Cybersecurity News Archives | Bugcrowd https://live-bug-crowd.pantheonsite.io/blog/category/cybersecurity-news/ (Thu, 30 Nov 2023 14:14:16 +0000)

Unsolved Cyber Mysteries Volume 3: Code Red https://www.bugcrowd.com/blog/unsolved-cyber-mysteries-volume-3-code-red/ Thu, 30 Nov 2023 16:59:35 +0000

The post Unsolved Cyber Mysteries Volume 3: Code Red appeared first on Bugcrowd.

In this installment of Unsolved Cyber Mysteries, we dive deep into one of the most infamous worms in history—Code Red. Was it an experiment gone wrong or a carefully planned state-sponsored attack? This episode unravels the enigma that wreaked global havoc and brought top organizations to a grinding halt by exploiting vulnerabilities in Microsoft’s IIS software.

Code Red was a beast unlike any other we had seen before. It marked a shift in the threat landscape, demonstrating sophistication and purpose not seen in its predecessors. It wasn’t created out of benign curiosity; its code laid the foundation for future attacks.

Episode 3: Code Red

The worm’s name came from the then-new cherry-flavored Mountain Dew, which researchers Marc Maiffret and Ryan Permeh were drinking when they discovered it. More sinister speculation held that Code Red was retaliation for the Hainan Island incident, in which an American intelligence aircraft and a Chinese interceptor jet collided in mid-air, resulting in an international dispute between the United States and China.

Another theory circled the infamous coding group 29A and a member called Wintermute. Known for creating sophisticated worms, it wouldn’t have been beyond them to create something as complex as Code Red. However, the destructive nature of Code Red wasn’t in line with 29A’s usual creations, casting some doubt on this theory.

The attack’s origin also remains a topic of debate, with some pointing to Makati City, Philippines, and others to a university in Guangdong, China. Code Red’s code contained comments written in English, and its potential test environment was traced back to the Philippines. But without definitive evidence, we can only speculate.

Ultimately, the true origins and creators of Code Red remain shrouded in mystery. However, one thing is sure: it forever changed our understanding of the internet-connected world.

Love this series? Check out the Max Headroom signal hijacking incident or the WANK Worm.

New UK Legislation Must Protect Good-Faith Hackers https://www.bugcrowd.com/blog/new-uk-legislation-must-protect-good-faith-hackers/ Mon, 23 Oct 2023 14:13:17 +0000

In March this year, we issued a ‘call to action’ to CISOs and ethical hackers, encouraging them to respond to a UK Government consultation on updating its 33-year-old Computer Misuse Act (CMA). Why did we do this, and what happens now?

The UK Government’s spring consultation on updating the CMA was a really important issue for us to highlight because, under the current act, hacking of any kind remains technically illegal in the UK. Dating back to 1990, the act doesn’t differentiate between ‘hacking for good’ and hacking for malicious purposes.

The current act is out of step with reality. In 2023, an ever-increasing number of CISOs and organizations across the world are benefiting from the skills of hackers via crowdsourced cybersecurity platforms like Bugcrowd. In the UK, this includes many vulnerability disclosure program (VDP) customers, who have no intention of pursuing the very researchers that seek out vulnerabilities for the public good.

Why it Matters

The letter of the existing CMA is at odds with current policy statements. For example, the UK Government’s National Cyber Strategy 2022 states that it aims to develop “valuable and trusted relationships with the security researcher community, delivering a reduction in vulnerabilities across the government estate.” However, the appropriate legal protections for researchers and ethical hackers are not in place.

Bugcrowd founder and CTO, Casey Ellis, has offered advice to the UK Government via his involvement with the Hacker Policy Council. This is a coalition of organizations with deep security expertise that advises legislators around the world, many of which are wrestling with similar issues. The world has simply moved forward and legislators clearly need to react.

Protection for hackers has extensive support from business. In its 2021 report, the State of Cybersecurity Resilience 2021, Accenture found that 81% of business leaders believe the cost of staying ahead of cybersecurity attackers to be “unsustainable.” This perception of a ‘losing battle’ has helped fuel interest in Bugcrowd’s crowdsourced approach to cybersecurity during the last two years.

