Case Study

Labforward Gets a Health Check on Its API



The Challenge

Labforward, a leader in integrated laboratory informatics solutions, merged with Labtwin, a company developing a voice-powered digital lab assistant. The merger expanded Labforward's portfolio and, with it, the platform that handles sensitive experimental data and proprietary research information. The merger, together with customer requirements for proof of annual pentesting and the need to meet SOC 2 and ISO 27001, drove Labforward to expand its security measures, which previously consisted of cloud security monitoring and an internal review process that required every piece of code to be reviewed by multiple developers. “While this approach was working for us, we saw an opportunity to further strengthen our security posture by adding specialized pentesting to identify gaps that automated tools or internal reviews might overlook,” said Rafael Ribeiro, Lead Backend Engineer at Labforward.

Having never partnered with a pentesting provider before, Labforward started their search for a pentesting partner to address their growing security needs.

The Solution

Labforward required a pentesting partner with effective communication and vulnerability tracking, direct collaboration with pentesters, and detailed reporting. The Labforward security team valued the ability to easily create new pentests using pre-defined templates and existing scopes, which rarely change.

“Cobalt's platform makes managing our pentests incredibly easy,” Rafael said. “Their programmatic approach to pentesting allows us to clearly understand how to allocate resources and the resulting scope of testing. The flexible pentest plans, from agile to comprehensive, are a huge plus, allowing us to tailor our testing approach to our specific needs.”

The Results

Labforward partnered with Cobalt to complete API pentesting for their lab assistant mobile application, testing the API between the mobile application and the web application.

Findings from earlier pentests increased Labforward’s awareness of potential risks, allowing them to implement stronger security measures in new features, and reduce the likelihood of critical issues in the future. An early pentest identified a potential CSV injection risk (CWE-1236) in the export feature, which required prior account access to exploit. While not an immediate threat for the clients, addressing it helped enhance overall security.
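The finding above is a CSV injection weakness (CWE-1236): a spreadsheet opening an exported file evaluates cells that begin with a formula trigger. As an added illustration of the export-side mitigation such a finding calls for, and not code from Labforward or Cobalt, here is a small CSV writer that neutralizes formula-triggering cells; the sample rows and the single-quote prefix approach are assumptions of this example, not details from the case study.

```python
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula (CWE-1236). Tab and carriage return are included because
# some applications honour them as a formula prefix after a field separator.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as plain text.

    Non-string values are written unchanged. A string that starts with a
    formula trigger gets a leading single quote, which spreadsheet
    applications treat as "show this literally". Field quoting is left to the
    csv module so embedded commas and quotes stay well-formed.
    """
    if not isinstance(value, str):
        return value
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(header, rows):
    """Serialize rows to a CSV string, neutralizing every user-controlled cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample (assumption, not data from the case study): an experiment
# log in which an authenticated user entered a formula-looking label, plus a
# legitimate label that happens to start with "-" and is therefore also
# prefixed; that is the usability trade-off of this approach.
SAMPLE_HEADER = ["sample_id", "label", "concentration_mM"]
SAMPLE_ROWS = [
    (101, "Buffer A", 2.5),
    (102, "=SUM(A1:A3)", 0.0),
    (103, "-ve control", 0.0),
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```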

Since partnering with Cobalt, Labforward rapidly improved their defensive capabilities by identifying vulnerabilities within their API and exposing gaps in their security posture. “Cobalt’s thorough testing has uncovered new findings in each pentest,” Rafael observed. “These insights have not only strengthened our security posture, but also improved our awareness and processes around managing application-generated files, making our platform more secure overall.”

Moving ahead, Labforward plans to leverage Cobalt’s expertise for AI and LLM application pentesting. “As our platform evolves, ensuring the security of AI-driven features will be increasingly important, and we see Cobalt as a valuable partner in helping us address those challenges,” Rafael concluded.
