Event
Join cybersecurity experts from Slack, Riot Games, EY and more at our upcoming roadshow. 

What is pentesting?

Pentesting, also called penetration testing, is a security assessment, analysis and progression of simulated attacks on an application or network to check its security posture.

The foremost goal of pentesting is to harden and improve the security by discovering exploitable vulnerabilities in the security defenses. Insights provided in these attempts to successfully breach the system are then used to fine-tune policies and controls, while offering a chance to patch vulnerabilities before any compromise can occur.

Cobalt_what is pentesting_Header Image

In any application or network, there are weaknesses or flaws an attacker could exploit to impact data confidentiality, integrity, or availability. The testing goal is the same when performing application and network pentesting.

Pentest results are an output list of vulnerabilities, the risks they pose to the network or application and a concluding report. The report includes an executive summary of the testing, scope of work, methodology and recommendation for remediation.

Vulnerabilities found during a pentest can be used to modify your existing security policies, patch your applications and networks, identify common weaknesses across your systems, and help strengthen the overall security posture of your systems and organization.

What is manual pentesting?

Manual pentesting is an approach that layers human expertise with professional tools and techniques, such as automated binary static and dynamic analysis. Pentesting software is great at discovering problems with standard vulnerability classes, but it’s unable to detect certain design flaws.

This is why a manual pentest is needed in addition to pentesting software. A manual pentest performed by a skilled pentester is required for complete coverage including design, business logic, and compound flaw risks that can only be detected through manual, human testing.

Pentest as a Service vs. traditional pentesting

Companies regularly pentest their digital assets to establish trust with customers, comply with regulatory requirements, and improve their security posture. Traditional pentesting service models, however, do not work at the cloud-speed of today’s development. Traditional pentest services are siloed and slow, taking weeks to complete their work, while the company’s applications and networks lay exposed to the risk of breach.

The Pentest as a Service model offers a modern solution to these pentesting problems. This approach combines easy access to expert pentesting talent and a modern SaaS platform to enable pentests to happen fast, and collaboration and remediation to happen in real-time. Customers using this model can book a pentest on-demand and be a proactive participant in testing their applications frequently and maturing their security posture over time.

Cobalt-What is Pentesting-Pentest as a Service

Cobalt’s Pentest as a Service model is changing the way security and development teams perform and benefit from pentesting.

Cobalt-What is Pentesting-Trusted Talent-Icon

Trusted Talent

Cobalt assigns pentesters to each project, meaning you receive an expert pentester who best matches your needs.
Cobalt-What is Pentesting-Integrations Icon

Integrations

Cobalt’s platform allows you to easily manage and aggregate all your pentest data, directly communicate with testers via Slack, and seamlessly integrate with tools like Jira and GitHub.
Cobalt-What is Pentesting-Transparency

Transparency

Communicate in real time with the specific pentester who discovered each vulnerability. Live updates mean no more waiting until after testing is complete to receive your report.
Cobalt-What is Pentesting-Flexibility

Flexibility

Cobalt’s way of tracking pentester availability makes testing much faster. Tests start in days and offer sustainable ways to stay compliant with PCI DSS, HIPAA, SOC-2, ISO 27001, GDPR, and more.

The power of the Pentest as a Service model

50
%
LESS TIME TO GET PENTEST RESULTS
COMPARED TO TRADITIONAL PENTESTING
25
%
MORE COST EFFECTIVE THAN TRADITIONAL
PENTESTING CONSULTANCIES

Our Pentest as a Service lifecycle

The Pentest as a Service (PtaaS) model combines data, technology, and talent to resolve security challenges for modern web applications, mobile applications, networks, and APIs. This new approach applies a SaaS security platform to pentesting in order to enhance workflow efficiencies.

The PtaaS life cycle consists of six stages, supported by three core components.

Manage

Start off your test right by ensuring proper access and security controls.

Collaborate

Empower collaboration between testers and your team with streamlined workflows.

Integrate

While the test is running, feed results directly into your DevSecOps ecosystem.
Cobalt-Pentest Service Lifecycle-1-Discover@2x
Discover

The first step in the Pentest as a Service process is the discovery phase where all parties involved prepare for the engagement. On the customer side, this involves mapping the attack surface areas and creating accounts on the Cobalt platform. The Cobalt PenOps Team assigns a Cobalt Core Lead and Domain Experts with skills that match your technology stack. A Slack channel is also created to simplify real-time communication between you and the Pentest Team.

