Managed Crowdsourced Security Testing

Synack, the trusted crowdsourced security platform, provides comprehensive penetration testing with actionable results. Synack harnesses an exclusive team of security researchers and proprietary automation technology to efficiently find and fix vulnerabilities before criminals can exploit them to breach customer data, steal money or worse. Synack offers continuous testing solutions and point-in-time testing for security assurance and compliance via a managed platform. Our end-to-end program management and white glove service ensure that we do the work, not our clients.

Synack offerings are cloud-based and can be activated within 24 hours for external testing. All subscription models include deployment of the Synack Red Team, Synack Platform (Hydra, LaunchPoint™, Client Portal), end-to-end program management from the Synack Ops team, and a vulnerability disclosure program. Synack tests web, mobile, host/infrastructure and APIs. Over 100 organizations have used Synack for a more effective, efficient penetration test.

Synack Platforms

The Crowdsourced Security Platform

Synack’s Crowdsourced Security Platform is the industry’s only platform to harness the best of both human security testers and automation technology to provide a more effective, efficient penetration test on a continuous basis. Proprietary automation technology, Hydra, conducts attack surface reconnaissance and accelerates the Synack Red Team’s vulnerability discovery process. The Synack Red Team creatively hunts for vulnerabilities using an adversarial mindset and security checklists. All testing traffic is conducted through Synack’s secure gateway, LaunchPoint, and managed by Synack Operations (“Mission Ops”). Actionable results are available in near real time in the Client Portal.

Synack Model

The Synack platform powers what we call the continuous security flywheel which helps significantly reduce security risk through a combination of human and machine intelligence. Key components include:

  1. Vulnerability Discovery - Find unknown vulnerabilities using a hacker-powered approach that uses a crowd of researchers with greater skill, specialization, and dedication than is typically found in security generalists.
  2. Compliance Testing - Using Penetration Testing with a checklist component, get both testing for severe vulnerabilities and compliance-friendly documentation of checks that don’t find vulnerabilities, but still show security.
  3. Enterprise-Wide Coverage - Augment your security teams with SmartScan that provides enterprise-wide scale without the noise - our Synack Red Team triages suspected vulnerabilities caught by Hydra, exposing exploitable vulnerabilities with detailed remediation and replication reports.
  4. Efficient Vulnerability Management - Easily scale your vulnerability management across 100s of apps through our extensible platform.
  5. Remediation & Patch Verification - All of the above results in verified, detailed reports to your dev teams to enable them to quickly remediate any bugs. Go back to the testers and have them verify all patches are truly effective - patches fail 15% of the time, and it only takes one failure to cause a breach.
  6. Attacker Resistance Score - Assess your areas of risk and prioritize which areas to focus on first based on those assets’ value to the enterprise.
  7. Repeat this process - The process can operate continuously so researchers always have an incentive to shorten your vulnerabilities’ lives.

Integrate with your SDL

This testing can be integrated into a software development lifecycle through Synack's integrations with DevOps tools and through LaunchPoint, whose protection extends to internal or pre-production assets. This can shorten the life of vulnerabilities further and reduce your cost of remediation.

Synack Red Team (SRT)

The Synack Red Team is Synack’s private network of highly-curated, skilled and vetted security researchers from around the world. These security experts undergo the most stringent combination of screening, interviews, skills testing and vetting in the industry to offer our clients only the best, most trusted solution. This team provides the rigor, creativity, and adversarial perspective that make Synack testing so powerful. These talented researchers deliver vulnerability discovery, checklists, and reports to some of the largest global companies and government agencies around the world. Synack supports the SRT with purpose-built, patented technology that makes the researchers more efficient. Researchers are rewarded for successful vulnerability submissions and consistent contributions through bug bounty, task-based payments and SRT loyalty program status. As a result, they are highly motivated to provide rigorous testing.

LaunchPoint™

The SRT members are required to conduct all client asset testing through LaunchPoint, Synack’s proprietary secure gateway technology. LaunchPoint robustly captures all testing traffic data, providing analytics, transparency and auditability to the crowdsourced testing model. Analytics include testing hours logged, attack type analysis, testing coverage maps, and pause/restart capabilities for all testing traffic.

