TL;DR: In the ’90s and early 2000s, many relied on antivirus software like Norton or McAfee to scan for computer vulnerabilities. But cyberattacks are getting smarter, which means our defenses have to get more creative. That’s where HackerOne comes in. HackerOne serves a global clientele with its carefully selected penetration testers, many of whom have more than a decade of testing expertise. We spoke with Senior Solutions Engineer Josh Donlan about how HackerOne’s crowdsourced approach and expert-driven testing have become a top choice for reliable pentesting.
For nearly 30 years, malware was among the most common attack methods for cyberattackers. Fast-forward to today, and only 25% of recorded attacks contain malware.
So, what does this mean? If anything, it’s a notable trend that suggests cyberattackers are shifting toward more sophisticated methods.
Malware, short for malicious software, is any program or code designed to attack a system. It’s one of the oldest digital attack methods, peaking between the 1980s and mid-2000s. Although malware attacks still occur today, the increased security of the internet and its networks has forced cyberattackers to become more creative.
Unfortunately, traditional software can fall behind in identifying new methods, such as AI-driven attacks and IoT targeting (which only exemplify how cyberattackers have evolved).
As a result, cloud-based software has essentially taken over, allowing experts to monitor 24/7 and quickly apply updates. But at the end of the day, computers aren’t as intelligent as humans — which is where penetration testing, or pentesting, comes into play.
HackerOne is a cybersecurity platform that offers pentesting-as-a-service (PTaaS). It connects companies with a network of experienced, crowdsourced ethical hackers and pentesters who innovatively identify a system’s vulnerabilities, loopholes, and potential attack surfaces.
Josh Donlan, Senior Solutions Engineer at HackerOne, believes the agency’s unique approach sets it apart from traditional pentesting.
“It’s time for people to start engaging more with crowdsourced resources,” said Josh. “Every time you conduct a pentest and don’t get any results, ask yourself, ‘What if someone was just a bit more creative? Are we truly secure — or are we just repeating the same methods we’ve used for the last 15 years?’”
HackerOne aims to be your one-stop resource for pentesters so you never have to ask those questions again.
The Problem with Legacy Solutions
PTaaS is a cybersecurity model that combines on-demand human expertise with automation to identify vulnerabilities within an organization’s systems.
Pentesting is not new, but Josh noted that traditional methods don’t always provide a complete solution. HackerOne has addressed four significant pitfalls of legacy pentesting with its PTaaS model:
- Slow startup and turnaround times: Getting a pentest started can take four to six weeks, delaying the development cycle and the release of patches and updates.
- Delayed vulnerability detection: Critical vulnerabilities may not be detected until the end of the testing period, ultimately leaving the system exposed.
- Lack of integration with ticketing systems: Reports are delivered in PDF format, which requires manual entry into ticketing systems like Jira or ServiceNow.
- Inconsistent staffing: Pentesting programs often experience frequent staff rotations, sometimes involving multiple vendors. This can lead to inconsistencies and a lack of specialized knowledge.
With that said, HackerOne does things a little differently: It leverages a network of crowdsourced pentesters.
But these aren’t just any testers.
Candidates must undergo a rigorous application process, which includes meeting specific credential requirements, passing criminal background checks, and participating in formal interviews.
Based on its needs, HackerOne selects the top applicants to join a small, exclusive community of pentesters and ethical hackers — and the rest is history.
Real-Time Vulnerability Detection
Rapid response is the name of HackerOne’s game.
As the tester examines your system, you’ll receive real-time updates on any vulnerabilities discovered as they emerge. Unlike traditional pentesting, where results can take several weeks or months, HackerOne’s approach provides immediate feedback.
Its pentesting engagements are typically divided into two 20-hour work segments over a two-week time frame, which equals about 40 hours of pentesting.
The number of hours and testers can be adjusted based on the project’s complexity, but the goal is always to complete the pentest within two weeks to avoid delays or extended timelines.
“As the pentest is happening, you’ll know about those vulnerability details in real-time,” Josh explained. “We’re still giving you the traditional pieces of a pentest, like a methodology report, but you also have a live dashboard to watch as these vulnerabilities start rolling in.”
