Datto ensures world-class product security with Cobalt's on-demand pentesting

Datto’s initial driver for its pentesting program was SOC 2 compliance. The company previously worked with a handful of third-party vendors who delivered pentesting services. However, their approach to vulnerability reporting was challenging to integrate with Datto’s Agile development workflows.

Lacking a channel for real-time communication with pentesters, Datto ran into several problems. Most notably, the company’s engineers weren’t receiving vulnerability reports in a usable format. Not only were they unable to seek clarification where needed, there were also issues with feeding reports into established engineering sprints. Combined, these issues made it difficult to obtain full value from each pentest.

Over time, Datto wanted to expand its program to support a more rigorous testing approach in line with its commitment to industry-leading cybersecurity. At this point, it became clear the traditional method wasn’t providing the high-quality, full-coverage testing Datto needed. Instead of having the same 2-3 pentesters working on the same assets year after year, Datto needed a more diverse pentesting approach.

Cobalt’s platform made it easy for Datto to expand its testing program and focus on delivering world-class security. In addition to essential real-time communication, Cobalt’s community approach to pentesting -- in which vetted, seasoned testers are matched to client engagements based on expertise -- gave Datto access to a broad range of testing skills. Executing a comprehensive pentest program on an annual cycle allowed Datto to flexibly switch pentesters between engagements, or request new testers and ensure full coverage for critical and frequently updated assets. When it came time to deliver pentest findings to engineering, the Cobalt platform came through again.

It was clear from the outset that Cobalt’s PtaaS platform was far better suited to Datto’s needs than the traditional approach. Almost immediately, the company took the opportunity to expand its pentesting program from fulfilling SOC2 compliance requirements to a larger scope. The Cobalt platform simplifies the process of involving Datto’s developers early in vulnerability management. This ‘shift left’ helps the company to action pentest findings more quickly and enables developers to play a more proactive security role than they could in the past.

Ultimately, the quality of a pentest comes down to its results. With Cobalt, Datto not only receives a more reliable stream of confirmed vulnerabilities, they also have a more detailed understanding of the coverage they receive from each pentest. After seeing first-hand the value Cobalt’s platform adds to Datto’s security mission, the team at Datto foresees outsourcing nearly all of its pentesting needs to Cobalt so their internal team can focus on different components of offensive security.