20 May 2021

Cyrex CSP: Best of Both Worlds

When it comes to cybersecurity testing, you have two choices. There is the bug bounty approach and the penetration testing route.

While these both have their own unique strengths and weaknesses, the team at Cyrex aren’t one to sit idle, having recently launched a new program for indie developers. To continue that push, we're now offering the Cyrex Cybersecurity Program (CSP). First, let’s break down how things normally work.

Putting a bounty out

A bug bounty program is a straightforward concept. You want to test your security and you put the call out for people to test it. You offer a sum of money as a reward for those who can find and reliably replicate a vulnerability.

The strength of a bug bounty is two-fold. A huge, diverse range of testers. And you only have to pay for vulnerabilities that are found. It allows a company to have many testers with no time limits or short schedules. Communities of hackers will pit themselves against your system to find as many vulnerabilities as possible.

The negative side of bug bounties is that, with so many testers, you don’t have the guarantee of proper quality assurance (QA) and professionalism. You may get false positives or discoveries of exotic vulnerabilities that would be unlikely to be exploited by a typical hacker. And, without penetration testing, you may find it far more expensive than the alternative.

A professional approach

The other common approach is a security service – usually providing a single security engineer to professionally test and validate any flaws found. These would be professional ethical hackers in an established position with strict methodologies and workflows.

Here you have the guarantee of proper QA and a set timeframe. The former is a huge benefit, while the latter can be both. With a set timeframe, you can have a stable timeline to work with. But the security engineer is also limited by the time they have to work with.

In addition, a single security engineer is working alone and therefore cannot cross-validate any findings with another tester. The diversity found in droves in bug bounties is absent here, as all testing derives from a single source.

Can you have the best of both worlds?

That was a question we asked ourselves. Can you merge the diversity of bug bounties and the proper QA of a professional penetration test?

That was our goal with the Cyrex CSP. The concept merged almost immediately with our typical workflow. Our patented pair hacking method blends perfectly with the bug bounty level of diversity and helps to further counter the issue of a solo security engineer.

With Cyrex CSP, we can offer the benefits of bug bounties without the false positives or lack of proper QA. With our pair hacking and rotating teams through multiple iterations, we simulate the exposure and diversity a bug bounty program offers. All the while, maintaining the high-level quality as professional penetration testers.

Cyrex CSP assigns multiple teams to switch out on a consistent basis across the iterations of testing, allowing fresh eyes and growth of past experience from the previous time and work.

Value across the board

The teams at Cyrex are professionals, managed by world-class cybersecurity experts. We know what to look for, we’ve seen it all. We have the experience to work with a wide variety of protocols, technologies, architectures, and frameworks to enable us to jump straight into work.

While penetration tests are often a time-sensitive process, our pair hacking approach and expertise means we can complete and cover your scope in half the time. We’ve dealt with the pressure of time-limited projects; we’ve been put down to the wire and come out swinging every time. Deadlines aren’t something we struggle against, they’re something we beat.

Workflow and communication

Our workflow is flexible and adaptable to your needs, but we typically follow a 3-step process. It allows us to maintain a clear focus that easily retains momentum across multiple teams and iterations.

  • Reconnaissance – Mapping of existing assets. This offers us a clear understanding of your system and assets and their importance. Testing is focused on a sliding scale based on importance as valued by you.
  • Penetration Testing – Multiple iterations of testing based on needs. Full, clear, and comprehensive reports provided after.
  • Priority Testing – In the event of urgency and/or new priority – we can immediately switch focus to a newly designated asset.

These are always followed up by regression testing, once our client’s technical team has finished patching.

Finally, communication is always a top priority at Cyrex. This program allows the communication of a professional penetration test alongside emulating the exposure of a bug bounty program. Direct communication with a client expedites the entire process and allows for limitless collaboration.

With Cyrex CSP, there’s no longer a choice between large-scale exposure and high-quality testing. Instead, you get a consistent and accessible team of professional security engineers to provide the results to give you proper peace of mind.

If you’d like to learn more about Cyrex CSP, get in touch with us directly. You can also find more details on our penetration testing for games and applications on our website, as well as some of our previous clients!