Approaches to cybersecurity may need to be fundamentally changed to remain effective against attackers, according to Casey Ellis, founder and chief strategy officer of crowdsourced cybersecurity provider Bugcrowd.
Speaking to Verdict following yesterday’s (23 May) announcement that the company has acquired Informer, Ellis explains: “The ping time between what the cat does and what the mouse does, it’s getting shorter. I think artificial intelligence (AI) is accelerating that feedback loop pretty rapidly. The rate of acceleration of those iterations is going up, and, at some point in time, that iteration circle gets so tight that it’s almost impossible to be inside that loop.
“I do feel like we’re approaching that, and we’re testing those limits at this point in time.”
The Bugcrowd story
Bugcrowd is something of a darling of the tech community, having reached a valuation of $1bn at its last funding round, when it raised $102m to drive growth through continued innovation of its platform and the bolstering of its workforce around the world.
Speaking alongside Ellis, CEO David Gerry says: “The piece that maybe we didn’t give enough credit to when we did the fundraise was how powerful of a partner [US venture capital firm] General Catalyst was going to be both from a leadership standpoint and in terms of putting the right people around the business when we need them the most – but also just being in the trenches with us.
“I talk to a lot of CEOs and I do a lot of funding reference calls and things like that for a lot of different VCs. That’s what I continually tell these folks is, ‘Make sure you have the right partner around the room that’s aligned with the vision,’ because, I will tell you, it makes it a hell of a lot easier when you’ve got the right board and the right investors lined up saying, ‘Hey, we’re bought into the vision that you’ve laid out, and we’re going to give you the governance that a board does, and we’re going to help guide you, but, ultimately, we’re bought in’.”
Founded in 2012, Bugcrowd is credited with pioneering the crowdsourced cybersecurity category.
“To me, that just made the most sense – the idea of being able to take the latent potential that exists in the white hat hacker community and plug it into as many different cybersecurity problems that we can find,” says Ellis. “That seems to be a really good way to outsmart an army of adversaries. It’s basically connecting an army of allies. That was really kind of the founding thesis.”
The premise of the company is straightforward – its platform connects clients with half a million hackers offering a variety of cybersecurity skills. The flexibility this offers is as much a part of the value on offer as the skills themselves.
“The idea of one person being paid by the hour in the context of pen testing and being expected to outsmart all of the potential bad guys that are out there with all the different skill sets they have – and, meanwhile, defending all of the different possibilities for attack surface that have also been created by humans who are awesome, but imperfect – that that one person is going to fail, and it’s not actually their fault,” Ellis argues. “It’s a math problem.”
The future of Bugcrowd
Bugcrowd’s own math makes for impressive reading. Last year it added about 40% to its top line, along with 130 employees, 225 customers and 50,000 hackers in its community.
Gerry says: “We’ll probably add 100 to 120 people this year. We added 20 to 30 just this week. We added another 60 customers in the first quarter, grew the business well over 30% again – so we’re seeing that that growth is now sustainable. We’ve got five or six quarters of really high levels of growth, and 60% of our customers come over from another platform.”
Gerry adds that channel sales accounted for virtually zero a couple of years ago but are now up to around 20% and are targeted long-term at 40-50%.
“And then the last piece is really around the M&A front,” he says. “The fact that we’ve got our first acquisition done just about 90 days after the fundraising announcement certainly is a good indicator, and we’ve got a pipeline of deals to go do as well.”
Attack surfaces
Like others in the cybersecurity industry, Ellis and Gerry believe the attack surfaces of organisations are much bigger today than many realise, and Bugcrowd’s acquisition of Informer – a provider of external attack surface management (ASM) and continuous penetration testing – is aimed at reinforcing its capabilities there.
Asked whether attack surfaces are growing or organisations are simply unaware of some potential threats, Gerry says: “It’s both.”
He explains: “Now, you have the rapid onslaught of everything is an API, everything is an app, everything is a web property, everything is a portal. Okay, how are we going to keep track of that? There’s no way for organisations to be able to secure everything they have if they don’t know they have it. So, the first foundational piece of this is we need to have a discovery story of what do we actually have out there?”
Another growing cybersecurity threat is, of course, artificial intelligence (AI) – both in the hands of adversaries and through organisations’ own insecure rollouts of AI applications.
“In the hands of defenders and attackers alike, it decreases the time to success and it democratises the access to power,” says Ellis. However, he points to the race to roll out the technology as a major issue.
“In my opinion, what is going to end up being the biggest actual threat is the idea of integrating AI into everything,” he explains. “We’re doing it right now, the idea of slumping an LLM onto an existing system with a great degree of speed because everyone’s trying to compete with their peers to get this kind of technology into whatever it is that they’re doing as quickly as possible. Whenever we’ve seen that in the past, it’s always bad at some point in the future.”
“You’ve got folks trying to move as quickly as they can and making even R&D decisions that end up being pretty badly insecure. So there’s an almost infinite number of things that could go wrong in that domain.”
By way of agreement, Gerry adds: “Businesses are incentivised to get products to market as quickly as possible. Security is still an afterthought, right?”
Do the basics
Such are the rudimentary oversights that organisations make where cybersecurity is concerned – in relation to AI or otherwise – that attacks themselves are not evolving a great deal. They are simply being facilitated in more sophisticated ways.
“If the front door is unlocked, an economically rational bad guy is just going to walk in through the front door,” says Gerry. “They’re not going to bother doing all the fancy stuff if they can get it done simply, right? That’s just economics.”
Ellis expands: “The attacks are actually staying roughly the same. When you look at a lot of the key exploitation that’s happened out of nation-states over the past four years, it has been exploiting old vulnerabilities. It’s not zero-day. It’s not crazy, sophisticated stuff. It’s just the result of poor hygiene.”
The two implore organisations to simply “do the basics”, but, returning to his contention that doing the basics may not be enough for much longer, Ellis asks: “How will we fundamentally alter the game theory and the economic incentives around security so that we can start to think about it through the lens of being like anti-fragile and resilient by default, not just reactive to what the bad guys are doing?”