Building Attacker Resistance: Ethical Hackers Help Determine Realistic Security Scores


Synack Launches New “Attacker Resistance Score” to Help CISOs Realistically Know Their Security Risk.

Synack’s Attacker Resistance scoring gives security teams a realistic measure of their assets’ susceptibility or hardness to attack.

As breaches continue to increase in number and scale, companies are ditching antiquated security solutions for more innovative ones like crowdsourced, hacker-powered testing to better protect their digital assets. Whether referred to as a bug bounty, a hacker-powered program, or crowdsourced security testing, it’s becoming commonplace to harness ethical hackers to combat today’s cyber threats. “Security teams moved from pen testing to hacker-powered bug bounty programs when they realized compliance alone was ineffective at defending against the modern cyber adversary. However, while hacker-powered programs hand off a lot of vulnerabilities to security teams, there hasn’t been a clear idea of the amount of coverage or the level of risk reduction that comes with the testing,” says Jay Kaplan, CEO and Co-Founder of Synack.

Security testing takes a further step today as Synack announces a realistic security score based on measurable performance data collected through crowdsourced, hacker-powered testing. “Synack’s testing coverage analytics and Attacker Resistance scoring give security teams a realistic measure of their assets’ susceptibility or hardness to attack. These security scores can be shared with the C-Suite and/or Board to more confidently measure cyber risk,” Kaplan says.

How is an Attacker Resistance Score Calculated?

Instead of a hypothesis or prediction, Synack’s Attacker Resistance Score (ARS) provides a realistic assessment of assets’ hardness against attack based on actual performance data.

The inputs of hacker-powered scores include:

  • Attacker Cost: How much time and effort was required to discover vulnerabilities in an environment?
  • Severity of Findings: The impact and quantity of vulnerabilities discovered in an assessment.
  • Hacker Skill: Based on the skill level of the hacker who discovers a given vulnerability, the complexity of that vulnerability can be measured indirectly.
  • Remediation Efficiency: How efficiently an organization resolves the issues identified in its environments.

What are the Use Cases of Attacker Resistance?

  • Reduce Risk: Harden assets against attack over time by continuously tracking performance.
  • Benchmark Against Peers: Compare testing performance across assets within an organization and against other organizations.
  • Diagnose Readiness & Prioritize Resources: Identify weaknesses in the attack surface and prioritize weak apps for additional hardening and mitigation.
  • Measure & Improve DevOps Security Hygiene: Gain insight into the development team’s adherence to security best practices.
  • CxO Reporting: Create board-level reports with meaningful metrics on the organization’s security risk.

Today, not only can a security practitioner use a crowd of ethical hackers to rigorously test digital systems, but a CISO can also capture that testing activity to realistically understand the organization’s security score and share high-level insights with the executive board.

About Synack

Synack, the leader in crowdsourced security testing, provides real security to the modern enterprise. We leverage the world's most trusted ethical hackers and an industry-leading platform to find critical security issues before criminals can exploit them. Companies no longer have to choose between working with the best security talent and a lack of time, resources, or trust. Headquartered in Silicon Valley with regional offices around the world, Synack has protected over 100 global organizations by reducing companies’ security risk and increasing their resistance to cyber attack.