The Need for UK Legislation to Support Hackers

While many regulators around the world are grappling with the same issues as the UK in creating legislation, there is also plenty of best-practice legislation already in place for them to reference. In the US, there have been at least 43 instances since 2014 of vulnerability disclosure programs or bug bounties being mentioned in relation to a bill, law, policy, or directive that was proposed and in some cases established or signed into law. Given the global nature of both bad actors and the security researcher community, consistency between jurisdictions will only help in the prosecution of bad actors and the protection of good-faith hackers.

Following public consultations, the UK Government typically issues a response, usually several months later. After its January 2022 consultation on proposals for legislation to improve the UK’s cyber resilience closed, a response was published in November. We could see the response to the recent CMA consultation any time from now.

It’s part of our mission here at Bugcrowd to stand up for and represent the ethical hacker community, so we’ll be looking at the UK Government’s response carefully on the community’s behalf, whenever it comes. You’ll find Bugcrowd at Black Hat Europe in London this December. Find us there and tell us what you think.

Unsolved Cyber Mysteries Volume 2: The WANK Worm https://www.bugcrowd.com/blog/unsolved-cyber-mysteries-volume-2-the-wank-worm/ Wed, 18 Oct 2023 13:00:46 +0000

Welcome to another volume of Bugcrowd’s newest docuseries, Unsolved Cyber Mysteries. We hope you enjoyed our first volume covering the unsettling tale of the Max Headroom signal hijacking.

It’s time to join Bugcrowd Founder and CTO (Chief Terror Officer) Casey Ellis for another spooky episode about the original act of hacktivism.

Episode 2: WANK Worm

“Hacktivism” is a form of digital activism that leverages technological expertise to promote social or political change. It operates in a virtual realm, often employing tactics like website defacement or exposure of sensitive information. Hacktivism has become more prominent in the news cycle due to the collective known as Anonymous. Anonymous is a loosely organized group of individuals who engage in various forms of digital protest.

Before Anonymous and hacktivism were widely known, there was the iconic WANK Worm. WANK Worm is a prime example of how hacking can be used to get a message across.

The story of WANK Worm begins in 1989, a year of particular political unrest. Between the fall of the Berlin Wall and the Tiananmen Square massacre, many activists were making their voices heard.

One of the many controversial events of the year was the planned launch of NASA’s Galileo Probe. This was controversial because many saw the plutonium-powered satellite as the first step toward the nuclearization of space. Two days before the mission launched, NASA employees showed up to work to find a bizarre message popping up on their screens. 

“Your system has been officially WANKed.” 

Watch this episode to find out what happened with this giggle-inducing worm, the impact it had on NASA, and the daunting risks and costs of hacktivism.

Introducing Unsolved Cyber Mysteries and the Case of the Max Headroom Signal Hijacking https://www.bugcrowd.com/blog/introducing-unsolved-cyber-mysteries-and-the-case-of-the-max-headroom-signal-hijacking/ Fri, 06 Oct 2023 13:00:14 +0000

Happy October, AKA Cybersecurity Awareness Month. It’s no coincidence that Cybersecurity Awareness Month happens during the spookiest time of year: the vulnerabilities that lie in the shadows can have some seriously haunting consequences.

To celebrate, we’re excited to launch Bugcrowd’s brand new series, Unsolved Cyber Mysteries. Unsolved Cyber Mysteries is a micro docuseries that retells the real stories of everyday people who were swept up in extraordinary breaches, unexplained leaks, and exposures of sensitive data. This hair-raising series, hosted by Bugcrowd Founder and CTO (Chief Terror Officer) Casey Ellis, unites security practitioners and true crime junkies in the astounding, creepy, and downright terrifying stories of cybersecurity gone wrong.

Episode 1: The Max Headroom Signal Hijacking

The year was 1987. The Simpsons had just premiered on The Tracey Ullman Show, U.S. President Ronald Reagan delivered his famous speech at the Berlin Wall, and Guns N’ Roses released their career-making debut album.

