Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

Frequently asked questions

For Business

For Pentesters

Platform Features

Q: What kind of deliverables can I expect from Cobalt Penetration tests?

A: Comprehensive Pentests come with a full report that contains the following sections: an executive summary, scope of work, methodology, summary of findings, recommendations, post-test remediation, and finding details.  Comprehensive Pentests also include a customer letter and an attestation letter. The various report formats give you options for sharing results with a variety of stakeholders - including customers and auditors. 

Agile Pentests include an automated report with finding details, intended for internal consumption. 

Premium and Enterprise Tier customers have the ability to customize reports by removing sections as needed. 

Q: Can I use Cobalt Penetration test reports to satisfy PCI DSS?

A: Yes, you can conduct a Comprehensive Pentest with Cobalt to satisfy PCI requirements for external pentetration testing. The Cobalt team can support you in making sure that both the test coverage and reporting lives up to your auditor’s expectations. A Comprehensive Pentest can satisfy PCI-DSS section 11.3.1, including confirmation of fixes related to section 11.3.3.

Q: Can I use Cobalt Pentest reports for my Sales process?

A: Yes, many of our customers use Cobalt pentests to show their own customers that they take security seriously. Our Comprehensive Pentest engagement comes with a variety of report types, including a full report with finding details, a customer letter, and an attestation letter. 

Q: I need a pentest report ASAP, can you help me?

A: Yes, being agile and on-demand is a key part of Cobalt’s pentest offering. Schedule a demo today and we can get your testing started right away.

Q: Can I get a sample report from a Cobalt Pentest?

A: Yes, schedule a demo and we will provide you with one.

Q: How do you ensure Report Quality?

A: For every Comprehensive Pentest engagement, the Pentest Lead is responsible for reviewing each individual finding and the overall report. Additionally, each team member is rated on their report submissions. This provides transparency and accountability for the Cobalt Core to deliver consistently strong results.

Q: If I don’t fully understand a vulnerability report submitted by a pentester. Can I communicate with the pentester?

A: Yes, communication is key! You can write comments directly to the pentesters asking them to clarify a specific report. You can also write internal comments to your team members to enhance collaboration. We also know that pentest findings don’t always get fixed right away, so we allow direct communication with the pentesters for months following the completed pentest engagement.

Q: Who can see the findings of my pentests?

A: Only invited team members and the pentesters can see the list of reported vulnerabilities. Cobalt Customer Success and SecOps members will be able to view vulnerabilities in order to support the pentest. All of this access is visible and controllable within each pentest program’s settings.

Q: Can a pentester publicly disclose vulnerabilities found in my site?

A: Only with your permission. If a pentester wants to publicly disclose a vulnerability (anonymized or de-anonymized) to benefit the community, they will request your permission and act in accordance with your response.

Q: Does Cobalt offer API access to pentest findings?

A: We do offer API access where customers can easily integrate data about their assets, pentests, and findings into the rest of their technology stack. Cobalt API enables teams to manage their data more easily and build a holistic view of their vulnerability and application landscape. Learn more about The Cobalt API and other PtaaS Integrations.

Q: How does Cobalt rank vulnerability findings from a pentest?

A: There are five severity levels to rank vulnerabilities ranging from informational to critical. Read more about severity levels.

Q: Does Cobalt offer customizable pentest reports?

A: Cobalt offers a variety of report templates for Comprehensive Pentests, including a full pentest report with finding details, a customer letter, and an attestation letter. All Agile Pentests include an automated report with finding details. For Premium and Enterprise Tier customers, report templates can be customized as needed with the ability to remove sections.

Q: Does Cobalt have an API? If so, is it public-facing?

A: Yes, the Cobalt API is public-facing. For access to our API documentation, visit