Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

Frequently asked questions

For Business

For Pentesters

Scoping and Testing

Q: How does scoping of the pentests work at Cobalt?

A: Scoping a test is a structured process where you can submit information about the target, including platform specifications, objectives, and instructions. Based on this information, Cobalt will create a purpose-built team of pentesters with the right skills to test your application.

Q: How can I determine the number of Cobalt Credits needed for a pentest?

A: Cobalt offers pentests for a variety of asset types: web applications, mobile applications, APIs, internal and external networks, and cloud services (GCP, AWS, Azure). To determine the number of credits needed for any given pentest, Cobalt takes into consideration the size of the asset and the coverage level required. The average Cobalt pentest requires 12 credits. With that said, we’re able to scope up or down depending on your asset size and coverage needs. Read more about Cobalt Credits and pentest pricing. 

Q: Does Cobalt do security testing for mobile apps?

A: Yes, due to our diverse talent pool we can cover all mobile platforms. In particular, we perform a lot of testing on iOS and Android apps.

Q: Does Cobalt do security testing for APIs?

A: Yes, we know that many modern SaaS businesses rely heavily on web APIs and therefore we have specialized in delivering great API pentests. Together with being able to test web apps, mobile apps and external networks, we are a great fit for modern online businesses.

Q: Does Cobalt do security testing for networks?

A: Yes, we can cover external network testing. We typically do this for PCI testing or similar use cases.

Q: What kinds of vulnerabilities do the pentesters usually find?

A: Our pentesters find vulnerabilities of all types, but they most commonly report vulnerabilities in your business logic and vulnerabilities that fall into the OWASP Top 10 categories. In 2022, we found 6 vulnerabilities on average in a 2-week pentest.

Q: Can I get the pentesters to test specific scenarios I am particularly worried about?

A: Yes, you will be able to communicate directly with the pentest team to make sure they have the right knowledge to perform a high quality test.

Q: Can I share my credentials (usernames + passwords) with the pentesters for authenticated testing?

A: Yes, the majority of the pentests we do are on authenticated parts of a service and we offer a secure way of sharing the user credentials through the platform.

Q: I do not want tests to be run on my production environment. How can I avoid this?

A: In general, testing in production is recommended as it typically has the best data quality. Testing does not normally have any negative impact on the systems. But the best way to avoid testing in a production environment is to set up a staging environment with sample data for security testing.

Q: How many requests will hit my site during testing?

A: When pentesters investigate a site, they may use automatic tools to quickly check for different vectors to ensure that you are being covered across many areas. The amount of traffic and requests from testing will be similar to the traffic and requests you typically see from ordinary site visits by a few users. It may peak at 100Mbps (0.1Gbps) when running brief, intensive scans. However, the overwhelming amount of testing relies on manual techniques that typically use an order of magnitude less.

Q: I want to specify off-peak times for penetration testing so that my production environment does not go down when my users are most active. How can I do this?

A: In general, testing will not cause harm to your systems. However, If you want to establish testing windows for pentesters, our Enterprise tier offers this. Include a timeframe in your program description that specifies when pentesters can use your production environment for penetration testing and our team will work to accommodate the request.

Q: Do I need approval from my cloud provider (AWS and others)?

A: The big cloud providers (AWS, Azure, GCP) do not require prior notification of normal penetration testing. But if you are using a smaller provider you should check with them and Cobalt can help provide info.

Q: How do you support custom pentester requests?

A: For the Enterprise tier, we’ll accommodate special requests regarding pentesters who perform the pentest, which includes:

  • Staffing a pentest with pentesters from a specific region or time zone; or
  • Ensuring that pentesters can communicate with you and/or perform testing at specified times.

We’ll facilitate other requests on a case-by-case basis. All custom requests are subject to Cobalt availability. We may not be able to accommodate more than one such request per pentest.

Q: Can I change pentesters across different tests to fulfill company requirements?

A:  Yes! We can rotate pentesters for every pentest. Get a fresh perspective, reduce bias, and a diverse skill set on every pentest you conduct with Cobalt. Avoid multiple procurement processes and still remain compliant with our community of 400+ pentesters. Read more about best practices rotating pentesters.