
First of all, nice writeup. I am a bit surprised that so much GPU power was needed to find such a short collision, but it was nice to see his implementation nevertheless.

Regarding the last section, is 40k a reasonable price for one month of security analysis? Does this mean that a good security researcher makes about 500k/yr?



It means a good security research company might make $500k for a good researcher, if they could bring in enough work to keep them 100% utilised. Less actually, given paid time off.


Sick leaves, maternal leave, underutilized for sure (toilet, meetings etc).

Just for reference, I have had an audit from PwC and they were skeptical about our 65% time utilization because usually anything above 60% is fake at least partly. LOL, I thought, they were right, we ended up just about 60%.


Which, if past experience still holds, translates to something more like ~$165/yr + benefits.


That seems very reasonable to me. It seems like the pentest companies I have worked with in the past charge that much and just do a lazy nmap/metasploit scan and wrap it into a nice PDF.


> so much GPU power was needed

In the post-LLM age, one hour of compute on a 4090 is closer to "so less" than "so much". You can have that for less than $1.


2^(12*4) is 281,474,976,710,656 possible 12-character strings, so seriously impressive that it can look through that many in an hour.


A bit over 4 hours at 18 billion per second, but yea. Impressively fast and also a completely reasonable amount of time for an attempt - the CPU version was 10m per second, which is most of a year to search the whole space.



