I run a successful security firm, so I feel fairly qualified in saying this: your equity proposal is not financially sound. It's a creative idea that has been considered before, but it's not something I would consider, and it's not something most (any?) of my clients would consider. Frankly, software security services are closer to insurance than they are to contracted software development. You have a variety of obstacles to making this successful.<p>First, investors would be concerned that the founders are offering equity for "non-employees" and "non-core" consulting services. Investors don't like to see independent contractors getting equity to begin with - the only case they'd be okay with this is if the founders need help building the company's fundamental software.<p>Second, your shares would be the first to be diluted when it comes time to see whose shares are not as important. 0.1% equity for a year's retainer? That usually amounts to 12 weeks of actual work, maybe less. This is an amount they will eventually offer to full-time employees over a period of several years. How would you vest it?<p>Third, consider that if your firm is providing security audits for equity, you are self-selecting for startups which have poor business acumen (in that they accepted this deal). Your already poor chances for any equity return at all just became poorer. How long can you provide security services on an "I'll take a hamburger today and gladly pay you tomorrow" basis before you run out of money and need to actually charge market rates? It's not sustainable.<p>Finally, you are basically a de facto investor, in that you need to select startups you believe will be winners, otherwise your equity will be worthless.
You'll have to be both an excellent angel investor with your startup bets and an excellent security provider, and this will be further complicated by the fact that only inexperienced or bad founders will be likely to offer equity in return for security.<p>In other words, it's a bad deal, most people won't take it and you'll probably be burned by those that do. It's not sustainable and if you're doing this because you want to get rich, consider that running a successful security firm and doing good work for fair market rates will get you there.<p>To answer your (easier) second question - most startups care a lot about security once users start asking them difficult questions. Then they turn to firms like Sakurity, NCC Group, Optiv, Bishop Fox or my own and outsource an audit, because they don't have the resources for an in-house security team just yet.<p>To answer your other question, startups will start getting audits once they reach their second or third round of funding, though the savvier ones might do it once they have substantial enough seed funding. There is a sweet spot where startups know they need security but won't bother with an in-house team - that's where you market yourself. Alternatively, you can market your services to enterprise companies with both an in-house team <i>and</i> regular independent audits, but that's harder for a beginning firm.<p>That's just the broad strokes though. Some startups need to prove security competency earlier on; some try to hire security teams quickly.<p>More importantly, how much security experience do you have? What is your network of potential clients like?<p><i>edited for formatting</i>