31 August 2022

Building Trust with a Vetted Team of Security Researchers

Kirsten Gibson

It’s natural to wonder who makes up the Synack Red Team (SRT), our dedicated team of 1,500+ security researchers, and how they ended up finding vulnerabilities in our customers’ IT systems (with permission, of course). 

Companies want assurance they’re not opening the front door to just anybody. Much like you wouldn’t let a stranger into your home without a warm introduction from a mutual friend, organizations want to know who is testing their systems. Here we explain how SRT researchers become part of an elite, global community of ethical hackers with diverse skill sets. 

Becoming an SRT Member Requires Building Trust 

One of the strengths of the SRT comes from its diverse community; our SRT members are top researchers in their respective fields—academia, government and the private sector. They hail from countries all around the world, including the United States, the United Kingdom, Canada, Australia and New Zealand. Human ingenuity takes many forms, and it’s that richness of difference that lets the SRT take on a seemingly endless variety of security testing tasks. 

Before joining the team, each prospective SRT member must first complete a 5-step vetting process designed to assess both skill and trustworthiness. Historically, fewer than 10% of applicants have been accepted into the SRT, as we strive to add only trusted individuals who will contribute positive results without adding noise to the platform. While our process loosely resembles bug bounty models, Synack sets the bar higher. 

Synack’s community team monitors the online behavior of SRT members and removes members immediately when required. Synack maintains a common standard and reward level across the SRT, so clients benefit from a clear, agreed understanding between SRT members and Synack of what constitutes a thorough report deserving of a high reward. SRT members have collectively earned millions of dollars and found thousands of vulnerabilities for Synack clients, including the U.S. Army and Air Force, the Centers for Disease Control and Prevention and the Internal Revenue Service. 

Baking “Trust But Verify” Into the Process 

The Synack Platform ultimately powers our researchers. Synack works closely with clients to accurately scope testing and instruct them on how to use the Platform effectively. 

The Platform is also where SRT researchers submit findings to be triaged by our Vulnerability Operations team. VulnOps ensures that quality results are delivered to the client in a variety of formats (e.g. easily digestible reports, integration of data into existing security software). Clients are also able to communicate directly with researchers for questions or follow up. 

All SRT traffic goes through Synack’s VPN, LaunchPoint, to provide control and assurance around pentesting traffic. LaunchPoint routes all penetration testing traffic through a single source, so a client can pause or stop testing at the push of a button and gets complete visibility into researcher activity through full packet capture. Traffic is time-stamped for auditing purposes, and LaunchPoint allows Synack to cleanse and delete sensitive customer data once it is no longer needed for testing.
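Because every researcher request egresses from one declared source and every engagement has an agreed window, a client can check its own logs against those two facts: anything hostile-looking from outside the egress range is not the SRT and must be treated as a real incident, and any SRT traffic after the stop time is worth raising with Synack. The script below is an added example of that client-side audit, not Synack code and not LaunchPoint’s implementation. The egress CIDR (203.0.113.0/28), the testing window, the log format (Apache/nginx combined) and the log lines themselves are constructed assumptions for illustration.

```python
"""Audit a web access log against a declared pentest egress range and window.

Added example; the CIDR, window, signatures and log lines are constructed
assumptions, not values from any real engagement.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Hypothetical values a client would receive for an engagement.
EGRESS_NET = ipaddress.ip_network("203.0.113.0/28")
WINDOW_START = datetime(2022, 8, 30, 9, 0, tzinfo=timezone.utc)
WINDOW_STOP = datetime(2022, 8, 30, 17, 0, tzinfo=timezone.utc)

# Combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Deliberately small signature set; a real deployment would use its WAF/IDS rules.
HOSTILE_PATTERNS = [
    re.compile(r"\.\./"),                       # path traversal
    re.compile(r"(?i)union\s+select"),          # SQLi
    re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"),  # tautology SQLi
    re.compile(r"(?i)<script"),                 # reflected XSS probe
    re.compile(r"/etc/passwd"),
]

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2022:10:15:02 +0000] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Aug/2022:18:02:41 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/7.85.0"
198.51.100.23 - - [30/Aug/2022:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.77 - - [30/Aug/2022:12:30:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "python-requests/2.28"
this line is not a log entry
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime) and decoded request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": unquote(m.group("req"))}


def looks_hostile(request):
    return any(p.search(request) for p in HOSTILE_PATTERNS)


def classify(entry):
    """Attribute a request using only the egress range and the window."""
    src = ipaddress.ip_address(entry["ip"])
    if src in EGRESS_NET:
        # Declared pentest source: only the timing matters.
        if WINDOW_START <= entry["ts"] <= WINDOW_STOP:
            return "srt_in_window"
        return "srt_outside_window"
    if looks_hostile(entry["req"]):
        # Attack-like traffic that did not come through the egress: not the SRT.
        return "unattributed_attack"
    return "benign"


def audit(lines):
    """Count each category and collect the entries that need follow-up."""
    counts = Counter()
    follow_up = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        category = classify(entry)
        counts[category] += 1
        if category in ("srt_outside_window", "unattributed_attack"):
            follow_up.append((category, entry["ip"], entry["ts"].isoformat(), entry["req"]))
    return counts, follow_up


if __name__ == "__main__":
    counts, follow_up = audit(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for item in follow_up:
        print(*item)
```

Running it on the constructed sample flags two entries: the traversal attempt from 203.0.113.9 after the 17:00 stop (SRT source, wrong time) and the XSS probe from 198.51.100.77 (hostile, not from the egress). The SQL injection from 203.0.113.5 inside the window is attributed to the engagement and left alone.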

Synack Works with Top Government and Private Sector Clients

Setting the bar higher allows Synack to work with clients who need additional assurance. Recently, we completed the requirements to achieve our FedRAMP Moderate “In Progress” level, which allows us to work with almost any U.S. federal agency. In past years, we’ve participated in Hack the Pentagon and several public hacking competitions for U.S. defense agencies, such as a 2019 effort in Las Vegas to find critical weaknesses in the F-15 fighter jet.

Malicious actors don’t need any clearance to hack into systems. Synack takes the task of combatting those bad actors seriously, and our teams, from the Red Team to VulnOps, have worked to ensure that our clients receive vulnerability reports that are actionable and handled securely. We continue to innovate in the security testing and pentesting-as-a-service industry, ensuring privacy and security for all our clients while providing clear visibility into all testing through our trusted technology.
