Cobalt Delivers Fast Application Security Pentesting as a Service for Actionable Results in Real Time

TL;DR: Cobalt provides application security pentesting that’s faster, easier, and more affordable than traditional solutions. Its Pentest as a Service (PtaaS) platform integrates with Jira and GitHub workflows so customers can pinpoint, track, and fix software vulnerabilities in real time, instead of relying on point-in-time snapshots. Certified white-hat pentesters perform on-demand tests so customers can build robust, hack-proof protocols into their development cycle. And Cobalt keeps costs low with a fixed price based on application size and testing frequency.

Security pentesting can be a slow, often expensive process for software companies. And the results often show where a product stands at a moment in time, not as a dynamic entity.

Companies traditionally approach pentesting in two ways. The first is to hire in-house pentesters, an option large banks often choose. But that can be challenging, as pentesters are in high demand and aren’t always available. The second approach is to use a traditional management agency or security consultancy. While each consultation project may be highly customized, they often take a long time to put together because all stakeholders need to agree on specifics, which could mean weeks before testing can start.

“Neither model, whether building in-house pentesting or outsourcing individual projects, fits with current software development practices,” said Caroline Wong, Chief Strategy Officer at Cobalt, a Pentest as a Service (PtaaS) Platform. “Everything is moving much faster because software development is iterative today.”

Cobalt provides security penetration testing that is faster, easier, and more affordable than traditional offerings. And Cobalt delivers real-time, actionable results that empower customers to pinpoint, track, and fix software vulnerabilities promptly. Instead of producing a point-in-time snapshot, the Cobalt platform is a data-driven application security engine designed to make the third-party pentesting process simple.

Cobalt offers a worldwide network of pentesters who can complete projects quickly.

As the company says in its mission statement, modern organizations should have access to fast, reliable security tests. But the traditional pentesting and assessment industry is not built to meet the needs of modern organizations, so Cobalt offers something better than archaic PDF reports and simple security scanners.

And one driver of that change is the way organizations develop software today.

“The entire world is moving to more agile, DevOps development processes,” said Caroline. “That means organizations are releasing software faster.”

Security is about protecting value, and it is shifting along with the digital landscape. That means the way security is tested needs to change, as well.

Cobalt meets those evolving needs with a global talent pool of vetted security pentesters, and it can put a customized team together in 24 hours. It also offers services at a fixed price based on application size and testing to keep costs affordable.

Modern Security Testing Identifies Vulnerabilities Quickly

As part of the SaaS-enabled marketplace, Cobalt’s Pentest as a Service (PtaaS) platform delivers results that allow clients to act immediately. It helps pinpoint, track, and fix software vulnerabilities, and makes it so easy to set up, schedule, and manage tests that it’s often called the TurboTax of penetration testing.

A team of more than 270 certified white-hat pentesters performs on-demand tests so customers can build hacker-like testing into their development cycle. The majority of pentesters in the Cobalt community have more than 10 years of testing experience.

The Cobalt platform supports a comprehensive find-to-fix workflow for all required pentesting and assessments throughout an organization. That includes vulnerability reports, integrated messaging and monitoring, smart filtering, and push notifications, all aimed at getting issues addressed promptly.

When a program launches, users receive vulnerability reports on Cobalt Central, a dedicated application security inbox. Reports include descriptions, screenshots, and suggested fixes from Cobalt’s recommendation engine.

Users can assign reports depending on their preferred workflow. And questions can be cleared up quickly because users communicate directly with pentesters on the Cobalt Central dashboard, ensuring that they can tighten security as efficiently as possible.

Cobalt pentesting also satisfies requirements customers may encounter during their own sales processes, when they need to verify their security posture, including for compliance. Reports automatically update with those findings, so the most accurate information is always available. Cobalt can also fulfill requirements for most certifications, including vendor assessments, PCI, HIPAA, and SOC 2.

The Cobalt platform itself is secured through two-factor authentication, and the company runs its own customized security program.

