
Very yes. (We're working on "Grey Hat Ruby", though I don't know if we're going to publish it on dead trees).


So dumb question. How do you make money doing that? Is it that software companies want their security tested so they hire you? (I wouldn't think most companies would be so proactive.)


Every fiscal quarter, tens of products ship (often after millions invested) for every one practitioner that can competently write a fuzzer. That estimate may actually be conservative by an order of magnitude.

We work for vendors and enterprises (i.e., normal companies). Vendors bring us in to beat stuff up before they ship it. Enterprises bring us in to reverse things and beat them up before they get deployed.

Yes, many companies aren't that proactive. But the industry is slowly getting dragged into security; key verticals like financial services and health care are starting to require documentation of penetration testing for anything that gets deployed, and Microsoft, Google, Mozilla, Apple, and IBM all have religion about software security process.



