Due to the nature of the application, DarkHorse is not optimized for mobile devices. Please view it on a desktop or tablet for the best experience.
Blog
(words. probably too many of them.)Posts:
What If Things Didn't Have To Be This Way?
Today, I’m releasing into the wild (open beta), the project I’ve been working on over the last six months: DarkHorse.
After leaving Bugcrowd eight months ago, I wanted to (1) do my own thing in some way, shape, or form; and (2) do something that would make the world a better place. And while attempting to help save the polar bears, running for office, or helping clean up the oceans are noble ambitions (and things I may get to someday), I realized that where I can have the largest impact and do the most possible good is by leveraging my skills and abilities where I’m uniquely positioned to do so.
And so, having spent over a dozen years in application and crowdsourced security and having seen the immeasurable value that a well-run bug bounty can provide (as well as the value of crowdsourced penetration testing, and VDPs), I decided to build a platform that offers those services for free, or at as low of a cost as is reasonably possible. All done via a platform-focused approach that minimizes overhead by abstracting out nearly all service components; which, when coupled with virtually no profit margin - allows for the lowest possible cost to be passed on to the end users/clients – thereby making it affordable and accessible to everyone.
This is DarkHorse’s mission: to make crowdsourced and offensive security accessible and affordable for all.
This, in my view (at this time), is the best confluence of my skills / abilities to good use at scale. I’ve done application security as a practitioner / tester, built pentest teams and PTaaS delivery from scratch, launched and managed (probably) more bounty programs than anyone else on the planet, operated at the executive level with strategy / budgets / forecasting, and led a wide array of global services team (including triage / validation, support, community, customer success, solutions architects, and more along the way). Taking all that knowledge and experience and putting it into a platform where it can be made accessible to all organizations at scale seems to me the best way to do the most good with what I’ve got.
For the avoidance of confusion, I’ll say this very clearly: this is NOT a business that aspires to be a billion dollar company. While living that life is very much the Silicon Valley way, I want to see if there’s another way – one that focuses maximizing value, instead of maximizing profits.
By not taking funding, having a board to report to, or having ginormous aspirations for an exit, this moderated approach allows for products to be priced as low as possible, while also focusing on quality, scalability, and sustainability, instead of the "growth at all costs" mindset that creates a culture that often undermines any true sense of mission.
Nobody, including myself, is going to get rich off of this - because I’ve designed pricing in such a way that this is intentionally built to not maximize profit – that is 100% not the goal. While most SaaS businesses want to operate in the range of 75%+ gross margin, my models are structured to have anywhere from 0-15% gross margin... enough to keep the lights on, cover my costs, and maybe invest a little in the future after paying for small marketing or G&A costs.
However, do no mistake this approach as one with no ambition - it is absolutely my plan and goal to grow… just not “growth at all costs”… instead, focusing on sustainable and reasonable growth. Additionally, by having a sustainable design (minimal overhead + no debt / obligations) from the outset, the platform has a unique ability to be self-perpetuating - positioning itself to have longevity and scalability well into the future. Said differently: by design, this will not be a flash in the pan, but is instead designed to last for as long as it has usefulness to the world - which I believe will be a very, very long time.
In a world full of raging corporatism, greedflation, and everything else, it appears to me that the truest representation of the hacker spirit and ethos is to build an antidote to all that. And to that effect, the most counter-culture thing I can think to do in this current climate is to swim upstream and stand behind a belief that maybe the world doesn’t have to be this way.
Perhaps I’m being too idealistic; though, let there be no mistaking – I’m no Karl Marx. I’m an ardent capitalist, and paradoxically, I think what I’m trying to do here is perhaps one of the most free market things anyone could do. I’m also not saying that I won’t ever try to build a more profitable business or anything like that. I’m just saying that with this organization now, I want to see if maybe there's another way.
DarkHorse is live and in open beta at https://darkhorse.sh. There will be bugs, I’m sure (please report them to me via the platform… UI/UX bugs included!); it’s not perfect, but it works and offers a solid chunk of the current functionality that one would otherwise have to spend tens of thousands of dollars to acquire via incumbents in the space. And I’m giving it away for free (or as low of a cost as I can manage, without bankrupting myself in the process). It has been pentested, but as you find bugs or issues (security or otherwise), please let me know. If you know of any organization that could benefit from these free / low-cost services, please share it far and wide. I believe every organization should have access to these services for free or for as low of a cost as possible (without restrictions or limitations in how they can be used). This only has value if people are able to use it. Also, if you happen to be a UI/UX designer and want to help out, feel free to reach out – I am far, far, far from a designer of any sort, and I concede here and now that the site is… spartan in design, to say the least.
Finally, I must stress that the goal of creating this platform is not to compete with Bugcrowd or HackerOne or anyone else in the space. DarkHorse is designed to be an economical choice for any organization, but not everyone’s decision-making is driven by economics… There are many organizations who will find value in using HackerOne or Bugcrowd, just as those with deeper wallets sometimes find value in flying on private jets vs. commercial. Flying private is certainly not economical in most contexts, but people still do it for convenience and other value propositions that are not economic in nature. For those organizations who need the white glove equivalent of flying private, Bugcrowd, HackerOne, Intigriti, and the others will always be there as quality options for those willing to pay the higher price tag for that which they offer. If you’re interested in seeing just how inexpensive (or free) DarkHorse can be for your organization, there are a number of pricing estimators for VDP, bug bounty, and pentesting available on the platform. Our pricing (where there is any pricing) is as transparent and simple as we could make it.
From my perspective, it matters little whether someone goes with DarkHorse or someone else as their provider – all that matters to me is that as of today, everyone has affordable access to these services and solutions. If there is a better option for an organization, I encourage them to take it - so long as the world is becoming more secure in the process, then it's all good by me. I’m not in this to make money or to take market share – my only goal is hopefully put some good into the world with knowledge and skills that I presently possess.
Finally-finally, with the launch of DarkHorse, I’m ecstatic to announce the release of what I believe is an industry first (and what I’m sure will quickly become a positive force in security), a brand-new product (that’s live on the platform!) that I’m calling “Fractional Pentesting” - providing on-demand access to pentesting talent for as much or as little time as is needed. No longer do you have to purchase a pentest to get access to pentest talent… if you need a qualified tester to spend four (or forty) hours testing a specific scope, you can come to the DarkHorse platform, create a completely customizable engagement (scope, hours needed, testing window, methodology, desired artifact, etc), and submit a request for bids within minutes. From there, we'll provide qualified, vetted testers who will submit bids for the work, you select the one you want, they do the work, and that’s it! All of it, from top to bottom, is managed easily and seamlessly in the platform.
This is getting long in the tooth, and I’ll talk a lot-lot-lot more about fractional pentesting (and DarkHorse) in the coming days, but I’m extremely proud of it as a product and a novel solution for the industry. Just so nobody gets the wrong idea: fractional pentesting is not intended to replace getting a pentest. Which is to say that it’s meant to be used ad-hoc, when you quickly need a qualified professional to test something specific - and in doing so is complementary to (but not a replacement for) a traditional penetration test (DarkHorse also offers traditional pentests, high-level assessments, and more). But again, I’ll talk more about this in the coming days; I might be a little too hyped on my own supply, but I really do believe it has the potential to be a transformative and extremely helpful solution for organizations of all sizes and stages! Also, I’m just stupidly proud of the journey of putting this together (regardless of how bad the UI is) over the last six months; there are some other really exciting and industry-first features in there that I can’t wait to talk about as well, but we'll get to those later!
With apprehension, self-doubt, and a healthy dose of fear that comes with putting something like this into the wild,
Sincerely,
Grant McCracken