Originally launched to establish bug bounty programs in Switzerland, Bug Bounty Switzerland has evolved into a tech company that orchestrates human and machine hackers with the help of AI. CEO Sandro Nafzger explains how this symbiosis works and why humans remain irreplaceable.
Bug Bounty Switzerland started in 2020 with the goal of establishing bug bounty programs in Switzerland. How close are you to achieving that goal?
Sandro Nafzger: We have largely achieved this goal. Since April 2023, collaboration with ethical hackers through bug bounty programs has been officially anchored in the National Cyber Strategy (NCS). In addition, we have implemented our plan to make this type of security testing accessible to all Swiss companies. In November 2024, we fully transformed our offering into a simple plug-and-play product—usable without prior knowledge, without internal security resources, and at a clearly calculable flat rate.
What are your learnings from the past five years? What works well—and what doesn’t?
The past years have shown how powerful the bug bounty method is. Basically, anything exposed to the internet can be tested—from multinational corporations and government systems to individual products, subsystems, or code. I know of no other method that allows you to activate the best experts worldwide at the push of a button—and in a highly scalable way. It’s a model that creates great value for all parties and is fun. The central question is therefore not whether bug bounty, but how to use this method most effectively—and that’s where the biggest challenges lie.
What challenges are those specifically?
Simply acquiring a bug bounty platform is not enough. It’s ultimately just a tool—and tools are of little use without the right know-how, personnel, time/learning curve, and budget. Most organizations simply lack the necessary resources and capabilities to derive sustainable benefit from it. In addition, companies can usually only look at their own data—whereas a comprehensive situational picture is needed to recognize connections and make the right decisions. Manually controlling everything is also far too slow. Another problem: many companies don’t even know exactly what, where, and how they should test. Almost every large company conducts security tests, but usually based on an internal, incomplete perspective and assessment. What matters, however, is the external view—from real hackers who understand what’s happening now and what will matter tomorrow. This environment is changing rapidly. And yet, security testing strategies today should be based on such real-time information—continuously adaptive and ideally executed autonomously.
What role does AI play in this?
A central one. Artificial intelligence brings enormous speed, contextual understanding, and automation—enabling intelligent, data-driven decisions in real time. For bug bounty programs, this means they can now be operated in a completely data-driven, highly efficient, and sustainably impactful way. Large, complex attack surfaces can be continuously monitored, while very specific questions are addressed immediately as they become relevant. For example, the scoping and planning of a test can be automatically generated and continuously optimized—based on a semantic understanding of the organization and its entire context. To achieve this, we create a “Semantic Living Digital Twin”—the digital brain of an organization that learns and improves with every test iteration. Intelligent orchestration of hackers is also AI-driven: our AI matchmaking ensures that the right experts are activated at the right time, in the right place, with the right task. Complex technical findings are prepared so that all levels—from developers to the board—receive a context-appropriate situational picture. Instead of hundreds of technical reports, clear, prioritized action recommendations emerge—in natural language, with business relevance. With Agentic AI, we can now automate much of what we perfected manually over the past five years. The keyword is: Service-as-Software.
Sounds almost like you’re a technology company today.
Absolutely. We’ve considered ourselves a technology company for a long time. In 2021, we launched the first Swiss bug bounty platform, and in 2023, we began integrating AI. Thanks to our participation in the Microsoft for Startups program, we received targeted support and privileged access to Azure OpenAI—which opened up enormous technological possibilities for us. Since then, we’ve focused on continuously developing our technology and our unique data foundation—collecting, labeling, and structuring it to unlock its full potential with AI. Five years ago, our goal was to bring bug bounty programs to Switzerland. In the next five years, our mission is to redefine collaboration with ethical hackers in the age of AI—and to rethink and implement security testing globally.
That sounds ambitious. Where is the journey headed?
Yes, our ambitions have grown—as have the technological possibilities, our market understanding, and the role we can play. The global security testing market is growing rapidly—with an average annual growth rate of around 25 percent and an expected market size of 50 billion US dollars by 2030. Drivers include exploding attack surfaces, the complete shift to cloud and SaaS models, and increasing regulatory pressure. At the same time, the market is highly fragmented, complex, and far too slow—especially in planning and evaluating tests, where much is still manual. The speed gap between attackers and defenders continues to grow. Moreover, tests often run very statically—exactly as originally planned. Yet it’s crucial to incorporate every new insight continuously so that the ongoing test becomes more precise every day. We’ve solved this problem: our platform integrates the entire security testing process end-to-end, continuously learning and becoming more efficient. This has created an intelligent flywheel that continuously cycles through the following steps: Scope → Match → Execute → Validate → Learn.
Will we even need human hackers in the future?
Yes, more than ever. The more technological and intelligent everything becomes, the more important humans remain—with intuition, heart, creativity, and critical thinking. Machines cannot replace that. Our hackers constantly develop new attack techniques and patterns—these high-quality, human-generated data are the foundation for strong AI systems. And this perfect symbiosis between collective human intelligence and cutting-edge artificial intelligence is what we work toward every day. What makes us unique is our context-based matchmaking and orchestration capability. This allows us to deploy ethical hackers more precisely and effectively than any other provider. Especially now, as offensive AI agents are popping up everywhere and testing execution capacity becomes increasingly accessible and automated, intelligent orchestration is essential. This is where the greatest need will arise—and this is where we deliver the greatest value: we orchestrate the best hackers—human and machine.