Last Updated: December 18, 2025

The Synack Platform: A Guide to Key Features and Benefits

| | Sara Pentest | SynackST/ST+ (Penetration Test) | SYNACK14 (Penetration Test) | SYNACK90 (Continuous Penetration Testing) | SYNACK365 (Continuous Penetration Testing) | API |
| --- | --- | --- | --- | --- | --- | --- |
| Assessment Window | 2-3 days | ST: 5 days; ST+: 5-10 days | 14 days | 90 days | 365 days | Varies based on quantity of in-scope endpoints |
| Test Methodology | Open Vulnerability Discovery | Guided checklist-based assessment | Open Vulnerability Discovery | Open Vulnerability Discovery | Open Vulnerability Discovery | Headless API endpoint testing and reporting |
| Smartscan | Yes | No | Yes | Yes | Yes | N/A |
| Testers | AI agent driven | Assigned researcher | Pool of researchers | Rotating pools of researchers | Rotating pools of researchers | Pool of researchers |
| Asset Types | External Web or Host | Web or Host | Web, Host, Mobile, or LLM/AI | Web, Host, Mobile, or LLM/AI | Web, Host, Mobile, or LLM/AI | Headless API |
| COMPLIANCE | | | | | | |
| Detailed Pentest Report | Yes* | Yes* | Yes | Yes | Yes | Yes |
| Industry Standards Testing | Optional Add-on checklists (OWASP, NIST 800-53) | OWASP checklist | Optional Add-on checklists (OWASP, NIST 800-53) | Optional Add-on checklists (OWASP, NIST 800-53) | Includes 2 Premium Checklists (OWASP, NIST 800-53) | Proof of coverage report included |

The Synack Platform: Key Features and Benefits

ATTACK SURFACE DISCOVERY, POINT-IN-TIME
Not available in FedRAMP

Self-Service Discovery of New Assets for 30 Days

Seed Groups to Help Organize Assets and Control Access

Limited Discovery of Assets to Surface Testing Candidates

Discovered Asset Reporting Dashboard

REPORTING AND ANALYTICS

Tracking for Researcher Testing Hours

Real-Time Reporting on Exploitable and Suspected Vulnerabilities

Attacker Resistance Score

Track holistic security performance over time with a risk score

Coverage Analytics

Provides real-time information on what, when and how assets are tested

Testing Data History & Retention

Asset List That Catalogs All Tested Assets

Fingerprinting of External Assets to Inform Further Testing

Asset Details Highlighting Previous Testing Results

API AND INTEGRATIONS

Synack API

Synack Basic Integrations (Jira, ServiceNow, Microsoft, Splunk, etc.)

MANAGED COMMUNITY ACCESS

Researcher Vetting

Proactive Researcher Rotation

Access to Researchers and Vulnerabilities

Fully Managed Researcher Payouts

Synack has an incentive-based model, which means Synack compensates researchers for high-quality findings for clients

AUTHENTICATION & AUTHORIZATION

Single Sign-On (SSO)

Role Based Access Control (RBAC)

PLATFORM TEST CONTROLS

Self-Service Pentest Creation

Use Synack’s self-service assessment creation tool to launch pentests on your schedule

AI Scoping Bot

Pause Testing at the Click of a Button

Pause testing on a single assessment at any time using a button in the client portal

Synack-Owned Virtual Security Researcher Workspaces

Synack provides each Synack Red Team member with a virtual workspace hosted in GCP

Enhanced Security with Testing Data Stored in Synack-Owned Endpoints

All researcher testing data is stored in the virtual, Synack-owned workspace

Data Cleansing Available on Customer’s Request

Customers have the option to ask Synack to delete their data.

