German consultants. Mitigation: split your outreach 70% English (US/EU) and 30% German (DACH SaaS). Two versions of the offer page if traffic justifies it later, not now.
Pricing too low because of Chiang Mai cost-base mindset. Mitigation: price for client value, not your cost of living. $3.5k for a 5-day LLM review is below US market rate; do not go lower than $1.5k even on the first deal. Your geographic arbitrage shows up in your margin, not your invoice.
The curriculum slips. If business pulls you off study, Phase 2 (PortSwigger) takes 8 weeks instead of 6, Phase 3 takes 6 weeks instead of 5. That is acceptable. Revenue trumps curriculum cadence in months 1 to 4.
A bad first client (slow payer, scope-creep, post-engagement complaints). Mitigation: 50% upfront non-refundable. Walk away from any prospect who pushes back on this. Your runway lets you afford to be picky.

Why the synthesis beats each individual angle

Beats Angle 1 (Speed alone) because pure compression without niche focus still leaves you selling generic audits to indifferent buyers. Adding the niche positioning gives the speed something to convert against.
Beats Angle 2 (Niche-pure) because LLM-only forecloses the higher-ticket pen-test work that naturally upsells from a satisfied LLM client. The hybrid keeps that revenue without diluting the position. You start as the LLM person, you expand as the trusted security advisor.
Beats Angle 3 (Original plan, faster) because your original plan does not solve the actual bug, which is that your differentiator is buried. Faster execution of a generic position is still a generic position.
Beats Angle 4 (Portfolio-only) because pure content takes 6 to 12 months to convert. The synthesis runs content in parallel with outbound, so the slow asset compounds while the fast asset pays the bills.

What you should do this week

If you adopt the synthesis, the first 5 actions in order:

Pick the domain (.io or .com). Register it. Set up email.
Draft the AI/LLM Security Review offer page (one page, scope, price, sample report download placeholder, contact form).
Write the sanitized Acme AI sample report. 8 to 12 pages. Use OWASP LLM Top 10 as the structure. 3 to 4 findings, remediation, exec summary.
Rewrite your LinkedIn headline and About section around the LLM Security positioning.
Build the first outreach list: 50 AI-feature SaaS startups, $1M to $10M ARR range. Tag each with the specific AI feature you would test.

This is 1 weekend of work, maybe 2. By Monday after next, you have a live offer and 50 prospects to mail.

Open questions still to answer

These block the next layer of detail. Reply when convenient.

Which domain do you actually own, tagwercher.io or tagwercher.com? Or neither yet?
What is your legal invoicing entity (German Einzelunternehmen, future US LLC, Estonian OU, other)? Affects the contracts pack.
Have you ever delivered any paid security work, even informally for friends? Affects how aggressive the first-month pricing can be.
Are you actually open to leading with AI/LLM security and treating web app pen-test as the Phase-2 upsell, or does that conflict with how you see yourself?
What is your LinkedIn URL? I can do a fast 10-minute critique pass on the current profile.
Any existing warm contacts who run or work at SMB SaaS companies with AI features? Warm intros convert 10x cold outreach.

What this critique deliberately does NOT do

Does not promise the AI/LLM Review will definitely sell. It is the highest probability path given your specific edge, not a guarantee.
Does not invent client examples or testimonials. Everything above uses fake names (Acme AI) where examples are needed.
Does not tell you to abandon the curriculum. The curriculum is a strong scaffold and stays. It just stops being a prerequisite for revenue.
Does not make claims about the German market or Chiang Mai nomad scene beyond what your own plan stated.
Does not solve your contracts pack, your sample report, or your LinkedIn rewrite. Those are the next deliverables in this package.