Today Cobalt officially announced that the company has raised $29 million from investors in a Series B funding round, led by Highland Europe. We sat down with two of the company’s leaders — Jacob Hansen, CEO and co-founder, and Caroline Wong, Chief Strategy Officer — to talk about what this means, how Cobalt is disrupting the world of pentesting, and why PtaaS is resonating so strongly.
What an exciting milestone, congratulations!
Jacob Hansen: Yes, this is a magical moment. My co-founders and I have long believed that traditional pentesting is outdated. We knew that we could do better, and now we’ve received further validation for that vision.
Most of the innovation in this space centers on tools. But the people and process side of pentesting was ripe for improvement: that’s where we saw opportunity, and that’s what sets us apart.
Interestingly, none of the founding members of Cobalt were security “insiders.” Yet we all brought a unique perspective, and I think that’s been a large part of our success — the ability to act as an outsider.
Caroline Wong: I couldn’t have said it better. This is such an awesome company and an incredible team. We have many people to thank for helping us to get where we are today. There are three groups in particular that we always acknowledge are critical to Cobalt: our team members, our customers, and our pentester community. I’m incredibly passionate about each of these constituencies, and love that I’m in a position to work directly with each. Those individuals, I’d say, are our “special sauce.” They’re what makes Cobalt tick.
Speaking of “what makes Cobalt tick”, the driver behind any funding round is, arguably, the startup’s unique value proposition. So what exactly is the value prop here? How does it differ from the traditional model?
JH: Security testing has been around for decades, but it’s undergone a seismic shift. Digital transformation has given rise to a level of business complexity that automation alone cannot handle. So you need human logic — people — to test software.
That’s where Cobalt comes in. We address the manual element of security testing and tackle 3 major pentest pain points:
Static report delivery. The fact that a multibillion dollar industry still relies on PDF reports is problematic. That’s not conducive for bug tracking and it’s not dynamic. We built a SaaS application, which streamlines communication and makes a pentest inherently collaborative.
Local talent limitations. Cobalt manages a global community of pentesters. That allows customers to start an engagement faster, and also lets them amass talent based on skill set and expertise, versus just physical location.
Expensive and cumbersome testing. With Cobalt, you get better ROI and can start your test in as little as 24 hours. That’s a major differentiator for many of our customers, who may be dealing with budget limitations or need to kick off their test in less than 4 weeks, which is the industry average.
I could go into more detail about any one of these three areas, but that’s a high-level overview.
CW: I’m going to double-click on the talent piece Jacob touched on, because that’s really interesting.
We as a company champion deep collaboration and cooperation between pentesters, security teams, and developers. I believe it’s only in partnership that security issues can be found and fixed so the software can become more secure. As global value shifts from physical to digital, there’s a tremendous demand for cybersecurity skills. Few individuals truly have what it takes to actually do a manual pentest. Security consultancies have taken advantage of this fact. They use smoke and mirrors and custom SOWs to manage a limited bench of consultants. For any given project, there’s no guarantee or transparency into the skills of the pentester actually matching the technology stack being tested.
Cobalt is challenging that old school model because it doesn’t scale, it requires a tremendous amount of resources, and it just doesn’t work with how the modern world develops software. ‘SaaS enabled marketplace’ is kind of a heady term, but it pretty accurately describes what we do, and why we use the term PtaaS, or pentesting as a service.
Interesting that in each of your responses, you combined value with vision.
JH: Yes, the two are inextricably linked. We are executing on the promise of a more secure world, with a vision of ultimately building the interface to the global security workforce.
Everyone talks about the magic combination of people, process, and technology, so let’s dig into the people piece. You’ve stressed that having quality talent on hand to conduct a manual pentest is core to Cobalt’s success. What does that vetting process look like?
CW: Great question. We currently have hundreds of pentesters in our community, and the number of yearly tests we conduct is set to increase by more than 100% this calendar year. That’s a lot of growth to sustain, and we need to bring people on board who will meet the high bar which we’ve set for ourselves. Cobalt receives a huge number of inbound pentester applications each month, and I’d estimate we only accept about 3 to 4% of the inbound applicant number. It’s a rigorous trust-building process.
What lies ahead for Cobalt? Any closing thoughts?
JH: We’ll use this latest round of funding to accelerate our business growth and execute on major milestones. Over the coming years, we have a goal of building a 1-click pentesting interface. That means you could start a pentest without needing to speak with anyone. We also are working on integrating Cobalt into the rest of the application security ecosystem. There will be more information to come on both these milestones, but needless to say I’m incredibly excited about the massive impact they will have on the pentest industry as a whole. The gravity field is going to completely shift.