
Bugcrowd Unveils Crowdsourced Red Team-as-a-Service Offering at RSA


Bugcrowd, known for its crowdsourced cybersecurity platform that helps organizations identify and fix software vulnerabilities, is now offering its red team capabilities as a service.

The company announced its new red-team-as-a-service (RTaaS) offering today at the opening day of the RSA Conference in San Francisco. RTaaS isn’t new – there are a number of cybersecurity firms that offer such a service – but Bugcrowd is the first to offer one based on crowdsourcing, which company executives said delivers greater scale and agility.

“At Bugcrowd, we’ve seen the power of crowdsourced security in overcoming security skills shortages and providing continuous protection,” Julian Brownlow Davies, global vice president of advanced services at Bugcrowd, wrote in a blog post. “By harnessing the collective skills and expertise of the hacker community, organizations have seen resounding success in detecting novel vulnerabilities and efficiently scaling coverage.”

Davies added that “now, we’re applying all the benefits of crowdsourcing to red teaming – bringing scale, agility, and rewards-driven results to make red team exercises accessible to all organizations.”

For Organizations and MSSPs

Those red team exercises are aimed not only at end-user organizations but also at MSSPs and other channel partners that want to deliver or resell them.

“Ultimately, the MSSP [and] VAR has the ability to both augment their delivery – use Bugcrowd to service excess capacity – or retain the service engagement – let us do the work – when the customer requires a different delivery partner,” Bugcrowd CISO Trey Ford told MSSP Alert.

Simulated Attacks

A red team – essentially a group of ethical hackers – simulates a cyberattack on an organization to test its security tools and processes, helps close the gaps that are found, and improves the customer’s resilience. RTaaS is another way to give enterprises and SMBs access to red teaming, which Davies said is a critical but underutilized tool at a time when cyberthreats are becoming more sophisticated and harder to detect.

He cited a Forrester Research report showing that red team assessments can result in 25% fewer security incidents and a 35% reduction in the cost of such events.

However, there are challenges with deploying red teams, Davies wrote. Traditional red team companies rely on a small group of highly skilled operators handling a constant stream of intense projects, which makes such teams difficult to hire and field. The necessary expertise is also hard to find, and even organizations with the time and resources to invest in red teaming often struggle to act on the team’s findings.

“As a result, red teaming has failed to live up to its full potential and deliver the expected security ROI,” he said, adding that crowdsourcing pulls together “the collective skills and expertise of the hacker community [and] organizations have seen resounding success in detecting novel vulnerabilities and efficiently scaling coverage. Now, we’re applying all the benefits of crowdsourcing to red teaming.”

Growing Number of RTaaS Offerings

There are multiple vendors with RTaaS offerings, including Synopsys, CyberArk, BreachLock, Group-IB, Rapid7, and RedBot. On the supply side of the equation, a crowdsourced RTaaS offers protection against a skilled member leaving the team, Ford said, adding that for MSSPs, Bugcrowd can “stand in that gap, and augment their ability to deliver these services for the customer.”

For customers, “auditors want to see a variance in who delivers these offensive security services every couple of years,” he said. “Powered by the crowd, we have the ability to make sure there are different folks at the keyboard every engagement.”

Those benefits apply to organizations and MSSPs alike.

Three Delivery Models

RTaaS, which is available now on Bugcrowd’s platform, includes threat intelligence aligned with realistic scenarios, real-world adversarial tactics, specialized operators, and an integrated platform and workflows. The company also says the service delivers high ROI through flexible pricing options, including day rates, reward pools, and continuous programs.

Additionally, there are three delivery models. The Assured model follows a traditional red team approach while incorporating crowdsourced expertise: a team of operators runs a full-spectrum simulated attack, works with a designated control group of security experts, and produces a final report afterward.

The Blended model combines traditional red teaming with a private, bug bounty-style test for intelligence-led simulations; the San Francisco-based company said it is aimed at firms that want to try out continuous red team assessments.

The Continuous model provides persistent testing tailored to the customer’s needs, using small, rotating teams of experts. If one team is unsuccessful in infiltrating the client’s systems, a second team takes its place.
