WHITE PAPER
Secure the agentic shift and bridge the AI readiness gap with the Responsible AI Imperative white paper
Case Study

How a Leading Accounting Firm Eliminated Development Delays and Cut Pentesting Costs by 44% with Cobalt



The Challenge

A leading national audit, tax, consulting, and wealth management firm found that its application security program had become a roadblock to innovation. The firm’s traditional, end-of-cycle approach created friction between teams and introduced significant risk. The development teams operated in a waterfall model, pushing security testing to the very end of projects. This process strained relationships: security was seen as a final, painful gatekeeper rather than a partner in innovation. The bottleneck consistently added 6 to 10 weeks to every project timeline. The CISO at the firm stated, “Project teams would tell us they were ready for testing, only for us to find out the pentesters were booked six to ten weeks out. We were always the ones slowing everything down.”

The financial and operational burdens were equally severe. The annual spend on testing was an unpredictable line item, making it difficult to justify to leadership. In the final year under the traditional model, the total cost was well into the six figures and a major budget line. At that price point, the program could not be scaled to cover projects delivered by third-party development partners, so those applications shipped untested. “We were deploying internet-facing applications without any security validation. The risk was enormous,” said the CISO.


The Solution

The firm partnered with Cobalt to transform its approach, turning pentesting into a seamless, just-in-time service integrated directly into the development lifecycle. Instead of being a final gate, pentesting now runs in parallel with user acceptance testing. The CISO stated, “We went from a state of constant anxiety at the end of every cycle to a seamless process. Now, our development teams initiate a Cobalt pentest at the start of the QA cycle, long before the project is considered finished.” This shift empowered the team to find and fix architectural flaws and security defects without delaying the project schedule. The CISO continued, “We found a design flaw in one of our applications—an authentication issue—that we were able to catch in QA. It would have stopped the project cold if we had waited until the end.”

The new pentesting model dissolved the “us vs. them” culture and fostered a sense of shared ownership. The CISO noted, “Our developers see the Cobalt pentesters as an extension of our QA team. It’s truly become a partnership.” The collaborative approach also serves as a training tool for developers, who learn from findings and speed up their internal processes. Extending security testing to third-party developers let the firm meet business demand that outpaced internal capacity, so work that previously carried unassessed risk is now tested before release.


The Results

By shifting to an integrated, developer-first pentesting model with Cobalt, the firm achieved measurable improvements to its timelines, budget, and overall risk posture.

The security-testing delay of up to 50 days has been eliminated; the pentest scheduling window is now one day, a 50x faster turnaround. The firm also saw a dramatic financial improvement. “We reduced our annual testing costs by 44%—all while increasing our testing coverage. It was very easy to show the business the ROI,” the CISO reported.

The security and team benefits have been just as significant. “Our overall defect rate and number of repeat findings have both gone down substantially over the last 2.5 years,” said the CISO. This improvement is a direct result of turning pentest data into an educational tool. Using the Cobalt Insights dashboard to spot trends in findings from both the internal team and third-party dev shops, the CISO prioritized secure development courses targeted at the vulnerability classes that kept recurring, so that developers stopped introducing them in the first place. The strained relationship between security and development has been replaced by a “one team” mentality, fostering shared ownership and improving security. With this data-driven confidence, the firm can now use outsourced development shops to accelerate key business projects, knowing that security testing is built into the process from the start.




“We reduced our annual testing costs by 44%—all while increasing our testing coverage. It was very easy to show the business the ROI.”

CISO,

Accounting