10 mistakes I made charging for my first CyberArk health checks as a Freelance CyberArk Architect
Been doing CyberArk for 10 years, last few doing independent health checks on the side. Sharing the pricing mistakes that actually cost me money, in case it helps anyone here thinking of going independent.
- Charged hourly the first time. Finished in 9 days what I'd quoted as "around 2 weeks". Made half of what the work was worth. Go fixed-fee.
- Quoted without scoping. "We have CyberArk, can you review it?" turned into a Vault cluster + 4 CPMs + a PSM farm + Conjur. Now I do a 30 min scoping call before any number leaves my mouth.
- Bundled remediation into the health check. Once you find 40 issues in a fixed-fee report, guess who fixes them for free. Two engagements, always.
- Underpriced because "it's just a review". The report is what lands them their next big remediation project. Started at 3k, my floor now is 12k.
- Did a free "quick look" before quoting. Wasted 4 hours, client ghosted. Paid scoping or nothing.
- Wrote the report too technical. 60 pages of CPM error codes. CISO didn't read past page 2. Now: 1-page exec summary up front, technical stuff in appendices.
- Treated the exec readout as "included". That 1h call is where the follow-on work gets sold. Charge for it.
- No scope-creep clause. "While you're at it..." used to mean free work. Now every SoW has an out-of-scope list and a CR rate.
- Quoted in the same call. Said a number, it became the ceiling. Now: "I'll send a proposal in 48h." Every time.
- Didn't follow up after delivery. ~70% of my follow-on work comes from a 30-day check-in email. People don't come back to you on their own.
Wrote all this up properly (frameworks, templates, the actual SoW I use) as a playbook. Not going to drop a link; DM me or check my profile if you want it.
What would you add?
u/RazzmatazzFlat2808 — 3 days ago