
Product Development Recap: How We Made Pentest as a Service Better in 2022

2022 has been a busy and exciting year, with many changes rolled out to our Pentest as a Service platform spanning integrations, reporting, UX adjustments, and a whole new pentest offering. Some might be familiar, but we bet there’ll be an item in this list that surprises you! Let’s take a look.

New Pentest Offering


Agile Pentesting

Agile Pentesting allows security and development teams to identify and address security gaps faster, accelerate their build-to-release timeline, and align pentesting more closely with DevSecOps workflows. It’s a more targeted engagement that can serve a number of objectives:

  • New release testing: Pentest a new release before or shortly after it reaches production.
  • Delta feature testing: Pentest incremental changes based on the code differences since a given date or version.
  • Exploitable vulnerability testing: Pentest a single vulnerability or a small subset across an asset to validate fixes.
  • Single OWASP category testing: Pentest a single OWASP category for a web/mobile/API asset.
  • Microservice testing: Pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network services.

If you haven’t launched an Agile Pentest yet, check out our original announcement for more details on how it works. 


Integrations for Efficient Pentesting


Real-Time Updates with Webhooks

After launching the Cobalt API in 2021, we got to work on the next phase: delivering important updates in real time. Rather than repeatedly polling the same API endpoint, customers can now configure a webhook that automatically pushes new data to a consumer URL they specify.

The initial version of Cobalt’s webhooks will push notifications to your endpoints when:

  • A pentest is created
  • A pentest’s state changes
  • A finding is published
  • A finding’s state changes
  • A finding is updated

Customers can create and manage their webhooks directly from the Integrations Hub, in addition to the public Cobalt API. To learn more about this feature and how we plan to build it out even further, read more about Cobalt's PtaaS API.

Vulnerability Detector, powered by Nuclei 

Just a few weeks ago, we launched a new feature for our pentesters — a vulnerability scanner integrated with Nuclei. It uses template files that describe the requests to send, runs them against the target URLs, and reports whether the corresponding vulnerabilities appear to be present.

The new feature automates checks for specific findings and presents them as “potential” findings to our testers, who then validate the results. This helps the Cobalt Core in three distinct ways:

  1. Reduces the manual effort of running basic checks that can be reliably automated.
  2. Reduces copy and paste from outside scanners. 
  3. Increases the time spent on issues that take more effort to uncover.

To find out more about this tool, check out the original announcement.

New Risk Advisories Enrich Findings With CVE and NVD Data

Speaking of efficiency and integrations, we didn’t stop at making life easier for our pentesters. In October, we launched a new Risk Advisory Integration in the platform. Customers can now access list views of CVE data tailored to their asset types, instead of having to comb through expansive databases manually.

Additionally, Cobalt’s Risk Advisory Integration is cross-referenced with the NVD’s CPE (Common Platform Enumeration) database, so that products are identified by a universal naming standard and the information stays clear and consumable.

Interested in using this feature? Check out our detailed instructions in this blog post.

New Integrations with PlexTrac and anecdotes

The Cobalt platform now integrates with two new partners, enabling customers to:

  • Add Cobalt pentest findings into PlexTrac reports to aggregate vulnerability data from other security tools.
  • Integrate findings into the anecdotes.ai compliance operating system.

You can find instructions on how to connect both tools on the Integrations page.

Pentest Reporting for All Stakeholders


Attestation Letters 

Attestation letters are documents acting as proof that a company has commissioned a third party to perform one or several pentests. External stakeholders — auditors, prospects, or customers — often request these. 

All Cobalt customers can now generate an Attestation Letter under the “Reports” page, with each document showing the following information:

The pentest — sharing technical details, such as:
  • Your company name;
  • The type of pentest service;
  • When it took place;
  • A summary of our pentesters’ methodology.

The vendor — to confirm the document’s legitimacy, with details like:
  • Our principal places of business;
  • Our logo;
  • Our contact information;
  • Confidentiality and trust components in the letter’s header and footer.

Check out the full Attestation Letter announcement for examples and instructions on how to generate this new report.

Co-branded Pentest Reports

In 2022, we made sure to launch features not only for our customers and pentesters, but also for our partners. As of July, organizations that partner with Cobalt can include their logo on pentest reports for shared customers. 


Follow this link for instructions on how to set up this feature. 

Improved UX


Lost Device Support

As customers manage their pentests on the Cobalt platform, we make sure that there are defenses keeping their information secure. One example is using 2FA to log into the platform. Users have the option to set up 2FA for their accounts, and organization owners can enforce 2FA setup for everyone within their team. 

But sometimes users lose access to their registered devices. We have now made it easier (but no less secure!) to report a lost device and reset 2FA.

Check out the full instructions here.

New Views, Improved Notifications, and More 

We kept making the platform easier to navigate, so customers can access critical information faster. Here’s an overview of the changes: 

  • New Pentest View: With a refreshed design, customers can quickly find information about pentest status, test period, and number of findings, and can sort and filter on the metrics most important to them.
  • Improved Role Management: Organization Owners can now change roles directly within the People page.
  • Upload Assets in Bulk: Customers can upload assets in bulk to the Cobalt platform using asset data stored in spreadsheets. This facilitates a single source of truth for pentesting.
  • Email Notification Improvements: When someone changes the state of a finding, customers receive an email notification that includes the username of the person who made the change.
  • Search Results: When customers search in the Vulnerability Type or Organizations list, search results no longer appear truncated at the beginning.

Feedback fuels all of these updates and our motivation to keep improving. We’re so thankful for our active customer community and look forward to achieving even more next year! Keep an eye out for our monthly release blogs (here’s October, for example) to stay in the know.

About Graham Reed
Graham Reed is the Head of Product Operations at Cobalt, guiding the evolution of Cobalt's Pentest as a Service (PtaaS) platform. With more than a decade of experience in the product management space, he's passionate about supporting the company's mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of highly skilled testers. Graham is twice a start-up founder, a co-founder of the Product Mind Community, and has authored the book "The EdTechBook," exploring the use of holistic data analytics within education.