Menu Icon
< back to main
 • 5 min read

Pentest as a Service Life Cycle

The phases and process of a modern pentest platform

Pentest as a Service Life Cycle
Caroline Wong
Caroline Wong

Caroline Wong is the Chief Strategy Officer at Cobalt. As CSO, Caroline leads the Security, Community, and People teams at Cobalt. She brings a proven background in communications, cybersecurity, and experience delivering global programs to the role.

Want to see the platform in action?
get a demoArrow Right
Want to see the platform in action?
get a demoArrow Right

The Pentest as a Service model combines data, technology, and talent to resolve security challenges for modern web applications, mobile applications, and APIs. This new approach applies a SaaS security platform to pentesting in order to enhance workflow efficiencies.

Pen Testing as a Service Life Cycle

Key roles in this new process include:

  • Customer: Security and engineering teams using Cobalt services

  • Cobalt PenOps Team: Schedules, manages, and facilitates the pentest process

  • Cobalt Core Lead: Facilitates conversation between Pentest Team and Customer

  • Cobalt Core Domain Experts: Leverage specialized skill sets which are matched to the Customer’s technology stack

  • Cobalt Customer Success Team: Works closely with the customer to kick-off the test and address feedback

All 6 phases of Pentest as a Service, as visualized in the infographic above, happen in the cloud on the Cobalt platform and Slack channel.

Pen Testing Team

Phase 1. Preparation

The first step in the Pentest as a Service process is to prepare all the parties involved in the engagement. On the Customer side, this involves determining and defining the scope of the test and creating accounts on the Cobalt platform. The Cobalt PenOps Team assigns a Cobalt Core Lead and Domain Experts with skills that match the Customer’s technology stack. A Slack channel is also created to simplify on-demand communication between the Customer and the Pentest Team.

For more information about the Preparation phase, check out 3 Tips for Preparing for a Penest.

Kickoff

Phase 2. Kick Off

The second step is kicking off the pentest. This will typically involve a 30-minute phone call with the Customer and Cobalt Teams. The main purpose of the call is to offer a personal introduction, align on the timeline, and finalize the testing scope.

For more information about this phase, check out 4 Tips to Successfully Kick Off a Pentest.

Testing

Phase 3. Testing

The third step is where the pentesting will take place. Steps 1 and 2 are necessary to establish a clear scope, identify the target environment, and set up credentials for the test. Now is the time for the experts to analyze the target for vulnerabilities and security flaws that might be exploited if not properly mitigated.

As the Pentest Team conducts testing, the Cobalt Core Lead ensures depth of coverage and communicates with the Customer as needed via the platform and Slack channel. This is also where the true creative power of the Cobalt Core Domain Experts comes into play.

For more information about this phase, check out 4 Tips for Keeping a Pentest Methodology Successful.

Reporting

Phase 4. Reporting

The fourth step is the reporting phase, which is an interactive and on-going process. Individual findings are posted in the platform as they are discovered, and at the end of a test the Cobalt Core Lead reviews all the findings and produces a final summary report. Once the report is complete, it is sent to the customer.

The report is not static; it’s a living document that is updated as changes are made (see Re-Testing in Phase 5).

For more information about this phase, check out 4 Tips for Making the Most of a Pentest Report.

Re-test

Phase 5. Re-Testing

It’s important to identify vulnerabilities in your applications, but most important is fixing the issues that are found in order to improve the security and quality of the code. Once the Customer is aware of the security issues identified during the pentest, addressing each issue happens over the course of the next few weeks and months. When the Customer marks a finding as “Ready for Re-test” on the platform, the Cobalt Core Lead verifies the fix and the final report is updated.

For more information about this phase, check out Best Practices for Verifying Vuln Fixes.

Feedback

Phase 6. Feedback

Once the testing is complete, the report has been sent to the Customer, and remediation is in the works, Cobalt’s Customer Success Team reaches out to the Customer for feedback. Customers initially provide feedback through a five-question survey which allows them to rate the overall process, findings, and full report.

During a scheduled feedback call, Customers dive deeper into their survey responses as needed and align with the Cobalt Customer Success Team on action items and expectations moving forward. This feedback helps the Cobalt team to continue to improve the process for upcoming tests and shape the platform product roadmap moving forward.

For more information about this phase, check out 3 Key Factors for Improving a Pentest.

Concluding Remarks

Without applying a lifecycle approach to a Pentest Program, an organization is doomed to treating security as a point-in-time project rather than a continuous function. By its nature, a project has a start and end date. When the project is complete, everyone moves onto the next thing.

It’s important to treat a Pentest Program as an ongoing process. Step 6, the Feedback Phase, should always lead into the preparation for the next pentest whether it’s happening the following week, month, quarter, or year.

Sign up here for a demo of Cobalt’s Pentest as a Service platform.

Related Stories

How to Build Resilience in Cybersecurity: 4 Lessons Learned From Military Experience
How to Build Resilience in Cybersecurity: 4 Lessons Learned From Military Experience
What better group to turn to for advice than security leaders who have worked on the front lines of risk and uncertainty?
Read moreArrow Right
Cybersecurity Statistics for 2021
Cybersecurity Statistics for 2021
What's new in ransomware, social engineering, and many other security threats
Read moreArrow Right
New Ebook: Beginner’s Guide to Compliance-Driven Pentesting
New Ebook: Beginner’s Guide to Compliance-Driven Pentesting
Find out more about the role of pentesting in your company’s compliance effort.
Read moreArrow Right
The State of Pentesting 2021: Common Vulnerabilities, Findings, and Why Teams Struggle With Remediation
The State of Pentesting 2021: Common Vulnerabilities, Findings, and Why Teams Struggle With Remediation
Each year, we publish The State of Pentesting report to provide a detailed overview of vulnerabilities and identify the trends and hazards that impact the cybersecurity community.
Read moreArrow Right

Never miss a story

Stay updated about Cobalt news as it happens