Do you fix security bugs like this?
There's a better way for Security and Engineering to work together. Cobalt's Pentest as a Service approach turns chaos into order.
Bring teams together with stronger security
Cobalt gives your teams the space to work together and achieve more in less time. Here's what that can look like.
Pentest → Remediate #1 → Retest → Remediate #2 → Retest → Remediate #3 → Retest → Confirm finding's risk level for new releases
Turn findings into patches with the Cobalt platform
“Having instant communication with testers is a driving factor in why we chose Cobalt and continue to use them. Talking to the researchers in real time and getting instant feedback on issues, or answering their questions, just makes for a better quality pentest.”
- Jeremy Galindo, Senior Offensive Security Manager, Datto
“What my engineering team liked about this [Cobalt] engagement is they had an opportunity to discuss issues with pentesters and review priorities together. It was a collaborative process.”
- Sergey Stelmakh, Platform Security Architect, MuleSoft
“Being able to interact with findings in the platform and discuss them through Slack makes for a much more efficient process. We’ve been able to get into it and engage with the findings there, which is a big improvement on the old process.”
- Chuck Kessler, CISO, Pendo
The Pentest
How traditional pentesting works: You commission a third party to test your application for weaknesses, and you don't hear back for weeks -- until suddenly, a report lands in your inbox. There's little room for questions, interactions, or learning from the process.
How Pentest as a Service works: From day 1, your security and developer teams have direct access to the pentesters on Slack and in our Pentest as a Service platform. You get a front-row seat to the test from start to finish, with real-time updates on what the testers are working on and what they're finding.
How You Win
- Your security team observes the testing process and learns how threat actors operate
- Pentesters ask developers questions about the product's use cases and make their testing more targeted
Pentester: Hey team! I went through the pentest brief and saw you shared login credentials, but only the user names. Want to make sure that was intentional.
Customer: Yes, as part of the test we want to check if an attacker can guess / brute force passwords.
Pentester: Understood! We're on it.
Finding #1
Rather than wait for the test to end, pentesters share updates on weaknesses as soon as they find them. They notify your team immediately and walk you through the following:
- The type of vulnerabilities
- How severe their impact can be on your systems & business operations
- How you can replicate them
- If they can chain together into a bigger, more damaging exploit
With this information, your security team can respond quickly and strategically.
How You Win
- Your security team guides developers on which issues to address first
- Your security team can respond to vulnerabilities immediately
Pentester: Hi team! We found the following issues:
- Sessions Don't Expire on Logout.
- Non-Current Sessions Don't Expire on Password Change.
- Sessions Don't Expire on Deactivating Users.
You can find more details on how to replicate and fix these issues in the Cobalt platform.
Customer: Are any of these findings classed as high or critical severity?
Pentester: "Sessions Don't Expire on Deactivating Users" is a high severity finding. We recommend you focus on this one first.
Remediate #1
Now comes the important part: remediation.
With traditional pentesting, your developers need to go through PDF reports and emails to find what they need.
Our platform integrates with your existing tech stack and sends that information straight to your developers.
Whether your team uses Jira, GitHub, or other tools, you can leverage the Cobalt API to easily turn findings into tickets and include them in upcoming sprints.
How You Win
- Your security team gets back valuable time from having to manually create tickets for every pentest finding
- The Dev team gets critical context where they work, and can include patches in sprints much earlier
Pentester: Hi team! Our final report is finished and all findings are available on the Cobalt platform for review. Please let us know if there are any questions or if we can help with remediating.
Customer: We've evaluated all findings and can reproduce them on our end. We'll forward them to our developers' Jira boards now -- thank you for helping us find those two critical vulnerabilities!
Confirm finding's risk level
Not every security detail is crystal clear to your Dev team. In many cases they're still learning about product security, and jargon adds even more complexity.
This is where having direct access to pentesters on Slack brings a lot of value. Developers can ask them questions or request help when they're stuck. This interaction not only saves your teams a lot of time, it also teaches developers more about security and empowers them to make strategic decisions.
How You Win
- Developers fix issues much faster, reducing your exposure to possible breaches
- Developers learn more about the security of their code, and how to prevent similar issues in upcoming releases
Customer: Engineering question: I see you’ve marked the likelihood to exploit this finding as "Low." Is it because we assume no logged-in users will have bad intentions, or because it's hard to exploit? My team is planning to use the affected function in an upcoming feature, and we want to know if that makes the finding more urgent.
Pentester: For an attack to happen through this vulnerability, a victim user would need to put the final payload in the DOM via an insertion point or by using dev tools. How your system is set up makes this very unlikely. That being said, we don't recommend you leave this open indefinitely -- it still introduces some risk to your application.
Customer: Thanks, this helps us prioritize -- we'll address this after higher-risk findings.
Retest
With Cobalt, you can retest every discovered vulnerability for free. Why? Because we want you to be sure that your systems are in fact secure after patching.
Once your developers flag that they've patched an issue, our pentesters get that update straight away. They then verify and report back, so you can close an issue with confidence that it's fixed.
If pentesters find that attackers can still exploit the issue, they update your teams in Slack and explain how to move forward.
How You Win
- Confirm that your patches can withstand an attack
Customer: Hi Cobalt team! We marked the findings around environment configuration as ready for a re-test. Let us know if we've been able to fix this.
Pentester: Thanks! We re-tested and these are no longer an issue. We've marked them as "Fixed" for your pentest report.