Cobalt’s Pentest Maturity Model: Which Level Are You?


Ray Espinoza

Ray Espinoza is the Head of Security at Cobalt. With over 20 years of technology experience and 12+ years in information security, Ray’s collaborative leadership style has enabled him to build information security and risk management programs that support business objectives and build customer trust.


The modern business world constantly faces digital threats. With companies facing these continuous threats, understanding a business’s cybersecurity maturity level can empower better decision-making and ensure the proper tools, processes, and people are in place to best protect against a cyberattack.

Introduction to Cybersecurity Maturity Assessment

With a proper understanding of where on the cybersecurity maturity model your company lives, firms can better protect their digital assets based upon the business vulnerabilities unique to your industry and company.

Other benefits of a cybersecurity maturity assessment (CSMA) include:

  • A better understanding of your security coverage and identification of potential areas of improvement
  • Pentesting that can be continuously improved to become a strategic, data-driven, and seamlessly integrated activity
  • Pentests that not only appropriately mirror the company’s DevSecOps maturity, but also support its further progress through reliable analytics, standardized processes, and improved cross-departmental communication

Defining a Cybersecurity Maturity Model

Improving the output of your pentests requires incremental improvements over time. Cobalt has worked with organizations of varying industries, sizes, and DevSecOps maturity. The progression we have seen them go through can be broken down into these five levels.

An important note about the cybersecurity maturity model: while the different levels include a variety of components, not every individual component is a requirement for every company. Depending upon the exact sector and business service offering, different aspects of each level should be prioritized and considered as relevant to your specific business.

Level 1

  • Testing and remediation happen ad hoc, according to whatever need arises, with no defined structure
  • Only a specific asset is tested
  • Communication overhead between engineering and security: little to no alignment on who does what, when, and how
  • No process for standardizing pentests, which makes it difficult to compare results over time
  • Manual, time-consuming information collection whenever a new test or a retest of the same asset needs to be scheduled

Leveling Up to Level 2: Introduce Structure

  • Implement regular pentests on high priority assets
  • Collect and maintain pentest information in one centralized location
  • Address silos between engineering and security teams with regular communication

Level 2

  • Testing and remediation at the minimum required level, only on the most critical assets, for compliance or policy reasons
  • Difficulty pre-planning and committing to pentests, such as limited flexibility when responding to changes in engineering roadmaps
  • Remediation for low priority assets takes place only if there is a critical vulnerability
  • Security and engineering teams try to align, but remediation is still a largely manual and time-consuming process that doesn’t align with DevSecOps

Leveling Up to Level 3: Improve Efficiency

  • Automate repetitive manual tasks, like findings delivery and status updates on bug fixes, with integrations between technology stacks
  • Introduce smaller and more frequent pentests to stay on top of new code releases
  • Start collecting data from pentesting reports to assess the performance

Level 3

  • Testing and remediation occur at the minimum required level on the most critical assets, based upon compliance or policy requirements
  • Pentests follow a standard methodology, with ample planning and structure to deliver a consistent stream of data for analytics, which helps with performance assessments over time
  • Integrations send findings straight to engineering’s ticketing system to be fixed based upon risk analysis and service level agreement (SLA)
  • Efficient processes and data-driven decisions free up resources for medium priority assets, but remediation of low priority assets takes place only if a critical vulnerability exists

Leveling Up to Level 4: Strategize & Educate

  • Leverage analytics and statistics to guide secure development and define future strategy
  • Align pentesting plans with other departments’ roadmaps

Level 4

  • The organization has a strategic series of pentests with alignment between both compliance and engineering roadmaps
  • The company has a clear vision for compliance testing, and good workflow and structure in place for handling ad hoc requests, driven by strategic decisions
  • Integrations between vendors and the organization’s technology stack empower pentesting to scale with the company
  • Streamlined pentesting processes support engineers in real time and automatically trigger retests alongside status changes

Leveling Up to Level 5: Leveraging Analytics to Empower Strategy

  • Further strategic alignment exists between engineering and compliance roadmaps
  • Integrations trigger a retest of assets after engineers process updates
  • Further development of pentesting scalability through a dedicated process to plan, structure, and standardize a continuous pentest approach of upcoming assets and application updates

Level 5

  • A highly strategic pentest program exists with alignment between both engineering and compliance roadmaps
  • Analytics are used to inform decisions in departments ancillary to security and engineering, such as training and budgeting
  • Integrations between the pentesting vendor’s and the organization’s technology stacks automatically send findings directly to engineers in real time and trigger retests once updates have been made
  • Pentesting scalability is unlocked within the company, including a process to plan, structure, and standardize a continuous pentest approach for new assets and major releases

Key Aspects to Improve DevSecOps Maturity: Frequent and Consistent Pentesting

It’s important to remember that random one-off pentests don’t bring enough structure or data for teams to achieve this progression towards cybersecurity maturity. To push for continuous improvement, companies at levels 3 and 4 should opt for long-term programs that include smaller, more frequent pentests and retesting of assets after engineers deploy changes.

If you’d like to learn more about pentest programs, we’ve covered the topic from A to Z, with resources on:

Want to learn where on the cybersecurity maturity spectrum your company lives? Take the free maturity assessment today!

