Nanalyze

What is Ethical Hacking? A Look at 3 Types of Startups

Remember when actor Matthew Broderick was cool and didn’t have a dad bod? That was the 1980s, when he did movies like Ferris Bueller’s Day Off and WarGames. In the latter, he plays a computer hacker who breaks into a government supercomputer and nearly starts a nuclear war amid some lighthearted hijinks. More than three decades later, computer hackers have appeared in countless movies. The stereotypes vary – the morbidly obese 30-something living in his mother’s basement or the paranoiac former government agent attempting to stay off the grid – but it’s usually some guy banging away on a keyboard and muttering something about a virus while trying to stop the end of the world. While the stakes are rarely that high in the real world, there are people who are gainfully employed to do what is called ethical hacking.

What is Ethical Hacking?

Technically, the term “hacker” refers to someone with some mad computer skills who knows his or her way around software systems. However, it’s more popularly used to refer to people with mad computer skills who break into, or hack, a secure system, usually by exploiting flaws or bugs in the software code. Just like in the Westerns, there are good (white hats) and bad (black hats) hackers, and some that just ride the line (grey hats). Here we want to talk about the white hats – ethical hackers – who use their talents to test the vulnerability of computer systems in order to expose risks rather than start World War III. Penetration testing (or pentesting, to you script kiddies) – probing a computer system’s defenses to detect its weaknesses – is part of ethical hacking.

Image from the movie WarGames with Matthew Broderick.

A simpler era of ethical hacking.

Not too long ago we talked about pentesting in an article about Swiss startup High-Tech Bridge, which has developed intelligent security testing technology for web and mobile applications that uses machine learning. There are lots of companies doing this kind of security testing or ethical hacking. We’ll get to them momentarily, but first, let’s understand a bit more about hacker culture and why we need ethical hacking.

Hacker Culture

If you know what HPVAC stands for, you’re an OG in this game. An entire subculture has grown up around computer hacking. It has its own lingo and a manifesto written by a member of the now-defunct hacker group Legion of Doom, with lines like “This is our world now … the world of the electron and the switch, the beauty of the baud.” It’s not exactly the stuff of the Bard, but you can read the whole thing on the original hacker zine Phrack. It has its own pantheon of revered hackers, people with superhero comic book names like The Mentor (aka, Loyd Blankenship), who wrote the Hacker Manifesto after going to jail, or Condor (aka, Kevin Mitnick, who now runs his own cybersecurity business). Probably the most famous modern-day hacker is Julian Assange of WikiLeaks.

Mayhem: the new face of the Geico commercials, as well as a machine-hacking machine using machine learning. Credit: ForAllSecure

And, despite the hacker’s anti-establishment streak, there are conferences like DEFCON held around the world where hackers reminisce about phreaking and who they recently pwned. Even the shadowy government agency DARPA has hosted its own hack-a-thon, the Cyber Grand Challenge, where teams competed to make automated ethical hacking solutions. The winning team created Mayhem, a machine that autonomously identifies and patches software vulnerabilities. AI in cybersecurity is a hot topic that we’ve covered extensively.

Why Use Ethical Hacking?

You only have to take a look at last year’s headlines to see why we need white hat hackers. More than one billion people were affected by corporate security breaches in 2018, according to an article in Fortune. A hacker by the name LimitedResults recently demonstrated how he could hack a smart lightbulb in less than an hour and steal WiFi passwords. That’s the sort of thing that Japan is hoping won’t happen at the 2020 Olympics, so it is actively hacking 200 million of its own citizens’ IoT devices in order to reveal security flaws before the games, which have been targeted by black hat hackers in the past. Not surprisingly, given recent revelations over the last couple of years, the world’s best black hats come from Russia.

One only needs to visit the dark web to hire unethical hackers who are quite happy to sell cyber attacks as a service. An Israeli company called Candiru – named after a notorious parasitic fish in the Amazon that reputedly swims straight into your penis to commit bowel-shaking atrocities to the urethra – was recently outed for its nefarious activities.

