A big player in one of the buzziest areas of cybersecurity has started offering penetration testing services, entering a market where firms deploy dedicated teams or use automation to perform the same tasks.
Since its founding in 2012, bug bounty program provider HackerOne has made its name by building a stable of freelance security researchers that poke around on client networks. By connecting hackers with customers including GM, Starbucks and the U.S. Department of Defense, HackerOne helps more than 1,200 organizations find and fix security vulnerabilities.
The San Francisco-based firm now says it’s expanding to offer crowdsourced pen-testing, a market CEO Mårten Mickos suggested now stands at roughly $1 billion. It’s a step up from the current bug bounty market, which he pegged at around $150 million.
“Most [penetration testing] companies suck,” Mickos said during a recent interview in New York City. “Our plan is to take the market share from pen test companies.”
HackerOne already is conducting pen tests with roughly a dozen clients, he said. Next, the company plans to recruit experienced penetration testers to boost its ranks, perhaps even by paying employed pen testers to do some work for HackerOne during their free time.
Market research firm Gartner defines penetration testing as going beyond vulnerability scanning, using multi-step and multi-vector attack techniques that not only find bugs, but work to exploit them. Bug bounty testing typically consists of finding and reporting vulnerabilities like cross-site scripting or misconfigured servers, though terms vary drastically depending on the agreement.
The size of the pen-testing market is difficult to pin down. Various forecasters have predicted that figure will grow to anywhere from $2.8 billion by 2023, to a high-end measurement of $12 billion by 2020.
“I can’t comment on the accuracy of any number like that, but the market is large,” said Toby Bussa, a Gartner analyst specializing in security and privacy. “It can be a challenge for companies to decide which vendor to work with.”
Security giants like Symantec and FireEye have offered pen testing for years, and other bug bounty players like Bugcrowd and Synack also conduct crowdsourced pen tests.
But the market is growing thanks in part to a number of compliance rules that require companies to conduct these kinds of services. The Payment Card Industry’s Data Security Standard, for example, explicitly requires penetration testing while other rules, like the Health Insurance Portability and Accountability Act, require companies to conduct a risk analysis. Pen testing usually satisfies that requirement.
Clients typically conduct a handful of pen tests every year. The software company Zenefits conducts at least two the penetration tests every year, the Wall Street Journal has reported, while others, like the security vendor Sumo Logic, a HackerOne client, holds pen tests at least every quarter.
Assessments might last a few hours to more than a week, depending on the terms of the agreement, and cost between $1,000 for the time of a single consultant to a six-figure dollar amount for larger services. HackerOne’s pen tests will be priced competitively, likely in the tens of thousands of dollars, and last between two to four weeks, resulting in a detailed report about problem areas, Mickos said.
“We’re not only doing this for compliance,” he said. “We’re going to find honest customers who really want to know what’s wrong.”