At this week’s Black Hat conference in Las Vegas, companies from around the world came to recruit the brightest minds in cybersecurity and offer them full-time jobs.
But one security firm was offering something very different: part-time moonlighting gigs for security experts looking to make some cash on the side legally hacking into computer systems.
The pitch came from Synack, a Silicon Valley-based start-up founded by a couple of ex-National Security Agency employees. Their pitch speaks to the evolving business model for making companies' networks more secure.
For years, companies have mainly gone one of two routes: hire a consulting firm, which comes in semi-regularly for an exhaustive but brief vetting, or host a bug bounty that allows anyone with access to a computer to hack away at their systems and get cash rewards if a bug is found.
Synack is betting on a market in the middle: companies that want frequent and wide-scale vetting but don’t want to open up their applications for just anyone to attack. So their recruiting pitch is focused on finding people who have serious day jobs and clean records, and are willing to vet customers' systems in highly controlled frameworks.
Companies, Synack hopes, will trust its researchers with access to private systems because the firm weeds out the more nefarious hackers that bug bounties don’t, and requires its recruits to sign nondisclosure agreements so they can't publicly brag about the bugs they discovered.
Jay Kaplan, one of the company’s founders, said his biggest red flag during the week’s recruitment process has been applicants who demur when he asks what they do for a living.
“When they say ‘Oh, I don’t have a day job,’” Kaplan said. “Well then how do you get your money? … Maybe that means they’re selling things on the black market … this community can sometimes have problems in the past.”
So far, Kaplan says the company has hired hundreds of researchers across the world. He said one recruit in India has made about $30,000 in the last few months.
“That’s more than a living there,” he said. “What’s a typical salary in India?”
Twitter: @RobertFaturechi

Copyright © 2015, Los Angeles Times