Ethical Hacking Startups

Fortunately, one only needs Google to find companies engaged in ethical hacking. And there are plenty of them. Below we highlight five startups in three different categories of hacking.

Crowdsourced Security: The Bug Bounty Startups

Founded in 2012, San Francisco-based HackerOne has taken in $74 million for its bug bounty platform that rewards ethical hackers for exposing vulnerabilities in its clients’ digital assets. Customers include high-profile names like General Motors, Starbucks, and Airbnb. HackerOne says its community of white hats has earned about $30 million to date. It’s not just about the money. HackerOne maintains a Leaderboard of its best hackers, who get bragging rights, and the most successful of whom get access to “juicier targets.”

The best bounty hunters among the HackerOne hacker community. Credit: HackerOne

HackerOne also emphasizes education, and recently acquired Breaker 101, a Denver-based startup that designs education courses for ethical hackers.

Founded in 2013, Synack in Silicon Valley has raised about $60 million from some pretty well-known names in both venture capital and corporate circles, including Intel, Google, Kleiner Perkins, and HP. Like HackerOne, Synack runs a crowdsourced security testing platform using hackers, which it refers to as “researchers.” The best of the best of its researchers can work their way into the elite Red Team, a squad that earns money not only for finding vulnerabilities but also for completing specific missions or security goals for the company’s clients. Synack accepts less than 10% of applicants, with payouts as high as $30,000.

Only the best of the best make the Red Team. Credit: Synack

Synack claims a greater than 95% signal-to-noise ratio, meaning the ratio of useful information to irrelevant information. In the hacker world, it refers to the ratio of reported valid vulnerabilities to false-positive results. The startup claims its solutions are used by a third of major banks and three-quarters of credit card companies, as well as the U.S. Department of Defense and IRS.

Breach Simulation Startups

Who best to fight the penis parasites black hats at Candiru? An elite squad of former Israeli spies led by the retired head of Mossad, which is kind of like the FBI and CIA combined into a matzo ball of death. Founded in 2016, Tel Aviv-based XM Cyber has raised $32 million, including $22 million last year, for its automated breach and attack simulation platform called HaXM, which is also Yiddish for “You shall not pass.” HaXM replicates the work of human hackers, but 24/7, which is only a couple hours more than most human hackers stay awake on a steady diet of Cheetos and Diet Coke.

Founded in 2014, SafeBreach out of Silicon Valley has raised about $34 million from the likes of Sequoia (the Israeli branch), PayPal, Deutsche Telekom, and HP. SafeBreach has also developed a software platform that simulates breach methods with fanciful names like CryptoLocker and Gozi, incorporating The Hacker’s Playbook. The company’s SafeBreach Lab, based in Tel Aviv, consists of an “elite team of offensive cybersecurity experts” who monitor the hacker underground to continuously update its hacker simulator platform.

A White Hat Consultation Company

Founded in 2005, Phoenix-based Bishop Fox just raised its first round of venture capital last month, a $25 million Series A. The hired team at Bishop Fox conducts penetration tests and security assessments on everything from products and applications to networks and the cloud. For example, Bishop Fox helped ensure an Industrial IoT startup called ioTium, which helps its clients monitor the health of machinery in various industries, was providing a secure connection so hackers couldn’t turn a wind turbine into a killing machine. Or something like that. Bishop Fox claims to provide consulting services to more than 25% of Fortune 100 companies.

Conclusions

In the course of our research, we came across a number of ethical hacking startups (and even a few public ones), so the list above is not meant to be comprehensive but representative; for anyone left out, please don’t hack our website. If the article is popular, we’ll bring you an even longer list of startups and highlight some ethical hacking companies that investors can put money into now. The increasing digitization of our world means that cybersecurity – an industry currently pegged at $25 billion – will only become more necessary as billions of devices are networked and connected. And then hacked.
