
Introducing CVSS Scores and More Pentest Reporting Enhancements

Understanding your vulnerabilities and their potential impact is crucial for effective risk management. That is why clear, informative reporting along with detailed context for remediation is essential. We're excited to announce that CVSS (Common Vulnerability Scoring System) v3.1 is now a standard field in our reports. We will continue to provide both OWASP severity ratings and CVSS scores, ensuring you have multiple metrics to assess findings and prioritize risk more effectively. This update, along with a series of other improvements to our reports, ensures you’re equipped with the actionable insights needed to prioritize remediation.

[Image: Tester view in the Cobalt Platform]


Enhanced Vulnerability Prioritization with CVSS Scores

CVSS provides a standardized numerical 0-10 severity score for each vulnerability, which also maps to a qualitative rating (Low, Medium, High, Critical). Risk measurement is otherwise subjective and varies between organizations; a standard score makes ratings more accurate, consistent, and comparable. Adding CVSS scores to findings helps you better understand each finding and prioritize your risk accordingly.


OWASP Severity Ratings vs CVSS

There are ongoing debates about the proper risk rating methodology to use for vulnerabilities. OWASP and CVSS are just two of a number of rating systems, each evaluating severity from a distinct perspective with its own scoring method. The discussion usually revolves around their roles in identifying and prioritizing security vulnerabilities: OWASP focuses on guidance and risk assessments that can be more contextual, while CVSS provides a standardized numerical score for vulnerability severity.

  • OWASP: Prioritizes business impact by considering the broader context, including the organization’s objectives, risk tolerance, and the specific environment.
  • CVSS: Focuses on technical severity with a standardized score based on the vulnerability’s technical characteristics, without initially factoring in the specific environment or business impact.

We believe that having more information on vulnerabilities and multiple data points on findings to inform remediation efforts is a strong addition to Cobalt’s reporting.

One Senior Security Engineer stated, “Having both OWASP and CVSS scores within the Cobalt Platform gives us a comprehensive view of vulnerability severity, allowing for much more informed prioritization. The CVSS addition was exactly what we needed.”



How Does CVSS Scoring Work?

To provide you with deeper context and insights for remediation, all new pentest findings in Cobalt include a CVSS v3.1 rating in addition to the OWASP severity rating. All CVSS inputs are available to you through the platform's CSV and report downloads, the Cobalt API, and integrations. During the beta period for this feature, one customer told us, "The automatic CVSS score calculation and its integration into the reports and API is fantastic. It saves us time and ensures consistency across our vulnerability management workflows." Another said, "The standardized CVSS scoring has significantly streamlined our risk assessment process. It's great to have a clear, numerical value alongside the OWASP ratings. This makes communicating risk to our teams so much easier." Wherever you review and ingest findings, you'll now see the CVSS score alongside the OWASP rating and additional vulnerability context.


Improved Pentest Reports, Actionable Insights

Along with improving severity rating and reporting data, we've also enhanced the final report delivered at the end of the pentest engagement. If you haven't already noticed, all of our reports got a makeover this year. While the new look is nice, the focus is on clarity and readability. The Full Report, Full Report with Finding Details, and Customer Letter are now more refined and allow you to tailor the report to fit your needs. We've added new customization options, a table detailing open and resolved findings, sorting options for remediation, and a 'Test Coverage' table outlining tested areas, coverage results, and associated findings.


These reporting enhancements, coupled with the severity rating improvements, are just a few ways we’re acting on our commitment to provide you with clear, comprehensive vulnerability insights to enhance your remediation efforts. Whether you're assessing vulnerability severity or sharing findings with stakeholders, these updated reporting features are designed to empower your teams with actionable security insights.


About Brittney Belt
As a Product Marketing Manager at Cobalt, Brittney leverages her PMM and cybersecurity expertise to translate complex technical concepts into clear, engaging narratives to showcase the value of Cobalt's pentesting and security services. She also leads the strategy for customer content, highlighting how customers partner with Cobalt to strengthen their security posture.