Case Study

From False Savings to True Protection: How a Business Identity Platform Provider Chose Cobalt for Better Pentesting


A business identity platform provider was looking for additional pentesting options and wanted to evaluate the most budget-friendly ones to save money wherever possible. They considered a number of different solutions and decided to try Astra Security. After working with Cobalt for a number of years, they held a high standard both for the quality of pentesting and for the process of managing all of their tests in the Cobalt platform. However, after a year of grappling with an inadequate testing experience, the security team recognized the critical value of human-led pentesting and returned to Cobalt for its comprehensive and effective security assessments.

A cost-driven departure

The decision to explore alternatives stemmed from a financial drive to reduce costs. This pursuit of a lower price point led them to Astra. While Astra boasted an appealing price, the security team quickly discovered that the cost savings came at a significant expense to the quality and efficacy of their pentests.

The main issue the Operations and Security Program Manager identified was Astra’s reliance on automated vulnerability scans. “Astra doesn’t actually have human pentesters. They ran vulnerability scans and then a person would review the scans and send it to us.” This automated approach resulted in a flood of noisy findings that weren’t insightful. A Software Engineer added, “Astra caused a lot of friction for our engineering team. We were trying to fix things that didn't feel like the best use of time, with some of our engineers noting findings that were irrelevant, duplicated, or simply didn't apply to our use case. A lot of context was missing from their pentests.”

The slow retesting process and delayed confirmation of remediated critical findings from Astra also created issues for the company’s customer-facing GRC efforts, which directly impacted customer conversations and concerned the sales team. The Operations and Security Program Manager stated, “The entire process—running a new scan, updating findings, and reissuing the report—took far too long. This led to awkward conversations with our customers who would ask, 'You have a critical thing here. Why was this not resolved?' My only response could be, 'It actually was resolved; we're just waiting for Astra's retesting confirmation.'”

The return to tried and true: prioritizing value over price

After a year of these challenges, the security team recognized that the initial cost savings with Astra, which were minimal by industry standards, were overshadowed by the inefficiencies, lack of actionable insights, and operational headaches. This led them to return to Cobalt. “Given our good pre-existing relationship with Cobalt, we decided to return to what’s tried and true,” said the Operations and Security Program Manager.

The initial experience with Cobalt had set a high bar. The Operations and Security Program Manager recalled, “The Cobalt pentesters provided quality findings. Things that were actually significant that we had overlooked and could be seen as a critical vulnerability. The work we were doing with Cobalt was actually providing value while also preparing us for the worst.” Beyond the quality findings, the seamless pentesting process was a major differentiator. “We set a deadline, stayed in constant communication with the pentesters to remain on track, and received live feedback on our remediations. This helped us close out issues and ensure the pentesters agreed that we had fully remediated vulnerabilities and made ourselves foolproof.” This established trust and proven value ultimately drew them back. “We appreciate Cobalt providing more ways to get us comprehensive coverage across our applications,” concluded the Operations and Security Program Manager.
