Blog summary

This blog is written for red teamers who are interested in joining Bugcrowd’s red team, Crowdforce. It covers:

  • The process of joining the Crowdforce red team
  • Tips to building your skills in order to join Crowdforce in the future
  • A sign-up link for applicants interested in joining Crowdforce

Bugcrowd has assembled an elite red team called Crowdforce, and we’re seeking to add to the team with the best talent. We aim to create the most skilled, diverse, and innovative team to date. We’re redefining red teaming and inviting you to be part of this evolution.

This represents an exceptional opportunity to join a revolutionary approach within the security industry. As a Crowdforce member, you will have the opportunity to truly freelance, build skills alongside top hackers, and hone in on your own niche skills, not to mention the interesting clients you will be exposed to all while collaborating with talented team members. 

To achieve this, Bugcrowd requires top-tier red teamers to perform at their best and collaborate effectively. The Crowdforce environment is dynamic, emphasizing delegation, teamwork, and clear communication. We are building an industry-leading team of trustworthy red teamers who possess complementary skill sets, enabling collective achievement.

This blog provides an overview of the application process to joining Crowdforce. 

What is Red Team as a Service (RTaaS)?

Let’s rewind. A year ago, Bugcrowd launched RTaaS, the first offering of its kind to bring the scale and power of crowdsourcing to red teaming. We offer various models based on goals, budget, and security maturity, providing the very best for our clients. For our red teamers, it provides an opportunity for reward-driven or time-based incentives, which is a revolutionary approach to red teaming work. 

RTaaS delivers persistent, real-world attack simulations that reflect how today’s threats unfold across people, processes, and technology. Unlike traditional approaches, it gives security teams the flexibility to act on insights and address vulnerabilities before adversaries can exploit them. 

The process of joining Crowdforce

Each Crowdforce team is composed of a red team operations manager, an operator, and ad hoc specialists (more on this later). After applying to Crowdforce, there are two major steps in the process: technical tiering and in-depth solo simulation. 

Step 1 – Tiering

Initially, each applicant is sorted into tiers based on their verifiable technical abilities. These include:

  • Tier 1—Let’s use a metaphor to better understand the tiers. If we were working in a high-end restaurant, members of the Tier 1 group would be highly-skilled professional chefs. Tier 1 Crowdforce members possess an established understanding of red teaming and demonstrable programming skills. They are capable of executing standard attacks during assessments. However, they may not yet be able to develop novel attack vectors or plan complex campaigns. They often have hands-on lab and CTF challenge experience, red team certifications, and programming skills. 
  • Tier 2—In this tier, we’re moving on to the sous chefs, owning important decisions like equipment management, plating, and workforce management. Tier 2 Crowdforce members build upon Tier 1 skills with deep expertise in red teaming tactics and specific attack surfaces. They have participated in numerous simulations and hold advanced certifications. These hackers can formulate novel attacks and execute them across various environments. However, they may not yet be able to manage an entire Red Team engagement. They often have advanced hands-on lab experience and advanced red team certifications. They have knowledge of tradecraft, OPSEC, and risk management to understand the implications of each attack. 
  • Tier 3—Finally, tier 3 members are the head chefs, who think strategically about every aspect of the restaurant as a whole. Tier 3 Crowdforce members possess the advanced knowledge of Tier 2 and the capability to architect full attack sequences, including developing custom attack vectors. They also have the leadership skills necessary to guide a team to a successful operation. A Tier 3 hacker can design and oversee complex simulations, develop bespoke exploits, coordinate team execution, adapt to evolving defenses, and lead the analysis and reporting phases. They often have professional-level lab experience, elite certifications, and advanced training. 

In addition to the skill tiering, we consider additional context about applicants’ skills and experience to facilitate team formation. This includes factors such as operational security awareness, location-specific expertise, and geographic proximity for efficient collaboration.

Regional engagements may require red team members with knowledge of local laws, cultural nuances, and safety considerations. Geographic location also affects team communication across time zones.

These tiers are not fixed and they allow for a variety of skill combinations. For example, a red teamer might only have one of the skills in the list and not all of them, and that is okay. In this case, they would be classified as a specialist and they would be deployed for specific tasks. These tiers provide us indicators of the applicants’ understanding. 

Step 2 – In-depth solo simulation

Qualified hackers will undergo an online simulation to evaluate their knowledge and skills. This simulation presents various red team tactics, techniques, and procedures (TTPs), with the following questions:

  • When is this TTP appropriate?
  • How should this TTP be adapted for different environments and OPSEC considerations?
  • What are the expected outcomes and potential challenges and risks?

Hackers must also utilize multiple TTPs to simulate an attack while evading detection.

Based on simulation results and initial screening, red teamers are assigned to one of three roles:

  • Red Team Specialist: Specialists provide deep domain expertise (e.g., advanced cloud exploitation) to address specific attack surfaces.
  • Red Team Operator: Operators execute attacks across various surfaces, functioning as generalists on the Red Team.
  • Red Team Manager: Managers coordinate operations during live assessments, overseeing TTP deployment, task delegation, and critical decision-making. They are typically highly experienced hackers, often with a CCRTM certification.

Following the assessment, Bugcrowd will assemble teams with managers and operators to cover the entire kill chain. Specialists rotate between teams as needed.

Once all simulations are successfully completed and teams are formed, the red team is operation-ready.

Tips to joining Crowdforce

Joining Crowdforce is designed to be a challenge in itself. Only top-tier performers make the cut. But don’t let that stop you—there are tons of ways to sharpen your skills and land a spot.

To become operation ready takes dedication and practice using available resources and opportunities. Dive into our LevelUp blogs. These are goldmines of technical knowledge, packed with step-by-step tutorials, real-world scenarios, and insider tips from the best in the business. Participating in Hack The Box Cybernetics and APT labs will help you level up in your ability to move covertly throughout an environment. Building your own lab will take you another step further in your ability to truly understand defensive controls.Pair that with our online tutorials, virtual and in-person competitions, and CTF opportunities, and you’ll be well on your way.

But skills are just the start. We’re looking for go-getters with a hunger for success, the ability to adapt quickly, and a dedication to constant learning. That means stepping up to teach, present, and create. We offer regular chances to mentor up-and-coming hackers, speak at conferences, and produce valuable content.

If you’re someone who:

  • Excels in red team operations, management, and/or development
  • Is a master of OPSEC (and know how to bypass the toughest security measures)
  • Lives for covertly compromising hardened organizations using the latest in tradecraft
  • Specializes in other relevant skills such as phishing and social engineering, active directory, cloud exploitation, or binary exploitation and exploit development

Then we want to hear from you! 

Join Crowdforce

As a member of Crowdforce, you’ll have the ultimate freedom to work on your own terms: you’ll dive into cutting-edge engagements, sharpen your skills, earn extra income, and work with a wide and interesting client base—all while collaborating with the most brilliant minds in the game. We are building something unique here at Bugcrowd, by red teamers, for red teamers. Let’s redefine red teaming—together. Fill out this survey to begin the application process.

Tags: