FAQs to help you get started with the Cobalt platform and know what to expect from the pentests.
Q: What is an organization?
A: An organization is the place on the Cobalt platform where you and your team can access all the information regarding all aspects of your pentest experience (pentests, reports, assets etc).
Q: How do I add people to my organization?
A: Log in to the platform, click on the People on the left side bar. Add the email address of the person you'd like to add and then select if you would like them to be an owner or a member. Note that only organization owners can add and remove people from the organization and enable SAML. For more information please see our article on adding new users.
Q: What user roles are available?
A: There are two main levels of user roles on the Cobalt platform: organization and individual pentest. On the organization level, both an organization owner and member can view all the pentests, assets and people within the organization. Only an organizational member can add/remove people. A team member (also referred to as a collaborator) is someone who is added to and can only see a specific pentest. For more details please see our article on different user roles.
Q: What is an asset?
A: An asset represents the product and/or aspects of the product you will be testing. Examples include a website, mobile application or an internal network. It is the foundation around which a pentest is built. On the Cobalt platform, an asset serves as a container of information about your product application, where you can track and view how the security posture of the application evolves over time (as seen in the Insights section of the platform).
Q: What is a credit?
A: A credit is a unit of work that can be applied to a pentest. Credits can be applied to any pentest, providing maximum flexibility. The number of credits needed for a pentest depends on the scope of the asset being tested. For more information please refer to https://www.cobalt.io/pentest-pricing#cobaltcredits .
Q: Where can I see my credit balance?
A: Log into the platform, click on "Credits" in the left navigation bar. Additional information on credits can be found here.
Q: How do I add more credits?
A: Consult your CSM about adding additional credits to your organization.
Q: What happens if I have purchased credits but they do not appear on the platform?
A: Credits appear on the start date of your subscription. Credits will not be available prior to that date. If you need your credits before that date, please contact your CSM.
Q: What is a pentest brief?
A: A pentest brief refers to the information provided in the Objectives and Details sections of the Cobalt pentest wizard. This includes information used by pentesters as a guide to test your asset. For example, this can include the functionality of the asset, critical business workflows, areas that you would like to receive extra attention, items that should remain out of scope and user roles.
Q: What information should I include on the brief?
A: The brief should include information on items like user roles, critical business works, areas of specific focus, areas that are out of scope, target urls and tech stacks. A full guide can be found in the Objectives and Details sections of the pentest wizard, as well as in Step 3 in the article “5 Steps to Create a Pentest”
Q: How soon can I begin my pentest?
A: Once the pentest brief is completed and submitted, a standard pentest with no additional requirements (i.e. testing during certain hours, specific credentials) will be staffed and ready to begin in 48 hours (2 business days). Additional requirements may result in longer staffing time. If needed sooner, please contact your Customer Success Manager (CSM).
Q: How long is the standard testing engagement?
A: Our standard pentest runs for two (2) weeks.
Q: How are pentesters selected for my pentest?
A: Pentesters are selected from our highly vetted pool of Cobalt pentesters (known as Core). They are matched based on the type of asset (i.e. web, mobile, network), tech stack, as well as other needs and requirements provided in the brief.
Q: Is there a way to provide pentesters a walkthrough of my product prior to starting testing?
A: You can attach a video of a product walkthrough under the Asset (file size up to 100MB) on the Cobalt platform, which pentesters will be able to view.
Q: How do customers communicate and collaborate with pentesters during a pentest?
A: Once a pentest is staffed, a Slack channel is automatically created. You and those you designate from your organization will receive an invitation (as discussed with your CSM), as well as the pentesters selected for the pentest, your CSM, and the Cobalt Pentest Architect who is responsible for staffing the engagement.
Q: What kind of communication can I expect from pentesters during the pentest?
A: All pentesters will provide at least 4 updates during the 2-week pentest period.
Q: Do you conduct pentests during holidays?
A: Pentests do run during holidays. If a pentest has launched prior to a holiday, pentesters will remain active during that period. However, we highly recommend that you do not begin a pentest during a holiday period in order to allow your team to work closely with the pentesting team during the first days of testing.
Q: When do I receive my final report?
A: The final report is delivered 3 business days after the end of a pentest engagement.
Q: What kinds of reports do you provide?
A: Cobalt provides four (4) types of reports: Customer Letter, Attestation, Full Report, Full Report + Finding Details. For more details about what is included in different report versions, please refer to this article.
Q: Are reports customizable?
A: For questions regarding customization, please contact your CSM.
Remediation and Retesting
Q: Is retesting included in my subscription?
A: Yes. Retesting is available to all current customers with an active subscription.
Q: How do I submit a finding for retest?
A: On the platform, locate the finding you would like retested by clicking on the pentest name>findings>filter by pending fix>select the finding. Under the Activity section, select “Ready For Re-test” from the dropdown menu. Add any additional comments in the comments field and click “Comment” to save. More information can be found in this article.
Q: How long does it take to retest a finding?
A: Retesting is generally completed within 7 business days from submission.
Q: When can I submit a finding for retesting?
A: A finding can be submitted for retesting at any time from after the vulnerability is reported on the platform until the end of a subscription (given at least 10 business days prior to subscription expiration).
Q: What if we determine that a reported vulnerability is a very low risk or can be addressed without a technical fix?
A: Findings in this category can be marked as an 'accepted risk.' Read more about marking a finding as an accepted risk in this article.