Refer Clients, Get Paid: The Breach Craft Referral Program for Security Practitioners
How security consultants, vCISO contractors, and practitioners refer clients to Breach Craft and earn transparent commissions through our partner portal.
You’re already a partner; we just want to pay you
Cybersecurity is a trust and relationship business. The bulk of our work comes through people who already know our team, the kind of work we do, and how we treat clients. Most practitioners we know have stories like these:
A friend in security vents over coffee about a bad experience with a previous pen test firm and mentions they have another test coming up. You think of us, and you want to help them avoid the same headache.
You catch up with an old manager and they admit they’re overwhelmed trying to get ahead of their compliance requirements. Or worse, they’re not sure their team could handle an incident if one hit tomorrow.
You make the introduction. Maybe you sit in on the kickoff call to make the handoff feel warm. The firm scopes it, closes it, delivers it. You get a thank-you note. Nothing else moves.
We launched the Breach Craft Partner Portal to give those introductions an actual home, with the part where you get paid included. The referral side of the portal is built for practitioners who are already doing this informally and would like to do it on the record. Sign up, register the lead, get paid when it closes. That’s it.
You’re already a partner. We just want to pay you.
Who this is for
The referral program is built for people who share a few things in common: they have a network that occasionally needs cybersecurity work, they have credibility with that network, and they don’t currently have a clean way to convert those conversations into income. Specifically:
- Independent security consultants who do strategy or specialized work and refer larger engagements out
- Virtual CISO contractors with multiple advisory clients, some of whom need offensive testing or compliance assessments
- IT practitioners whose clients or peers ask security questions outside their wheelhouse
- Anyone in adjacent fields (compliance consulting, software development, MSP work) with clients who have security gaps
- Anyone with peers in the community who hears “we need a pen test” once a quarter and forwards the message to a friend
If that’s you, the referral side of the portal is for you. If you’re not sure, sign up anyway. We’ll figure it out together.
If you run an organization (MSP, MSSP, VAR, systems integrator), the organization partner program post covers the deeper relationship, including co-selling, resell, and team management.
How the referral program works
The referral program has four steps. None of them take long.
Sign up. Email, name, basic profile, agree to the partner agreement (signed in-portal so you don’t have to chase a PDF), and you’re in. The whole thing takes a few minutes. We don’t ask for tax forms upfront because that adds friction; we’ll handle the W-9 conversation when it’s time to actually pay you.
Register the lead. When you have a referral, you go to the portal and click “Register a Deal.” Add the client’s email, basic context on what they need, and your read on timing. Budgetary pricing comes back on the spot, so you can share a number with your friend or your old manager if they ask. Submit. The deal lands on our team’s radar with you tagged as the source.
We work the deal. Our team picks it up, reaches out to the client (or coordinates with you if you’d rather make the warm intro), scopes the engagement, contracts, and delivers. You can stay involved as much or as little as you want. Some practitioners hop on the kickoff call and then disappear; others stay close for the duration. The portal shows you status updates either way.
You get paid. Once the deal closes and the client payment lands, your commission moves from accrued to payable. We pay monthly by ACH or direct deposit. Commissions on referral deals fall in the 5–20% range, scaling with your volume over time. The detailed tier breakdown is visible inside the portal once you’re active. The partners page covers the high-level model.
Throughout, you have access to an enablement library inside the portal: service descriptions, our approach to each engagement type, our differentiators, and guidance on scoping. Useful when a contact asks “what does a pen test like this even cover?” and you’d rather answer than punt to us. We’re publishing more of it over time.
No spreadsheets. No follow-up emails asking when your commission will land. The math is in the portal, in front of you, the whole time.
Walking through the portal: signup to your first commission
Day one is shorter than you’d expect for a partner program. Here’s the actual path.
You sign up at partners.breachcraft.io. Email, basic profile, partner agreement, done. Most practitioners are through this in under five minutes. The longest part will be reading and signing the agreement, which is short and uses RabbitSign so you don’t have to print or scan anything.
After signup you land on a dashboard scoped to you. Active deals you’ve registered, commission balance pending and paid, a quick “Register a Deal” button up top, and any portal news worth knowing about. The dashboard isn’t trying to drown you in pipeline data, because as a referral partner you typically have a small handful of deals at a time, not fifty.
To register a deal, click the button, fill out a short form, get budgetary pricing back on the spot. You can do this from a phone in five minutes, exactly the kind of micro-task you’d do between meetings. The flow is the same on mobile and desktop because we expect partners to use both.
As your registered deals progress through scoping, contracting, delivery, and invoicing, each one shows you exactly where it is and what the commission is at that stage. When the deal closes and the client payment lands, the commission moves from accrued to payable. You see it. You don’t have to ask.
That’s the full loop. Sign up. Register. Track. Get paid.
Why Breach Craft is a partner you can stand behind
When you refer someone, your name is on it. The work has to land or the next time you make an introduction, you’re going to think twice. Here’s what your contact actually gets when they engage Breach Craft.
Engagements run on documented methodology, not improvisation. Our penetration testing reports include an attack narrative, framework-mapped findings (CIS Top 18 by default), severity ratings calibrated to actual business impact, and positive observations alongside risks. You can browse our case studies for examples of how this lands across different industries (water utilities, city government, financial services, healthcare, manufacturing). The reports hold up.
We don’t disappear after the report. Findings get a verification window. Critical issues frequently get worked through the engagement itself rather than left to the client to figure out post-delivery. Questions after the fact get answered. The reputation we’ve built is as much about what happens after the report as during.
We’ve sat in the seats your contact is sitting in. We were the consultancy doing the work, the MSP routing it, the client trying to make sense of a vendor’s findings. We know what good looks like because we’ve delivered it and received it. That’s the standard we apply.
Frequently asked: payment, taxes, the boring stuff
Payment timing. We pay monthly by ACH or direct deposit. The cycle starts after a deal closes AND the client payment lands; if the engagement is invoiced over time, your commission accrues over the same schedule. For most engagements that means the first commission payout happens 30 to 90 days after deal close.
1099 vs. corp-to-corp. Both work. If you’re an individual, we’ll send a 1099 at year-end. If you’re a sole proprietor or LLC, you can be paid to your business entity with a corp-to-corp arrangement. We handle the paperwork either way.
NDA and confidentiality. Standard NDA gets signed during onboarding through the portal’s RabbitSign integration. Anything sensitive about a referred client (industry, environment, security posture) is covered. We don’t share details outside the deal team without clear permission.
The Cybersecurity Community
We started this post saying cybersecurity is a trust and relationship business. The Breach Craft Partner Program is how we honor that. The community made us who we are. Practitioners refer because they trust us; we treat the people they refer like the people who referred them. That’s the entire model.
If that fits how you operate, sign up at the portal or read the launch announcement for the full picture. And if a deal comes up tomorrow, you’ll already be set up to register it.