With more people working from home these days and relying on digital services, the security of websites and apps has become even more important to companies. At the same time, many white-hat hackers have had more free time to lend their skills to bug bounty platforms like Synack. Synack uses a highly vetted network of crowdsourced cybersecurity researchers, coupled with advanced technology, to help enterprise clients discover security vulnerabilities before they are exploited.
Synack was already backed by top-tier venture capital firms including Microsoft, Google, Intel and Kleiner Perkins, and its clients include the U.S. Department of Defense and General Dynamics. With a boost in demand for its services, accompanied by an availability of “ethical hackers” looking for extra income opportunities during Covid lockdowns, a new set of VCs poured $52 million of funding into Synack in May 2020. This deal valued the business at almost $500 million.
We are incredibly fortunate that Jay Kaplan, current CEO of Synack, and a former senior cyber analyst at the National Security Agency, agreed to spend some time fielding our questions.
Five years ago you said many companies’ efforts to handle their IT security were on a par with taking a knife to a gunfight. How much have things changed since then?
Well, some companies have bigger knives at this point. Things have definitely improved in the past five years. Collectively, we’re better at identifying threats and defending against attacks through crowdsourced cybersecurity. We’re using smarter and more robust tools and the nation as a whole is waking up to the severity of the cybersecurity threat. But we still suffer far too many hacks — many that are preventable through common sense security measures — and there’s not enough focus on security testing and building a real, robust cybersecurity workforce.
While security efforts are improving, the attackers have also become smarter and more cunning. Five years ago, we weren’t facing the kind of ransomware threats and nation-state attacks that we’re seeing today. Consumers’ trust in technology is also suffering and attacks on critical infrastructure could quickly become more dangerous. The tools exist to create better defenses but organizations need to start using them. Crowdsourced cybersecurity gives companies the ability to leverage the best ethical hackers in the world to test digital assets. We can gain an advantage over adversaries when we’re all making smart decisions, deploying code that has been tested and doing the security basics. We’ve got to do everything possible to make it as hard as possible for our adversaries.
When you started Synack, were you happy to take on any clients willing to engage you, or did you have some particular criteria they had to meet?
In the early days of Synack, we were introducing a radical concept to the security marketplace. This notion that you’d let a crowdsourced network of ethical hackers remotely test your assets just wouldn’t fly with some executives. At that time, we were hunting for those security pioneers and first-movers who would evangelize this approach. They tended to be leaders in organizations with more mature security teams and, honestly, more sensitive assets to protect. They saw the value of our crowd of vetted security researchers and helped us grow into a company that today helps protect massive global corporations, financial institutions and government agencies around the world.
Synack’s clients include the U.S. Defense Department and the IRS. How challenging was it to get their agreement to use a crowdsourced group of gig economy hackers?
The Hack the Pentagon program was a game changer for crowdsourced security. In 2016, the DoD’s Defense Digital Service was advocating for the Pentagon to adopt more innovative solutions to increase its own cybersecurity capabilities and to show the value of ethical hacking for the entire federal government. Hack the Pentagon showed the way and it became a success, leading to more adoption of crowdsourced cybersecurity across the entire U.S. government.
Today, we work with 22 federal agencies and they are some of our most active and engaged customers. As a result, we’ve found thousands of vulnerabilities across the federal space and worked with DARPA on the most technically advanced bug bounty program to date.
As Synack has grown, have the types of people who want to do the work changed from the early days?
We’re continuing to attract amazing talent both for the Synack Red Team, our global network of ethical hackers, as well as on the blue team side. Over the years, the bar has risen for our Red Team hackers. Since we attract the best, that means that the majority of people who apply to join our community don’t have the technical chops to make it. We’re committed to keeping standards high to provide our customers with the most rigorous and thorough testing possible. Synack doesn’t have the biggest crowd — nor do we want that — but we have the best and most talented one.
Do you have an idea of what proportion of your hackers regard Synack as their main source of income?
