Bug bounty startup Synack valued at $500 million to boost ‘white hat’ hacking from home

In 2018, Wes Wineberg decided to take the plunge and make his side hustle—hacking companies for pay—a full-time gig.

Wineberg was a senior security software engineer at Microsoft. He was a member of one of its “red teams,” units tasked with hacking into the company’s systems to find vulnerabilities and shore up its defenses. But he had an itch. He wanted to move from Seattle back to Vancouver, his hometown—a transition to remote work his bosses wouldn’t allow. So he struck out on his own.

Well before the COVID pandemic struck and many companies were forced to allow their sheltered-in-place employees to work from home, a subset of cybersecurity professionals and hobbyists were ahead of the virtual trend. Bug bounty hunters, the guns-for-hire of the information security industry, tended to make their own hours. The vast majority of people participate in their spare time—but some, like Wineberg, were good enough to go pro.

Now with more people working from home and relying on digital services, the security of those websites and apps has become even more important to companies. At the same time, side-gig hackers have more free time to lend their skills to bug bounty platforms—like Synack, the one Wineberg prefers most.

“On the researcher side, we’re seeing more activity than we ever have before,” says Jay Kaplan, a former senior cyber analyst at the National Security Agency and current CEO of Synack. To wit: The company’s “red team” hackers discovered 250% more vulnerabilities in March versus the same period last year, and their hacking work increased 70%.

The increase is “due to new vulnerabilities surfacing from work-from-home changes and also a growth in our business,” says Mike Farrell, a Synack spokesperson.

Synack is enjoying the attention. A new set of venture capitalists is pouring a fresh batch of venture capital funding—$52 million—into the seven-year-old startup. The deal, news of which Fortune broke Thursday morning, puts the company’s valuation near $500 million, according to a source familiar with the financing.

The new backers include B Capital, a VC firm launched by Facebook cofounder Eduardo Saverin, and C5 Capital, a tech investing firm based in London. Rashmi Gopinath, an investor at B Capital who co-led the deal, says the new reality of the pandemic “further demonstrates the importance of a remote, crowdsourced model for cybersecurity.”

Synack is working with a number of businesses battling the COVID pandemic on the front lines. One customer, according to public records, is the U.S. Department of Health and Human Services. Biopharmaceutical companies and drugmakers involved in antibody testing and vaccine development are among the firm’s customers too.

“As soon as organizations started realizing everything was about to change due to the pandemic, we started getting calls and inquiries from customers about testing COVID-19-related recovery apps,” Kaplan says. The work “is highly sensitive, so we just can’t talk about those efforts right now,” he adds.

Customers, such as the Department of Defense and General Dynamics, who are among the ones the company can name, pay Synack to scan for vulnerabilities and to host bug bounty programs. Synack then doles out a portion of the funds to hackers, the size of the payday depending on the severity and number of software flaws they report.

Synack last raised venture capital in 2017 at a private valuation of $150 million, including the money raised, according to data from the industry tracker PitchBook. Adding the new funding, the company has raised $112 million total to date.

Synack competes with other bug bounty startups. Notable rivals include HackerOne, which is bigger by number of hackers, and Bugcrowd, which recently raised new funding of its own.

The trio of companies is angling for a greater share of the cybersecurity market once reserved for penetration testing, a segment expected to grow to $4.5 billion by 2025. Many industry professionals say that mercenary forces, like bug bounty hackers, are best considered a supplement to, rather than replacement for, in-house security staff.

Wineberg says he likes Synack the most because it offers a diverse set of targets, and the team is highly responsive to his inquiries. If he submits a bug, he’s confident he will learn quickly whether it entitles him to a prize, or whether someone else beat him to the punch.

Although Wineberg declines to reveal the amount he gets paid, he says he’s making at least as much as he did at Microsoft—and sometimes plenty more. “I think it pays just as well or potentially better than having a normal full-time job in computer security,” Wineberg says.
