In November, not only was Cobalt named a Leader and a Fast Mover in the 2025 GigaOm Radar Report for Penetration Testing as a Service (PTaaS), but we were the closest to the center of the radar’s bullseye. We’re not usually ones to brag, but in this case, we will. This is our fourth consecutive year as a Leader, and we have no intention of slowing down! That distinction goes beyond logos and quadrants.
Our proximity to the bullseye signals something deeper: balance across innovation, maturity, scalability, and real-world effectiveness. And that matters more than ever.
Why the Bullseye Means More Than the Label
Here’s the reality: Security leaders are incredibly busy people. Most buyers scan analyst reports for who made the Leaders category and stop there. It’s all about who comes in first place.
But the GigaOm Radar is designed to tell a more nuanced story. It evaluates how well platforms perform across the dimensions that actually affect outcomes for security teams: operational impact, flexibility, integration depth, roadmap strength and vision, and ability to scale with modern engineering environments.
Vendors closest to the center aren’t just strong in one area. They’re demonstrating consistency across the criteria that define whether a security program can function in real life, not just on paper. That consistency is increasingly rare, and increasingly necessary, especially when distinguishing what sets one company, product or service apart from the rest.
The Real Issue With Legacy Pentesting Isn’t Just Speed
Most organizations already know the obvious problem, one we hear repeated often and for good reason: point-in-time pentests can’t keep up with continuous deployment.
But what’s becoming clearer is that this isn’t only a cadence problem. It’s a structural mismatch between traditional pentesting models and how modern software is built and operated.
Security leaders today are being asked to:
- Validate risk continuously, not annually
- Prove impact to leadership, not just pass audits
- Integrate security into CI/CD workflows
- Support cloud, APIs, SaaS, and AI-driven systems
- Reduce noise while increasing confidence
Many pentesting approaches were never designed for that reality. They were built for static environments, slower release cycles, and compliance-driven reporting.
The GigaOm Radar reflects this shift in expectations, and why proximity to the bullseye increasingly signals whether a platform is actually designed for today’s operating environment.
What the Radar Really Measures (Beyond Marketing Claims)
GigaOm’s methodology focuses on concrete business and technical criteria, not feature checklists. The Radar evaluates how platforms perform across areas like flexibility, speed to value, integration maturity, scalability, reporting depth, and ability to reduce real risk over time.
Being closest to the bullseye indicates balanced strength across those dimensions, not just innovation for the sake of offering new features, and not just legacy maturity without evolution.
That balance is difficult to achieve. It requires architectural decisions, process maturity, product philosophy, and community strength that align with where offensive security is heading, not where it’s been.
If You’re Rethinking Your Pentesting Strategy This Year, You’re Not Alone
For many organizations, a new year signals a new vendor. Many enterprises are actively re-evaluating what “good” looks like in offensive security. Development velocity is increasing. AI is introducing new attack surfaces. Regulatory pressure is growing. Boards are getting more involved than ever, asking sharper questions. And security teams are being asked to deliver clarity, not just findings.
Why This Matters for Cobalt Customers (and Future Ones)
Being closest to the GigaOm bullseye isn’t something we view as a vanity metric. We view it as validation that the way we’ve built Cobalt — the platform architecture, operational model, human-led approach, integrations, and research-driven methodology — aligns with how modern security teams actually operate.
Our customers are looking for clarity. They need to understand which risks matter, how those risks change as their environments evolve, and how to operationalize testing in a way that supports engineering velocity rather than slowing it down. That’s exactly the gap we’ve spent the last decade closing.
Join the Deep Dive: What the v4 GigaOm Radar Reveals About Modern PTaaS
Chris Ray, Field CTO at GigaOm and lead analyst behind the report, joins Cobalt’s Anne Nielsen and Toast’s David Kosorok to break down what actually defines leadership in today’s PTaaS market, and why many traditional approaches are quickly falling behind.
You’ll explore:
- Why many modern pentesting programs are still structurally stuck in the past
- How GigaOm evaluates PTaaS vendors using real business and technical criteria
- Why enterprises are shifting away from checkbox compliance toward measurable risk reduction
- Six practical lessons leaders are using to modernize offensive security programs today
We hope you’ll join us for this valuable session!