On the evening of November 22, Chicago locals tuned into WGN-TV’s 9 O’clock news. Just as WGN sports anchor Dan Roan began discussing the Chicago Bears’ win against the Detroit Lions at Soldier Field earlier that day, TV screens everywhere suddenly went black for 10 seconds.

An unknown person in a Max Headroom mask appeared on screen for approximately 30 seconds, accompanied by the eerie noise of static. For those who don’t know, Max Headroom is a fictional character who debuted in 1985 in the movie Max Headroom: 20 Minutes into the Future.

The person in the mask appeared to be dancing in front of a swaying metal background. WGN engineers thwarted the attack by changing the studio-to-transmitter frequency used to carry the broadcast signal. The total interruption lasted 33 seconds and left viewers, sound engineers, and broadcasters alike flummoxed.

About two hours later, during an episode of Doctor Who airing on the WTTW network, the Max impersonator showed up again. This time, the video clip had sound. Viewers heard distorted audio of the hacker speaking and singing, although most of the statements were random and seemingly inexplicable, like quoting New Coke’s advertising slogan, “catch the wave.”

Unfortunately, this hijack was less G-rated than the WGN one. Instead of just dancing, the Max impersonator raised the stakes, holding up a middle finger, exposing their rear end, and getting spanked with a flyswatter. This intrusion lasted longer, about 1 minute and 22 seconds.

Feeling mystified? So was the rest of Chicago (and the world). Don’t miss the first episode of Unsolved Cyber Mysteries to learn more about this hijack, the reaction, explanations of possible motivations, and a breakdown of the impact. 

How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm https://www.bugcrowd.com/blog/how-t-mobile-is-using-a-new-bug-bounty-program-to-keep-customers-safe-from-harm/ Wed, 30 Aug 2023 15:00:00 +0000

This Q&A was originally posted on T-Mobile’s site and can be found here.  

A “threat actor” might sound like a character from some doomed Greek tragedy, but in today’s world they actually inhabit the digital stage, as individuals or groups that attack digital devices, networks or computer systems. 

“Fighting threat actors at T-Mobile is an all-day, everyday team sport,” says Mark Clancy, SVP of cybersecurity at T-Mobile. “Like all major companies, we face actors from around the globe with the intent to steal information, abuse our systems, or disrupt our operations. Services we provide to customers and partners on the internet are a frequent target of interest by these actors, and ensuring these are free from security flaws with our bug bounty program is essential.”

That is why the company turned to Bugcrowd, the leading provider of crowdsourced security. Bugcrowd’s platform runs a “bug bounty” program that pays ethical hackers to locate vulnerabilities so they can be addressed before bad guys find them. Just two months into the partnership, Clancy says T-Mobile is already benefiting.

“The key to a good bug bounty program is to find things you did not know about before and mitigate them quickly,” he says. “We have been very happy with the rigor and velocity of execution as we ramped up the partnership.”

So how exactly does a bug bounty program work? Here, on the heels of both companies attending the preeminent cybersecurity conference Black Hat in Las Vegas, we talk to Casey Ellis, founder and CTO of Bugcrowd, to find out more about bug bounty programs and how his company is working with T-Mobile to help keep its customers safe.

What is a bug bounty program and what kinds of companies have them?

A bug bounty program is a sponsored, organized effort that compensates ethical hackers for surfacing and reporting otherwise unknown network and software security vulnerabilities, enabling the digital connected business to manage and reduce their cybersecurity risks. The combination of the diversity of participants and the “pay on success” model is orders of magnitude more effective than traditional consulting approaches to risk discovery. 

Bug bounty programs have continued to grow in scope and popularity, partly due to current security resource models and cost. They can help close the gap between security and development.

Because of the nature of crowdsourced security, there is a misconception that only tech companies use bug bounty programs. This simply isn’t true. Most industries leverage bug bounty programs, even highly regulated industries such as financial services and government. 

Can you walk us through the concept behind crowdsourced security, and how that drives your particular bug bounty program?

The idea behind crowdsourced security is really a simple one — I wanted to build a platform that connects the latent potential of those who hack in good faith around the world with as much of the global cybersecurity community as possible. Crowdsourced security provides the internet builders and defenders with an army of allies to take back control and outpace threat actors.  

