Security startup Synack raises $21m from Microsoft, HPE, Singtel

Synack has announced raising $21.25 million from lead investor Microsoft, as well as HPE and Singtel, to expand its crowdsourced bug hunting platform across the Asia-Pacific region, with the Series C round bringing the total amount raised by the California-based startup to more than $55 million.

Existing investors Google, GGV Capital, and Kleiner Perkins Caufield & Byers also contributed to the round.

Co-founder of Synack Jay Kaplan said the company and its new investors Microsoft, HPE, and Singtel have a "shared vision for the future of cybersecurity", and that there is an opportunity for "alignment in platform development and scaling channels to market".

Synack said the Asia-Pacific region has been "clamouring for new cybersecurity innovation", and it will be entering the region to meet that demand.

The funding will also be used to expand its closed network of security researchers, as well as for continued growth in the US and Europe.

Founded in 2013 by former National Security Agency (NSA) analysts Kaplan and Mark Kuhr, Synack takes the offensive -- rather than defensive -- approach to enterprise security. Its "red team" of security researchers help enterprises understand their exploit factor by finding critical vulnerabilities in their systems before cybercriminals do.

"The best defence is a good offence," Kaplan, Synack's chief executive, said in a statement. "Businesses can only stay one step ahead of the adversary by beating them at their own game."

Unlike Google's vulnerability rewards programs, which allows anyone from the public to report vulnerabilities in its software, Synack offers cash incentives to a select group of security researchers. In fact, the startup claims it selects only the top 10 percent of security researchers who apply to be part of its platform.

Synack provides multiple pricing options to its enterprise customers, ranging from fixed fees for penetration tests to a fixed monthly subscription for continuous testing.

The startup's crowdsourced model is underpinned by the belief that software and artificial intelligence are no match for human ingenuity, and that enterprise security requires both human and machine intervention.

In Synack's most recent Hack the Pentagon program, more than 2,500 hours were dedicated to exploiting sensitive US Department of Defense assets. The first critical vulnerability, discovered in less than four hours, was found in a widely deployed sensitive file transfer mechanism. It was then confirmed, triaged, and accepted by the department within 24 hours.

The startup claims that it has doubled revenue quarterly for 12 consecutive quarters and experienced a 300 percent increase in year-over-year bookings over the last four quarters. While Synack has customers across the board, financial services, retail, and government sectors have been its strongest to date.

Proofpoint chief executive Gary Steele, who is joining Synack's board of directors alongside Microsoft Ventures, said he's excited to assist in the company's growth at a time when security is transitioning from "a 'check the box' IT-centric approach to a proactive, evolving model that seeks out vulnerabilities before bad actors find them".

Synack isn't the only startup to bring the crowdsourced model to security testing: Australian startup Bugcrowd also has a vetted community of more than 27,000 ethical hackers as of August 2016 that test applications on behalf of organisations. Bugcrowd's services have been used by companies such as Fitbit, the National Australia Bank, Tesla, and Western Union.

A Startmate accelerator graduate, Bugcrowd has raised around $24 million to date from investors such as Blackbird, Paladin, and Salesforce.