Hacker-Powered Security Platform

Synack helps clients efficiently find and fix vulnerabilities before criminals can exploit them and inflict critical damage. Synack finds, assesses, and ranks these critical vulnerabilities in even the most sophisticated, compliance-driven companies. Synack is committed to partnering with you to achieve not just compliance, but real security. With our global crowd of security experts, we bring you a hacker-powered approach to security to resist attack and reclaim the upper hand against the adversary.


What’s wrong with penetration testing?

  • Combining human ingenuity with the scalability of technology
  • An adversarial approach to exploitation intelligence
  • Tapping into the highly-skilled talent pool of security experts
  • True visibility into the scope of your security testing
  • Assurance and audit logging provide transparency and trust

Standard penetration testing fails on three major fronts: visibility, scalability and process.

Visibility - with a standard penetration test, security experts complete a checklist of testing objectives and produce a single report of their activity as the final deliverable. As the customer, you get only the results, with no visibility into the process. A penetration test report lacks important information about how effectively your attack surfaces were actually evaluated. Synack solves this problem through its secure gateway technology, LaunchPoint, which captures all testing traffic passing through the platform.

Scalability - with a standard penetration test, you rely on a very limited diversity of skills and approaches (1–2 people per team) to test your systems thoroughly. Many security organizations contract multiple vendors in order to ensure diversity and thoroughness in their testing. This approach cannot scale to defend against growing attack surfaces and the increasing complexity of attacks. Synack addresses this challenge with the Synack Red Team (SRT), a diverse crowd of hundreds of the world’s top researchers who are highly vetted for skill and trustworthiness. The Synack Red Team is enhanced by Hydra, Synack’s scanning technology.

Process - with a standard penetration test, the expected outcome is compliance with regulatory standards, and the compensation model is based on a tester’s time and materials. This model gives testers no incentive to find exceptionally severe vulnerabilities with significant business impact. At Synack, we prioritize finding and fixing business-critical vulnerabilities that could have major implications for your brand and operability. We use a dynamic, incentive-based model that pays our researchers only for vulnerabilities found.

Our offerings

Synack offerings are cloud-based and can be activated within 24 hours for external testing. All subscription models include deployment of the Synack Red Team, Synack Platform (Hydra, LaunchPoint™, Client Portal), end-to-end program management from the Synack Ops team, and a vulnerability disclosure program. Synack tests web, mobile, host/infrastructure and APIs. Over 100 organizations have used Synack for a more effective, efficient penetration test.

Synack offers several ways to engage our capabilities:

  • Synack Platform: Always-On Security Augmentation, including Smart Scanning - included in all offerings
  • Disclose: Vulnerability Disclosure Program - included in all offerings
  • Discover: Crowdsourced Vulnerability Discovery
  • Certify: Crowdsourced Penetration Testing
  • Synack365: Crowdsourced Penetration Testing 365

Synack Platform

The Synack Platform comprises our proprietary technology, including Hydra, LaunchPoint, and the unique algorithms and intelligence used in SmartScan. SmartScan uses Hydra’s automation technology to continuously monitor for potential vulnerabilities and alerts the SRT to triage and validate them, so we don’t waste your valuable time on low-quality intelligence. The results include accelerated discovery and remediation processes, augmented security teams, and new insights and security metrics on a 24/7/365 basis.

Discover: Crowdsourced Vulnerability Discovery

Harnessing the Synack Platform and SmartScan, Discover finds vulnerabilities by setting creative hackers on an unstructured hunt across web, mobile, and host/infrastructure assets. Our vetted crowd of top-notch security researchers, the Synack Red Team, is unleashed through a secure platform to test selected client assets. They are armed with proprietary recon techniques from Synack Hydra™ that help researchers avoid duplicate or dead-end research. Synack Red Team researchers are incentivized through a fast-paying bug bounty model to find vulnerabilities and submit reports on their findings for verification and remediation. The unstructured testing methodology of Discover: Crowdsourced Vulnerability Discovery mimics the actual attack attempts adversaries use to exploit vulnerabilities. This type of testing addresses the weakness of many defense-first strategies, which can only prevent attack types that have already been understood and fingerprinted.

Discover and all Synack offerings include an Attacker Resistance Score (ARS), a key method for determining the ground truth of how vulnerable your organization is from the only eyes that matter - attackers. See below for more information about ARS and how it can be used to manage an application through its security maturity lifecycle.

During a Discover engagement, the SRT actively hunts for vulnerabilities for two weeks, supported by SmartScan. After these two weeks, SmartScan continues year-round. As part of the engagement, clients receive a fully managed service that includes a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

Certify: Crowdsourced Penetration Testing

Certify includes all of the features of Discover and adds checklist-style task completion on top of the crowdsourced vulnerability discovery methodology. Certify yields documented proof that specific security checks were completed at a point in time. Synack Red Team researchers, complemented by Synack’s intelligent scanning technology, are incentivized by a bounty model to find vulnerabilities and to complete compliance checklists. Completing regular Crowdsourced Penetration Testing ensures that an entire organization’s security practices are working correctly and improving over time. Each check is performed by a qualified SRT member who handles one or more items based on lists from OWASP or PCI.

The result of compliance checks via Certify is a documented report of the security testing that was performed, regardless of whether a vulnerability was found.

During a Certify engagement, the SRT actively hunts for vulnerabilities for two weeks, supported by SmartScan. After these two weeks, SmartScan continues year-round. As part of the engagement, clients receive a fully managed service that includes a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

Synack365: Crowdsourced Penetration Testing 365

For maximum testing rigor, Synack365 provides active, SRT-led testing and coverage for 365 days of the year, supported by SmartScan. Synack365 is the industry’s only penetration test to seamlessly orchestrate technology with crowdsourced human intelligence. The subscription-based yearly engagement includes a fully managed service with regular compliance verification, a dedicated program manager, scoping services, program management and vulnerability triage, vulnerability notifications, patch verification, vulnerability disclosure program management, and detailed data analytics and reporting.

For more information, call our security consultants at +31 (0) 345 506 105 or send an email to info@isoc24.com.
