Synack’s approach is to combine human expertise and AI (Artificial Intelligence) to provide continuous security, scaled by the world’s most skilled ethical hackers and AI technology.
Where does the name Synack come from?
The name Synack comes from the foundational protocols of the world’s online networks. SYN-ACK is the “handshake” that transfers data packets between sender and receiver. (Source: Synack.com)
On their Solutions page there is a grid showing the company’s 4 main offerings and the platform features each of them provides. SmartScan is the entry point and Synack365 is their most comprehensive offering:
- SmartScan – Intelligent Vulnerability Assessment
- Discover – Crowdsourced Vulnerability Discovery
- Certify – Crowdsourced Penetration Testing
- Synack365 – Crowdsourced Penetration Testing 365
The platform features are grouped together into 5 main categories covered in the following sections:
Synack Testing Pillars
This covers the tools made available within the platform, such as Hydra, LaunchPoint, Apollo, the Client Portal, and APIs & Integrations. There is also access to the SRT (Synack Red Team), Ops (Program & Researcher Management), plus Disclosure (Managed Vulnerability Disclosure Program).
Hydra is Synack’s AI-powered scanner, which carries out reconnaissance in an automated manner. LaunchPoint is their secure testing gateway, which captures traffic data, provides analytics, and more. Apollo is their continuous learning engine, which uses “data science and machine learning to automate repeatable tasks”.
Results + Analytics
There is Standard Reporting of the Suspected & Exploitable Vulnerabilities plus coverage of what was in scope. Comprehensive Reporting is also available, together with Human-Written Analysis as opposed to just system-generated output. An ARS (Attacker Resistance Score) is also made available.
SRT Management covers the recruiting, retaining, engaging & compensating of Penetration Testers. Vulnerabilities are triaged and verified. Patches can be verified. Recommended Remediation Guidance is also provided.
This category covers testing of adherence to industry standards such as:
- PCI – Payment Card Industry
- NIST – National Institute of Standards and Technology
- OWASP – Open Web Application Security Project (Application Security Verification Standard)
This involves a Business Review, providing a Dedicated Program Manager, and SLOs (Service-Level Objectives). SLOs form a key element of an SLA (Service-Level Agreement).
The SRT is the team of pentesters and ethical hackers who form the cybersecurity researchers behind the Synack platform. They are recruited based on their skill and trustworthiness.
The SRT Levels program provides rewards based on participation, ‘hacking chops’, and the impact made by vulnerability discoveries.
Level up to earn community status, bragging rights, and access to exclusive targets, challenges, and events. (Source: Synack.com)
SRT Researchers can earn from bug bounty payments (finding vulnerabilities) or executing compliance checks for mission payments.
In order to become an SRT member, every candidate goes through a vetting process once an application is received. This is a multistage process that includes a video interview, skills assessment, and background check. The success rate of going from the application stage to becoming a member is 12%.
Are you a member of Synack who performs bug bounty hunting, or a customer who has used their services? If so, please comment below to share your experiences and any tips you have.