Becoming a Detection Engineering Contractor, Part I — The Motivation
So you wanna become a contractor (freelancer, independent consultant) in the Detection Engineering space? Here I share my impressions.
Nowadays, capturing readers’ attention requires being really concise. To make this easier, I’ve divided this series into three parts, while covering many additional details and nuances in between.
In this article I cover the first part of this series: Motivation.

The Topics
- Motivation: Why work as a contractor in this space?
▶ Market Demand
▶ Salary / Rates
▶ Schedule Flexibility
- Preparation: What are the requirements to land a job?
▶ Hard/Soft Skills
▶ Technologies x Products
▶ How to find a project?
- Practical Tips
▶ Get Inspired
▶ Get data fluency
▶ Get Exposed
Motivation
Since I began sharing insights about my work in the field of Detection Engineering, I’ve frequently been asked how to break into this area.
That’s a challenging question to answer concisely, as the path can vary greatly depending on one’s background and interests.
I hope this article will shed some light on the path, whether you’re just starting out in freelancing or you’re an experienced professional looking to transition into Detection Engineering.
Market Demand
This is where the ‘Evolving Threat Landscape’ comes into play — cyberattacks are becoming increasingly sophisticated. I’ll assume you’re already familiar with this concept, so let’s focus on more practical points.
While threat detection technologies like NIDS have been around for over 20 years, the real game-changer has been the recent explosion of data (logs) in our industry, driven largely by the evolution and consolidation of the SIEM market and technologies.
However, the practices of Detection Engineering (DE) and Security Analytics, as we know them today, have only started gaining mainstream attention in recent years.
For example, my decision to fully transition to freelancing came in 2017, after leaving the Professional Services organization at Splunk, which remains one of the leading players in the market.
It has now been a fulfilling 7–8 years fully dedicated to this practice.
At the time of writing, LinkedIn listed over 3,000 job openings in the past month matching the keywords ‘detection engineer SIEM.’

Is that a lot? You’d likely find even more results searching for ‘SAP,’ but I can assure you that five years ago, there would have been only a handful of job listings for Detection Engineering.
What does this mean? The market for Detection Engineering is rapidly expanding, and demand continues to grow steadily — much like any other data-driven practice. So no surprises here.
If you are into Threat Hunting or still don't know whether DE is a good fit for you, it may be worth checking another article I wrote on the topic:
Navigating the crossroads of Threat Hunting & Detection Engineering
Salary / Rates
I understand that this is likely one of the primary drivers for considering such a change, if not the main one. That said, there are many moving parts involved, and I’ll do my best to address them.
Before diving into the numbers, let’s clarify a few basics. Apologies if some of these points seem too obvious, but I want to ensure this is accessible to readers of all experience levels.
- Compensation is based on an hourly rate, with no fixed salary.
As a consultant, your primary product is your time — no time allocated, no money. This is often one of the biggest factors deterring professionals from leaving the security of a full-time job. While most clients prefer to be billed on a daily basis, the smallest billable unit is one hour.
- Subcontracting is the norm, not an exception.
In the enterprise market, direct consultant-to-customer invoicing is rare. Instead, subcontracting is typically handled through third-party companies, such as body shops or MSPs. The main reason for that is to reduce contract management overhead and liability while accessing multiple consultants.
In most cases, the rate is pre-negotiated between the outsourcing company and the client. However, exceptions exist, such as when the client has the flexibility to hire a (senior) consultant based on their proposed rate.
That said, it’s important to account for a small fee — typically between 2–4% of your project income — that goes to the third-party company. Additionally, payments are usually made within 7–30 days after the invoice is submitted.
Nevertheless, consider that some companies self-invoice or work with Purchase Orders (POs), which might change the dynamics a bit.
Also, there are additional costs (or rather, investments) to consider here:
- Training, Conferences, Books.
Attending a conference isn’t just about taking a day off — you’re also paying for it. That’s why it’s essential to carefully plan where to invest your time and money. Early in your career, prioritize earning market or product certifications and building home labs. As you progress, conferences can become invaluable for gaining inspiration and expanding your professional network.
- Software, Hardware (laptop, mobile phone), Internet, etc.
Make sure you buy those from a shop/location that provides your tax identification, which makes it easier to claim expenses later. Since I work more than 90% of the time from home, investing in a high-quality chair and a good monitor has been well worth it.
- Tax Accounting Services
This is likely the most important aspect to focus on, as calculating income tax as a freelancer can be quite complex. For example, in Portugal, during your first year as a freelancer, you keep 50% of your taxable income if you earn up to €200k/year — and the benefits are even greater for higher earnings! To avoid headaches, do yourself a favor and hire a trustworthy, experienced tax advisor.
- Insurance & Investments
Besides the Social Contributions, it's always good to have life, accident and other insurance. I had a customer in Scandinavia requiring insurance that would cover any issue while in the office. Also, consider that once the money is in, you should know how to invest it. Unlike a pension scheme, where your employer does it for you, you are fully responsible for planning and securing your financial future.
Now, to the real deal: what's the rate charged by a Detection Engineer?
It’s hard to provide a specific range, as rates vary based on factors such as market location, resource seniority, project urgency, and allocated budget.
A senior freelancer is likely earning similar rates to a senior vendor consultant. For example, hiring a Subject Matter Expert (SME) from Splunk typically falls within the USD 200–350/hour range, with slight variations depending on the market (Gov/Fed, San Francisco, or New York).
Projects requiring ‘SIEM Engineers,’ typically focused on admin tasks or data onboarding, generally fall within the USD 80–100/hour range. However, content engineering work, particularly in threat detection, tends to command higher rates and is typically offered by larger enterprises.
I typically agree on a rate based on the following criteria:
- Project Length & Renewal potential: I tend to have 3–6 month projects with a few days per week allocated, all subject to renewal.
- Tech Stack: if Splunk/Defender/CrowdStrike is involved, I give it higher priority, not only because they are great tech enabling me to deliver Detection as Code (SPL, KQL, LQL), but because these customers usually pay more — no need to hide it here, it is what it is.
- Project Type: I usually deliver a mix of development (hands-on), enablement and advisory services. If it's advisory only or a dedicated workshop, it is sometimes better to charge a fixed price.
Schedule Flexibility
I'm usually consulting on 2–4 projects, no more than that. Of course, the projects focused on content development do require more days allocated, but usually no more than 2 or 3 days per week.
What I really like about this schedule flexibility is that if I need to take one day off, it just takes a moment to sync with the customer team to have it booked. Most of them simply want the day off flagged in the team calendar.
However, that flexibility comes with a price: calendar management overhead. You need to account for distinct time zones, client calendars, different countries' holidays, etc.
I also avoid doing half-days as shifting focus between tasks isn’t always easy — or healthy. I occasionally make exceptions to handle personal matters.
A few other points worth highlighting here:
- Holidays, vacation, days off == zero pay.
As mentioned earlier, the more days you work, the more you earn — a flexibility that’s not always possible with a full-time job. However, be mindful of burnout! Over the past 3–4 years, I have been taking around 35–45 days off per year, which is already above the average in Europe.
- Start with a single, long-term project.
Managing multiple projects can be rewarding, but it’s best to take on this challenge once you’ve gained sufficient experience. Transitioning from one long-term project to another is easier to handle and allows you to develop ideas that require more time to fully execute, such as Threat Detection frameworks and models.
Written by Alex Teixeira
Becoming a Detection Engineering Contractor, Part I — The Motivation was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: Becoming a Detection Engineering Contractor, Part I — The Motivation | by Alex Teixeira | Jan, 2025 | Detect FYI