So many of the pain points that inspired crowdsourced security a decade ago still exist today — multiplying attack surfaces, under-resourced and overburdened teams, and cutting-edge threat actors.

Crowdsourced security helps organizations stay ahead of attackers before they even think about striking, empowering organizations to proactively safeguard their brand and intellectual property while taking back control.

How does this all work within the partnership between T-Mobile and Bugcrowd?

Here at Bugcrowd, we love working with customers like T-Mobile who are so committed to protecting their customers, employees, partners and brand. T-Mobile’s bug bounty program launched in July as an opportunity for hackers to hunt on T-Mobile’s applications and systems in order to find potential security vulnerabilities and report them. From there, T-Mobile evaluates the reported vulnerabilities and promptly takes appropriate action.

To encourage research and responsible disclosure of security vulnerabilities, T-Mobile is inviting ethical hackers to work on this program and have a chance to earn a range of payments, dependent on the criticality of the vulnerability submitted. 

It has been really amazing to watch the success of this program over such a short time since launch — we’re seeing incredibly fast remediation times. We’re proud to partner with T-Mobile to help keep their systems secure.

How do you see cybersecurity evolving over the next few years?

Traditionally in security, we fall back on the fundamentals, which is the right place to start. The simple things are vital for a reason. Do them well and ensure that your organization is capable of “outrunning the other guy” before it attempts to “outrun the bear.”

That being said, we’re really entering a new era of cybersecurity, and I believe security is going to become a lot less predictable. One reason for this is the impact of generative AI becoming mainstream. Aspects of hacking are being automated, creating a swath of new techniques, threats, vulnerabilities and opportunities for impact. A broader variety of threat actors now have access to more powerful tools to create a bigger impact faster. If you want to learn more about this, I recommend checking out Bugcrowd’s newest report, Inside the Mind of a Hacker, which dives into the ways hackers are leveraging generative AI.

What makes you confident that Bugcrowd will be ready for this future, and able to continue to help companies like T-Mobile keep threat actors at bay?

At Bugcrowd, we talk a lot about the “burglars and locksmiths” of cybersecurity. Think of threat actors as burglars and the hackers helping organizations through crowdsourced security programs as locksmiths. Both parties use creative ways to try to open a locked door, but only locksmiths have good intentions.

Even though there are a lot of concerns out there about the ways threat actors are going to leverage generative AI, we can’t forget that the locksmiths have access to the same cutting-edge AI technology. According to the “Inside the Mind of a Hacker Report,” 94% of hackers plan to start using AI in the future to help them ethically hack. I’m really encouraged by the ways I’m seeing the hacker community leverage generative AI as a way to streamline their security research workflows.

It’s exciting to partner with industry leaders like T-Mobile, because together we can really make a difference in cybersecurity. By continuing to empower hackers on crowdsourced security platforms, we start to level the playing field, ultimately helping organizations keep their systems and data secure. 

T-Mobile and Bugcrowd launched a revamped public bug bounty program on August 30, 2023. Security researchers can earn up to $10,000 per vulnerability found. To learn more or sign up, check out Bugcrowd.com/T-Mobile.

Breaking News: SEC Adopts New Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure https://www.bugcrowd.com/blog/breaking-news-sec-adopts-new-rules-for-cybersecurity-risk-management-strategy-governance-and-incident-disclosure/ Thu, 27 Jul 2023 14:54:29 +0000

Yesterday, the U.S. Securities and Exchange Commission (SEC) adopted new rules for Cybersecurity Risk Management, Governance, and Incident Disclosure. Transparent and timely disclosure of cyber risks and incidents is now a clear mandate from the SEC. Cybersecurity at the board level is a must-have, and CISOs will need direct communication lines with the Board.

In this 3-2 vote, the SEC approved major steps forward, including a requirement that organizations disclose cyber incidents within four days of determining the criticality of the incident. The final requirements can be found here.

Key Takeaways

There is a lot to absorb in this ruling, so we’ve highlighted a few key, high-level takeaways from the final rule here. 

