The challenge
As a leading HR software company experiencing rapid growth, Personio needed to adapt their security testing approach to match their fast-paced development cycle. After starting with annual pentests, Personio quickly found that a more agile approach was needed, one that could keep up with the ongoing cycle of new releases and updates. Point-in-time testing could leave substantial gaps where vulnerabilities might be introduced and remain undetected for extended periods, posing potential risks like data breaches and reputational damage. Personio's security team recognized the need to integrate testing earlier in the secure software development lifecycle (SSDLC).
The solution
To address these concerns, Personio's security team began exploring how to embed pentesting earlier into their SSDLC. Personio partnered with Cobalt as one of their offensive security partners to enable continuous application testing throughout the development process, rather than only testing at major feature launches. Arnau Estebanell, Lead Security Engineer at Personio, explained: "With hundreds of deployments daily, our security controls need to be an enabler, not a blocker. Our offensive security program allows us to simulate real-world attacks early in the SSDLC, ensuring vulnerabilities are identified and fixed before they can be exploited by attackers—and at a lower cost."
The results
Over 13 months, Personio completed 15 penetration tests, including web, API, mobile, and LLM application assessments. They also conducted targeted engagements to evaluate the effectiveness of their security controls and detections.
Personio performed comprehensive assessments of their main SaaS platform, mobile application, and supporting APIs. To align with their development schedule, they conducted several agile pentests focused on new functionality—particularly changes that expanded the application's attack surface. For example, before launching their Personio AI Assistant, a dedicated LLM pentest provided valuable insights into AI vulnerabilities and mitigation strategies to address risks like model hallucinations.
Looking ahead, Personio has ambitious plans for its offensive security program. Personio will continue working closely with Cobalt to test earlier and more regularly, providing new insights into emerging threats. Arnau concludes: "Our goal is enabling Personio to move fast while staying secure. We're focused on balancing speed of delivery with robust security—allowing engineers to develop and release products quickly while keeping our customers' data protected, which remains our top priority. Cobalt's agile pentesting has been instrumental in helping us achieve this balance."
