Create an Asset
You can launch multiple pentests for an asset. Once you’ve set up an asset, you can reuse it in your next pentests.
Creating Assets
To create an asset, go to the Assets page, then select New Asset.
In the form, specify your asset details.
Best practices for creating an asset:
- Describe your asset as clearly as possible.
- Add a product walk-through and asset documentation using the provided templates.
- Keep your assets up to date.
- Start creating or editing your asset before creating a pentest. You can reuse the asset for future pentests.
- Use tags to map your assets to external systems.
Asset Details
The Asset screen prompts you for the following information:
- Asset Title: Set up a descriptive name to attract attention from the best pentesters.
- Asset Image: Use it to help identify what you need from a list of assets.
- Asset Type: Select one of the options described in the linked page.
- Technology Stack (for Web, Mobile, API, and combined asset types): Add a technology stack for your asset. You can preview potential vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) standard for this stack.
- Asset Description: Add information that can help your pentesters fully analyze your asset.
- Attachments: Upload documentation, architecture diagrams, images, spreadsheets, or videos related to your asset.
- Assigned Group: The group that is assigned to the asset will have exclusive access to it and its associated pentests and findings. Learn how to create a group.
- Tags: An asset tag is customer-defined metadata associated with a Cobalt asset. Learn how to use asset tags.

Describe Your Assets
Our pentesters need all relevant information about your asset. To help you understand what to share, we include a description template.
For all assets, we’d appreciate a:
- High-level overview
- Description of important functions or features
- Business risks associated with each function and feature
Include links to published documentation related to the asset. You can upload documentation, diagrams, and more in various file formats under Attachments.
The following sections detail additional needs for different kinds of assets:
Web, API, Mobile
Web, API, and Mobile assets frequently include user roles in different categories such as:
- Administrator
- Service user
- Regular user
Each of these roles typically has a different set of rights, privileges, or permissions. We can verify whether such roles are appropriately limited.
For web assets, define the application type. For example, some web assets may be a:
- Page-driven website
- Single-page application
Web and API assets frequently include dedicated reference documentation. For example, RESTful API assets frequently include OpenAPI-based documents that describe the properties associated with each endpoint.
Web Asset Description
Help us find the right pentesters for your asset. Include a high-level overview of the application. Add details such as:
- Coding Language.
- Functions or features central to the capability of your asset.
- Business risks associated with specific functions or features.
- Special endpoints associated with your dynamic pages.
- While our pentesters can find the API endpoints used by your web app with browser “Developer Tools,” let us know if you have special concerns with one or more endpoints.
Network Assets (External and Internal)
Our pentesters need network diagrams to know what to test on a network. If you’ve set up a jump box for our pentesters on your network, include the location in the diagram.
Add network information, including the IP address / hostname of the jump box.
Cloud Configuration Assets
Our pentesters need to know how you’ve set up and use your cloud assets.
Make sure to include the:
- Cloud provider
- Services
- Applicable network / architecture diagrams
Technology Stack
You should specify the technology stack associated with your asset. The technologies can vary by asset:

When you create or update a Web, Mobile, API, or combined asset, you can add a technology stack for it. Technologies that you selected from a predefined list on the asset details page populate in the Technology Stack field in the pentest wizard.
- You can add more technologies for your pentest, in addition to those that you specified for your asset earlier.
- We don’t show a predefined list of technologies in the Technology Stack list in the pentest wizard, as opposed to the asset details page. Type a technology, and press Enter to confirm.
Web
When building a web application, you may use one or more coding languages. List those languages in the text box.
In addition, dynamic web sites may pull information from databases. Include those languages as well.
Mobile
For some, mobile apps are an extension of web apps. If you have a dedicated mobile app, your pentester needs to know the language used to develop that app.
You may have used one of the Web app languages. You may have also used one or more of the languages that are designed for mobile apps. In either case, add those languages to the list.
API
An API, short for an Application Programming Interface, specifies how apps communicate with each other. Most APIs are associated with one of the following technologies:
- RESTful APIs
- GraphQL
- Simple Object Access Protocol (SOAP)
The technology drives the commands used to access data. API testing also depends on the programming language used to set up the API. In general, you may use one or more of the same programming languages used to create Web or Mobile apps.
Internal Network / External Network
The technologies associated with internal and external networks generally relate to hardware components, including:
- Routers
- Switches
- Firewalls
- Load Balancers
- Proxy Servers
If you’re looking for a test of an internal or an external network, it’s also helpful to include:
- A hardware diagram which depicts connections on your network
You can upload this information to your asset, as described in the section on Attachments.
Cloud Configuration
We can help users test their cloud configurations by service. In general, cloud services correspond to what may be installed on internal servers. But you also need to specify cloud components for the Technology Stack.
In this case, cloud configuration technology stacks correspond to the services that you might buy from a cloud provider such as Google, Amazon, or Microsoft. To help you list the right components, we provide this list of examples:
- APIs
- VPNs
- S3 Buckets
- Databases (SQL, RDBMS)
- Remote Desktops
- Virtual Machines
Now that you’ve defined the technology stack, proceed to pentest details.
Attachments
To share more about your assets, you can upload the documentation of your choice under Attachment(s). Our app limits uploads to 100 MB.
Tip
You can add a video walk-through of your asset as an attachment. This will give pentesters more context about the asset they need to test. Screen recording instructions vary depending on your device and operating system. As an example, read how to record the screen on your Mac.

If you’d like to upload files in a different format, you can try to:
- Compress or archive the files into one of the noted formats.
- For example, you can use a “Zip” tool built for your operating system to save your file with a .zip file extension.
- Contact your Customer Success Manager (CSM) or support@cobalt.io for guidance.
For complex assets, we encourage spreadsheets. The UI includes links to the following templates:
- Workflow/Priority Target
- User role matrix
We’ve included suggested data in the downloadable Excel (.xlsx) files. We encourage you to replace this information with other data, and upload it with any other documentation for your asset.
Now you can start setting up a pentest.
Asset Tags
An asset tag is customer-defined metadata associated with a Cobalt asset. You can add multiple tags to an asset. Use tags to:
- Map your assets to external systems, such as your vulnerability management application or task tracking software. Add the asset identifier in your third-party system as a tag.
- Associate other metadata such as vulnerabilities in external systems with Cobalt assets.
- Assign internal teams or business units to manage specific assets in Cobalt.
- Assign a compliance audit type the asset is subject to, such as SOC 2, PCI-DSS, or CREST.

You can also add asset tags using the Cobalt API. Learn more in our API documentation.
Last modified September 19, 2025