A pentest is more than a security scan. It’s human-driven, and the value of a pentest depends on the skill, creativity, and expertise of the team performing the test. Finding a vulnerability is one thing, but understanding its business context and providing a clear path to remediation is another. This is why the process of staffing a pentest is one of the most critical functions in ensuring a successful security engagement.
At Cobalt, this responsibility falls to the technical project manager (TPM). The TPM is the glue of your pentest team. We follow a strict, multi-stage process to assemble a team of experts matched to your technology, goals, and business requirements. This is a look inside that process. It reveals how a testing team is built to deliver the actionable insights you need to strengthen your security posture.
The Pentest Brief: Your Blueprint for a Successful Test
Every successful pentest begins with a clear and detailed blueprint. The Pentest Brief is the foundational document our TPMs use to understand the precise scope and objectives of your engagement. This initial data gathering phase is critical. It ensures the final team is aligned with your needs from day one.
The brief gathers four key categories of information.
Requirements: First, we establish the basic requirements. Cobalt requires target URLs or IPs in order to define the test's scope. This ensures our pentesters can access the in-scope application and focus their efforts on the assets that matter most to our customers.
Instructions: Second, we need your instructions. It is important for customers to provide the goal and objective of a test. Are you testing to meet a specific compliance mandate, like PCI DSS or SOC 2? Or is the goal to assess and improve your internal security posture? This context shapes the entire engagement. It determines the perspective from which pentesters view your application and the focus of their final report.
Methodology: Third, we define the methodology. Customers can select from a wide range of methodologies. These include web application, API, internal network, external network, mobile application, and cloud configuration review. You can even combine methodologies, such as a Web and API test, for comprehensive coverage. This serves as a primary filter for testers. A test on an AI/LLM Application requires a completely different skill set than an external network pentest.
Tech stack review: Finally, we review your tech stack. Understanding your technology stack allows us to better staff tests. A pentester with deep experience in Python and Linux environments is an ideal match for an application built on those technologies. This detail allows the TPM to find an expert who understands not just the type of asset, but the specific technical environment it lives in.
Specific Requirements: Tailoring the Test to Your World
No two organizations are the same. Your business operates with unique constraints, compliance needs, and operational requirements. A modern pentesting approach must be flexible enough to adapt to your world. The TPM uses your specific requirements as a secondary filter for finding the right security experts for your pentest.
Certifications: Some customers require specific certifications. These professional certifications, such as CREST, OSCP (Offensive Security Certified Professional), or OSWE (Offensive Security Web Expert), serve as a trusted benchmark for technical skill. Our Cobalt Core community of pentesters holds a wide range of additional industry certifications, such as CRTP, AWS CAA, NSE, eWPTXv2, CRT, C-AI/MLPen, and more. The TPM ensures your team members hold the credentials you require.
Geographical Restrictions: We also accommodate geographical restrictions. Due to industry policy, data sovereignty rules, and compliance needs like GDPR, many organizations require testing to be performed by professionals located in specific geographies, such as the United States or the European Union. Our platform allows the TPM to filter our global community of experts to meet these critical geographic requirements.
Testing Times: Your operational stability is a priority. Some customers specify certain times of day to monitor activity or to avoid potential downtime in a production environment. The TPM works with the pentest team to schedule testing during these approved windows, minimizing any disruption to your business.
Testing Timeline: Finally, Cobalt has the flexibility to support an adaptable timeline. Unlike traditional consulting engagements with rigid schedules, Cobalt can meet your specific needs. If a scope is larger than anticipated, the TPM can extend the testing timeline. If a scope is smaller, the timeline can be reduced to deliver results faster.
The Cobalt Core: An Elite Community of Security Experts
Once your technical and business needs are clearly understood, the TPM leverages our most valuable resource: the Cobalt Core. The Cobalt Core is an elite, hand-picked community of pentesters who power our PTaaS solution. They are highly skilled and vetted security professionals who perform manual penetration tests across a wide range of assets.
The Core is defined by two key elements:
- Proficiency and Skill Sets: First is deep skill and expertise. Core members bring knowledge and mastery in critical areas like vulnerability discovery, including the OWASP Top 10, application misconfigurations, and privilege escalation. Their skills cover advanced disciplines, such as red teaming, mobile app reverse engineering, and cloud security. Beyond their technical depth, our Core thrives on collaboration. They work directly with clients in real time and deliver clear, actionable reports that help you quickly remediate findings.
- Leads and Pentesters: Second is a clear distinction between a team lead and a pentester. On any given test, both the lead and the pentester perform hands-on security testing to identify vulnerabilities. The pentester is focused on executing the deep technical work. The lead pentester, however, has additional responsibilities. The lead oversees the entire engagement, coordinates the team, and reviews all findings for quality and accuracy. They serve as the main point of contact for the customer and are responsible for writing the final, consolidated report. This two-tier structure is a powerful quality assurance mechanism. It ensures consistency, collaboration, and high standards across every pentest.
The Team: Assembling Your Handpicked Pentest Unit
The final step in the process is putting it all together. The TPM combines the details from the Pentest Brief and your specific requirements to assemble a hand-picked team from the Cobalt Core.
Every test is staffed based on the required methodology. The team’s collective skill set is aligned with the asset you need tested, whether it is a web application, an internal network, or a complex cloud environment. This ensures the pentesters have the right proficiency for the engagement.
The quality of our community is reflected in its performance. We also believe in cultivating our talent. To ensure a seamless experience and maintain our high standards, we often pair veteran leads with newer Cobalt Core pentesters. This helps new Cobalt Core members learn the Cobalt way. The result is a dedicated team of experts, led by an experienced professional, with the skills needed to secure your application.
Learn how to raise the level of your security with continuous, programmatic pentesting. Download The Offensive Security Blueprint and build a modern, resilient security program today.