Bug bounty programs have become an increasingly common tool in cybersecurity, with startups and established companies inviting hacker bounty hunters from around the world to attempt to find security holes in their networks in exchange for rewards. Even Apple, which long dismissed the idea, began offering bug bounties this year —for as much as $200,000—amid widespread questions about iOS vulnerabilities.

Organizations offering bug bounties often say the programs allow them to test their digital safeguards against a wider range of attackers than they could possible have on staff, often at a fraction of the cost. One bounty management provider, San Francisco-based Bugcrowd, reported earlier this year that companies using its platform have paid out more than $2 million between January 2013 and March 2016.

“When you open the doors, so to speak, and say, ‘come attack us and if you attack us, we’re going to pay you some money’ … it brings a lot of risk into the equation.”

But for some companies and government agencies, inviting arbitrary strangers from across the internet to probe their security systems is a bigger risk than they’re willing to take, says Jay Kaplan, CEO of Redwood City, California, security firm Synack.

“When you open the doors, so to speak, and say, ‘come attack us and if you attack us, we’re going to pay you some money,’ and you don’t know who those people are and you have no auditability of what they’re doing, it brings a lot of risk into the equation, especially for conservative enterprises,” says Kaplan.

To allow those organizations to still get some of the benefits of a bug bounty program while maintaining discretion and security, Synack employs a network of freelance security researchers around the world, including programmers, engineers, and academic researchers. Once they’re properly vetted, they’re assigned to probe particular customers’ networks based on their particular strengths and interests and are rewarded for the vulnerabilities they uncover.

In addition to corporate clients in the health care, energy, finance, and other sectors, Synack recently inked a contract with the Department of Defense, focused on the department’s more sensitive IT assets. Contracts with Synack and San Francisco-based HackerOne are together worth $7 million. In a three-week pilot “Hack the Pentagon” program, the Defense Department reportedly received nearly 1,200 bug reports with about 1,400 hackers, paying out a total of about $150,000.

And this week Synack also announced a $2 million deal with the Internal Revenue Service to protect systems on the irs.gov domain, the first crowdsourced security bug-hunting effort by a civilian federal agency. Those government clients generally require strict background checks and limit participation to U.S.-based hackers, says Kaplan, who founded Synack in 2013 with CTO Mark Kuhr after both had worked at the National Security Agency.