The Challenge
HeyJobs, an AI-powered candidate recruiting platform, faced a common yet critical dilemma: how to run an effective, scalable security program with a lean team. Their four-person security team constantly had to balance the demands of daily operations against delivering high-quality, secure features to a global customer base.
HeyJobs was also proactively working towards compliance certifications such as ISO 27001 and preparing for the European Artificial Intelligence Act, both non-negotiable given the personal data they processed, including resumes, email addresses, and phone numbers. HeyJobs's security team needed a solution that would let them ship new features with confidence while keeping pace with ambitious growth and compliance goals.
The Solution
HeyJobs partnered with Cobalt to supplement their security capabilities with fast and actionable pentests. The speed and intuitive nature of the Cobalt Offensive Security Platform allowed HeyJobs to kick off pentests with minimal lead time, while Jira integration accelerated remediation. The 12-month retest window offered their team flexibility for planning and executing remediations and mitigations, enabling HeyJobs to proactively address vulnerabilities before feature releases. The Cobalt Core also provided HeyJobs's security team with fresh perspectives and valuable expertise for continuous learning.
Rodrigo Oliveira, Platform Engineering and Team Lead at HeyJobs, stated: "Cobalt provides a genuinely collaborative pentesting experience. Our team deeply appreciates the direct access to pentesters working on European hours and the constant communication via Slack. This setup enables us to learn so much, as the pentesters clearly explain their findings and guide us on remediation, making it an incredibly valuable partnership."
The Results
HeyJobs instituted an offensive security program with bi-annual pentesting of their platform, supplemented by tests of new customer-facing features. Pentests triggered automatically ahead of releases allowed the HeyJobs security team to address high-severity vulnerabilities before code shipped. Beyond this, HeyJobs also ran DAST scans and completed multiple narrow-scope pentests for continuous monitoring of internal networks and domains, so that issues such as unexpected DNS record changes were identified quickly.
After each pentest, HeyJobs logged every finding and its severity in their ticketing system, so tech leads could quickly prioritize high-severity issues, roadmap fixes, and implement preventive measures to avoid recurrence. This proactive program directly supported HeyJobs's goals of achieving ISO 27001 certification and preparing for the European Artificial Intelligence Act.