Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

Pentest Services

Pentest Services

Pentest Services

Cobalt specializes in manual penetration testing (pentest) services for web applications, mobile applications (iOS/Android), desktop applications, APIs, and external networks. Using our SaaS platform, you can easily manage your vulnerability workflows.

Cobalt certified pentesters@2x

Skill set matching
for each test


No two applications are the same, so we bring just the right combination of skills, performance, and experience to you based on your tech stack. We draw on the Cobalt core, a core of 100+ heavily vetted, high quality pentesters to find the right skills to match to your security requirements, business needs, and schedule. Cobalt connects you with the world’s most skilled and trusted pentesters on an industry-leading security testing platform. We don’t just give you the next pentester waiting on the bench, instead we handpick the testers that fit your testing needs.


The Cobalt research pool contains a vast array of pentesters from certified security professionals to highly skilled pentesters with deep domain expertise. Our pentesters have years of experience and a passion for finding vulnerabilities. Each Cobalt Core pentester undergoes third party identification and criminal background checks, an extensive technical interview process, and an objective skills assessment.

Core pentester@2x
Cobalt certified pentesters@2x

What to fix and
how to get it fixed


Fixing vulnerabilities is an important part of reducing an application’s overall risk, but most important is fixing them so the application’s users and data can remain well-protected.


To help prioritize vulnerability fixes, Cobalt provides a criticality rating based on impact and business context such as the damage potential, reproducibility, exploitability, number of affected users, and discoverability of each finding. In addition, Core pentesters provide detailed notes on recommended fixes, and if you have a question at any point you can easily communicate with them in real time.

Pen test finding@2x

Our Pentest Service Offerings

As one of the top pentesting companies and penetration testing service providers, Cobalt offers a variety of security penetration testing services. Can't find what you're looking for? Reach out to learn about our different pentesting service offering.

Web Application Pentest


Cobalt’s web application penetration testing service leverages the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) and the OWASP Testing Guide, which together create a comprehensive framework for assessing the security of web-based applications, as the foundation for our web application assessment methodology. On top of OWASP Top 10 vulnerabilities the pentesters will also test the security of specific business logic associated with the web application such as weaknesses in data validation or integrity checks, flaws that can only be discovered through manual testing, not automated vulnerability scanning. Misconfiguration, cross-site scripting (XSS), broken authentication and session management, exposure of sensitive data, and access control-type vulnerabilities in applications are just a few of the vulnerability types that the Cobalt team discovers.

API Pentest


APIs, short for application programming interfaces, have gained a lot of popularity among developers because they easily allow third-party programs to interact in a more efficient and easy way. API penetration testing is very similar to web application penetration testing and so the Cobalt API pentesting methodology is based on the same foundation - the OWASP Top 10, the OWASP ASVS, and the OWASP Testing Guide. Cobalt tests web-based APIs, REST APIs, and mobile APIs. Cobalt pentesters analyze the target API to find out which authentication type is used. Cobalt pentesters study API structures, understand request methods, and understand responses. Per client instruction, they can use techniques which can be applied to endpoints and exploit bugs on a real production API or an API in a staging environment. By understanding structure, roles, and scopes the testers are able to find hidden weaknesses in your application.

Mobile Application Pentest


Mobile applications are becoming more and more popular which means that consumers and corporations find themselves facing new threats around privacy and insecure applications. Cobalt does testing for applications on all mobile platforms including iOS, Android, and Windows. Cobalt’s pentesters go beyond looking at just common API and web vulnerabilities to examine the risk of a mobile application, leveraging OWASP Mobile Top 10 and methodologies to assess the security. For instance, Cobalt pentesters discover vulnerabilities related to code tampering, reverse engineering, and extraneous functionality. .

External Network Pentest


Cobalt can test external networks for any hosting service. Cobalt pentesters will carry out the testing without detailed network or infrastructure diagrams and without any accounts or additional user information (unless required as part of the scope). At Cobalt, we follow a standard methodology based on Open Source Security Testing Methodology Manual (OSSTMM) for network penetration testing services. This comprehensive, peer-reviewed methodology in part, includes:

  • A posture review and preparation to avoid false positives
  • Enumerating targets and visibility audit
  • Verifying access, trust, controls, processes, configuration, property (information and data), exposure, quarantine measures, and survivability
  • Reviewing network segregation and privilege management
  • Reviewing alerts and logs

The External Network test can be limited to a specific IP range or also include more wide reconnaissance using OSINT (open-source intelligence).

AWS Pentest


Amazon Web Services penetration testing (AWS pentesting) is a popular service for any pentest company, driven by the growth of AWS capabilities. Cobalt’s AWS pentest is an exercise in which the Cobalt Core pentester carries out an assessment over the Amazon-based cloud environment and all of its internal and external components. At Cobalt, we follow an industry standard methodology primarily based on Amazon’s CIS Security Standard and additional security testing methodologies such as OWASP ASVS and the OWASP Top 10. We perform the following steps in order to ensure full coverage: target scope reconnaissance, component enumeration, automated component configuration assessment, automated and manual assessment of externally exposed services, architectural design analysis, reporting and remediation tracking.

Code Assisted Pentest


Pentests are typically performed from a “black box” or “zero knowledge” perspective; meaning the security pentesters have limited to no prior knowledge about the implementation details of the target, in-scope application. With code-assisted, gray-box penetration testing, Cobalt’s pentesters have access to the source code of the application; effectively enabling the team to use the code alongside testing activities as a means to gain a thorough understanding of the target application and enhance the accuracy of the findings discovered during testing.

Additional Pentest Services


Can't find what you're looking for? Reach out to learn about a more customized pentest engagement from micro engagements to continuous testing. As one of the world’s leading security penetration testing companies (pentesting companies), we offer services customized to your testing needs.