The Synack Red Team is a mix of full-time freelance security researchers and those who hack part time. Many of them have regular careers in tech companies; others come on the platform when they need extra income. One of the amazing things about this community is that it’s such an eclectic group. Even if they aren’t hacking on the Synack platform as their main source of income, we’re able to offer the kinds of financial rewards that provide more freedom and flexibility and let them do what they love while living anywhere in the world.
They are also working on some of the most interesting and rewarding projects, helping to secure the technology that some of the most critical industries, organizations and government agencies depend on to carry out their work and deliver their services. And they can do this work wherever they want and whenever they want. That’s such a valuable and rare opportunity and the SRT community really values that flexibility.
In 2016 you said the highest bounty paid to a hacker for a single vulnerability was $25,000. What’s that figure today?
It’s roughly around $50,000 today.
How important is personal reputation to the hackers, as well as the ability to earn bounty payments?
Both are extremely important. We spend a lot of time fostering deep relationships with our community of hackers. We make sure they are rewarded financially for their hard work and contributions to the overall Synack ecosystem. We’re also helping them build their personal brands as elite hackers. The relationship between our Community team and the Synack Red Team is vital to everything we do.
Trust has been Synack’s focus from the beginning and it is the essential ingredient to make crowdsourced cybersecurity work at scale. Hackers need to trust they’ll be treated fairly and paid quickly for their work. In return, Synack trusts them to operate responsibly and ethically to serve the customer’s best interests. Without that mutual trust, it is safe to say that the world would be a far less secure place.
You clearly learned to create processes and manage a team of global remote workers to scale. But how challenging was that to do as a pioneer in your sector?
Managing a dispersed global network of hackers definitely took some ingenuity and creativity. Thankfully, ethical hackers typically work remotely with customers and organizations located across the globe. But we needed to build a platform that would allow them — wherever they are — to carry out testing in a remote environment that was still fast, responsive and secure. This was no easy feat. Customers also need to have assurance that the remote testing platform is bulletproof. We’re constantly refining and retooling so that we give our customers the best and fastest testing results while our researchers can seamlessly carry out those tests from anywhere in the world with an internet connection.
We recently took a look at Smart Cities. The amount of smart technology provides ample opportunities for hackers, and any success they have undermines citizen confidence in government officials and agencies, as well as wasting the taxes citizens have paid. Is this a growing sector for Synack?
Absolutely. We’re working with more and more customers in sectors such as energy or transportation that rely on connected devices to carry out operations and service their customers. But the more internet-connected things that are brought into the enterprise, the more risks we’re introducing across the attack surface. This isn’t just putting the organization that uses smart technology at risk, but their entire customer base.
Ultimately, the makers of IoT devices need to carry out rigorous testing to make sure their smart equipment doesn’t contain vulnerabilities that hackers can exploit. Any organization that plugs in a smart device to their network needs to be on guard, too, and make sure the devices are protected with strong passwords and are running on the latest firmware. Beyond that, keeping untrusted devices in a segmented enclave of the network keeps sensitive data secure. It’s amazing how often those simple security precautions aren’t followed — and they are so incredibly important.
You started Synack in 2013, and in 2020 it was valued at almost $500 million. How do you feel?
It feels amazing. Everyone at Synack has worked so hard to increase the value of the company to where it is today. The valuation is a solid endorsement of the importance of Synack and our crowdsourced cybersecurity model, which is now an industry best practice (certainly that was not the case eight years ago). We’ve also been incredibly fortunate to work with the best investors, customers and partners who have enabled us to reach new markets and expand our services. We’re always innovating so that as many organizations as possible can take advantage of the Synack platform without sacrificing any of the exceptional quality and service that we’ve become known for in the industry.
What’s next on your development plan, and is your crowdsourced network of hackers sustainable?
We’ll keep scaling and keep helping organizations find and fix vulnerabilities to make sure they are as secure as possible. Our ultimate goal is making the world a more secure place. We’re doing that by continuing to deliver results and providing an offensive approach to security testing. The cybersecurity threat we all face today isn’t going away and organizations around the world just can’t find enough talent — or the right talent — to meet their cybersecurity needs. That’s just not acceptable anymore. Crowdsourced security is solving that problem. Synack isn’t just a sustainable business and approach to information security, it’s more essential than ever.