Threat Bounty Program: First Steps to Monetizing Your Detection Engineering Skills

July 22, 2022

SOC Prime Threat Bounty Program has been connecting skilled freelance detection engineers for over three years and has undergone many changes and improvements. Today, the Program is a unique opportunity to improve Detection Engineering skills, monetize the created detections, and make a personal portfolio with the leading Detection as Code platform.

Introduction to Threat Bounty

SOC Prime Threat Bounty is a program where skilled freelance detection content creators can submit their own detections for publication and receive repeated payouts for these contributions. Although it may all sound simple and quite familiar, let us clarify some highly important points.

Individual Contribution

Each application for participation gets validated by SOC Prime admins, and we approve only individuals with a proven security background and expertise. What exactly do we mean by this? 

I recommend that content authors register for the Threat Bounty Program exclusively with a personal email address, as outlined in our license terms. Among other factors, it is one to avoid a situation when such Content is considered “created for hire” with the consequence that all copyright rights in the developed Content pass to the employer, including rewards. “Work for Hire” is a doctrine created by the United States Copyright Law that treats your employer or the company that commissioned your work, and not you, as the author and automatic copyright owner of the content you create, including non-commercial rights. And in general, if work was created at the initiative and expense of an employer (or employer), it is more likely to be considered work created for hire. Thus, one way of refuting the claim that the work was for hire is to establish that the creator acts as an independent contractor who provided his or her own tools, worked without daily supervision, and had absolute freedom to decide when and how long to work.

Mariana Melanchyk, Legal Counsel at SOC Prime

So, before approving your application request, we make sure that your participation in Threat Bounty is not in any way a representation of any of your employers. Besides, we clearly state that your participation in the Program does not create any employment relationship between you and SOC Prime or SOC Prime representatives.

Detection Engineering Skills

Creating detections requires a certain level of expertise and practical knowledge about logging sources and data collection, network traffic, operating systems, SIEM systems and cloud environments, along with proficiency in SOC analytics and forensics. To ensure that your expectations for monetizing your detection content with Threat Bounty meet our quality standards, all applications undergo a verification process, as mentioned earlier.

With the Threat Bounty Program, skilled detection engineers gain the opportunity to expand their professional background and enrich a personal portfolio with the leading Detection as Code Platform by creating detection rules that are carefully reviewed by SOC Prime experts before publication. 

To make your first steps with Threat Bounty more confident, we recommend exploring the SIGMA Rules: Beginner’s Guide as the initial and the most reliable source of information for self-improvement.

Besides, we recommend watching the SOC Prime webinars dedicated to Sigma rules: All About Sigma and Future-Proof Your Threat Hunting With SIGMA.

Verified Detections

SOC Prime Threat Bounty Program provides you with a unique opportunity to earn money with your detections even when you sleep, while your detections are being used by 7,500+ companies globally. 

You can monetize only the detection content that you submit via the Threat Bounty Program and that has passed verification by the SOC Prime Team experts. To increase the chances of your detections being published for monetization, consider the following recommendations:

  1. Make sure that the threat detection rule that you are going to submit is your individual work, doesn’t violate any rights of any third party, and that you indicate all co-authors of your rule as per the Sigma Detection Rule License. Also, it should be a unique detection never posted elsewhere, whether by you or by anyone else.
  2. Submit a detection that is fully operative and is not entirely built on Indicators of Compromise (IoCs). Make sure that you add relevant MITRE ATT&CK® tags and links to public resources pointing at information about the malicious activity that your rule is meant to detect.
  3. While submitting your Sigma rule via Threat Bounty, check it with the automatic Sigma Check Tool. The interactive responses prompt you about common syntax issues, missing fields, possible content duplicates, etc. Make sure to fix the issues before sending the rule for review by the SOC Prime Team experts.
  4. While reviewing your content before publication, our experts may provide suggestions for improving your detection so that it complies with the technical requirements and Content Partner Licence. So, you can improve your rule based on the provided feedback.

Rating-Based Rewards

The Threat Bounty rating is closely tied to the number of unique meaningful interactions by unique companies that download or deploy the published threat detection rules via the SOC Prime Platform. At SOC Prime, we do not pay rewards merely for the fact of content publication, a practice typical of bug bounty programs. Regular contributors of detection rules via the Threat Bounty Program keep monetizing Sigma rules that they released months ago but that are still in high demand among SOC Prime clients. Find more information in our regular Threat Bounty Digests.

Curating the pioneer Detection as Code platform, we carefully study our clients’ experience with the threat detection capabilities available on the platform, which is reflected in the rating-based approach, and reward content authors accordingly.

The dashboards in the Developer Cabinet show the data on which the rating is based; the actions of all Threat Bounty members, SOC Prime employees, and any repeated actions by clients are excluded. Normally, the numbers concerning content traction will differ significantly between the SOC Prime Platform and your personal Developer Cabinet.

Personal Brand

In addition to monetization, content authors of the Threat Bounty Program receive the following opportunities:

  1. The authors’ content is published to SOC Prime’s Detection as Code platform under their name (or nickname), and additionally, Sigma rule authors can view their personal achievements via the Search Page. Besides, we are always open to publishing interviews with our seasoned Threat Bounty members.
  2. Members of the Threat Bounty Program are welcome to the Threat Bounty Slack space (accessible via personal cabinet). There, they can follow the Program news and updates, communicate with their fellow Threat Bounty hunters, chat with SOC Prime representatives, and, even more importantly, create and submit Sigma rules directly via Slack using Sigma Rules Bot for Threat Bounty.
  3. Upon publication to the world’s largest Detection as Code platform, the authored detection content is brought in front of 23,000+ cybersecurity performers from 7,000+ organizations globally, allowing authors to strengthen their personal brand and make it visible to leading security experts.

Join Threat Bounty Program to gain a unique opportunity to monetize your Detection Engineering skills and make your own contribution to collaborative cyber defense. Take your professional expertise to the next level and connect to your industry peers to build a safer cyber world together.
