
We had a chat with Dave Gerry, CEO of Bugcrowd, who spoke about his journey and the belief that people, not products, scale companies. Gerry initially observed Bugcrowd as a customer, identifying areas for improvement, and subsequently drove those changes as CEO.
As a crowdsourced security platform, Bugcrowd leads the way in helping organizations understand their risks, regardless of current trends. Gerry highlighted topics such as model manipulation, static model adaptability, and building an elastic bench of talent.
He emphasized the importance of crowd-powered defense and dispelled the myth that SMBs do not need comprehensive security like enterprises. He drew attention to the role of Managed Service Providers that goes beyond compliance, and how they use feedback to refine their approach, including attacker emulation.
Read on to learn about the human inputs essential for adding context to identified vulnerabilities and how an automated Attack Surface Management (ASM) solution is leveraged to equip the Crowd with the tools they need.
Vishwa: Can you share about your early days in your professional journey, scaling innovative businesses, and the most important lessons you have learned about business success? What was your incentive and driving force that led you to Bugcrowd?
Dave: My background’s rooted in scaling high-growth, category-defining companies across cybersecurity and enterprise software. I’ve had the privilege of leading organizations through multiple growth stages: product-market fit, international expansion, funding rounds, and acquisitions.
What’s stuck with me across all of it: people scale companies, not products. Innovation is critical, but execution wins.
When I first encountered Bugcrowd, I wasn’t wearing the CEO hat; I was the customer. I saw firsthand how its model outpaced traditional security in flexibility and speed. That experience lit the spark: I knew the future of cybersecurity would require open, continuous, crowd-powered defense, and I wanted to be a part of shaping that.
Vishwa: You believe in 'communicating clear milestones and implementing aggressive but achievable growth targets.' With the recent launch of Bugcrowd’s Managed Service Provider (MSP) offering, what cybersecurity goals are envisioned for small to midsize businesses (SMBs) in terms of meeting compliance? How is it expected to help them? Can you tell us about the enhanced expertise of the Crowd or the ethical hackers offered in this?
Dave: There’s a perception that comprehensive security is only for enterprises. That’s outdated and dangerous. SMBs are just as exposed, often without the same resources or internal expertise.
What we’re doing with our MSP approach is meeting those organizations where they are: embedding skilled offensive security expertise, risk-prioritized insights, and real-time response into the workflows of the teams they already trust.
Compliance is just the starting point. The Crowd brings a level of adaptive, human creativity that outpaces automated scans.
Whether it’s aligning to SOC 2, PCI-DSS, or ISO 27001, or defending against business logic attacks, the MSP model puts the right talent and prioritization into reach for smaller teams by leveraging existing, trusted partners in their ecosystem.
Vishwa: You advocate listening and planning carefully in an industry where new threats emerge daily. What are some of the feedback testing and approving protocols that Bugcrowd has in place? What are your observations about the process of feedback generation from the global hacker community and customers for continuously upgrading services? Can you share how strategic decisions are impacted by them?
Dave: We treat feedback as fuel. Across our platform, ethical hackers and customers can provide structured and unstructured feedback after every engagement. We blend that qualitative input with telemetry from thousands of security tests to continuously tune our approach.
For example, when hackers flag patterns, like evasion techniques or API misuse trends, we correlate that with customer verticals and integrate it into our detection logic and training content.
That intelligence helps prioritize roadmap investments, especially in platform automation, attacker emulation, and reporting. Good feedback loops are the difference between iterative improvement and stagnation.
Vishwa: Bugcrowd's approach to crowdsourced security contributes to a more open digital ecosystem. Could you share decisions that Bugcrowd has made to help clients navigate regulatory environments or changing threats?
Dave: Security isn’t static, and neither is regulation. We’ve supported clients through changes to SEC cybersecurity disclosure rules, GDPR/CCPA implementation, and evolving standards in cloud security assurance.
Often, that means helping organizations understand where their greatest actual risks are, not just the ones that make headlines.
One example: when we saw increasing regulatory scrutiny around software supply chain risk, we enhanced disclosure program templates and analytics to make it easier for organizations to track, validate, and report vulnerabilities found by the Crowd - even those outside their traditional perimeter.
Vishwa: In terms of execution, can you share Bugcrowd's process, perhaps involving its AI capabilities, that leads to the discovery and rapid remediation of critical vulnerabilities?
Dave: We’ve seen AI accelerate both attack and defense, but it’s not a magic bullet. Our approach pairs algorithmic signal detection (think pattern recognition, predictive alerting, deduplication) with human creativity.
That combination helps identify not just vulnerabilities, but the risk context around them. For instance, a critical RCE in a sandboxed system isn’t as urgent as a medium-level flaw in a public-facing, high-value target.
We use AI to sift noise, and human researchers to make sense of it. That triage leads to faster remediation.
Vishwa: The ever-growing AI threat has become a global concern. Can you discuss the key areas that need immediate attention and the expectations from the larger community to fill security gaps collectively?
Dave: AI-generated exploits and misinformation are already here. The big risk isn’t just technical, it’s trust erosion. The security community needs to zero in on model manipulation (prompt injection, fine-tuning abuse), model output validation, and adversarial testing of AI systems.
This is where crowd-led testing matters most. Static models don’t adapt well to evolving tactics, but diverse human researchers do. Initiatives that bring together defenders, researchers, and builders (like VDPs and responsible disclosure programs) are crucial.
We need more incentives for constructive interference—helping the AI ecosystem improve by breaking things safely.
Vishwa: Please share your plans for the pool of highly skilled ethical hackers that work on projects including Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Vulnerability Disclosure Programs (VDPs).
Dave: Our goal is to give customers seamless access to a diverse pool of vetted, specialized researchers, from cloud config experts to red teamers to IoT reverse engineers. What we’re building is an elastic bench of talent that customers can tap without building massive internal teams.
That’s what powers PTaaS, ASM, and VDPs on our platform: the same researcher might move from a proactive pentest to a bug bounty to an intelligence-led assessment, depending on where they’re most impactful.
It’s the Crowd as a force multiplier, not a siloed engagement. By leveraging an automated ASM solution, we arm the Crowd with the right tools to be most effective for clients.
Vishwa: What are your findings on how cybercriminals are streamlining methods for vulnerability exploitation? Do take-downs change their activity?
Dave: Criminal groups are operationalizing like startups. We see affiliate models, SaaS tooling, and even customer support. The days of opportunistic lone wolves are largely behind us - oftentimes, these are structured operations.
Law enforcement takedowns do create disruption, but the rebound is fast unless the root infrastructure and economic incentives are dismantled.
That’s why initial access brokers and malware loaders are key targets; they’re the enablers. The community needs to stay focused on those layers of the kill chain to cause real friction.
Vishwa: How is Bugcrowd's crowdsourced Red Team as a Service (RTaaS) positioned to prevent zero-day attacks? What is the bigger picture?
Dave: RTaaS mimics what adversaries do best: think outside the box. It brings together curated researchers, threat intel, and dynamic scoping to simulate real-world attacks, not just generic pentests.
That’s what makes it effective at surfacing blind spots that traditional methods miss.
We’ve seen RTaaS engagements uncover zero-day-level exposures in authentication workflows, session handling, and application logic. The key is how we tune the scope with intel inputs, customer goals, and evolving attacker patterns.
The bigger picture? By running RTaaS continuously, not once a year, we help clients stay ahead of where zero-days could happen, instead of reacting after they do.