Synack nets $1.5M, so accredited hackers can spot companies’ security shortcomings

Companies with healthy bank accounts can design custom gear, write powerful tools to meet their infrastructure needs and also pay researchers to find vulnerabilities. Far more companies have to live with limited resources, and with new seed funding, a startup hopes to allow more people to employ that same security approach.

Synack, based in Menlo Park, Calif., has raised $1.5 million from some investing heavyweights: Allegis Capital, Greylock Partners, Kleiner Perkins Caufield & Byers, Wing Venture Partners and the CEO of Shape Security, Derek Smith. The new money comes on top of $228,000 raised through TechStars and angel investors.

The startup’s founders, Jay Kaplan and Mark Kuhr, know about security vulnerabilities. At the National Security Agency, they did penetration testing and vulnerability assessments for many applications. They left in February and entered the TechStars accelerator program in Boulder, Colo. Now, following their graduation from the program, they’re looking to bring on engineers and people who can manage relationships between customers and researchers, said Kaplan, the company’s CEO.

Synack’s hack-offs can begin once a company has signed up for a subscription. Working through virtual private networks, qualified security researchers hunt for issues. Once they lock on to an issue, they need to document the steps they took and show how to remedy the problem. Then Synack applies an algorithm to determine severity and figures out how much money the researcher’s discovery is worth. The customer immediately finds out about the vulnerability in an email and can see what was dug up. The customer can request more information from the researcher, and the researcher can get paid within three days, Kaplan said.

There’s a gamification element, too. Researchers get ranked by the points they rack up for their work.

Synack targets enterprises as customers. Kaplan wouldn’t name initial customers but said companies involved with “pilot engagements” have responded positively to how quickly they can get reports of security issues sitting inside their applications. In one case, he said, a customer ended up paying out “a large amount of money” within the first three hours of a crowdsourced assessment. That’s typical in the crowdsourcing model — a majority of problems are unearthed at the beginning, and more complex ones typically take a longer time to tease out.

Part of the early success has to do with the caliber of security researchers who are part of the Synack army. Some make these bug-bounty programs their primary form of employment, Kaplan said, while others are security engineers at large companies and take on the projects as side work. With more free learning sites popping up and offering education in security, it’s possible the pool of eligible well-meaning hackers will only grow, just as that phenomenon is playing out in the world of data science on crowdsourcing sites such as Kaggle.

Synack is benefiting from strong investor interest in IT security as of late. But it isn’t the only company that crowdsources the search for security holes; Bugcrowd does too. Kaplan set his company apart by saying it doesn’t let just anybody participate in the bounties. It vets researchers and can even do background checks, should customers ask for that, although he said the company is refining the process.

Regardless of whether that is enough to deem Synack as the market’s leader, it looks like the crowdsourcing approach will be around for a while, and that means it can thrive along with Bugcrowd.