28 May 2019

Synack, CREST, and the Implications for Crowdsourced Security


Efficient, effective penetration testing is hard to find. Customers are often forced to choose between price, quality, and scalability. I know this from personal experience as the former Head of Penetration Testing at JPMorgan Chase.

When crowdsourced penetration testing hit the market, I immediately saw that it should form an important part of an organization’s security assurance program. The rigor of the test from a crowd of security testers, motivated by an incentive-driven model, paired with the scalability and efficiency of a technology platform, can deliver significant ROI to an organization. I knew this approach would set a new standard, and when the opportunity presented itself, I decided to join the Synack team full time.

Several months into the job, I am pleased to announce that Synack has received CREST accreditation and membership in the USA. This recognition reaffirms the technical quality and testing rigor of the model, currently deployed across the Global 2000.

What is a CREST accreditation?

For readers outside the UK, CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security industry. CREST was set up in 2006 in response to the need for more regulated penetration testing services and is now recognized globally as an important cyber assurance body for the technical security industry. CREST provides internationally recognized accreditation for companies and professional certifications for individuals, covering penetration testing, cyber incident response, threat intelligence and SOC services. Synack’s accreditation for its penetration testing services has concrete benefits for customers and significant implications for Synack and for the Crowdsourced Security Testing market at large.

What are the implications for Synack’s customers and prospects?

  • This is an independent, verifiable third-party assessment of Synack’s security testing capability by one of the most respected not-for-profit accreditors in the security industry. It means that services are delivered by a trusted company operating under best-practice policies and procedures.
  • The work is conducted by highly qualified individuals with up-to-date knowledge, skill and competence in the latest vulnerabilities and techniques used by real attackers. Our customers know them as the Synack Red Team, an elite crowd of security researchers vetted for both skill and trust.
  • Finally, the accreditation provides an additional way to keep Synack accountable to high quality standards across the board. Customers have recourse: both company accreditation and individual certification are underpinned by a code of conduct and a complaints procedure.

As mentioned in a recent article in CyberScoop, Synack has always sold tests, not bugs. It started offering and refining its Crowdsourced Penetration Test years ago. Through this accreditation, Synack’s company policies and procedures, testing methods, approach and testing personnel have been given an unbiased seal of approval. The accreditation further reinforces that innovation matters: a Crowdsourced Penetration Testing startup can match or exceed the level of service of other well-respected consultancies while using a more efficient and effective approach.