Synack, a startup that combines software security tools with a network of white-hat hackers to help keep its customers secure, announced a $21.25 million Series C funding round today.
The round was led by Microsoft Ventures with participation from Hewlett Packard Enterprise and Singtel Innov8. Previous investors GGV Capital, GV (formerly Google Ventures) and Kleiner Perkins Caufield & Byers also participated. Today’s investment brings the total raised to $55 million, according to the company.
It’s hard not to notice that is an impressive combination of company and traditional venture capital attention.
Perhaps that’s because Synack takes an unusual approach to enterprise security, going on offense instead of defense, according to company CTO Mark Kuhr. He and his co-founder CEO Jay Kaplan might know a thing or two about going on offense, having previously worked for the NSA before starting Synack in 2013.
Kuhr says they decided to start the company when they saw the defensive tactics companies were using simply weren’t working — as Sony, JP Morgan Chase, OPM, Ashley Madison, Adobe, Target and many others can attest.
“Jay Kaplan and I left the NSA to come up with a different way for offensive security for the enterprise. We noticed at NSA that hackers were coming through all the defenses, taking data and putting malware on the systems,” he said.
Kuhr say his company uses a three-pronged strategy to help protect systems and IP — Command, control and action. “We couple the human element with machines. It’s a man and machine story. We bring in people when we need to,” he said.
In fact the command piece starts with a community of several hundred white-hat hackers from around the world whom the company has vetted to be sure they are ethical and pass a background check.
The control piece is their penetration testing service, which looks for vulnerabilities in an automated way. The action is the plan they come up with to help protect the system once they find a problem. For instance, if they find an open back door in the code, they would recommend that the client close it up.
Kuhr says it’s similar to the strategy they employed at the NSA where they went on offense, getting in the shoes of the adversary and trying to understand what they were doing. But he understands that most private companies don’t have access to the talent they had at the NSA. That’s why they are trying to package that kind of support and protection as a service.
They work on a flat-fee subscription model, running the automated systems and bringing in a team of expert hackers when necessary to root out vulnerabilities. While the friendly hacker approach sounds a lot like the HackerOne strategy, Kuhr says the difference is that HackerOne uses an open model and his company a private one.
The company has around 100 employees plus the network of hackers. That will probably increase this year with the new funding as they look to expand into new markets in Europe and Asia. Currently, they have 100 customers mostly in the enterprise. Kuhr says company revenue has been doubling every year and today’s investment is about keeping that momentum going.