This blog post is part of an ongoing series in which members of the Cobalt product team provide deep dives into specific platform features.
We are excited to announce Asset Scoping, a recently released feature on our PtaaS platform that automatically calculates credits needed for a pentest based on the asset size and coverage required.
What does Asset Scoping mean?
Since we rolled out the credit model for our Pentest as a Service (PtaaS) platform, we've been successfully delivering speed and simplicity to our customers. But we know there’s always room for improvement to provide more clarity around how they should determine the right amount of credits to purchase for a given pentest.
Asset Scoping is a huge step towards enabling our customers to automatically calculate credits based on the size of the asset to be tested and the level of coverage needed for the test. By eliminating the burden for our customers to determine their own credit requirements, Asset Scoping allows security teams to get started even faster with launching their pentests.
- Intuitive: You will no longer be asked to select the number of credits needed for a pentest. Instead, Cobalt will automatically recommend the number of credits to you based on the information you provide on size of the asset to be tested and default coverage.
- Consistent: Pentests are scoped based on asset size and coverage by default, so you do not need to worry about calculating how many credits are needed for repeat tests on an asset.
- Flexible: We offer the flexibility to adjust coverage for a pentest when you need to investigate deeper in certain areas, or reduce testing hours due to budget constraints.
- Transparent: A scoping guide is available on the platform for customers to understand how credits are calculated.
How it works
Automatic Pentest Credits Recommendation
Pentest Credits are recommended automatically by Cobalt based on the asset size and coverage. This default recommendation comes from the values set at the asset level; you can keep the asset's default coverage or edit the coverage for a specific pentest based on your requirements.
For example, if you need a focused test on only one feature, Extra Light coverage may be appropriate. If you need an extended test covering every feature, you can select Large or Extra Large. You can modify the coverage field to match what you need from each pentest.
When inputting information about your asset size and coverage, we provide you with a scoping guide. This guide walks you through how to determine the right size and coverage for your specific asset type. Below is an example of how the scoping guide would look for a Web asset type:
The Impact on Existing Assets
All legacy assets now have size and coverage values associated with them, as we have backfilled this data. You can edit and update this information at any time without restriction.
Pentests completed before the release of this feature will not have size and coverage association. Credits will remain as they were originally filled for these completed tests.
Copying A Completed Pentest
Copying pentests that have credits calculated based on size and coverage will reflect the same values submitted for these fields. You can adjust the coverage for the pentest or edit the asset in the wizard as needed.
If you copy an older pentest without size and coverage association, the copied pentest does not copy the credits. Instead, it will inherit the size and coverage from the asset level and automatically recommend the credits.
Updating Asset Size and Coverage During an Active Test
If you update an asset's size and coverage, the new values are reflected in pentests already created for that asset until those pentests are moved to the planned state.
As we continue to be a leader in PtaaS, we are always looking for ways to ensure Cobalt is the most innovative solution for DevOps-driven software companies that want to implement security across the development lifecycle and optimize application security processes.
Curious to learn more? See the Cobalt platform in action!