Bugcrowd recently announced in a press release that it has acquired Mayhem Security. The deal pairs Bugcrowd’s crowdsourced hacker community with Mayhem Security’s autonomous AI testing platform, and it marks a clear inflection point in the shift toward AI-augmented security testing in software development. It is also the latest move in the long-running arms race between those who build software and those who look for ways to exploit it.
AI Is Transforming Both the Offensive and Defensive Sides of Cybersecurity
Artificial intelligence has reshaped a wide range of business functions in the modern economy, and the cybersecurity industry is no exception. The MIT Sloan School of Management recently reported that AI has changed the character of cyberattacks, with attackers using it to build malware, to generate phishing content, and to run social engineering campaigns built on deepfakes.
Attackers use AI to mount attacks, and cybersecurity companies use AI to help fend them off, so AI now shapes both the offensive and the defensive sides of the field. On the defensive side in particular, AI can help meet the need for vulnerability discovery that is both scalable and intelligent throughout software development.
The Acquisition: What Bugcrowd Gains from Mayhem Security
Bugcrowd offers a range of cybersecurity products and services, including penetration testing as a service, red team as a service, and crowdsourced vulnerability discovery. It already says it uses AI in those offerings, and the Mayhem Security acquisition extends that capability. According to Bugcrowd, it will combine its existing hacker community with the Mayhem Security AI platform, aiming to “help organizations ship safer software faster, at lower cost, and with greater confidence, while shrinking their attack surface”. The stated intent is not for AI to replace human expertise but for white-hat hackers to use AI as a lever to deliver better results for customers.
Mayhem’s “AI Offensive Security”
According to the Mayhem Security website, its offerings include AI-powered code security, API security, and dynamic software bill-of-materials (SBOM). The Bugcrowd press release quoted David Brumley, the CEO of Mayhem Security, as follows: “For over a decade, we’ve built technology that thinks and learns like an attacker to autonomously find new vulnerabilities. Joining forces with Bugcrowd amplifies that mission by combining AI-driven automation with the creativity and expertise of the global hacker community. Together, we’re redefining modern security testing, helping organizations preempt risk, close vulnerabilities faster, and eliminate zero-day threats.”
Mayhem Security lists a range of customer logos on its website, including Rivian, Deloitte, and Cloudflare. It integrates with a variety of platforms relevant to software developers, including GitHub, Slack, and Jira. It also claims that its AI identifies software vulnerabilities with no false positives. Practitioners should read that as a vendor claim about precision only: it says nothing about recall, that is, about the vulnerabilities the tool fails to find, so it is not a substitute for other testing in the pipeline.
A Hybrid Security Approach for Software Vulnerability Management: Human Expertise and AI-Based Automation
Bugcrowd describes a hybrid approach to addressing vulnerabilities in software development. It states, “The integration of Mayhem’s AI-driven automation with Bugcrowd’s crowdsourced testing redefines how vulnerabilities are discovered and remediated across the software development lifecycle”. Crowdsourcing on its own has proven an effective way to surface vulnerabilities, and adding automated AI discovery to it promises to be a force multiplier.
Bugcrowd quoted its CEO, Dave Gerry, as saying, “This acquisition represents another milestone in our mission to transform the way organizations approach cybersecurity by combining the collective ingenuity of our global hacker community with the machine speed and precision of AI offensive security testing”.
Bugcrowd is not the only company taking this hybrid approach to software vulnerability management. HackerOne states on its website that its platform also combines the work of human researchers with AI insights; it says it has over two million researchers and that 90% of its customers use the platform’s AI agent.
Strategic Implications for the Industry
This hybrid approach to finding and remediating software vulnerabilities has strategic implications for the software and cybersecurity industries. It creates the potential for much greater efficiency in DevSecOps pipelines, with security validation running continuously rather than as a one-off assessment. Vulnerability management can become proactive rather than reactive: a vulnerability remediated before the software is released is not there for attackers to exploit. Historically, vulnerabilities have too often been discovered only after they were exploited, by which point some damage has already been done. AI-assisted testing of this kind could reshape the practice of software vulnerability management.
Conclusion
The Bugcrowd acquisition of Mayhem Security marks another phase in the evolution of bug bounty programs and may help redefine the future of vulnerability management for software development. The autonomous hacker assistant is likely to become a mainstay of such efforts. The hybrid model, in which humans use AI as a lever to do more, faster, has proven useful in a variety of contexts. As in so many aspects of life and business, AI is changing things for the better by making people more efficient.