For more information about this phase, check out

3 Tips for Preparing for a Pentest.

Cobalt-Pentest Service Lifecycle-2-Plan@2x
Plan

The second step is to strategically plan, scope, and schedule your pentest. This typically involves a 30-minute phone call with the Cobalt teams. The main purpose of the call is to offer a personal introduction, align on the timeline, and finalize the testing scope.

For more information about this phase, check out

4 Tips to Successfully Kick Off a Pentest.

Cobalt-Pentest Service Lifecycle-3-Test@2x
Test

The third step is where the pentesting will take place. Steps 1 and 2 are necessary to establish a clear scope, identify the target environment, and set up credentials for the test. Now is the time for the experts to analyze the target for vulnerabilities and security flaws that might be exploited if not properly mitigated.

As the Pentest Team conducts testing, the Cobalt Core Lead ensures depth of coverage and communicates with your security team as needed via the platform and Slack channel. This is also where the true creative power of the Cobalt Core comes into play.

For more information about this phase, check out

Get to Know the Cobalt Core.

Cobalt-Pentest Service Lifecycle-4-Remediate@2x
Remediate

Accelerate your remediation with the fourth phase in the lifecycle. This phase is an interactive and on-going process, where individual findings are posted in the platform as they are discovered. Integrations send them directly to developers’ issue trackers, and teams can start patching immediately. At the end of your test, the Cobalt Core Lead reviews all the findings and produces a final summary report.

The report is not static; it's a living document that is updated as changes are made (see Re-Testing in Phase 5).

For more information about this phase, check out

Explore Cobalt's PtaaS Integrations.

Cobalt-Pentest Service Lifecycle-5-Report@2x
Report

When you mark a finding as “Ready for Re-test” on the platform, the Cobalt Core Lead verifies the fix and updates the final report. Reports are available in different formats suited to various stakeholders, such as executive teams, auditors, and customers.

For more information about this phase, check out

Best Practices for Verifying Vuln Fixes.

Cobalt-Pentest Service Lifecycle-6-Analyze@2x
Analyze

Once the testing is complete, you have the opportunity to analyze your pentest results more thoroughly to inform and prioritize remediation actions.

At this phase, you benefit from a deep dive into the pentest report with insights comparing your risk profile against others globally, identifying common vulnerabilities to inform development teams, and driving your security program's maturity.

Furthermore, executive teams will be delighted by the ease of use to track and communicate pentest program performance.

For more information about this phase, check out the Cobalt Platform Insights Brief.

Cobalt-What is Pentesting-Why Pentest

Why Pentest as a Service is the future of modern pentesting

Without applying a lifecycle approach to a Pentest Program, organizations are forced to treat security as a point-in-time project rather than a continuous aspect of proactive security. Projects have a start and end date but a good Pentest Program functions as an on-going process. The analysis phase of any pentest project should be set up to naturally lead into the preparation for the next pentest whether it's happening the following week, month, quarter, or year.
22-Cobalt_Compliance-Customers_Kubra logo@2x
Tushar Chandgothia
Information security and risk Management
“When we first went with Cobalt it was purely for PCI requirements, but we were looking to scale our program and pentest on a more continuous basis. Cobalt gave us the ability to pentest on a frequent basis with minimum effort from our teams. Saving us time and providing us quality results on a consistent basis.”
Read the full story
Cobalt-Get Started-axel springer@2x
Henning Christiansen
Chief Information Security Officer, Axel Springer
“Part of protecting information, part of protecting data is to show that you're regularly checking whether there are any security issues. And this model that we have set up with Cobalt, the continuous security monitoring, helps a lot.”
Read the full story
Cobalt-Get Started-Pendo logo@2x
Chuck Kesler
Chief Information Security Officer, Pendo
“I looked at the numbers for Cobalt and thought, ‘If they're able to deliver what they're saying at this cost, it's close to twice the value I would expect from a traditional pentest.’ And it turned out that way.”
Read the full story

See Cobalt for yourself.

Flying Bug Image