HackerOne: Interview With Security Solutions Architect Shobhit Gautam About The Global Leader In Offensive Solutions

By Amit Chowdhry • Apr 2, 2025

HackerOne is a global leader in finding and fixing critical vulnerabilities and AI safety issues. It harnesses the creativity of the world’s largest community of security researchers with cutting-edge AI to protect your digital assets. Pulse 2.0 interviewed HackerOne Security Solutions Architect Shobhit Gautam to learn more about the company.

Shobhit Gautam’s Background

Could you tell me more about your background? Gautam said:

“With around 15 years of experience in securing applications, cloud environments and infrastructure, I am passionate about identifying and mitigating risks through thorough design reviews, penetration testing, and security audits. I firmly believe in nurturing a culture of security awareness and am committed to developing strong, effective solutions for a safer digital future.”

“I have led security and mentored security teams, awareness initiatives while also responsibly disclosing vulnerabilities to improve industry security. Engaging with the security community has been rewarding, including attending, speaking and volunteering at conferences like Nullcon, BlackHat and DefCon.”

“My technical expertise and strategic outlook help organizations navigate the evolving threat landscape. I stay ahead of emerging threats and translate complex security concepts into actionable strategies, aiming to strengthen security postures and promote a safer digital environment.”

Formation Of The Company

How did the idea for the company come together? Gautam shared:

“HackerOne was founded in 2012 by Michiel and Jobert because of their passion for making the internet safer. The idea behind HackerOne stemmed from a belief that cybersecurity could be a collaborative effort between security researchers and businesses. We leverage the creativity and intelligence of a global community of expert security researchers combined with AI efficiency to help organizations continuously eliminate security vulnerabilities and AI safety risks.”

Favorite Memory

What has been your favorite memory working for the company so far? Gautam reflected:

“When I first joined HackerOne, it seemed a bit different from any other place I have worked. HackerOne seemed very transparent, and it was refreshing to see that everyone believed in the mission and was committed to the company’s values.”

“One of my favorite memories from working with the company is attending Empower, our in-person all-hands event. During this event, I had the chance to interact personally with the co-founders and the leadership team, gaining insight into what drives them. I also had an enlightening one-on-one session with our former CEO Marten Mickos, where we discussed personal growth and its significance for the company’s success.”

“The culture of transparency, collaboration and talent at HackerOne has truly been unparalleled.”

Core Products

What are the company’s core products and features? Gautam explained:

“The HackerOne Platform combines the most creative human intelligence with artificial intelligence so customers reduce threat exposure at all stages of the software development life cycle.”

“Central to the HackerOne Platform are Vulnerability Disclosure and Bug Bounty Programs, which facilitate continuous vulnerability reporting by independent security researchers. This layered, defense-in-depth approach is crucial for uncovering high-impact vulnerabilities. In addition, HackerOne’s Pentesting as a Service (PTaaS) offers on-demand in-depth security assessments that surface vulnerabilities in real time for remediation. Each of these services is a critical element on its own, but also offers unique insights that inform and refine the effectiveness of the other layers — creating a virtuous feedback loop across the SDLC.”

“HackerOne also provides Code Security Audits to uncover complex vulnerabilities that scanners alone can’t. HackerOne’s cutting-edge platform’s automation and manual review from 600+ experts proactively eliminate vulnerabilities before attackers have a chance.”

“All platform insights are augmented by HackerOne’s AI co-pilot Hai, which continues to save customers time as they evaluate their program findings and cybersecurity strategies. In addition, the platform provides robust customer support, advisory and triage services, and community events that help organizations optimize their security programs and engage effectively with the security researcher community.”

Challenges Faced

Have you faced any challenges in your work sector recently? Gautam acknowledged:

“The past couple of years have been really interesting times to work in the security industry. We have seen a rise in the popularity of newer technologies and a great shift in how things are done. Here are a few major challenges and how I tackled them:

1.) Increase in the attack surface for organizations: As businesses expand and adopt newer technologies and hardware, we see a significant increase in their attack surface (web, mobile, cloud, IoT, etc.) and a backlog in identifying and remediating issues.