  1. Organizations must disclose material cyber incidents within four days of determining the criticality of the incident. Exceptions do exist, including when the Attorney General determines there is a public safety or national security concern, in which case the Attorney General can request a delay.
  2. Organizations must outline, “in sufficient detail for a reasonable investor to understand those processes,” what processes are in place for “assessing, identifying, and managing material risks.” 
  3. Organizations must disclose board oversight for cyber risk(s) and any committees in place to specifically focus on it. 
  4. Disclosure of the management team’s expertise, in addition to processes that exist internally, for identifying and remediating cyber risk to the board. 
  5. Disclosure of if and how the management team reports on cyber risk to the board.

Impact

To be in a position to comply responsibly, organizations must have the processes, plans, and policies in place to identify an incident, assign it a criticality, and quickly mitigate and remediate the weakness exploited, so that they can meet the four-day reporting requirement. Among other things, that could require organizations to:

  • Provide a clear, unambiguous method for the public at large to report vulnerabilities under safe harbor, as well as a process for validating, prioritizing, and remediating them.
  • Do continuous, proactive stress testing of the attack surface to uncover hidden risk, going beyond what passive scanning can achieve today.
  • Do high-intensity (human-driven) penetration testing more frequently, going beyond traditional compliance-driven goals.
  • Install a remediation process that keeps pace with today’s continuous development cycles. 
  • Adopt rich reporting and analytics to enable KPIs for tracking all of the above.

According to Bugcrowd CTO and Founder Casey Ellis, “the balancing act between transparency and security underpins the complex landscape of modern digital threats, and to see the SEC acknowledging this fact and driving policy in this direction is a hugely positive thing, despite the complexity it involves. The SEC’s new rules around heightened cybersecurity transparency for publicly traded companies are a double-edged sword—while the drive for standardized disclosure is a positive step in risk management, enhancing investor awareness, and bolstering corporate governance and public confidence, the regulation’s insistence on rapid public reporting of material cyber incidents potentially introduces a significant security threat, and incentivizes a range of other unintended consequences. Disclosure before a breach has been adequately contained or mitigated could provide attackers with crucial information, exacerbating the breach’s damage and improving an attacker’s ability to evade prosecution. As companies adjust to these new standards, the onus is on corporate communications, legal, and security teams to collaborate effectively, ensuring robust risk management processes are in place, while also being prepared to act swiftly when breaches occur.”

As hackers continue to play a vital role for organizations looking to deploy security solutions, increased regulatory action will continue to provide more opportunities to do so. The need for hackers has never been higher in organizations, as the collective creativity and expertise of hackers helps organizations expand their security capabilities quickly.

How Bugcrowd Can Help

A “checkbox” approach to security is no longer good enough. Organizations should adopt risk-reducing security measures such as Bug Bounty programs, high-impact Penetration Testing as a Service, and Vulnerability Disclosure Programs (VDP) to support a security strategy that is as relentless as the constant threat landscape, ideally via a unified SaaS platform that is fully integrated with DevSec workflows. Find out more about how Bugcrowd can help you stay compliant with this SEC rule here.

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/ Thu, 11 May 2023 17:15:02 +0000

Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and validation as an accomplished and preeminent organization throughout cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

For one, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the course of the past year to carry out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership within a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern that we hear is that vulnerability assessments in the market today are often shallow and low impact.

Our goal was to provide a human-driven, high-impact pen test with a team matched to the customer’s precise needs in just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners, and vendors, we are excited to build upon this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

Hackers in the White House https://www.bugcrowd.com/blog/hackers-in-the-white-house/ Fri, 03 Mar 2023 00:00:11 +0000

Cyber experts leveling the playing field and disrupting threat actors

In technology circles, it’s a well-known and often lamented fact that technology and cybersecurity have a habit of moving at a much faster pace than policy. “Hackers on the Hill” (HotH) is a program that works to bridge this gap by bringing hackers and policymakers together to address technology policy matters, learn how to understand and communicate with each other more effectively, and hold breakout sessions with Congresspeople, Senators, and their aides and staff to work on specific issues.

