DarkHorse Security At The Speed Of You.

About DarkHorse


DarkHorse exists to make it easy and affordable for organizations of all sizes and budgets to be proactive with their cybersecurity.

We do that by offering a no-nonsense platform that focuses on the essentials, cuts out the noise, and passes those savings on to you.

Let's Ride.

DarkHorse is different.

We're truly committed to helping organizations become more secure, regardless of the size of their budget. Here are just a few of the ways DarkHorse is unique in our approach:

  • Free premium bug bounties & VDPs
  • Transparent pricing for all
  • Significantly lower costs to you via reduced profit margins for ourselves
  • First-of-its-kind fractional pentesting
  • And a whole lot more...
Who is DarkHorse?
DarkHorse is an organization whose mission is to help make proactive security accessible and affordable for organizations of all sizes. We do this by eliminating unnecessary costs, reducing our profit margins to pass the savings on to you, and offering an easy-to-use, streamlined platform-first approach.

We offer five core services to help secure organizations:
  • Penetration Testing - The industry standard for securing assets. Required as a part of PCI, HIPAA, SOC2, and more. A qualified tester goes through a comprehensive methodology and tests your scope for vulnerabilities for a set amount of time.
  • Application Logic Assessments - A high-level, human-driven security assessment of your scope by a qualified tester. Not as in-depth as a penetration test, but generally finds 70-80% of the results of a pentest in a fraction of the time.
  • Platform-Managed Vulnerability Disclosure Programs (VDPs) - Every organization needs to have a way for outside parties to be able to responsibly report vulnerabilities. Our platform streamlines that process - saving your team time and money.
  • Platform-Managed Bug Bounties - For organizations serious about reducing risk, running a bug bounty program is the most effective means of identifying vulnerabilities at scale.
  • Fractional Pentesting - Access to penetration testing talent when and how you need it. Sometimes you don't need a full pentest, but want access to a penetration tester. Fractional pentesting allows for exactly that.
How is DarkHorse different?
We like to think there are a lot of things that make us different, but we'll do a quick run-down here...

  • Our Motivations - We're here to make the world a more secure place. Every other player in the space is focused on maximizing profit. Not us.

    Because we're not focused on profit or arbitrary quarterly numbers to impress investors, we're able to focus on what matters: helping make you and the world a more secure place. We take less profit margin for ourselves, and pass those savings along to you.
  • Free Bug Bounties - Other Bug Bounty platforms in the space charge tens of thousands of dollars for what we offer for free. And even beyond the free tier, our bug bounty programs cost a fraction of a fraction of what other organizations charge. We strongly believe in the efficacy of bug bounty programs, and want everyone to be able to run one. To do that, they need to be affordable for everyone, which is what we're doing!
  • Lean, For Real - For most organizations in the space, there's something like ten(!) or more people who touch every account (account executive, sales development rep, sales engineer, solutions architect, account manager, customer success rep, support personnel, onboarding engineer, all their managers, and so on!).

    Every organization claims to be lean, but we all know there's a ridiculous amount of bloat in just about every organization on the planet. By building DarkHorse how we'd want to run a company, we've successfully omitted all the bloat we could think of, and as a result, are able to pass along all those savings to you (as opposed to pocketing the difference).
  • Platform-First Approach - We're able to successfully omit all of the above roles because we have a true platform-first approach. Most other platforms in the space are services teams that are supported by a platform. We're a platform that's supported by the platform.

    To be clear, this does mean that there's less hand-holding here at DarkHorse. That is true. Organizations that need a significant amount of hand-holding may be better served by the more expensive options in the market. We're happy to also add on a consultative layer (should it be so desired), but that's not baked into the base costs.
Why "DarkHorse"?
The Wikipedia entry for "dark horse" starts with "A dark horse is a previously lesser-known person, team or thing that emerges to prominence in a situation, especially in a competition involving multiple rivals, that is unlikely to succeed but has a fighting chance..."

In our view, that's a perfect encapsulation of who we are. We're an upstart in the space, but despite having a large disadvantage in terms of starting position, we really do feel that we have a shot at making a mark on this industry. And for that reason, we believe we're literally and figuratively a Dark Horse. Also, it sounds cool. Or at least we think so.
Got a feature you've been waiting on? We'd love to build that for you!
If you've got a feature you've been waiting on from your current platform / provider, we'd love to build that for you. One advantage to being a smaller organization is that we're able to have a tighter loop with our clients and what they need.

If we sell you on a feature and that feature doesn't get delivered, you don't pay. It's that simple.
But you don't have triage / validation?
Nope; we don't!

Will we offer it? It's not in the plan.

We did the math on it, and don't think it's a good value for you, the client. We'll explain...
  1. We don't believe it's as economical for organizations as you may have been led to believe. We started building out a triage function for DarkHorse, but quickly realized that it's actually not as advantageous as we initially thought. Take this quick thought exercise:
    • 20-30% of reports wind up being valid. This means that out of the gate you still have to do at least 20-30% of the total work involved in triage, since you need to validate those reports yourself, etc.
    • Anyone who has managed a program also knows that there are a number of reports that need their input pre-triage as well... with questions from the triagers asking if things are in scope, if it's intended, and so forth. We'll call this an additional 10% of reports.
    • Finally, there is a small percentage of reports that get mis-triaged and need your oversight. We'll call this another 5% of reports.
    • So, even with triage in place, we're up to touching approximately 35%-45% of all reports, no matter what.
    • Then also remember that the other remaining reports are duplicates, out-of-scopes, not-applicables, and so forth. And then also keep in mind that those types of reports tend to take less than half the effort of evaluating a valid report.
    • Adjusted for effort, triage is charging for 100% of the work, but despite that, you are still required to do over 50% of the work in the end. So your real adjusted savings in paying for triage is closer to 50% (or less), in terms of work reduction.
    • While your mileage may vary, in our opinion, getting 50% of the value for 100% of the price isn't particularly economically efficient. And for that reason, we don't offer triage by default. Were it our security program, we'd put our funds to use elsewhere, and want to offer our clients the same courtesy.
  2. Secondarily, the mission of DarkHorse is to make crowdsourced and offensive security accessible and affordable for everyone. In our view, building a services organization is antithetical to that goal. Running services means having to handle more personnel, and the issues that come with personnel, etc - and before we knew it, we'd be spending all our time managing the services org... instead of staying true to our mission. So this is us staying true to our mission. Nothing against triage - and it's immensely valuable for many, many organizations. It's just not what we're focused on right now.
How much does DarkHorse cost?
  1. A lot less than every other provider in the space.
  2. Less than you'd think (it's free in a lot of cases!).
  3. You can review our pricing on our pricing page.
  4. If that pricing is still out of your range, reach out and we'll try to figure out a way to work together. Our goal here is to make security accessible and affordable for all - you included!
How do I start?
Glad you asked!
  1. Click the "register" button in the upper right hand corner of the page.
  2. Register as a client. Ensure the button to also create an organization is checked.
  3. Once logged in, under 'create new', select the type of engagement you're interested in running.
  4. Follow the onboarding flow, and you should have your engagement up within a matter of minutes!
  5. If you have any questions at any point, do not hesitate to reach out to info[at]darkhorse.sh.
DarkHorse is making proactive security affordable and accessible for organizations of all sizes and budgets by eliminating unnecessary costs, reducing our profit margins to pass the savings on to you, and offering an easy-to-use, streamlined platform-first approach. Breaches are expensive; DarkHorse isn’t.


© 2024 DarkHorse Security, LLC. DarkHorse: Let's Ride. All rights reserved. CURRENTLY IN OPEN BETA