Synack builds intel platform for its penetration testers

Hydra will help Synack's analysts quickly find exploit vectors during penetration tests

Synack, a security company that uses crowdsourcing for penetration testing, has built an intelligence platform that it says will narrow down weak points in a company's network.

Based in Redwood City, California, Synack uses a network of freelance security analysts in 35 countries to probe the networks of companies who've signed up to its subscription service.

The analysts, who are closely vetted by Synack, get paid based on the vulnerabilities and security problems they find, ranging from $100 up to thousands. The subscription offering means companies are continually analyzed.

Jay Kaplan, Synack's co-founder and CEO, said they wanted to build platform that would help its analysts quickly focus their attention on potential trouble spots. Called Hydra, the platform spots vulnerabilities in networks and applications, looks for out-of-date software and other issues.

Previously, analysts had a very open-ended approach when given a project and used their own methodologies. It was largely up to the analysts to decide what to look at.

But large, complicated works can have lots of places to look for problems. Hydra decreases "the amount of time it take to find these exploit vectors," Kaplan said.

Synack's researchers don't work from inside companies but instead act like attackers, looking at externally-facing IP addresses and applications.

"If someone from the outside was trying to break in or trying to steal information from an organization, these are the areas they'd look at first," Kaplan said.

For analysts using Hydra, it could potentially make them more money since they can spend more time looking at areas where there could be problems. If Hydra finds something, the alerts are sent to the researcher, who can then perform a more manual investigation.

Synack plans to add modules that address mobile devices and web applications over the next few months, Kaplan said. For mobile, Hydra will look at a variety of things, from insecure cryptography to embedded passwords and keys. 

Kaplan said his company, founded about three years ago, has taken many cues from how the NSA conducts its vulnerability research. He worked at the spy agency for four years as a senior cyber analyst on offensive cyber operations.

"You can definitely draw a parallel to the way the NSA conducts business on the intel side" Kaplan said. "They very regularly leverage technology for scale --  that's scale on a whole other level -- but they also have a cyber operations workforce that is responsible for intelligence purposes."

The first phase of Hydra has been pushed to Synack's researchers, and it will go live today, Kaplan said.

Join the CSO newsletter!

Error: Please check your email address.

More about KaplanNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place