Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest



Surfdome is Europe’s premier action sports and lifestyle retailer with over 25 million annual visitors to its website. As a popular e-commerce website, Surfdome, sees the value in having a secure platform. For individuals to buy with confidence, they need to feel safe shopping around and trust the website with their sensitive data. Surfdome is a company that values security, and is ready to attack it head-on in order to ensure a secure environment for its customers.

Jose Pettoruti
Head of Technology

Searching for Security

Jose Pettoruti, Head of Technology at Surfdome, was looking for a new security testing service to help bring web application threats into the light. On their search, Jose and his team came across Cobalt’s Agile Penetration Tests. After a few meetings, they were ready to get started, and gain access to the talent pool and adaptable online platform.

Hacked Now or Hacked Later

It is said, “there are only two types of companies: those that have been hacked and those that will be.” Some companies out there may decide to push security aside and avoid the issue. Others are completely unaware that their application is even at risk. It isn’t until their company's name is spread across the internet linked with the latest worldwide hack, that they even acknowledge the situation.

It is critical for e-commerce companies to emphasize the importance of having a secure website. If a consumer doesn’t feel that the website is safe they won’t buy on it, and once a company has been hacked, damage is already made to the brand.

Surfdome didn’t want to be yet another hacked company headline blasted across the internet. Jose and his team weren’t going to duck dive security. As a modern company, Surfdome saw that testing should be a priority and they were ready to ride that wave out with Cobalt. They wanted the good guys, aka the Cobalt Core, to hack them first. Jose explains:

“At Surfdome, we recognize that web application security is an issue, and want to help address this issue by being aware of the vulnerabilities we are susceptible to. By knowing where threats lie, we can recognize them and fix them. Ensuring our customers that our application is as secure as possible”

Hello Agile Penetration Testing, Goodbye Unknown Security Threats

Surfdome decided to carry out an effective, progressive, and inventive security testing plan with the Cobalt Penetration Tests.

Cobalt supported Surfdome in setting up an application security testing program, with periodic penetration testing by the best pentesters in the Cobalt Core community. Each individual test included:

  • 2 weeks of focused testing performed by a CISSP certified curator and 2-3 technical domain experts sourced from Cobalt’s global talent pool
  • Coverage of OWASP best practices as well as specific application business logic
  • Gamified setup to incentivize pentesters to go both deep and broad in their testing use cases
  • A pentest and executive summary report living up to PCI standards

"We wanted something that could keep up with changes to our website as well as the industry.”

Interactive Platform & Awesome UI

Cobalt aims to provide a great user experience for its pentesters and clients alike on Cobalt Central-- Cobalt’s secure, collaborative, and intelligent platform.

With the Cobalt Central, Surfdome is able to get descriptions, POC, send out suggested fixes, as well as instantaneously mention and assign team members. Jose and his team are also able to communicate directly with pentesters on an individual or group basis. Every finding, vulnerability, and report is just a click or two away.

All Cobalt Penetration Tests are equipped with summary pages, detailed reports, vulnerability heat maps, and an executive summary. The Cobalt Central dashboard Includes user-friendly charts and diagrams that easily illustrate and interpret findings-- for both technical and less technical individuals. Jose expresses:

“Cobalt’s UI is amazing! The platform is effortless to navigate, easy to ask questions, and sharing findings is a breeze. They have really outdone themselves with the platform, and are constantly making additions to help better the experience.”


With Cobalt’s Pentests, Surfdome has received:

  • A modern security testing-as-a-service approach
  • A way to show customers their security posture
  • An amazing platform that allows for instant updates and feedback

“I recommend Cobalt Penetration Tests to any e-commerce business looking to secure their applications. Cobalt, compared to old school Penetration Tests, provides a modern way to run tests and provides a platform to ensure the correction of vulnerabilities, in direct contact with the pentesters.”


  • Finding a penetration testing service that would suit their modern business needs, as well as support them in PCI compliance


  • Semi-annual Cobalt Penetration Test on websites and API

  • A modern SaaS platform to easily work with the pentesters and track individual findings
  • Access to Cobalt’s global talent pool
  • A detailed pentest report