cyberjerry42 OP t1_j6amv3e wrote

I wouldn't say it's a niche line of work per se, but it's very hard to find good pentesters. A lot of companies tend to hire external firms to pentest their products and get the "stamp" for compliance reasons. Offensive security is absolutely not for everyone, as it requires you to think outside the box in very odd ways sometimes.

I've known a lot of absolutely genius devs that could whip out the most complex algorithms without sweating it, but they had a very hard time imagining "well, if I chain X with Y and finally Z, it can easily lead to compromise of A". I'd probably make a shit full-time software dev, but boy can I break their stuff hahaha

> Are you guys typically contracted to audit the companies rather than work with their IT teams?

I would be tempted to say yes. It's important to keep in mind that most tech companies out there don't have a giant budget and 1000 employees, so they often can't afford a red team. This in turn creates a big demand for external contractors such as Cobalt. I personally, however, prefer to work for the company itself rather than being a contractor, as it lets me not only find the problem but also help them fix the issue.