Going from zero to independent consultant in appsec is going to be difficult. There's a lot of work that needs to be done, more than all the serious firms can handle, but every good project has multiple bidders. For any project you'd actually want to work on, you're not going to be competitive as a fledgeling indie consultant going up against Accuvant, NCC, IOA, and Leviathan.<p>My advice is, take a job with a consulting firm to learn the ropes. Then decide whether you want to sink several years of your life getting a new consultancy off the ground. I didn't reliably match my FT salary after starting Matasano for several years.<p>In any case, if you're looking for things you can do to make yourself marketable as a security consultant:<p>* (Easiest, but least-bang-for-buck): file bugs, particularly for companies with bug bounties that will credit you. Don't look for bugs in companies that don't offer public permission to test, though.<p>* Go looking for a vulnerability in a framework, programming language, or major library. By the time you find one, you'll have expertise in that technology, which you can (a) add to your bio and (b) use as lead-gen for work.<p>* Find a pattern of vulnerabilities. If those vulnerabilities aren't novel, design some countermeasure that fixes them all. If they are novel, you can stop there. Now put together a talk and submit at security conferences. In rough order of prestige, and certainly having left several out: Black Hat USA, CanSec, CCC, Black Hat Anywhere But USA, DefCon, Recon, Toorcon, RSA, Derbycon, OWASP.