HackerOne CEO: ‘We’re Bringing Offensive Security Into The Development Process, Not Just After The Fact’
‘AI can dramatically increase the reach, speed and precision of security teams, especially in offensive security. We need to shift from seeing AI as a threat to viewing it as an enabler of smarter, faster defense,’ says HackerOne CEO Kara Sprague.
HackerOne’s Kara Sprague took the reins as CEO in November 2024 and hit the ground running. In the months since, she’s led the company through a transformational period marked by the integration of AI into offensive security workflows, the rollout of the PartnerOne Technology Alliance Program and a deeper push into collaborative cybersecurity.
“When I came on board, I saw that synergy as our greatest path forward: leveraging automation for efficiency but keeping human ingenuity at the core,” Sprague told CRN. “This vision is driving both the scale and depth of HackerOne’s offensive security offerings, aiming to provide customers with continuous, intelligent security testing without sacrificing creativity or context.”
The PartnerOne program simplifies the partner experience by providing benefits in enablement and go-to-market collaboration. MSPs can build direct integrations with HackerOne’s AI-driven platform, enabling joint customers to detect and respond to vulnerabilities more quickly and effectively.
For HackerOne’s partners, the biggest challenge is expanding their strategic value to customers, the CEO said. And many are turning to offensive security to fill that gap. “Partners want to deepen strategic relationships with their customers and offer a broader range of services. Offensive security is increasingly recognized as a must-have component in any serious security strategy,” she said.
The San Francisco-based cybersecurity company offers a suite of offensive security capabilities that span the software development life cycle, from coding to production. This includes pen testing, bug bounty programs and, increasingly, direct code security.
A key innovation powering this strategy is Hai, HackerOne’s AI security agent. Hai is embedded across the platform, enhancing how researchers structure reports and improving the triage process by filtering out noise and helping customers analyze vulnerabilities more intelligently. One new feature is report insights, which reviews a customer’s past vulnerability data to provide a confidence score.
The company also recently unveiled Hai Triage, an enhanced AI-powered vulnerability triage service that fuses advanced AI agents with human expertise.
CRN spoke further with Sprague on how HackerOne is evolving, the biggest threats facing organizations today and what role AI and ethical hackers will play in shaping the security landscape.
You’ve been CEO since November 2024. What challenges and opportunities have you encountered, and how have you translated those into growth?
There’s been a huge opportunity in integrating the strengths of our human security researcher community with the power of AI. That combination has the potential to provide both scale and continuous security testing coverage. When I came on board, I saw that synergy as our greatest path forward: leveraging automation for efficiency but keeping human ingenuity at the core. It’s about expanding the breadth of what we can cover without sacrificing depth.
So what are the biggest pain points you’re hearing from partners today?
It’s pretty universal. Partners want to deepen strategic relationships with their customers and offer a broader range of services. Offensive security is increasingly recognized as a must-have component in any serious security strategy, so partners are looking to us to fill that gap. We’re helping them embed those capabilities in ways that complement their existing stack, whether that’s through pen testing or vulnerability disclosure programs.
And what about end customers? What are their biggest concerns?
A big one right now is the growing use of AI-generated code. On the surface, it’s fast and efficient, but research has shown it’s actually introducing more vulnerabilities than human-written code. That, combined with AI-powered attacks by cybercriminals, is escalating the backlog of bugs across the tech landscape. Organizations are deploying AI into production at a rapid pace, and many don’t fully understand the new security risks they’re introducing. We’re helping them close that gap.
So then how is HackerOne ensuring that AI-generated code is held to the same scrutiny as traditional code?
We offer a full suite of offensive security capabilities that span the software development life cycle. Whether it’s during coding or production, we’re helping organizations test, validate and remediate vulnerabilities continuously. That includes bug bounties, pen testing and now code security. We’re bringing offensive security into the development process, not just after the fact.
Tell me about Hai, HackerOne’s AI security agent. How is it changing the way security teams operate?
Hai is deeply integrated into our platform and is transforming how both researchers and customers work. For researchers, it helps structure and enhance the quality of vulnerability reports. For our triage team, it reduces noise, identifying which reports are high-signal and routing them more effectively. On the customer side, Hai helps with everything from benchmarking and payout optimization to program recommendations based on historical bug patterns.
One exciting new capability is report insights. Hai analyzes a customer’s historical reports and provides a confidence score for each new one, offering evidence and context for whether the vulnerability is likely valid. Some customers have already reported a 75 percent reduction in time spent reviewing reports, which is huge.
You’ve said offensive security teams need to embrace AI as a ‘force multiplier.’ Can you elaborate on that mindset shift?
Cybercriminals are already using AI, and they’re not pausing to worry about the ethics. They’re scaling their operations with it. We need defenders to adopt the same mindset, but responsibly. AI can dramatically increase the reach, speed and precision of security teams, especially in offensive security. We need to shift from seeing AI as a threat to viewing it as an enabler of smarter, faster defense.
How do you see the role of ethical hackers evolving over the next few years?
They’re going to remain absolutely essential. There’s a global cybersecurity talent shortage of nearly 5 million people. Our researcher community helps fill that gap and, more importantly, they bring creativity and diversity of thought that machines just can’t replicate today. Even in a future with more intelligent AI doing continuous testing, ethical hackers will play a central role. I don’t see that changing even on a 10-year horizon.
Outside AI and AI-generated code, what other trends are you watching closely?
A lot are still related to AI, actually. One area is the emerging concept of the agentic SOC: the idea of applying AI agents within the Security Operations Center to handle detection, triage and even some response functions. It’s not quite our core space, but it’s definitely adjacent. Also, things like agent identity and identity management in multi-agent environments; that’s going to be a big challenge to solve.
And finally, what can partners expect from HackerOne through the rest of 2025?
We’re continuing to expand the partner program and build out technology integrations that make offensive security more accessible. Our goal is to embed [our technology] into the security and development stacks of our customers, meeting them where they are and helping our partners grow with us. Offensive security is no longer optional, and we’re making sure our partners can lead with it.