I swap my time for problems. I like consulting and participating in collective efforts; there's more room for shared learning and resolving, as opposed to being thrown into a problem in a silo (I'll do that too if you pay me, yes, shameless contractor.)
Adversarial Architect - Consulting
Best suited to supporting security leadership, the CISO-Office function and other far-reaching security verticals within organisations, generally spanning security assurance, vulnerability management, and security architecture support such as chaperoning programmes from testing of a solution through to go-live, and more importantly, or often most valuably, being a part of the conversation, concerning myself with security.
Everything else below is a subset of this parent title; also important capabilities, if the requirement is there.
Application Security Specialist
If you need some offensive support within your application's journey to live, I bring a sharp eye to application security, having worked in this space dedicated for many years: a former CHECK Team Leader (that means something in the U.K.), a competent bug hunter, and I've held AppSec Principal posts within the banking space, while I wasn't an awful contractor.
Similarly to my AppSec role, I've spent most of my time breaking into things by means of poor configuration, excessive access and new or novel exploits based on to-be-improved development practices. While pentesting used to be my world, I see it more as a component that has a place; 'pentesting' everything isn't the best move, but often it's the only move you have where maturity is still being agreed, or not present.
Offensive Security Practitioner
You could call it 'Red Team' work, but there's only one of me, and it's enough. Attack simulation is a really fun way to push boundaries on attack paths, defence capabilities and, most importantly, control validation, attack visibility and defence capability.
This kind of work can be red or purple, it's nice to work with the blue team to simulate and have them monitor and build out response capabilities.
Vulnerability Management Specialist
I know what you're thinking, you're thinking 'John, please, one man can only be so good at so many things', but wait... Vulnerability management is a huge space and has been a pleasure for me to think about over the years, where I've deployed small and large roll-outs. If you want insight into my thinking, here's a post with my views on vulnerability management as an organisational vertical, creatively titled 'Vertical Vulnerability Management'.
Ways of working
It's one of two ways, depending on the nature of the work needed. Emergency work and properly scoped work will usually sit within the set-deliverables space: a pentest, a focused rapid assessment, or other support capability. For those that bring me onboard to share their challenges outside of generic security assurance, it's sensible to cut out blocks of my time per quarter, or similar, where quick meetings and support are needed but the scope isn't quite clear; what's clear is the time being spent, and the knowledge that I'm probably going to bring value participating.
I operate outside of IR-35; unfortunately that's how it will always be, until government are more accommodating.