From a Small Team to a Pool of Global Experts

Cobalt launched in 2013 as a bug bounty company called CrowdCurity. At the time, Jacob Hansen, the company’s CEO, and Esben Friis-Jensen, its Chief Customer Officer, were working together as consultants. They thought the traditional consulting model had plenty of room for improvement, so they decided to start their own company.

All four Cobalt founders, including Chief Product Architect Jakob Storm and CTO Christian Hansen, were interested in Bitcoin. And they saw a market need when the Mt. Gox bitcoin exchange was hacked in 2011, and people were losing a lot of their investments.

Caroline Wong is the Chief Strategy Officer at Cobalt.

When that happened, the company pivoted from bug bounties to focus on comprehensive pentesting.

“They looked at the security industry and saw that there was a lot of room for improvement in manual pentesting, and they could also see how they could do it better,” said Caroline.

Compared to managing a company’s security vulnerabilities through bounties, pentesting has the advantage of being relatively predictable.

“We have a methodology that ensures coverage across a web app or a mobile app or an API,” said Caroline. “We also have relatively higher quality because we use custom-built teams of pentesters, instead of inviting the entire world to test your software.”

Caroline joined the company in 2016 when it had fewer than 10 employees in a tiny San Francisco office. Now, that number has grown to more than 100 worldwide. With offices in San Francisco, Berlin, and Boston, Cobalt has plans to expand in the next few years.

An Approach Focused on Transparency

Traditional pentesting is often cloaked in secrecy, which may not inspire client confidence in the final product, Caroline said.

“Some pentest clients experience variance in quality and a lack of transparency in the activities,” she said.

That lack of openness often extends to who compiles the results. By contrast, Cobalt’s model is open: Reports tell a customer who did the pentesting, including the tester’s name and contact information.

Cobalt produces reports that allow companies to assess their exposure in real time.

But finding security problems is only the first step; fixing them is the priority. In addition to pentesting, Cobalt provides remediation support to help developers fix vulnerabilities.

While many consulting firms charge extra for this service, or may charge again if vulnerabilities aren’t fixed within a short period, Cobalt validates these fixes as part of its all-inclusive service.

Its transparency, and the flexibility of the global pentesting pool, make it possible for Cobalt to streamline the start-up process, quickly assembling the right team for each customer project.

That capability is almost impossible to equal if a company hires its own team or works with a traditional consulting firm.

“Quality at Speed” is one of Cobalt’s core values. Instead of having to wait weeks for a consulting firm to start and finish a pentest project, then another week or so for management to review a report and email a PDF, developers are involved in Cobalt pentests from the beginning.

When a Cobalt pentest begins, the pentesters collaborate with the developers as they find issues.

“After all, who is developing software? Developers,” said Caroline. “So, they need to understand what security vulnerabilities are found in the software.”

Another important developer-friendly factor that attracts customers is the solution’s ease of use, which is where the platform comes in. As soon as pentesters find vulnerabilities, they push tickets into the bug tracking system that developers can see. That’s also why the platform integrates with Jira and GitHub workflows.

Cobalt: Adding Integrations and Flexible Pricing Plans

In line with its values of giving its customers speedy, actionable intelligence through on-demand pentesting, Cobalt has some new features in the works. These include a flexible pricing model and Jira bidirectional integration.

As part of building a modern PtaaS platform, Cobalt has introduced Cobalt Credits. Instead of customers paying separately each time they want to do a pentest, they can buy credits in advance to use later.

Many software developers use an agile or DevOps software development methodology, which is why they may not know how big of a pentest they need or when they will need it, said Caroline.

“The idea is, you forecast how much pentesting you want to do, you buy credits, and then you use them whenever you want to, whenever you need to. That is the first delivery model that standardizes cost with a unit of work, and it is highly disruptive to the traditional consulting model.”

In June, Cobalt plans to add Jira bidirectional integration, which will expedite remediation and improve efficiency. Security and development teams can then, through Jira, communicate online and within the platform instead of manually uploading findings into the software.

“With that feature, security pentesters can not only send security vulnerabilities to developers, but when the developers fix vulnerabilities, they can close them in their bug tracking systems. Then we can populate that information in Cobalt,” said Caroline.
