Cobalt Platform Deep Dive: Explain Accepted Risk in a Few Easy Steps

Explain why the risk was defined as acceptable in just a few easy steps.

Yogi Petkar

Yogi has more than 15 years of experience working in tech through positions in both Fortune 500 companies and startups. He heads our CX Product Management team and shares regular deep dives of new major features in our PtaaS platform.

This blog post is part of an ongoing series in which members of the Cobalt product team provide deep dives into specific platform features.

Most organizations that have undergone a pentest understand that the actual test is just the beginning. The real work begins the moment you receive your pentest report: the list of vulnerabilities and the risks they pose, together with a concluding summary, information on the testing methodology, and remediation recommendations.

With Cobalt’s PtaaS platform, reporting is an interactive and ongoing process. Individual findings and recommended fixes are posted on the platform in real time, so your team can take immediate action. And in some cases, that can mean marking their associated risk as “accepted”.

What does accepted risk mean and why is explaining it important?

Today, security teams accept the risk of some findings for a variety of reasons. Their severity may not meet the internal risk threshold for remediation, or there might be upcoming security controls that address them. Unfortunately, the reason for accepting certain risks often resides in an organization's internal documentation and is not captured as part of the findings report. When reports are shared with customers or stakeholders, the reason for accepting the risk is either lost or must be explained separately.

With the Cobalt platform, you can now not only identify and mark vulnerabilities that have no measurable impact on your security posture, but also explain why the risk was defined as acceptable. This additional context is captured in the final pentest report that can be shared with stakeholders including customers and auditors, so they can assess the security posture of your organization’s assets accordingly.

How it works

Once you have initiated a pentest on Cobalt’s platform and vulnerabilities are discovered, they become available for you and your team to review and analyze. If you decide that certain findings are not a true risk to your assets, you can change their state to “Accepted Risk.”

[Screenshot: Accepted risk selection]

Once you click on “Accepted Risk,” a new modal opens.

[Screenshots: Accepted Risk modal, before the reason drop-down is opened and in full-screen view]

From here, you can select a reason for accepting the risk. If you don’t see a matching reason applicable to your organization, you can select “Other” from the drop-down list and enter additional information in the notes section.

Once you click “Submit,” this information will be recorded in the platform and will be visible in the findings comments section for all users who have appropriate access. Additionally, this event will be recorded on the platform and collaborators from your organization will be notified within the platform, as well as through email. All users with access to the pentest and the associated findings will be able to see who has accepted the risk, when it was accepted, and why.

[Screenshot: Accepted risk reason]

All of this information is also included in your final pentest report. The Post-Test Remediation table provides a summary of all findings from the pentest, along with their latest status. If the status is “Accepted Risk,” a supplemental table below the remediation table presents the accepted risk reason and additional notes. This helps organizations convey contextual information to their most important stakeholders, such as customers, prospects and auditors, without needing supplemental documents or having to explain it verbally.

[Screenshot: Post-test remediation table]

As we continue to be a leader in PtaaS, we are always looking for ways to ensure Cobalt is the most innovative solution for DevOps-driven software companies that want to implement security across the development lifecycle and optimize application security processes.

Curious to learn more? Schedule some time with one of our security experts to see Cobalt in action!
