Try Now
Get hands on with Cobalt's PtaaS Platform

Frequently asked questions

For Business

For Pentesters

Platform Features

Q: What kind of deliverables can I expect from Cobalt Penetration tests?

A: You will receive both individual finding reports with detailed descriptions of each vulnerability as well as a full summary report that describes the test and findings at an executive level - perfect for sharing with stakeholders.

Q: Can I use Cobalt Penetration test reports to satisfy PCI DSS?

A: Yes, the Cobalt Penetration Test reporting was built based on the PCI requirements for external penetration testing and we can support you in making sure that both the test coverage and reporting lives up to your auditor’s expectations. This can satisfy PCI DSS section 11.3.1, including confirmation of fixes related to section 11.3.3.

Q: Can I use Cobalt Pentest reports for my Sales process?

A: Yes, many of our SaaS customers use Cobalt to show their own customers that they take security seriously. Our reporting comes in different levels of detail - from an attestation-style report to a full report with all findings details. Thus you can decide how exactly much you want to share with your customers.

Q: I need a pentest report ASAP, can you help me?

A: Yes, being agile and on-demand is a key part of Cobalt’s pentest offering. Schedule a demo today and we can get your testing started right away.

Q: Can I get a sample report from a Cobalt Pentest?

A: Yes, schedule a demo and we will provide you with one.

Q: How do you ensure Report Quality?

A: During each engagement, the Pentest Lead is responsible for ensuring that each individual finding and the overall report meets Cobalt’s high level of expectations. These Leads are very experienced individuals - in 2016, the average number of years of professional experience for Cobalt’s Pentest Leads was 11 years. Additionally, each team member is rated on their report submissions. This provides transparency and accountability for the Cobalt Core to deliver consistently strong results.

Q: If I don’t fully understand a vulnerability report submitted by a pentester. Can I communicate with the pentester?

A: Yes, communication is key! You can write comments directly to the pentesters asking them to clarify a specific report. You can also write internal comments to your team members to enhance collaboration. We also know that pentest findings don’t always get fixed right away, so we allow direct communication with the pentesters for months following the completed pentest engagement.

Q: Who can see the findings of my pentests?

A: Only invited team members and the pentesters can see the list of reported vulnerabilities. Cobalt Customer Success and SecOps members will be able to view vulnerabilities in order to support the pentest. All of this access is visible and controllable within each pentest program’s settings.

Q: Can a pentester publicly disclose vulnerabilities found in my site?

A: Only with your permission. If a pentester wants to publicly disclose a vulnerability (anonymized or de-anonymized) to benefit the community, they will request your permission and act in accordance with your response.

Q: Does Cobalt offer API access to pentest findings?

A: We do offer API access where customers can easily integrate data about their assets, pentests, and findings into the rest of their technology stack. Cobalt API enables teams to manage their data more easily and build a holistic view of their vulnerability and application landscape. Learn more about The Cobalt API and other PtaaS Integrations.

Q: How does Cobalt rank vulnerability findings from a pentest?

A: There are five severity levels to rank vulnerabilities ranging from informational to critical. Read more about severity levels.

Q: Does Cobalt offer customizable pentest reports?

A: Cobalt offers a variety of report templates, including a full pentest report with finding details, a customer letter, and an attestation. For Premium and Enterprise Tier customers, report templates can be customized as needed with the ability to remove sections.

Q: Does Cobalt have an API? If so, is it public-facing?

A: Yes, the Cobalt API is public-facing. For access to our API documentation, visit