
What is Pentesting?

Pentesting, also known as penetration testing, is a security assessment that runs a progression of simulated attacks against an application (web, mobile, or API) or a network to evaluate its security posture. The objective is to penetrate the application's or network's defenses by finding and exploiting vulnerabilities.

These vulnerabilities are weaknesses or flaws that a real attacker could exploit to compromise the confidentiality, integrity, or availability of data. The testing goal is the same whether you are performing application pentesting or network pentesting.

The output of a pentest is a list of vulnerabilities, the risks they pose to the application or network, and a concluding report. The report includes an executive summary of the testing, scope of work, testing methodology, summary of findings, and recommendations for remediation.
The vulnerabilities found during a pentest can be used to fine-tune your security policies, patch your applications or networks, identify common weaknesses across applications, and strengthen your overall security posture.

What is Manual Pentesting?

Manual pentesting is an approach to security testing that layers human expertise on top of professional pentesting tools and techniques, such as automated static analysis of binaries and automated dynamic analysis. Pentesting software is good at discovering instances of standard vulnerability classes, but it cannot detect many design flaws.
A manual pentest performed by a skilled pentester is required for complete coverage, including design flaws, business logic flaws, and chained (compound) flaws whose combined risk can only be recognized through human testing.

Pentest as a Service vs Traditional Pentesting

Companies need pentesting performed on their digital assets to establish trust with customers, comply with regulatory requirements, and improve their security posture. Traditional pentesting services operate in silos and take weeks to schedule and deliver, leaving companies exposed to the risk of breach.
Pentest as a Service (PtaaS) transforms this traditional model by combining on-demand access to expert talent with a modern SaaS delivery platform that allows for real-time collaboration and faster remediation. Customers can proactively build a data-driven pentesting program, test more of their applications more frequently, and mature their security posture over time by leveraging the platform’s collaborative technology.

Cobalt’s Pentest as a Service differs from traditional pentesting consultancies in several ways:


Trusted Talent

When beginning a pentest engagement, customers gain access to Cobalt's large, diverse talent pool. Cobalt matches pentesters to each project based on the desired skill set and experience with the technology stack of each application or network. So you do not get whichever generalists are available, but the pentesters who best match your needs.


Integrations

Cobalt's collaborative platform allows you to more easily manage all your pentest findings compared to a traditional PDF pentest report, while communicating directly with testers using a Slack integration. Findings can also be directly integrated into your software development life cycle workflow via ticketing systems like Jira and GitHub.


Transparency

You are able to communicate in real time with the pentester who discovered each vulnerability, making remediation and retesting much faster. You no longer have to wait until after testing is completed to receive your pentest report.


Flexibility

Cobalt's approach to scheduling and tracking pentester availability makes test scheduling much faster. Tests typically start within 24-48 hours instead of weeks. Further, you can build a repeatable pentest program to stay compliant with PCI DSS, HIPAA, SOC 2, ISO 27001, GDPR, and more.


PtaaS drives a 50% reduction in time to results compared to traditional pentesting.

PtaaS can reduce a pentest's costs by as much as 25%.

Pentest as a Service Life Cycle


1. Discover, 2. Plan, 3. Test, 4. Remediate, 5. Report, 6. Analyze

The Pentest as a Service (PtaaS) model combines data, technology, and talent to resolve security challenges for modern web applications, mobile applications, networks, and APIs. This new approach applies a SaaS security platform to pentesting in order to enhance workflow efficiencies.

The PtaaS life cycle consists of six stages, supported by three core components.


Manage:
Start off your test right by ensuring proper access and security controls.


Collaborate:
Empower collaboration between testers and your team with streamlined workflows.


Integrate:
While the test is running, feed results directly into your DevSecOps ecosystem.

Key roles in this new process include:

Customer:

Security and engineering teams using Cobalt services

Cobalt PenOps Team:

Schedules, manages, and facilitates the pentest process

Cobalt Core Lead:

Facilitates conversation between Pentest Team and Customer

Cobalt Core Domain Experts:

Leverage specialized skill sets which are matched to the Customer’s technology stack

Cobalt Customer Success Team:

Works closely with the customer to kick-off the test and address feedback

Phase 1. Discover

The first step in the Pentest as a Service process is the discovery phase where all parties involved prepare for the engagement. On the customer side, this involves mapping the attack surface areas and creating accounts on the Cobalt platform. The Cobalt PenOps Team assigns a Cobalt Core Lead and Domain Experts with skills that match your technology stack. A Slack channel is also created to simplify real-time communication between you and the Pentest Team.

For more information about this phase, check out 3 Tips for Preparing for a Pentest.


Phase 2. Plan

The second step is to strategically plan, scope, and schedule your pentest. This typically involves a 30-minute phone call with the Cobalt teams. The main purpose of the call is to offer a personal introduction, align on the timeline, and finalize the testing scope.

For more information about this phase, check out 4 Tips to Successfully Kick Off a Pentest.


Phase 3. Test

The third step is where the pentesting itself takes place. Phases 1 and 2 are necessary to establish a clear scope, identify the target environment, and set up credentials for the test. Now the experts analyze the target for vulnerabilities and security flaws that could be exploited if left unmitigated.

As the Pentest Team conducts testing, the Cobalt Core Lead ensures depth of coverage and communicates with your security team as needed via the platform and the Slack channel. This is also where the creative power of the Cobalt Core comes into play.

For more information about this phase, check out Get to Know the Cobalt Core.


Phase 4. Remediate

The fourth phase in the lifecycle accelerates your remediation. It is an interactive, ongoing process: individual findings are posted in the platform as they are discovered, integrations send them directly to developers' issue trackers, and teams can start patching immediately. At the end of your test, the Cobalt Core Lead reviews all the findings and produces a final summary report.

The report is not static; it is a living document that is updated as fixes are made and verified (see re-testing in Phase 5).

For more information about this phase, check out 4 Tips for Making the Most of a Pentest Report.


Phase 5. Report

When you mark a finding as “Ready for Re-test” on the platform, the Cobalt Core Lead verifies the fix and updates the final report. Reports are available in different formats suited to various stakeholders, such as executive teams, auditors, and customers.

For more information about this phase, check out Best Practices for Verifying Vuln Fixes.


Phase 6. Analyze

Once testing is complete, you can analyze your pentest results more thoroughly to inform and prioritize remediation actions.

In this phase, you get a deeper look at the pentest report, with insights that compare your risk profile against other organizations globally, identify vulnerability classes that recur across your applications so development teams can address them at the root, and drive your security program's maturity.

Executive teams also get a straightforward way to track and communicate pentest program performance.

For more information about this phase, check out 3 Key Factors for Improving a Pentest.


Pentest Program Summarized

Without a lifecycle approach to its pentest program, an organization is forced to treat security as a point-in-time project rather than a continuous function. By its nature, a project has a start and an end date; when the project is complete, everyone moves on to the next thing.
It is important to treat a pentest program as an ongoing process. Phase 6, the analysis phase, should always feed into the preparation for the next pentest, whether it happens the following week, month, quarter, or year.
"A good pentest for us is the right people, doing the right tests. But then it's also communicating that effectively and then partnering with our organization in order to actually close those vulnerabilities once they've been found."

Eric Galis, VP of Compliance and Security at Cengage