To proactively identify, validate, and remediate vulnerabilities, we developed a framework to prioritize the protection of sensitive data and critical assets. By quantifying vulnerabilities reported by security researchers and analyzing trends and patterns, we can provide actionable recommendations to fix vulnerabilities and implement security by default.

2.) Rise and quick adoption of AI: There’s growing interest in AI technologies, with many organizations adopting them to enhance operations and reduce costs. While this trend provides a competitive edge, it also poses risks, some of which may be unforeseen. The complexity of AI algorithms can make vulnerabilities hard to identify, but with awareness, we can navigate these challenges and harness the benefits of AI effectively.

To address the emerging and evolving threats associated with AI, we collaborate closely with organizations to design customized engagements that focus on both the safety and security of AI systems and their data. Our goal is to identify and rectify weaknesses before they can be exploited by malicious actors. Through these engagements, we develop threat models and uncover biases and errors in AI models. Additionally, our bug bounty programs contribute to improving the accuracy and reliability of these systems. Ultimately, we provide a cost-effective solution for identifying and fixing vulnerabilities.

3.) Budget cuts and layoffs: The cybersecurity industry has not been immune to the recent wave of layoffs and budget cuts that have affected many tech sectors. Organizations may look to cut costs by viewing cybersecurity as optional, prioritizing immediate needs over essential security investments.

As a provider of bug bounty programs and security testing services, we must demonstrate our relevance and the value we bring to our customers’ organizations. We achieve this by focusing on critical areas, automating tasks and consolidating tools. Additionally, we collaborate with internal teams, offering strategic insights for long-term security enhancements and emphasizing the business impact and ROI.”

Evolution Of The Company’s Technology

How has the company’s technology evolved since its launch? Gautam noted:

“The company’s technology has continued to evolve and innovate since launching. New, specialized solutions on the HackerOne Platform include security testing within the Software Development Lifecycle with Code Security Audit, which integrates into a developer’s workflow so they gain an expert code reviewer checking their work to improve code and find security flaws to catch potential issues early and improve source code quality.”

“This year, HackerOne launched AI Red Teaming, which addresses AI safety and security challenges. AI Red Teaming for safety focuses on preventing AI systems from generating harmful content while security testing finds vulnerabilities that could be exploited to compromise an AI system or data’s integrity.”

“HackerOne AI Copilot (Hai): Hai offers a deeper and more immediate understanding of your security program, enabling you to make quicker decisions and implement fixes more efficiently. Effortlessly convert natural language into precise queries, enhance vulnerability reports with relevant context, and utilize platform data to generate insightful recommendations. As we continue our exploration of AI, we will release more features to help create custom automations, further refine our platform’s utilization, and generate insights from platform data.”

“HackerOne Security Advisory Services: HackerOne Security Advisory Service is designed to optimize the outcomes of your continuous security strategies and ensure your security safety net is strong. It is delivered by our Solutions Architects — an elite team of accomplished security professionals with career success establishing security programs at Fortune 500 companies and experience shaping standards. Their security practices including Incident Response, Secure Software Development, Vulnerability Management, and Strategic Security Planning, in addition to supporting specialized engagements, can all be strengthened by incorporating program findings into core workflows.”

Significant Milestones

What have been some of the company’s most significant milestones? Gautam cited:

– Community Expansion: Since its launch, HackerOne has created the world’s largest community of security researchers, which includes 2+ million registered ethical hackers.

– $300 Million in Bounties Paid: As of October 2023, HackerOne has paid out over $300 million in bounties to ethical hackers. This milestone underscores the platform’s success in leveraging the skills of its hacker community to enhance cybersecurity. To date, we’ve now paid out more than $380 million in bounties.

– Customer Success: HackerOne is the most trusted provider of offensive security solutions for Fortune 1000 companies and public sector organizations, including the U.S. Department of Defense, U.K. Ministry of Defence, PayPal, Capital One, Adobe, Snap, Salesforce, Hyatt, and more.

