Government Cybersecurity Leaders Embrace Crowdsourcing, But Must Commit to AI Defense
New research shows public sector CISOs are ahead of the curve—but challenges remain.
Whether managing sprawling infrastructures or adapting to rapid AI adoption, public sector CISOs must protect more with less, often under intense scrutiny.
But an evolution is underway. Increasingly, these leaders are turning to crowdsourced security as a key part of their offensive strategy. According to new research from HackerOne and Oxford Economics, 97% of public sector CISOs are familiar with crowdsourced security, and 81% are already using it.
And while many government CISOs are leading the way in crowdsourced security effectiveness, there is evidence they could be left behind in a key area.
Where Public Sector CISOs are Leading
The wider CISO community is now saddled with two new mandates: additional responsibilities for both data privacy and AI security. For cybersecurity leaders in government and the public sector specifically, 74% oversee data privacy initiatives and 81% are responsible for AI security.
However, one in four (25%) government CISOs now qualify as leaders in crowdsourced security. This means they use all three core components—vulnerability disclosure programs (VDPs), bug bounty programs, and third-party pentesting—and also include testing for data privacy issues and AI security vulnerabilities.
Based on our research, this puts public sector CISOs among tech providers and non-profit organizations as the top three industries seeing the greatest impact of crowdsourced security.
By embracing comprehensive crowdsourced testing, these security leaders are not only managing risk, they're setting the pace for what mature government cybersecurity can look like.
Key Challenges Facing Public Sector Security Teams
Despite strong adoption, CISOs in federal and SLED organizations still face hurdles to expand their offensive security programs or implement specific crowdsourced security methods.
When asked about barriers to expanding offensive security efforts, public sector CISOs cited the same issues as others: budget constraints and a lack of buy-in from internal stakeholders. But they were among the few industries reporting higher legal or compliance concerns.
And the challenges these CISOs report in implementing crowdsourced security elements vary by method:
- Vulnerability disclosure programs (VDPs):
  - Lack of internal stakeholder buy-in
  - Lack of skilled personnel
- Bug bounty programs:
  - Lack of C-level or board prioritization
  - Lack of skilled personnel
  - Challenges managing reports effectively
- Third-party pentesting:
  - Challenges managing reports effectively
  - Budget constraints
Navigating these barriers takes proactive communication and strong internal advocacy, especially when expanding beyond a single method.
Find actionable insights to tackle these common challenges in our latest whitepaper.
The AI Testing Gap in the Public Sector
AI is transforming digital operations in the public sector, from citizen engagement tools to backend process automation. But that innovation brings new security risks.
Carahsoft, an IT solutions provider for government agencies, reports a variety of AI use cases for public sector organizations: the Library of Congress uses AI to support data tagging and natural language processing for reviewing physical records, and the city of San Jose, California, uses it to streamline grant and memo writing and to analyze large amounts of public commentary and data.
These AI initiatives are modest in function, but still introduce potential risks.
“Agencies should have a monitor of all these models in real time for any abnormal behavior that’s out there,” Jared Vichengrad, head of public sector at Check Point, told Carahsoft.
Our research uncovered a significant gap: While government CISOs currently include AI systems in offensive testing at roughly the same rate as the broader CISO group (39% for government versus 33% for all), the future outlook is different—52% of CISOs across all industries plan to include AI in offensive testing within the next year, but only 29% of public sector CISOs plan to do the same.
Cybersecurity leaders in government organizations should align with other industries in securing AI with offensive testing, as Gartner predicts significant growth of these implementations throughout this decade.
"By 2029, 60% of government agencies worldwide will leverage AI agents to automate over half of the citizen transactional interactions, up from less than 10% in 2025."
—6 Tactics for Governments to Impact Mission and Cut Costs With GenAI, Gartner ®, August 4, 2025
This disparity underscores a pressing challenge in government cybersecurity: staying ahead of threats while AI adoption accelerates. Crowdsourced red teaming and continuous testing offer a scalable way to bridge this gap without overburdening internal teams.
Lead the Way in AI-Ready Government Cybersecurity
Public sector CISOs are joining other leaders in showing that crowdsourced security is essential, but they are at risk of falling behind in managing AI vulnerabilities. As usage expands, the risks will too. By extending their already-strong crowdsourced security practices to AI security, government organizations can build resilience that scales with innovation.
Government agencies can tap into the global security researcher community to keep pace with evolving threats. With collaborative, offensive testing models, securing AI innovation doesn’t have to come at the cost of operational burden.
See how your agency can close the AI testing gap with continuous crowdsourced security
Survey methodology: Oxford Economics surveyed 400 CISOs from April to May of 2025. Respondents represented four countries (US, UK, Australia and Singapore) and 13 industries (Telecommunications, Real Estate/Construction, Utilities, Government/Public Sector, Consumer Goods, Education, Retail, Banking/Financial Services/Insurance, Retail/Ecommerce, Manufacturing, Healthcare, Transport/Logistics, and Not-for-profit/Non-profit). 70.5% of respondents worked at publicly-held organizations, while the other 29.5% worked for private organizations. Roughly 2 out of 5 respondents work at smaller organizations (between 1,000 and 2,500 employees); respondents from organizations with at least 10,000 FTEs make up 27% of the sample. Finally, revenue breakdowns are evenly split across 5 revenue buckets: Less than $500m; $501m to $999m; $1b to $4.9b; $5b to $9.9b; and $10b and more.
*Our research includes 31 CISOs from the FED/SLED industry. The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.