For crowdsourced security startup, a carrot and a hack
FORTUNE — What do you get when you bring a couple of former National Security Agency analysts to Silicon Valley? A crowdsourced platform for finding security holes in customers’ systems, and $7.5 million in funding.
Synack, the Menlo Park, Calif.-based company started by former NSA analysts Jay Kaplan and Mark Kuhr, announced this morning that it secured Series A funding from the storied Silicon Valley venture fund Kleiner Perkins Caufield & Byers, along with Google Ventures, Allegis Capital, and Derek Smith (the CEO of another KPCB-backed company, Shape Security).
The startup is unique not only because of its founders’ background, but also because of its business model.
Here’s how it works: Synack finds and vets a worldwide network of security specialists — you might know them as “white-hat hackers” — and gives them financial incentives to find security holes. The researchers, some of whom are other former NSA employees, then use a controlled testing environment to try to infiltrate customers’ systems and pinpoint vulnerabilities. Synack makes money by charging its customers a flat subscription rate, regardless of what the researchers find.
“The fact that we can’t find something doesn’t mean our researchers aren’t working,” says Kaplan, Synack’s CEO and one of its co-founders. “And we haven’t really seen a case where [vulnerability] submissions start dropping off.”
The idea of enlisting outsiders to find vulnerabilities isn’t exactly new — Google’s (GOOG) “bug bounty” program pays independent researchers who find security flaws in its products. But, says Kaplan, most companies have neither the desire nor the know-how to publicly engage with a worldwide network of security specialists. By finding and vetting the researchers and providing safe, super-secret testing tools, Synack could offer an attractive alternative to enterprises struggling to find and patch their security risks — a broad and lucrative potential customer base.
Unsurprisingly, the company won’t actually name any customers. But KPCB general partner Ted Schlein is convinced that, given the heightened awareness of security risks, Synack will get some big names on board. “What’s happening now is the stakes are so high,” says Schlein, who also invested in security companies AlienVault and Ionic Security, among others. “Rather than being an operational nuisance, the losses today can be astronomical.”
That’s why companies are spending more money on security. And while the NSA may have a bruised reputation in light of recent domestic surveillance programs, its analysts are known to be some of the best in the business.
“The people who come out of the NSA are very marketable,” says Dan Manson, a professor in the computer information systems department at California State Polytechnic University, Pomona (who also organizes a cyber-defense competition). “You get to work with the best tools and some of the most cutting-edge projects in national security. It’s a great training ground.”
Synack’s founding team has been able to attract some of that talent. The company currently employs about 15 staffers and “hundreds” of independent researchers, but will use some of its new funding to hire more people. “There’s great talent moving out of the NSA for probably obvious reasons,” says KPCB’s Schlein.
Right now, Synack’s biggest selling point is probably the caliber of researchers it can pull together. While there isn’t a whole lot of intellectual property involved in its offering, chief executive Kaplan says the company has developed a technology platform to handle its interactions with customers and, of course, to provide a safe and private testing ground for its researchers. Synack also provides analytics and data to its customers, and Kaplan plans to develop and sell more products and services in the near future. With no shortage of cybersecurity risks plaguing corporate customers, Synack and its army of super-secret security specialists could find themselves in a growing business for years to come.