At Bugcrowd, our mission is to help customers reduce cybersecurity risk and improve security ROI by bringing the collective power of the global security research community (“the crowd”) to common security use cases like Pen Testing, Attack Surface Management, Vulnerability Disclosure, and Managed Bug Bounty. At the same time, we’re committed to giving the researcher/white-hat hacker community more lucrative (and interesting!) options for using their skills than any other crowdsourced security company.
We don’t take that mission lightly. It requires a SaaS-based, crowdsourcing-powered cybersecurity platform that encompasses:
- Precise, automated matching of trusted researchers to customer programs based on skills, environment, and use cases (Pen Test, VDP, ASM, etc.)
- Global, in-house validation and triage services to quickly assess and prioritize risk
- Built-in security workflows that extend into your SDLC for optimal incident response
- State-of-the-art data infrastructure to power real-time analytics and visibility, as well as a rich security knowledge graph that continually informs and brings contextual intelligence to every risk-management decision.
In this post, I’ll explain how our platform investments in a vast security knowledge graph are paying off for customers today, and offer a brief preview of how we expect them to pay off in the future.
Solving a People Problem with Data
Like data science, cybersecurity is a people challenge as well as a technology one. Historically, the only solution was to hire in-house security experts, which is not only expensive but also very difficult to do, given our worldwide talent shortage: a gap of at least 3 million, according to the 2020 Cybersecurity Workforce Study from (ISC)².
In the last several years, many cybersecurity providers have responded to that pain with one of two types of offerings:
- Conventional crowdsourcing: With this approach, the provider has access to a large crowd of researchers and does manual vetting for matching them to programs. Having timely access to a large crowd has its advantages, but only if the right researchers can be efficiently activated and focused on the requirements of the target programs. In contrast, coarse segmentation of a large crowd and poor activation leads to noisy, lower quality submissions, where you either spend time and resources to validate and triage submissions, or you pay a premium for those services from the provider. This approach is expensive, has a low signal-to-noise ratio, and offers poor ROI because the resulting coverage is wide but shallow.
- Consulting & “specialized crowds”: Security consulting has been around forever, but recently, new variants of crowdsourcing have surfaced where the provider uses small, highly specialized crowds as a new spin on the traditional consulting approach. Although the specialization you get in either case has its benefits, it’s also expensive, slow, and has poor ROI because the resulting coverage is narrow.
At Bugcrowd, however, we’ve invented a better way to address the problem.
How Bugcrowd Does It
The genius of the crowdsourced security model is that it taps into a global community of human talent to solve the constrained resources problem, but it’s only efficient if precisely the right trusted researchers are matched and activated for your goals, environment, and use cases at the right time, and that requires a deeply data-driven approach that works at scale.
Because a modern, scientific approach to cybersecurity is critical for customers, we’ve made it a key differentiating feature of the Bugcrowd SaaS Platform. Thanks to a massive graph of researcher, vulnerability, interaction, asset, and remediation data developed over a decade of experience and thousands of customer programs, the platform is equipped to add contextual intelligence to every use case, task, and workflow.
The first example of that capability is a proprietary ML recommendation engine called CrowdMatch™. Instead of a shallow or narrow approach, CrowdMatch enables real-time auto-curation of crowds based on our rich knowledge graph to find the best possible match between specific customer needs, environment, and use cases on one hand, and researcher skill sets, interests, and availability on the other (hundreds of dimensions). Furthermore, because researchers are more motivated by projects that are aligned to their interests, CrowdMatch helps them be more active and productive. Read about best practices that help researchers get the most out of CrowdMatch in this post.
CrowdMatch does real-time auto-curation of crowds to enable the best possible match between specific customer needs and researcher profiles
That leads to much more thorough review (and thus higher-quality/more accepted submissions) than you would get from other providers, and, combined with the Bugcrowd Platform’s integrated Validation & Triage services, faster discovery and remediation of critical vulnerabilities. Along with other aspects of the platform, it all translates into a much better understanding of risk and better ROI, which, for Pen Testing as an example, can be 491% over three years per IDC.
The Difference Is the Platform
CrowdMatch is the first milestone in a long roadmap of investment in our knowledge graph that will power more contextual intelligence in the Bugcrowd Platform. For example, we foresee the ability to provide automated guidance based on benchmarking, key metrics, and vulnerability trends, as well as contextual alerts and more detailed remediation advice. The journey has only just begun!