HackerOne Champion of the Quarter: monday.com's Amit Levy on Thinking Like an Attacker to Defend Like a Pro
Some security leaders manage programs. Amit Levy engineers them.
Amit spent a significant part of his earlier career on offense, learning how attackers think, what they look for, and where the gaps defenders typically miss. That background is the lens through which he runs everything.
When he evaluates a bug report, he's asking: if I were the one who found this, what would I do next? Where does this chain? What's the actual blast radius? It's an instinct that shapes his program structure, his researcher relationships, and the unusually precise way he measures whether his security posture is actually improving.
Amit is HackerOne's Q2 2026 Champion of the Quarter, a recognition we give each quarter to an individual in the HackerOne Champion Program who demonstrates measurable impact, shares their learnings, and moves the practice of security forward.
The Metrics Nobody Else Is Tracking
One researcher finding five bugs in an hour is a fire alarm.
This is how Amit thinks about program health. When asked how he defines a healthy bug bounty program, he didn't talk about finding count or bounty paid. He tracks researcher satisfaction, signal-to-noise ratio, and something most teams aren't measuring at all: researcher-hours spent against specific features.
"I know that for a specific feature, five researchers spent eight hours trying to break it," he said. "If they didn't succeed, that's 40 hours of adversarial effort and the feature held. That means something."
The goal isn't just to catch vulnerabilities, but to build genuine confidence that your platform has been seriously tested.
"I care about findings," Amit said, "but I also care about the level of effort researchers are spending trying to break my platform."
He also watches the time between a feature launch and the first relevant submission, working to minimize that window as a measure of researcher engagement and program responsiveness.
Researcher return rates are a leading indicator too. A researcher who keeps coming back is being treated fairly, paid promptly, and given enough context to do good work.
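The metrics this section describes (researcher-hours against a feature, signal-to-noise, time from launch to first valid report, return rate, and the "five bugs in an hour" alarm) computed over a constructed dataset, as an added example that is not monday.com's or HackerOne's own tooling. The feature names, researcher names, the 40-hour "held" bar and the five-reports-in-one-hour alarm threshold are assumptions for illustration, and the precise definition of each metric is likewise an assumption.

```python
"""Bug bounty program-health metrics over constructed report and effort records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    """One researcher's logged effort against one feature (constructed record)."""
    researcher: str
    feature: str
    hours: float


@dataclass(frozen=True)
class Report:
    """One submission and whether triage accepted it as valid (constructed record)."""
    researcher: str
    feature: str
    submitted: datetime
    valid: bool


# Constructed sample data; feature and researcher names are placeholders.
LAUNCHES = {
    "share-links": datetime(2026, 4, 1, 9, 0),
    "ai-assistant": datetime(2026, 4, 15, 9, 0),
}
SESSIONS = [
    Session("alice", "share-links", 8), Session("bob", "share-links", 8),
    Session("carol", "share-links", 8), Session("dave", "share-links", 8),
    Session("erin", "share-links", 8),
    Session("alice", "ai-assistant", 6), Session("bob", "ai-assistant", 4),
]
REPORTS = [
    Report("alice", "share-links", datetime(2026, 4, 3, 10, 0), False),
    Report("carol", "share-links", datetime(2026, 4, 4, 11, 0), False),
    Report("bob", "share-links", datetime(2026, 4, 5, 14, 0), False),
    Report("alice", "ai-assistant", datetime(2026, 4, 15, 13, 0), True),
    Report("alice", "ai-assistant", datetime(2026, 4, 15, 13, 20), True),
    Report("alice", "ai-assistant", datetime(2026, 4, 15, 13, 35), True),
    Report("alice", "ai-assistant", datetime(2026, 4, 15, 13, 50), True),
    Report("alice", "ai-assistant", datetime(2026, 4, 15, 13, 58), True),
    Report("bob", "ai-assistant", datetime(2026, 4, 16, 9, 0), False),
]


def adversarial_hours(sessions, feature):
    """Total researcher-hours and distinct researchers spent against a feature."""
    hours = sum(s.hours for s in sessions if s.feature == feature)
    people = {s.researcher for s in sessions if s.feature == feature}
    return hours, len(people)


def signal_to_noise(reports):
    """Share of submissions that triage accepted (assumed definition); 0.0 if none."""
    if not reports:
        return 0.0
    return sum(1 for r in reports if r.valid) / len(reports)


def time_to_first_valid(reports, launches):
    """Delay from each launch to its first valid report; None if nothing valid yet."""
    out = {}
    for feature, launched in launches.items():
        hits = sorted(r.submitted for r in reports
                      if r.feature == feature and r.valid and r.submitted >= launched)
        out[feature] = (hits[0] - launched) if hits else None
    return out


def return_rate(reports):
    """Fraction of submitting researchers who came back on a later day."""
    days = defaultdict(set)
    for r in reports:
        days[r.researcher].add(r.submitted.date())
    if not days:
        return 0.0
    return sum(1 for d in days.values() if len(d) > 1) / len(days)


def burst_alarms(reports, count=5, window=timedelta(hours=1)):
    """(researcher, feature) pairs with `count` valid reports inside one `window`."""
    by_pair = defaultdict(list)
    for r in reports:
        if r.valid:
            by_pair[(r.researcher, r.feature)].append(r.submitted)
    alarms = set()
    for pair, times in by_pair.items():
        times.sort()  # sliding window over submission times
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                alarms.add(pair)
                break
    return alarms


def feature_verdict(feature, sessions=SESSIONS, reports=REPORTS, min_hours=40):
    """Fold the metrics into one label: the burst alarm wins, then findings, then effort."""
    hours, _ = adversarial_hours(sessions, feature)
    valid = [r for r in reports if r.feature == feature and r.valid]
    if any(f == feature for _, f in burst_alarms(reports)):
        return "fire alarm"
    if valid:
        return "findings"
    return "held" if hours >= min_hours else "under-tested"


if __name__ == "__main__":
    for f in LAUNCHES:
        print(f, adversarial_hours(SESSIONS, f),
              time_to_first_valid(REPORTS, LAUNCHES)[f], feature_verdict(f))
    print("return rate", round(return_rate(REPORTS), 3), "alarms", burst_alarms(REPORTS))
```

In the constructed data, "share-links" absorbed 40 hours from five researchers with no valid report, so it is labelled "held"; "ai-assistant" drew five valid reports from one researcher within an hour of each other, four hours after launch, so the burst alarm fires regardless of the effort logged. The thresholds are parameters precisely because what counts as "enough" effort or "too many" findings depends on the program.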
A Rare Win in Security: Engineering That Asks for Testing
"Just this week, the R&D department personally asked us to run a campaign for a new product launch," Amit told me. "It didn't come from security, it came from R&D themselves. They know it's a really good shield for them."
Getting engineering to pull security testing rather than have it pushed on them is a cultural shift most teams spend years pursuing. Amit got there by making the program consistently deliver. And the way he did that was architectural.
He embedded adversarial testing directly into monday.com's SDLC as the mandatory final security review step before any significant feature goes live. Every meaningful new feature now ends with a targeted Campaign, scoped specifically to that surface.
"Once we have a new feature, the last step of the security review is to launch a campaign," Amit said. "And we know that if there's going to be something critical, it will come from there."
The pattern he's observed holds consistently: skilled researchers who know the platform deeply find their way to new surfaces quickly. High and critical findings surface close to launch, before customers ever encounter them. Applied over years, that discipline created something rare: genuine engineering buy-in.
Building the Automation Pipeline That Made It All Scale
Running a high-quality program with a small team used to require a significant ongoing time investment. Amit's solution was to automate as much of the remediation workflow as possible, and over the last year, that investment has fundamentally changed what his team can do.
When a valid report comes in, HackerOne's Triage team handles first-pass validation and researcher communication. From there, a combination of HackerOne's agentic AI system, Hai, and monday.com's own internal agents performs root cause analysis, identifies the issue in the codebase, suggests a fix, creates a PR, and opens a ticket for the responsible developer, complete with full context and a defined SLA. After the fix ships, an AI-assisted retest confirms resolution before the bounty is released.
"AI is doing the work, and we are just reviewing and approving it," he said. "We managed to reduce the effort required to validate a report by 70-80%."
That efficiency changed the program's economics entirely. With less overhead per report, Amit has been able to expand researcher invitations and run more targeted campaigns, all without adding headcount.
There's a second benefit he's quick to point out: fast fixes prevent duplicate reports.
"If you're fixing it in real time, you avoid duplication," he said. "You're fixing the vulnerability, that's first. And second, you're cutting noise." Less noise means better signal. Better signal means the team focuses on what matters.
When other security leaders tell him a bug bounty program sounds like too much work, he doesn't argue with them. He just tells them what he built: "I've automated almost all the process. Now it's a piece of cake. It's a shame not to use it."
When monday.com became an AI platform, Amit treated it the same way he treats every new surface: find the researchers who can break it before anyone else does. For AI-specific vulnerabilities, that community is still the most reliable detection method available.
A high-performing bug bounty program needs someone who owns it obsessively. For monday.com, that's Avihai Fedida, the operational engine behind the vision.
"Avihai Fedida is the person who takes my ideas and turns them into a real, working machine. As our HackerOne operational program manager, he's the one who makes sure everything actually runs: the metrics, the standards, the automations."
Why Amit Is Champion of the Quarter
Amit built something that most security teams aspire to: a program that finds the most critical vulnerabilities, runs with minimal overhead, earns genuine buy-in from engineering, and keeps getting better as the threat landscape shifts.
He did it with a small team, on a complex platform, over years, through a combination of attacker instincts, operational discipline, and a genuine belief that the researchers testing your systems are partners worth investing in.
That's what the HackerOne Champion Program is here to recognize: security leaders who do exceptional work and help the rest of the industry do the same.