Below is our recent interview with Mark Kuhr, Co-founder of Synack:
Q: Could you provide our readers with a brief introduction to Synack?
A: Jay Kaplan and I launched our careers with the NSA and US Department of Defense as technical security experts protecting the country from both kinetic and cyber attacks. While we were at the NSA, we had a shared vision to revolutionize cybersecurity by combining human intelligence and artificial intelligence to create a scalable, effective security solution. In 2013, we started Synack, and trusted crowdsourced security was born.
Synack, now the industry’s most trusted crowdsourced security platform, delivers comprehensive and continuous penetration testing with actionable results. We harness the world’s top security talent and augment their work with an AI-enabled technology platform for security testing that customers trust. That testing yields vulnerabilities, data about the strengths and weaknesses of an attack surface and how it changes over time, and provides documentation for compliance.
The data and analytics from Synack help security teams find and fix vulnerabilities faster and build more secure code; in fact, Synack customers see a 159% ROI compared to a traditional penetration test. 99.98% of total noise is reduced through our use of AI-enabled scanning technology in tandem with human vulnerability triage and patch verification services. If Synack’s smart crowdsourced security platform were to be used in all penetration testing, it would add 4x more efficiency to security teams.
Headquartered in Silicon Valley with regional offices around the world, Synack protects leading global banks, federal agencies, DoD classified assets, and close to $1 trillion in Fortune 500 revenue.
Q: You’ve recently been named to the 2019 CNBC Disruptor 50 list; could you tell us something more?
A: Yes, being named this year as a CNBC Disruptor marked the 4th time in the last 5 years that Synack has been named to the CNBC Disruptor 50 list. Initially, we were named to the list for being the first to introduce crowdsourced security testing to the market, then we were the first to offer crowdsourced penetration testing, and this year we changed the game again. Continually being named to this list gives us affirmation that we continue disrupting the industry in big ways.
It’s been an exciting year for Synack. Just a few weeks ago, we launched and announced the industry’s first security platform powered by crowdsourced human intelligence augmented by Artificial Intelligence. We also introduced LaunchPoint+, a new platform feature that provides a secure and managed workspace environment with endpoint control for crowdsourced testing of enterprise and government assets. Around the same time, we were recognized as a CREST accredited crowdsourced penetration testing company. These announcements all work as proof points that the Synack solution is the most innovative and the most trusted in the industry.
Perhaps due to the momentum in the crowdsourced security space, the US Department of Defense decided to expand its Hack the Pentagon with Synack in 2018 with a new crowdsourced security contract for $34 million. This followed Synack’s “Secure the Election” initiative in front of the 2018 US midterm elections that offered pro bono security tests on voter registration systems.
This spring, Synack published the 2019 Trust Report, the first report of its kind to measure industries’ and organizations’ trustworthiness from a hacker’s perspective. We based our analysis on proprietary data from thousands of crowdsourced penetration tests on digital assets owned by hundreds of companies across nine industries over several years.
Q: Can you give us insights into your solutions?
A: The reality is, most of our customers have great security teams that are doing their best to protect their customers, but the pace of development and the scale and vendor management needed to secure it is making their job impossible. Synack is a testing and analysis platform that actually allows security teams to stay on top of the threats while also getting visibility and data into their attack surface for more effective and efficient prioritization.
All Synack offerings are cloud-based and can be activated within 24 hours. All year-long subscription models include deployment of the Synack Red Team, Hydra, Apollo™, SmartScan™, LaunchPoint®, Synack Operations, and the Client Portal. We consider our offerings a “stack” and customers can build upon each layer to get more effective and comprehensive solutions.
At the base of all of our testing is the Synack Platform, which provides “always on” security augmentation. The Synack Platform is comprised of our three technology pillars:
■ Hydra, our AI-powered scanner
■ LaunchPoint, our secure testing gateway with full-packet capture for data privacy
■ Apollo, our continuous learning engine
DISCLOSE is our Managed Vulnerability Disclosure Program which allows customers to receive
DISCOVER is our Crowdsourced Vulnerability Discovery solution which is rigorous security testing that harnesses creative hackers and scalable recon technology. Discover includes 2 weeks of active Synack Red Team testing.
CERTIFY is our rigorous Crowdsourced Penetration Testing offering that not only discovers vulnerabilities, but also completes security checklists based on industry standards, including OWASP Top 10, PCI Compliance, and NIST 800-53.
SYNACK365, or Crowdsourced Continuous Penetration Testing 365, is active penetration testing 24/7/365 that includes all lower layers of our product stack and helps customers scale their security enterprise-wide.
Q: The real power behind your company is the Synack Red Team. Who makes your team and what does it take to join?
A: The Synack Red Team (SRT) is Synack’s private network of highly curated, skilled and vetted security researchers who represent over 60 countries from around the world. These security experts undergo the industry’s most stringent combination of screening, interviews, skills testing and vetting to offer our customers the most trusted solution. Only 12% of all applicants are invited to join the Synack Red Team. These talented researchers deliver vulnerability discovery, compliance checklists, triage, patch verification and reports to some of the largest global companies and highly sensitive government agencies around the world.
Synack supports the SRT with purpose-built, patented technology that helps researchers become more efficient and effective in finding vulnerabilities in a secure and managed experience. Researchers are rewarded for successful vulnerability submissions and consistent contributions via traditional bug bounty incentives and the SRT loyalty program.
Q: What are your plans for the future?
A: One of the greatest problems facing penetration testing is the ability to scale. We believe the future of cyber security scale is on-demand augmented intelligence, which is utilizing cognitive artificial intelligence technology as an enhancement to human intelligence. It’s Synack’s goal to find the optimal combination of humans and machines, and to provide a solution that uses them both to their strengths. We truly believe that our model is the future of penetration testing.
These components make up the Synack model and what we believe is the future of penetration testing:
● Vetted crowdsourced human talent incentivized to find high-impact vulnerabilities
● Artificial Intelligence for added efficiency and scale, utilizing people only when necessary
● Orchestration of community to bring into the appropriate types of tasks while ensuring comprehensive coverage
● Real-time analytics and performance-based security scores for prioritization and action