The Hackers on the Hill contingent gathers in the Indian Treaty Room of the White House Campus

This year’s HotH was a little different, and it was an exciting evolution from my perspective as a career advocate for hackers as part of the solution, not just the problem. After the morning sessions on Capitol Hill, Bugcrowd was proud to be invited into a smaller group that headed across to the White House.

The White House West Wing, otherwise known as “The Most Surveilled Piece of Land on Earth”

On a gray DC day just over a month ago, around 30 other hackers and I went through security screening at the southwest entrance of the White House — with varying degrees of difficulty, but all with eventual success. Once that clearance was behind us, a thoroughly surreal and incredibly significant event was about to take place: The first “Hackers on the Hill” group was to meet with the Office of the National Cyber Director (ONCD), and ultimately provide input on the National Cyber Strategy.

Casey Ellis and Beau Woods, security researcher, in the White House

On a personal note: Aside from the thrill that comes from setting foot in the White House, the thing that struck me first is also why I think this was such an important milestone: These are people I’ve worked with to help reform the popular understanding and opinion of hackers for, in some cases, decades, and now we were experiencing the opportunity to explore and influence the North American seat of power as a community. Over the last 10 years, there have been a growing number of events that have validated, legitimized, and promoted hackers as an important part of the Internet’s immune system. This event brought the input of security researchers to the very top of Western power, as a collective.

Just some White House tourist things before getting down to business… 

There were Chatham House sessions with members of the ONCD, Clare Martorana (the Federal CISO), and Chris Inglis (the former director of the ONCD), a panel on “A Day in the Life at the EOP” with representatives from the ONCD, OMB, and the NSC, and an overview of the draft National Cyber Strategy. Overall, it was a great introduction to the Executive Office of the President (EOP) and the strategy itself, and it set the stage for the working groups. Bugcrowd was asked to join the working group on coordinated vulnerability disclosure, one of the main parts of the strategy.

The National Cybersecurity Strategy document on which we provided input was released today. For Bugcrowd, the significance was squarely around the opportunity to participate and provide input on a document that is sure to set the expectations and tone for the relationship between builders and breakers – rebalancing the responsibility for cybersecurity, and elevating it from a niche domain to one that is truly approached as a team sport, including soliciting the input of the hacker and security research community itself.

Why It Matters

The focus of the strategy is rebalancing responsibility. From its inception, Bugcrowd’s vision has been to “level the cybersecurity playing field” by helping defenders engage the creativity of the good-faith hacker community to shift the resourcing and economic advantage away from the attacker. To defeat an army of adversaries, you need an army of allies, and the inclusion of Coordinated Vulnerability Disclosure in the National Cyber Strategy as well as the invitation to the hacker community to give input into its formation bode well for the future of crowdsourced security.

Bugcrowd, representing the global ethical hacker community, in the White House – something we can all be proud of!


]]>
This is No Time to Retreat In Cybersecurity https://www.bugcrowd.com/blog/this-is-no-time-to-retreat-in-cybersecurity/ Mon, 27 Feb 2023 07:00:27 +0000 https://live-bug-crowd.pantheonsite.io/?p=9080 We’ve all seen the news, if not experienced it directly: Layoffs. Budget cuts. Fiscal conservatism. In the “new normal” (albeit a temporary one) of high interest rates and stubborn inflation, preparing for the worst is the responsible thing to do.  But put those facts in the context of the current threat landscape, as evidenced by […]

The post This is No Time to Retreat In Cybersecurity appeared first on Bugcrowd.

]]>
We’ve all seen the news, if not experienced it directly: Layoffs. Budget cuts. Fiscal conservatism. In the “new normal” (albeit a temporary one) of high interest rates and stubborn inflation, preparing for the worst is the responsible thing to do. 

But put those facts in the context of the current threat landscape, as evidenced by all the recent high-profile hacks and incidents, and the action items are not what they seem. If there is any single investment area that should be exempt from that policy, it’s cybersecurity–because in that case, preparing for the worst by cutting budgets can be a self-fulfilling prophecy. In fact, there is plenty of evidence that companies already spend too little on cybersecurity, and that cutting or even maintaining cybersecurity budgets in 2023 is going against the grain of industry peers. Even the U.S. Federal government is spending more money on cybersecurity this year, including $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA)–a 12% increase–and $1.6 billion for the National Institute of Standards and Technology (NIST), a 33% increase.

