The Hybrid Vigor of Security Testing


Jakob Storm

Jakob Storm is Co-founder and Chief Product Architect at Cobalt. In his current role, Jakob helps guide the development of the Cobalt platform, working closely with product teams and business stakeholders to drive Cobalt’s architectural roadmap and ensure strong business/technology alignment.



Cobalt has been at the forefront as a Pentest as a Service (PtaaS) platform provider. Having transitioned from a bug bounty approach, we have been running public, curated, and private versions of these programs for businesses over the years. What we have noticed is that businesses are constantly juggling the trade-off between noise on one side and exposure and coverage on the other.

Application Security with Human Hybrid Vigor

Through our experience in these programs we have learned two valuable concepts. The most obvious lesson is that nothing beats human logic — both in introducing vulnerabilities *and* in identifying them — the automated scanners out there only scratch the surface. In addition, we’ve learned that one size does not fit all. Each application is different, and its security should accommodate those differences.

It’s been an extremely interesting process — turning the different knobs to find a balance that makes sense depending on an application's security maturity level, team size, security drivers (e.g. compliance or internal security standards), and more. And we’ve learned a lot!

There is no doubt in my mind that a bug bounty program is a powerful tool — a lot of issues will surface from one. But, and there is a but, it’s a big job to manage it effectively, too big for most companies out there. I won’t dive deep into these hidden costs today, but feel free to check out one of our previous blog posts for a closer look.

One way to counter the issues of bug bounty programs is through traditional application vulnerability assessments — a tried and true concept. You get structured and guaranteed coverage, often at a predictable cost, so it is easy to budget for and you can document the work to your stakeholders. However, too often the actual human testing is done by junior researchers who are poorly incentivized and working for hourly pay. Or the vendor may even substitute a generic scanner for human logic and ingenuity.

Now I come back to the headline of this post: hybrid vigor, the improved functioning of any biological quality in a hybrid offspring. What if we took the elements that make bug bounties awesome — incentives, a qualified and diverse talent pool — and mixed them with the virtues of the traditional assessment world — structure, coverage, quality assurance, and fixed costs? And what if we powered this hybrid with technology that enables integration, communication, and collaboration, making it a breeze to start and run an application security assessment, and making it easy for DevOps teams to access issues, ask questions if needed, and finally fix them — which is the ultimate goal?

What would we call that cross between bug bounties and vulnerability assessments, you may ask? We call that hybrid offspring the Cobalt Pen Test. We assemble the best team for your company and applications based on the application size and tech stack. This handpicked security team then delivers guaranteed coverage and actionable issue reports — including a top-level executive summary that can easily be shared with relevant stakeholders.

With a security solution like this there are a number of advantages that come to mind: #Humanlogic, #tools_assisted, #great_talent, #feedback_cycles, #ratings, #collaboration, #agile, #integrated.

Feel free to tweet at us with some of the hashtags at @Cobalt.io