How we engage

Synack offers various Crowdsourced Security Testing products for your web and mobile applications, host infrastructure, and APIs built on our Platform and smart scanning capability.

Synack offers several ways to engage our capabilities:

  • Synack Platform: Always-On Security Augmentation, including Smart Scanning - included in all offerings
  • Disclose: Vulnerability Disclosure Program - included in all offerings
  • Discover: Crowdsourced Vulnerability Discovery
  • Certify: Crowdsourced Penetration Testing
  • Synack365: Crowdsourced Penetration Testing 365

Synack Platform

The Synack Platform comprises our proprietary technology, including Hydra, LaunchPoint, and the unique algorithms and intelligence used in SmartScan. SmartScan uses Hydra's automation technology to continuously monitor for potential vulnerabilities and, when an alert fires, engages the SRT to triage and validate the finding, so that clients' valuable time is not wasted on low-quality intelligence. The results include accelerated remediation and discovery processes, augmented security teams, and new insights and security metrics on a 24/7/365 basis.

Discover: Crowdsourced Vulnerability Discovery

Harnessing the Synack Platform and SmartScan, Discover finds vulnerabilities by setting creative hackers on an unstructured hunt in web, mobile, and host/infrastructure assets. Our vetted crowd of top-notch security researchers, the Synack Red Team, is unleashed through a secure platform to test selected client assets. They are armed with proprietary recon techniques from Synack Hydra™ to help researchers avoid duplicate or blind alley research. Synack Red Team researchers are incentivized through a fast-paying bug bounty model to find vulnerabilities and submit reports on their findings for verification and remediation. The unstructured testing methodology of Discover: Crowdsourced Vulnerability Discovery mimics actual attack attempts that adversaries use to exploit vulnerabilities. This type of testing addresses the weaknesses of many defense-first strategies that can only prevent attack types that have been understood and fingerprinted.

Discover and all Synack offerings include an Attacker Resistance Score, a key method for determining the ground truth of how vulnerable your organization is from the only eyes that matter - attackers. See below for more information about ARS and how it can be used to manage an application through its security maturity lifecycle.

During a Discover engagement, the SRT actively hunts for vulnerabilities for two weeks, supported by SmartScan. After these two weeks, SmartScan continues year-round. As part of the engagement, clients receive a fully managed service that includes a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

Certify: Crowdsourced Penetration Testing

In addition to all of the features of Discover, Certify tests add checklist-style task completion to the crowdsourced vulnerability discovery methodology. Certify yields documented proof that specific security checks were completed at a point in time. Synack Red Team researchers, complemented by Synack's intelligent scanning technology, are incentivized by a bounty model both to find vulnerabilities and to complete compliance checklists. Completing regular Crowdsourced Penetration Testing gives assurance that an entire organization's security practices are working correctly and improving over time. Each check is performed by a qualified SRT member who handles one or more items drawn from OWASP or PCI checklists.

The result of compliance checks via Certify is a documented report of security testing that was performed, regardless of whether a vulnerability was found.

During a Certify engagement, the SRT actively hunts for vulnerabilities for two weeks, supported by SmartScan. After these two weeks, SmartScan continues year-round. As part of the engagement, clients receive a fully managed service that includes a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

Synack365: Crowdsourced Penetration Testing 365

For maximum testing rigor, Synack365 provides active, SRT-led testing and coverage for 365 days of the year, supported by SmartScan. Synack365 is the industry’s only penetration test to seamlessly orchestrate technology with crowdsourced human intelligence. A subscription-based yearly engagement includes a fully managed service with regular compliance verification, a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

By implementing continuous security testing, organizations can align their security with their continuous integration/ continuous deployment (CI/CD) development practices, shorten and/or eliminate the life of exploitable vulnerabilities, and continually increase systems’ resistance to cyber-attack.


For more information, call our security consultants at +31 (0) 345 506 105 or send an email to info@isoc24.com