HackerOne's Shot in the ARM

ARM, short for Attack Resistance Management, is the latest buzzword we didn’t know we needed. As part of the next multimillion-dollar marketing campaign to push ARM, HackerOne is going all out with the latest iteration of its company vision. As revealed in the ARM whitepaper, HackerOne’s full suite of security solutions features not only bug bounty, but also security talent management, continuous reconnaissance, code review, red teaming, dev training, and more. That’s a dramatic shift from their roots as a bug bounty platform, isn’t it?

HackerOne ARM company vision

How HackerOne spins the ARM concept is clever. The chart below shows the coverage a client would get with only Attack Surface Management (ASM). This simple visual now positions ASM as “old world.” Then to the right there’s a much taller bar, where the delta is what HackerOne calls the “Attack Resistance Gap.”

HackerOne Attack Resistance Gap

HackerOne’s ARM, via their entire suite of current and future products, offers a full-service solution to the problem. Just as the competition have launched their own ASM implementations and the space is becoming highly commoditized, HackerOne zags.

HackerOne takes the framing of enterprise security to the next level: For companies it’s no longer enough to achieve 99.99% coverage in their attack surface. That is now table stakes. The next challenge is to build up an immunity to future unknown vulnerabilities to develop an “Attack Resistance.” That’s a beautiful picture they’re painting, one which will hopefully open up customers’ wallets.

Why is HackerOne repositioning their product suite as Attack Resistance Management, and adding yet another acronym to the fragmented landscape of infosec products? ARM joins the ranks of ASM, EASM, DRPS, amongst a whole slew of other 3-4 letter terms, as many vendors make feeble attempts to differentiate.

For one, this represents a hope for continued 10X growth and a powerful narrative for their investors. More enterprises are now becoming more mature in their security implementations. Bug bounty is no longer a hot topic or viewed as a panacea to a company’s security issues. Beyond bug bounty programs, companies now engage in continuous penetration testing, spend hundreds of thousands of dollars on SaaS security tooling, have built out internal red and blue teams, and so on.

What I like about HackerOne’s ARM marketing campaign is that it attempts to grow the whole pie rather than competing for a zero-sum share of security budgets based on the now.

The infosec industry needs a fresh spearhead to drive sales. What defines effective marketing in the infosec industry is what gives firepower to the CISO and internal security teams. As a vendor, you don’t sell to the internal security people; you help those employees sell security to the rest of the C-suite and the board who probably only view security as a cost center and downside risk management.

By coining this latest buzzword, ARM, HackerOne becomes the self-proclaimed first mover. Now as the pioneer, HackerOne hopes that competitors will hop in the back for the ride, as the VC-backed company dumps millions of dollars into marketing campaigns and memes desperate salespeople from competitors into pitching their own customers with ARM. This serves as a good example of how you can outcompete with capital in a hyper-competitive industry.