Nybble Security

While SOC teams are overwhelmed by security alerts and unable to keep pace, maintain their tools and improve detection capabilities, the bounty model lets them draw on a community of thousands of talented cyber analysts from all over the world and finally operate at full capacity.

L2 and L3 analysts who were forced to do triage work can refocus on their high-value-added tasks: improving detection capabilities, investigations and incident response.

Defensive crowdsourcing reimagines bug bounty principles by engaging cybersecurity analysts to proactively hunt for threats, validate alerts, and develop detection rules.

Threat Bounty offers the same advantages as Bug Bounty, and provides a simple, fast and flexible response to the many challenges facing security teams.

Benefits #1: Threat Bounty campaigns are for all companies

Threat Bounty campaigns can be defined over a restricted or a wide perimeter, meeting the needs and resources of all types of companies, from startups to corporations.

Whether the goal is to triage alerts from a particular scope or from the whole SIEM, or to hunt down the latest infostealer, the model can address companies that have only an EDR as their first line of defense as well as those with the most mature SOC and the full panoply of cybersecurity tools and processes.

The key concept is to send the company only alerts categorized as true positives, or hunt reports dealing with real, qualified threats, so that even the smallest teams only have to focus on response and remediation.

Even if your maturity, budget and capabilities are modest, the flexibility of the Threat Bounty model will enable you to tailor a service to your needs.

In fact, Threat Bounty's pay-per-alert/pay-per-threat model particularly suits smaller firms, cybersecurity teams that are building new skills, or companies that want to develop new offers and services for their clients.

By contrast, creating an internal SOC team able to work in shifts for 24/7 triage is far more complicated and requires a significant budget, even for a small company with a low volume of data and alerts.

Benefits #2: Cost-effective and transparent model

As in Bug Bounty, where rewards range from (rare) six-figure amounts paid by GAFAM down to a few dozen dollars for the less critical vulnerabilities, the rewards for threats and alerts can cover a wide range of amounts and therefore be adapted to all budgets.

A Hunter can be rewarded €400 for a report on the discovery of an infostealer, which is far less than the impact of an attack carried out with the credentials that infostealer collected. Even for small businesses, it's money well spent.

Bug bounty programs can lead to substantial long-term cost savings because the cost of addressing a security breach far exceeds the cost of a $20,000 (which is the higher-end reward) bounty payout: per the Cost of a Data Breach Report 2023, the average total cost of a data breach is well over $4 million. (Why Bug Bounty Payouts Are Worth Far More Than Their Cost)

This model also enables transparent billing: the community handled 113 alerts for you? You pay for 113 alerts. A hunter found the beginnings of a compromise that could lead to ransomware execution? You pay a bounty and get a precise report to respond to the incident and improve your detection capabilities.

Benefits #3: A model designed to build a trustworthy community

At first sight, it may seem scary to give an external community of analysts access to your SIEM to process security alerts or run threat hunting campaigns.

In reality, MSPs, MSSPs, MDR providers and internal SOCs are already doing this when they outsource part of their alert processing to offshore IT services firms or other companies. You don't even know the analysts' identities; the IT services company acts as a trusted third party.

Then, as on a Bug Bounty platform or at any other IT services company, analyst registration goes through a KYC and KYB process, so identity and background are checked. There is also a Dojo platform that simulates enterprise data and alerts, so we can test analysts' skills and make sure they will handle alerts the right way.

In addition, there are of course the usual legal documents: NDAs, code of conduct, general conditions of use, terms of service, etc.

An algorithm is also used to detect suspicious behavior, such as an analyst closing dozens of alerts per minute. In that case, the analyst is automatically blocked and banned, and the alerts go back to the queue to be handled.

Some alerts are also picked at random for a second triage by another analyst, which helps check an analyst's work and double-check the triage result. An analyst who makes too many errors is banned from the community as well.
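The two quality controls just described (a velocity check on alert closures, and random re-triage with an error-rate threshold) can be sketched as follows. This is an added example, not Nybble's own code: the event format, the 60-second window, the thresholds of 20 closures and a 30% disagreement rate, and the sample events are all assumptions constructed for illustration.

```python
"""Quality controls on a crowd of triage analysts (added example, not
Nybble's code). Event format and thresholds are assumptions."""
from collections import defaultdict, deque
import random

# Constructed event log: (analyst, timestamp in seconds, alert_id, verdict).
# "bob" closes 30 alerts in about 45 seconds; "alice" works at a human pace.
EVENTS = (
    [("alice", 100 + 90 * i, f"A-{i}", "false_positive") for i in range(10)]
    + [("bob", 500 + 1.5 * i, f"B-{i}", "false_positive") for i in range(30)]
)


def velocity_offenders(events, window_s=60, max_closes=20):
    """Return analysts who closed more than max_closes alerts inside any
    sliding window of window_s seconds (the 'dozens per minute' pattern)."""
    offenders = set()
    windows = defaultdict(deque)  # analyst -> closure timestamps in window
    for analyst, ts, _alert, _verdict in sorted(events, key=lambda e: e[1]):
        q = windows[analyst]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop closures older than the window
            q.popleft()
        if len(q) > max_closes:
            offenders.add(analyst)
    return offenders


def requeue_after_ban(events, banned):
    """Alerts closed by a banned analyst go back to the queue to be handled."""
    return [alert for analyst, _ts, alert, _verdict in events if analyst in banned]


def sample_for_review(events, rate, rng):
    """Pick a random fraction of closed alerts for a second, independent triage."""
    return [e for e in events if rng.random() < rate]


def error_rates(first_pass, second_pass):
    """Per-analyst share of reviewed alerts on which the reviewer disagreed.
    first_pass: the event log; second_pass: {alert_id: reviewer_verdict}."""
    seen = defaultdict(lambda: [0, 0])  # analyst -> [reviewed, disagreed]
    for analyst, _ts, alert, verdict in first_pass:
        if alert in second_pass:
            seen[analyst][0] += 1
            if second_pass[alert] != verdict:
                seen[analyst][1] += 1
    return {a: disagreed / reviewed for a, (reviewed, disagreed) in seen.items() if reviewed}


def analysts_to_ban(rates, max_error_rate=0.3):
    """Analysts whose disagreement rate on re-triaged alerts is too high."""
    return {a for a, r in rates.items() if r > max_error_rate}


if __name__ == "__main__":
    banned = velocity_offenders(EVENTS)
    print("velocity ban:", banned)
    print("requeued alerts:", len(requeue_after_ban(EVENTS, banned)))
    reviewed = sample_for_review(EVENTS, 0.2, random.Random(7))
    # Constructed reviewer verdicts: the reviewer overturns every one of bob's calls.
    second = {e[2]: ("true_positive" if e[0] == "bob" else e[3]) for e in reviewed}
    rates = error_rates(EVENTS, second)
    print("error rates:", rates)
    print("QA ban:", analysts_to_ban(rates))
```

The velocity check keys on closures per analyst rather than on the global queue, so one fast analyst cannot hide behind a busy period; the re-triage check only counts alerts that actually received a second verdict, so an analyst is judged on a sample the reviewer saw rather than on volume alone.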


Since analysts and hunters are ranked, we can create pools from the community based on country of origin and analyst score. This lets us provide a group of analysts specifically selected for a client with special requirements (e.g. analysts with the best track record, only from France).

This is what the biggest US Bug Bounty platform provides with HackerOne Clear.

On average, our Clear hackers have been active on the platform 25+ months, and submit 24x more high and critical reports and 205x more valid high and critical reports than non-Clear hackers. (HackerOne Clear) (HackerOne ID & H1Clear verification)

Finally, on all modern SIEM/XDR platforms it's possible to hide or pseudonymize fields such as usernames or other sensitive information. Technical solutions are there to help as well.

Benefits #4: Tackling alert fatigue

SOC teams are completely overwhelmed by the number of alerts they receive and have to handle. The idea behind Threat Bounty is not to add another tool to configure, maintain and operate, but on the contrary to relieve analysts by providing the missing human resources.

62% of the alerts received by the SOC team are ignored. We keep hearing about the problem of alert fatigue. (MSSP Market News)

This way, the internal SOC team has more time to fine-tune detection rules, make them more precise and avoid false positives, and so gains more time for high-value-added tasks such as creating new rules, deep investigation or hunting.

Benefits #5: Enhance your maturity level

The flexibility of the Threat Bounty model suits organizations at various levels of cyberdefence maturity. Even if you are a small organization starting out with basic security tools, you can benefit from hunting campaigns to find gaps in your security and monitoring. You can start hardening your security by running campaigns on a restricted scope, so that the number of reports stays in line with your patching capacity.

Then, as your teams become more accustomed to handling incoming reports and alerts, you can expand the scope to cover more of the attack surface, continue to patch, and enhance your capabilities with new tools.

Conclusion

What's clear is that neither your maturity nor your budget is an obstacle to adopting the Threat Bounty model. Improving your defensive capabilities must be taken seriously at an early stage. In most cases it comes too late: the company's confidential information, credentials and data have already leaked onto the Internet.

Whether you’re an MSSP looking to expand your customer base, an MSP looking to expand your service offering, a SOC looking to handle alerts 24/7 or you want to improve your maturity level, Threat Bounty is the answer to your needs.

Want to discuss it?

Feel free to react on LinkedIn or reach us by email through our contact form. We will be happy to hear from you!