Exploits Requiring Callbacks

Synack Command and Control Infrastructure to Contain Traffic Stemming from Exploits Requiring Callbacks

VULNERABILITY MANAGEMENT

Active Communication with Researchers

Chat directly with members of the SRT through the platform

Patch Verification

Synack On-Demand Security Testing Catalog Access

Launch security testing at any time, including OWASP vuln checklists, zero-day tests, and other targeted testing

Internal and External Testing

Number of VPN Connections

Synack provides site-to-site VPN setup for internal testing

3, Add-ons available

CUSTOMER SUCCESS

Proactive Identification of Test Issues

Customer Success Personnel

Synack provides a client portal for customers to view vulnerability data and generate PDF reports

Pooled CSS

The Synack Platform: Add-Ons

MANAGED VULNERABILITY DISCLOSURE PROGRAM

Vulnerability Disclosure Program Webform

Triage for 200 Vulnerability Submissions Per Year (Each Additional Submission Is 1 Credit)

Synack will triage vulnerabilities the public submits through your program

External Researcher Management

Synack will manage relationships with members of the public who submit vulnerabilities

Real-Time Reporting

Synack provides a client portal for customers to view vulnerability data and generate PDF reports

ATTACK SURFACE DISCOVERY, CONTINUOUS
Not available in FedRAMP

Self-Service Discovery of New Assets for 365 Days

Seed Groups to Help Organize Assets and Control Access

Weekly Discovery of Assets to Surface Testing Candidates

Discovered Asset Reporting Dashboard

SARA TRIAGE
Not available in FedRAMP

Includes 100 AI-Powered Vulnerability Exploit Validations (Each additional set of 10 triaged vulnerabilities requires 1 credit)

Threat Intelligence Integration

Human Validation of Exploitable Risks

On-Demand SRT Capacity

Additional Details

  • ST/ST+ & Sara Pentesting Reports: “*” indicates AI-generated summaries of reported findings.
  • Asset Types and Scope: The following asset types and scoping parameters apply to each test type below. Customer may select the Customer Product for testing, and each Customer Product selected is subject to approval by Synack: 
    • ST: one low complexity*** web application, 20 unauthenticated URLs, or 100 host IPs. 
    • Sara Pentest: one authenticated web application, or up to 250 IPs. 
    • Sara Pentest, ST+, Synack14, Synack90, and Synack365: One of the following asset types: One web application, up to 50 unauthenticated URLs, one mobile app (iOS and Android), or up to 250 host IPs.
    • API: One API with up to 25 endpoints (add-ons available for more).

***Web application complexity will be determined by Synack based on factors including tenancy, user roles, and other factors.

  • Subscription Period: Except as otherwise stated above, all services will be provided during the subscription period set forth in the customer’s order form.
  • Open Vulnerability Discovery: Incentive-based open vulnerability discovery testing performed by the Synack Red Team (SRT) on in-scope test assets pursuant to agreed upon rules of engagement and testing timeline.
  • Guided Vulnerability Discovery: Structured vulnerability discovery is performed by a single vetted SRT member following a methodology based on industry-recognized standards on in-scope test assets pursuant to agreed upon rules of engagement and testing timeline.
  • Synack Catalog: With the purchase of Synack Credits, customers can launch additional tests and checklists within the Synack Platform. Synack Credits must be purchased separately.
  • Attack Surface Discovery, Point-in-time: For 30 days, new assets are discovered weekly and fingerprinted daily. Discovered assets are limited to 25,000 assets. Additional assets can be added for an additional fee.
  • Attack Surface Discovery, Continuous: For 365 days, new assets are discovered weekly and fingerprinted daily. Discovered assets are limited to 25,000 assets. Additional assets can be added for an additional fee.

Additional Offerings

  • Managed Vulnerability Disclosure Program: Synack receives, investigates and validates vulnerability reports submitted by public security researchers (“Finders”) through a public managed vulnerability program. Finders are not Synack Personnel. Synack disclaims all liability arising from or related to the activities of Finders.
  • Synack Credits: Synack Credits are redeemable for the services listed in the Synack Catalog available in the Synack Platform. Catalog offerings and credit prices are subject to periodic change. Synack Credits are redeemable only for Catalog offerings. Synack Credits have no cash value, are non-transferable and non-refundable. Synack Credits are only valid during the customer’s subscription period, and any unused credits will expire at the end of the subscription period.