For pentests, an asset is a software component of value. Learn more about the asset types.
Organization View
Navigate to the Assets page to view and manage your assets. Here, you can see how many pentests are associated with each asset.
You can create a pentest for an asset or edit the asset. To do this, select the three-dot icon under Action, and select the desired option.

Asset View
To view asset details, select an asset. Here, you can edit asset details, view associated pentests, and create a new pentest for the asset.

Asset details are also available to Cobalt Core pentesters when they are assigned to a pentest, which helps them better understand the asset they are testing.
Create a New Asset
For comprehensive information about creating an asset, see Create an Asset.
Best Practices
- Describe your asset as clearly as possible.
- Add a product walkthrough and asset documentation using the templates provided.
- Keep your assets up to date.
- Start creating or editing your asset before creating your pentest. You can reuse the asset for future pentests.
Asset in the Pentest Wizard
Once you've selected the pentest type, select how you want to proceed with your asset:
- Create a new asset:
  - On the Asset page, specify the asset details. Once you select Create Asset, you land on the Assets page.
  - To set up a pentest for this asset, select the three-dot icon under Action, and then select Create a Pentest.
- Use an existing asset:
  - Select an asset from the list. Once you select Continue, you can see asset details on the Review Asset screen. To update asset information, select Edit Asset.
See Define Your Assets for more information.

Access and Permissions
Only Organization Owners and Organization Members can create an asset directly from the Organization page.
Pentest Team Members can't access the Assets page. They can see and edit an asset that is linked to the pentest they were added to. They may not be allowed to attach files to an asset. An Organization Owner or Member of their company or a Cobalt Customer Success Manager can assist in this case.
For more information about Cobalt user roles, see What do the user roles mean?
Value of Assets
1. Structure your pentest data and observe trends
Insights give you an overview of your assets and let you compare their results. You can analyze the data for a single asset or across all of them, zooming in and out to see how security posture changes per asset or in aggregate.

For more information about Insights, see Cobalt Insights.
2. Build knowledge and save time
Asset
Once you add information about your asset, you never have to start a pentest from scratch again. All of this knowledge is reused in your future tests. When needed, you can edit the asset content and add new documents.
Findings
In the background (not visible to Cobalt customers), the lead pentester on a new pentest can see the open findings from past pentests under the same asset. This helps them understand the sensitive areas of your asset and avoid leaving vulnerabilities open for too long. A lead pentester can see the details of the previous findings, retest them, and confirm with you whether they are still occurring.
FAQ
Can a pentest be attached to 2+ assets?
No, a pentest can only be linked to a single asset. If your asset has multiple methodologies such as Web + API, you can choose a combined methodology. If the combination is not available, e.g. Mobile + External Network, pick one of the two and let your Customer Success Manager know so that the Cobalt team can select pentesters with the appropriate expertise.
I want to test two scopes (e.g. web and mobile applications), how many assets should I set up?
On the Cobalt platform, one asset can have many pentests, so we can rephrase the question as: how many pentests should you run to test the two scopes (in this example, one web app and one mobile app)?
It will depend on multiple criteria:
- Do the two scopes share some of the same code or functionalities?
- Do you need a separate pentest report for each of the applications?
- Are one or multiple teams in charge of these applications?
If the web and mobile applications communicate and share some of the same workflows, only one report is needed, and one team is responsible for both applications, it makes sense to test them together. However, if the applications are different, each needs its own report, and they are handled by different teams, it makes more sense to divide them into two tests.
It is possible to run separate tests on the same asset. In other words, the web and mobile pentests could both be attached to the same asset.
In this example, we would suggest separating the assets because it will allow you to get a more granular overview of the maturity of your security posture and progress over time by product.