Intelligent CISO Issue 85 | Page 53

COVER story

It’s harder than ever to differentiate a nation state actor from a cybercriminal gang. The cybercriminal gang is now acting with a level of sophistication in their attacks that we haven’t seen before.
A lot of that is driven by AI. Any of us can very quickly become a talented cybercriminal just by leveraging AI and having it develop some of that. A great example is when patches come out – AI can quickly reverse engineer them to understand where an exploit exists, build an exploit package for it, and execute it.
What used to take an individual a week to do, AI is now doing in an hour. So as we think about how we help our customers – really simply, it’s about acting as an extension of their team. The defender has been outmatched for years, and AI is only accelerating the asymmetry that exists in that kind of battlefield. Helping to bring ethical security researchers to bear on behalf of customers is something they’re getting a lot of value from, and we’re starting to level the playing field.
Justin Gardner AKA Rhynorater, Ethical Hacker
What tools or AI techniques do you use to improve your testing capabilities?
The use of AI is really revolutionising bug bounty at the moment. Tools like ChatGPT, Claude, Cursor, Shift and many others have become pivotal to the methodology of the hackers on the frontlines – the bug bounty hunters. A lot of hackers nowadays fear that AI will greatly impact their job, but the true hackers know that AI is just another tool in their toolkit and will adapt to use it appropriately. AI certainly cannot be ignored; it must be assimilated into our workflows and make us more efficient.
What do you wish more companies understood about working with ethical hackers?
In a lot of ways, the bug bounty hunter is an extension of your security team. Sure, you can’t give us the keys to the kingdom, but any additional insight and access you can provide will reduce the friction to finding a vulnerability and make your bug bounty program stand out from the pack.
Another big thing is that we’re more than just a ticket – treating bug bounty hunters like humans will go a long way with building rapport and making sure your program always has bugs in the queue.
Dave Gerry, CEO, Bugcrowd
What are the biggest misconceptions among security leaders about crowdsourced security – and how do you address them?
There’s always this misconception that a hacker is somebody with a hoodie in the dark in the basement and I think what we’ve really tried to do is shine a light on the amazing skill set that exists, the fact that these are professionals that have full time jobs in many of the top brands in the world.
We’ve tried to shed a light on the diversity that exists within that group. One of the things I’m most proud of is seeing, every year in our Inside the Mind of the Hacker report, what percentage of the population – what percentage of the crowd – are kids under 18, who are self-taught, doing this to learn new skills. Maybe it’s something they ultimately leverage in a university program, or maybe they skip university altogether and go directly into working in cyber.
I think we’ve had this misconception as a society that hackers are bad, and I think what we’ve helped to do is shine a light to say these are people that are ultimately going to help protect you, that are an extension of your team, and we can do that in a few different ways. One is we try to put hackers front and centre. At a recent event we were trying to show, ‘Hey, these are really smart, capable, talented folks that ultimately have the ability to make impactful changes and differences for our customers’, and we’re going to continue pushing that forward.
We believe that for organisations to be more secure, they have to leverage the power of the ethical security research community, and we’re the way in which they can do that.
For CISOs sitting on the fence, what’s your advice for making their first move into crowdsourced testing?
Don’t wait. You’re missing out if you’re not leveraging the power of the crowd. The analogy I like to use here is: if you’re not working with the crowd, you can guarantee that the bad actor is already doing the testing for you. So you’d better leverage the power and ingenuity that exists within the hacker community to find those before the bad actors do. Very simply, don’t wait – because you’re falling behind.
www.intelligentciso.com