Short-Term Pain, Long-Term Damage

There’s an old proverb in cybersecurity: “It takes 20 years to build a reputation, and a few minutes of a cyber incident to ruin it.”

We can probably all agree that we’re living through the worst Cybersecurity Crisis in history with respect to the threat environment: Gartner predicts that by 2025, nearly half of all software supply chains will suffer an attack, a 3x increase from 2021. Even worse, the talent needed to address it is as scarce as ever.

The short-term cost of a breach is well understood: The average cost of one was $4.35 million last year, and the global cost of cybercrime is estimated to hit $10.5 trillion annually by 2025. But the costs only start there. Outside the immediate tactical fixes and uplift and remediation costs associated with patching the root cause of a breach, also consider the ones with a longer tail:

  • Long-term brand damage. Don’t discount the long-term and accelerating impact of a breach on brand and reputation as measured by stock price. A 2021 study of 34 public companies that had suffered a breach found that one year later, their share prices had underperformed NASDAQ by -8.6%. After two years, they underperformed by -11.9%. And after three years, the figure was -15.6%.
  • Regulatory fines. Fines can be extremely expensive. As a result of its 2019 breach, Equifax agreed to pay at least $575 million in fines as part of a settlement. T-Mobile collectively paid $350 million as part of a settlement following a 2021 breach. The list goes on.
  • Legal fees. The cost of defending or settling lawsuits is hard to quantify because that information is always private, but anyone who has ever hired an attorney can do the math there.
  • Insurance impact. The average cost of cybersecurity insurance in the U.S. rose 79% in Q2 2022, after more than doubling during each of the previous two quarters. A breach can lead to an even more expensive premium at best, and outright cancellation at worst. 

Reject Unacceptable Risk

In summary, cutting investment in cybersecurity is risky not only in the short term but in the long term as well. Given the current threat and fiscal environments, that hardly seems like a risk worth taking.


]]>
Bugcrowd Named a Leader in GigaOm’s Pen Test as a Service Report https://www.bugcrowd.com/blog/bugcrowd-named-a-leader-in-gigaoms-pen-test-as-a-service-report/ Wed, 18 Jan 2023 19:53:25 +0000 https://live-bug-crowd.pantheonsite.io/?p=8670 Bugcrowd is proud to have been named a “Leader” by respected research company GigaOm in its 2022 Radar Report for Penetration Testing as a Service (PTaaS).  The report assesses PTaaS vendors to help security decision-makers select the best fit for their business and use case requirements pertaining to penetration testing. Report author Chris Ray observes […]

The post Bugcrowd Named a Leader in GigaOm’s Pen Test as a Service Report appeared first on Bugcrowd.

]]>
Bugcrowd is proud to have been named a “Leader” by respected research company GigaOm in its 2022 Radar Report for Penetration Testing as a Service (PTaaS). 

The report assesses PTaaS vendors to help security decision-makers select the best fit for their business and use case requirements pertaining to penetration testing. Report author Chris Ray observes that “While pen testing is quite mature, the PTaaS space is young. For this reason, the definition of PTaaS—and PTaaS solutions—will likely evolve over the next few years as the space matures.”

In the assessment, Bugcrowd earned “Exceptional” scores for key criteria such as Automated Workflows and Use of Crowdsourced Pentesters, as well as for Solution Ecosystem, Feature Set, and Speed. Per report author Ray:

  • “Bugcrowd, a long-time player in the bug bounty space, has extended successfully into the PTaaS market and brings with it years of engineering experience.”
  • “Automation is a central component of a good PTaaS solution, and Bugcrowd has made it a priority to use automation to streamline as much of pen testing as possible.”
  • “The Bugcrowd PTaaS solution delivers strong automation capabilities that achieve real-world time savings for clients…Bugcrowd is a feature-rich, broadly applicable PTaaS solution.”

View the full report to learn why GigaOm calls Bugcrowd a Leader in this modern, innovative approach to penetration testing that leaves the limitations of consultative approaches behind.



]]>