Synack, a security company that uses crowdsourcing for penetration testing, has built an intelligence platform that it says will narrow down weak points in a company’s network.
Based in Redwood City, California, Synack uses a network of freelance security analysts in 35 countries to probe the networks of companies who’ve signed up to its subscription service.
The analysts, who are closely vetted by Synack, get paid based on the vulnerabilities and security problems they find, ranging from $100 up to thousands. The subscription offering means companies are continually analyzed.
Jay Kaplan, Synack’s co-founder and CEO, said they wanted to build platform that would help its analysts quickly focus their attention on potential trouble spots. Called Hydra, the platform spots vulnerabilities in networks and applications, looks for out-of-date software and other issues.
Previously, analysts had a very open-ended approach when given a project and used their own methodologies. It was largely up to the analysts to decide what to look at.
But large, complicated works can have lots of places to look for problems. Hydra decreases “the amount of time it take to find these exploit vectors,” Kaplan said.
Synack’s researchers don’t work from inside companies but instead act like attackers, looking at externally-facing IP addresses and applications.
“If someone from the outside was trying to break in or trying to steal information from an organization, these are the areas they’d look at first,” Kaplan said.
For analysts using Hydra, it could potentially make them more money since they can spend more time looking at areas where there could be problems. If Hydra finds something, the alerts are sent to the researcher, who can then perform a more manual investigation.
Synack plans to add modules that address mobile devices and web applications over the next few months, Kaplan said. For mobile, Hydra will look at a variety of things, from insecure cryptography to embedded passwords and keys.
Kaplan said his company, founded about three years ago, has taken many cues from how the NSA conducts its vulnerability research. He worked at the spy agency for four years as a senior cyber analyst on offensive cyber operations.
“You can definitely draw a parallel to the way the NSA conducts business on the intel side” Kaplan said. “They very regularly leverage technology for scale — that’s scale on a whole other level — but they also have a cyber operations workforce that is responsible for intelligence purposes.”
The first phase of Hydra has been pushed to Synack’s researchers, and it will go live today, Kaplan said.