Dumbest apple fanboi I've seen today and it's 9AM. Apple just oversells security and "cool" design. But in reality its just expensive garbage, no real hardware power, no real security
First you need to work for established infosec companies. They get pentest projects every day, easily. You can't be like them day 1. So when you work through those companies and do pentest for a client, show yourself. In our team, maybe 10 people were working with me on pentest projects, but if you ask clients now after years, they probably ONLY remember my name, because they know and understand who did what. So after years and years of good reputation, it's super easy to expand your client base, do for yourself, ask for top $, reject offers might be a dream salary for some. But just like everything else, you start slowly and gradually "level-up"
I found critical flaws in systems 4 previous pen test companies didn't find. I found bugs in a security camera DVR platform for a big company, I found critical flaw on numerous custom web portals, I found all these bugs after they went through at least one pentest by another vendor. I usually don't miss bugs in pentest and/or source code analysis. When I analyze malwares, I usually do it quick and I analyze them extensively and write good and detailed reports. I'm 28 but I built my reputation over sometime with quality work. (very sorry if my post have bragging tone, I don't mean to, I just wanted to share)
I have around 70-80hrs a week. ~40 hrs for each of my clients. It doesn't have to be exact 40, as long as I do what I'm supposed to do, it's fine. It's not like 9-5 job
I have long term contract with two companies, for one of them I do application security review, I analyze source codes and point out vulnerabilities. For the second one, I do penetration testing, forensics, malware analysis, and... One is paying 230k the other one is paying 190k.
I have other contacts and other offers too, but these two jobs are taking all my time. I can switch and work with a new client anytime.
People might not like your comment and have different opinions, but as person who did exactly what you said and now making around 420k/yr for cyber security consulting, I have to say, you are 100% right.