13 February 2017

Hack the Pentagon: Critical Systems Results Revealed

Mark Kuhr

Synack & US Defense Department Take a Bold Step Forward

On February 7, 2017, our office broke out in high fives and sighs of relief as we brought our most recent challenge to a close. This was a challenge unlike any other for both us and our customer. For the first time, we were bringing our crowd of skilled ethical hackers in to test one of the most complex systems in Synack’s history… and in the country. Through the Hack the Pentagon program, the Department of Defense (DoD) had asked Synack to look for vulnerabilities left undetected by traditional security solutions in one of its highly complex and sensitive systems. The DoD was going to push the limits of security beyond those of most enterprises, and we wanted to meet that commitment with the trust and quality that is now synonymous with Synack. Neither Synack nor the DoD knew what we would find, but we at Synack knew our crowd of top talent would be up to the challenge. To say the results were surprising would be an understatement.


This project is the most recent chapter in a much longer journey for the Defense Digital Service, the program lead within the Pentagon. The parent program, Hack the Pentagon, first kicked off with a pilot in the spring of 2016. This innovative initiative proved that a crowd of hackers could find vulnerabilities in DoD web applications that had gone undetected by all other security solutions before them. After the results of this program, the DoD was curious what else a crowd of hackers could do. They decided that they would take this program a step further and test some of their mission critical systems.

For their first mission critical challenge, the DoD selected a sensitive system on which servicemen and women across the world rely to do their job – if it fails, the mission fails. But unlike the pilot, the DoD needed a private, managed way to harness the skills of the crowd for such a sensitive target. And it needed top talent – a group of highly trained, vetted security researchers that have spent their careers building and analyzing complex IT systems and architectures. So when the DoD approached us with this project opportunity, we, of course, said game on. Not only were we honored to serve our country in this way, but we also were ready to put the platform that we have been building for the past 4 years to the ultimate test.


When Jay and I were at the NSA, we saw firsthand that adversaries were swimming through our networks with ease. In many cases, they used known vulnerabilities as their points of entry, but in others they leveraged common vulnerabilities that should have been discovered by a testing team. Traditional solutions leave undiscovered vulnerabilities on the table. We knew that if we united a crowd of talented security researchers, and enabled them with proprietary vulnerability intelligence technology, we could provide an adversarial perspective on a system’s security that would uncover those “unknown” vulnerabilities. We believe strongly that you have to train like you fight. Through this scalable solution, we knew we could outpace the adversary.


Finally, after four weeks of testing this sensitive DoD target, we are immensely proud to see that the results of Hack the Pentagon: Critical Systems truly do speak for themselves. Within a matter of hours of kicking off the project, we started to report critical vulnerabilities found in the target. Our elite team of 80 researchers on this project truly delivered. All of this adversarial intelligence was provided to our government customer at a fraction of the cost of a traditional contractor. These are the kinds of moments that make all of the hard work over the past 4 years worth it. This is the kind of real impact and value we aim to provide every one of our customers across the government, financial services, healthcare, retail, and technology sectors.

As a company, we are thrilled to see the government lead from the front in this effort. It takes a huge amount of courage and innovation to open your valuable assets to a new security approach, but this just speaks to our Defense Department’s commitment to doubling down on security. While this challenge was uncharted territory for both sides, we are coming out of this project with a renewed focus on our shared mission to keep our nation secure. With even the most sophisticated security organizations like the Pentagon realizing the value of crowd security intelligence, we know that we are on the brink of disruption. We cannot wait to see what comes next.

Interested in learning more about how a crowd of hackers helped secure our nation’s sensitive digital assets? My co-founder, Jay Kaplan, will be talking about Crowdsourced Security at the Government Level at 2:45pm on Wednesday, February 15 at the RSA Conference. Join live or watch the video here.