Start with Bug Bounty programs. You can do that while still doing what you do to make money. See if you like it and any good at it.
This will tell you in a year if you like it, make some money and take the dive, or not.
Pentesting (except for the really smart cookies) is the dumbest thing ever, nowadays. You spend a day running your scanner, 3 to PowerPoint your (low hanging fruit) findings, a half to present your PowerPoint to 'managers' who are just hackling about the rating of said findings, a couple of calls / email to try to explain the findings to the developers and on to the next. It sucks and is mainly done for compliancy reasons.
This will tell you in a year if you like it, make some money and take the dive, or not.
Pentesting (except for the really smart cookies) is the dumbest thing ever, nowadays. You spend a day running your scanner, 3 to PowerPoint your (low hanging fruit) findings, a half to present your PowerPoint to 'managers' who are just hackling about the rating of said findings, a couple of calls / email to try to explain the findings to the developers and on to the next. It sucks and is mainly done for compliancy reasons.