On the dashboard, you get live updates and details about the pentesters working on your test, including a brief overview of their expertise. You can also track the testing timeline, see when the testing is expected to be completed, and know when to anticipate the final report.
The process is straightforward to follow, and some of the biggest names trust HackerOne, including Adobe, Wind River, and Cresta.
Josh emphasized that while HackerOne collaborates with many enterprises, it’s also an adaptable solution for smaller businesses.
“Our agility allows us to set up and tailor solutions quickly to fit the timelines of smaller organizations,” Josh said. “We’re not limited to big companies with complex needs; we are also well-fit for smaller organizations because of how much of this is self-service.”
A common misconception about smaller businesses is that they are not vulnerable to cyberattacks, often because they assume they have nothing valuable to steal. But this is far from the truth: Cybercriminals are targeting SMBs at an alarming rate.
“The more the technology rapidly evolves, you’ve also got to start thinking about more creative solutions,” Josh said. “We’re always introducing more technical debt, attack surface, and security holes for any type of organization or project.”
Some of the newer methods cyberattackers are implementing include:
- Prompt injection attacks, which target large language models (LLMs) by exploiting their inputs to manipulate responses.
- Cross-site scripting (XSS), a web vulnerability that allows attackers to inject malicious scripts into web pages to compromise user security.
- Improper access control, a system vulnerability that lets unauthorized users gain access to sensitive information they shouldn’t otherwise have.
Recently, HackerOne conducted a pentesting engagement focused on war dialing.
War dialing is an older technique in which hackers use automated calls to dial a range of phone numbers systematically. This approach helps them detect and exploit vulnerabilities in devices connected to the public telephone network.
“It’s a very ’80s and ’90s thing,” Josh laughed. “But we could pull it off thanks to the diverse expertise within our pentesting community. We found a few members who knew how to execute war dialing attacks using old-school PBX systems.”
Beyond the standard two-week pentest, you can choose from two testing tiers: Essential or Premium.
Essential
This basic pentest is ideal for web applications, external networks, and APIs.
Pentesters are selected based on availability and hold relevant cybersecurity certifications, such as OSCP (Offensive Security Certified Professional) or CEH (Certified Ethical Hacker).
Launching is guaranteed within seven days, and you’ll receive retesting for up to 30 days. Standard reports from your assigned technical manager can be easily integrated with the tools in your native software development life cycle (SDLC), such as Jira and GitHub.
Premium
This advanced pentest includes everything the Essential tier offers, but better suits complex projects, such as internal networks, Android, iOS, cloud, and code security audits.
Pentesters hold several in-depth certifications, including OSCE (Offensive Security Certified Expert), CREST (Council of Registered Ethical Security Testers), and AWS (Amazon Web Services) certifications. They are selected based on geolocation, citizenship, and time zones.
Your program is guaranteed to launch within four days, and you get 90 days of retesting availability. Custom reports from your dedicated technical manager include test planning and priority pentester staffing.
HackerOne’s Role in Modern Security
Hai is one of the newest additions to the HackerOne team.
Originally designed to simplify report comprehension and organize your dashboard inbox, Hai is an AI-powered co-pilot that has significantly evolved since its introduction.
Today, Hai offers a range of advanced features, including report summarization, remediation advice, enhanced communication, custom templates, and automated tasks.
For example, when you access your dashboard, you can open a chat tab to interact with Hai. Ask Hai to format reports into a Nucleus template based on their type, or to translate technical details into business impact summaries for non-technical stakeholders.
“Hai can be used for a lot, but it primarily helps people understand the pentesting method and results,” Josh added. “Whether you want to use the chatbot to discuss the report or build API automation for regular custom feeds, it’s designed to be self-service.”
As for what’s next, Josh predicts cybersecurity solutions will become more bespoke.
“There are many boutique firms offering specialized services with niche applications across various industries, so there will be a big demand for individuals who can take on specific roles,” Josh said. “That’s what we’re trying to do here — we want to provide companies with individuals with profound knowledge in something extremely specialized.”
If you want to go beyond automated security tests, working with experienced pentesters is the next step. Pentesters have the expertise to uncover vulnerabilities and address risks in ways that automation alone simply can’t.