These instructions are for those who have 2-3 Assets in scope for an 8- or 12-credit pentest. As of right now, the only Asset options available to select from are shown below. If you have scoped a project with us that does not fit into one of these categories, please follow the instructions below for the time being while our product team works on a permanent solution.
- Web + API
- Web + External Network
- Web + Mobile
Create a New Asset
Provide the following information about the asset. Keep in mind that only one of the Assets you create can be attached to the pentest.
- Asset Title: Provide a name that makes sense for your team. Examples include “Web Application” and “Global External Network.”
- This is also where you can include all Asset types that are in scope.
- Type: This is the type of product you will be testing. As mentioned above, if your combination of Assets deviates from the list shown above, select the option that most closely matches.
- For example, if you are planning a combined pentest for Web, API, and Cloud Config, select the Web + API option.
- For each methodology, a Scoping Guide is available to help determine the Size of the asset and the Coverage needed. By default standard coverage is selected for any asset size.
- You can view this by clicking on 'Web Scoping Guide'
- Select what most closely aligns and keep in mind that our Customer Experience team will be reviewing the brief and can follow up to clarify anything if needed.
- Based on the inputs to Size and Coverage, credits will be automatically recommended as the default credit for the asset.
- This is not the final credit selection; that will happen in the Planning section.
- Description: Provide details about the asset that will help inform testing.
- This includes a high level overview of what each asset does and its place within your business and business workflows.
- Attachments: Include any documentation and, if possible, a demo video of the asset (up to 100 MB) with the "Upload Files" button (pictured below) for all included assets.
- Templates for Workflow/Priority target and User role matrix are available to guide you if you are not sure what to add.
- Click "Next" once you have completed these steps; this creates the asset. Now you are ready to move on to creating the pentest.
Provide information regarding the goals, scope and all criteria of the pentest. Be as specific and detailed as possible, as Cobalt pentesters use this information to guide their pentesting activities.
- Target(s): Provide all target URLs and IP ranges (if applicable)
- Methodology: Copied from the “Asset Type” selected for the associated asset.
- Objectives: The standard objective is “Coverage of OWASP top 10, ASVS and application logic.” Please edit or add additional objectives as needed; an example would be specific business logic.
- Test Credentials: Indicate whether pentesters will require credentials during testing. If so, we recommend one user account per tester. Additionally, if pentester email addresses are required, Cobalt will provide them via email notification as well as in the platform once pentesters are assigned to your pentest.
- Instructions: Provide Cobalt with all pertinent information regarding your pentest, including targets, goals around testing and any areas that need particular attention. Below are suggested areas of focus:
- High level overview of what the application does
- Highlights of functions or features that are most important to you or need the most attention
- Specific vulnerabilities that you are most concerned about
- Specific business risks related to particular features
- Any other information about quirks or things unique to the app/platform/API
- Instructions on how to access the target environment
- Highlight any areas or workflows that are out of scope
- Description or links to any relevant documentation (API Developers Guide, SDK, etc.)
- Platform: Include tags describing the technology used in the asset(s) you plan to test; for examples, click the info icon. This helps Cobalt match pentesters with relevant skill sets and knowledge.
Provide Target Details
Provide information on the target environment. This includes:
- Target Environment Information
- Additional Pentesting Guidelines: Information pentesters should be aware of regarding business-critical workflows and items to be excluded from testing.
- Test Accounts & Data: More details about data that may be stored in the asset to be tested, as well as any requirements for credits, credit cards, etc. for payment flows included in testing.
The Details section also provides a list of IP addresses Cobalt pentesters will use for testing.
Select a Start Date & Credits
Timeline: Add your desired start date (at least 2 business days from the date the form is filled out). The form will auto-populate the end date as two weeks from the start date. Your Customer Success Manager will work with you to confirm and schedule your pentest. If the pentest needs to begin sooner than 2 business days out, please discuss this with your Customer Success Manager.
Credits: Confirm number of credits to use for the pentest as previously added to the Asset. If you are unsure of the amount of credits to designate, please reach out to your Customer Success Manager. The number of credits assigned for a pentest will be confirmed prior to the start of the pentest.
- Reminder: 4-credit pentests do not include a final report; a pentest must have 5 or more credits allocated to it to include the final reporting.
Advanced options (Additional requests):
This field allows you to directly provide special staffing restrictions to Cobalt.
- This is also where you can note all Asset types you have included in the scope of your combination pentest.
- For example: a 12-credit pentest scoped for Web + API + Network.
Please note that Cobalt cannot guarantee that these requests will be approved. If the request is approved, it is likely to delay the pentest start date.
Once all necessary information is captured you can click Save & Exit from the wizard. The pentest will be saved in Draft state and you will land in the pentest Brief view. Here you can either review pentest information or collaborate with your internal stakeholders to capture additional information and review it again. Once all the pentest information is verified you can click Submit for Review and a Customer Success Manager will review your questionnaire and reach out to you with any questions and next steps.
After submitting the pentest for review you will see a success modal which will guide you on some of the next steps you can take while the pentest is being reviewed by our team.