– Product-Led Growth: The company has achieved 200% product growth in its pentesting and AI red teaming business and 120% growth in vulnerability findings and hacker rewards in the past 12 months.

– Annual Hacker-Powered Security Report: In its eighth-annual 2024 Hacker-Powered Security Report, HackerOne delivers data from its vulnerability database and insights from HackerOne customers, a panel of 500 global security leaders, and more than 2,000 hackers on the platform.

Customer Success Stories

When asked about customer success stories, Gautam highlighted:

“We’re lucky to work with some of the biggest organizations in the world, who use the HackerOne Platform for their vulnerability coordination, bug bounty programs, penetration testing and more. Below, PayPal and the U.S. Department of Defense elaborate on their experience with HackerOne:

‘In addition to some amazing, creative submissions, we’ve received some incredible feedback from researchers. In just a few short months, we’ve used that feedback to make substantial changes to our scope, payments, and transparency. We want hackers to challenge and educate us, and build trusting and respectful relationships that go both ways.’ – Pax Whitmore, Security Engineer, PayPal.

‘We know for a fact that sending a wide variety of hackers into a wide environment will result in something meaningful. It is a fact. We cannot hire every amazing hacker and have them come work for us, but we can do these crowdsourced bug bounties. I’m done with being afraid to know what our vulnerabilities are. That’s not okay.’ – Chris Lynch, Director, DDS, U.S. Department of Defense.”

Funding

When asked about the company’s funding details, Gautam revealed:

“HackerOne has raised a total of $159.7 million over six funding rounds, with the latest being a Series E round in January 2022.”

Total Addressable Market

What total addressable market (TAM) size is the company pursuing? Gautam assessed:

“The global cybersecurity market size was estimated at $222.66 billion in 2023 and is projected to grow at a compound annual growth rate (CAGR) of 12.3% from 2023 to 2030. With the cost of cybercrime estimated at $8 trillion in 2023, translating to over $250,000 per second, the demand for cybersecurity solutions like HackerOne has not slowed down.”

Differentiation From The Competition

What differentiates the company from its competition? Gautam affirmed:

“HackerOne stands out due to its large community of security researchers, technological innovation, and strong customer success. Our defense-in-depth approach enables crowdsourced security testing that progressively secures every layer of an organization’s software development lifecycle, providing a diverse range of insights and expertise. Additionally, the HackerOne Platform is designed to facilitate easy interaction between organizations and security researchers, which enhances the overall efficiency of vulnerability management.”

Future Company Goals

What are some of the company’s future goals? Gautam emphasized:

“In the future, HackerOne is focused on continuing to grow its market space, particularly in high-growth areas such as AI red teaming and penetration testing as a service for large enterprises. HackerOne expects to continue to innovate its platform to meet customer expected needs.”

“In addition, HackerOne plans to further expand its security researcher community by providing more opportunities for engagement through its trusted platform. Specifically, the company aims to provide more opportunities for researchers to engage with various threat surfaces and establish partnerships through the technical expertise of the researchers.”

Additional Thoughts

Any other topics you would like to discuss? Gautam concluded:

“Recently, HackerOne launched its eighth-annual 2024 Hacker-Powered Security Report, which revealed that in the last 12 months, the security researcher community has further matured its skill sets to meet customer demand. Nearly 10% of security researchers now specialize in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organizations. Additional insights include:

– AI is a threat and an opportunity: More than two-thirds (68%) of security professionals said an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall. There has been a 171% increase in AI assets in scope on the HackerOne platform, with 55% of all AI vulnerabilities reported being AI safety issues.

– Income and education opportunities are top motivators for researchers: While security researchers predominantly hack to improve their income potential (77%), the opportunity to learn new skills and further their abilities motivates many (64%).

– High-impact bug bounty programs work with fewer researchers for more results: The report found that high-impact bug bounty programs — those with over 30% of valid vulnerability submissions rated as high or critical — work with fewer researchers; the average number of researchers on a high-impact program is 56 vs. 97 for a lower-impact program.”