Outline detailed requirements and reasons for your pentest.

Outline detailed requirements and reasons for your pentest.

On the Pentest Details page, we will ask you to provide requirements. All mandatory fields must be filled out prior to submitting the test for review.

## 1. Set the Objectives

Add reasons for wanting to conduct this pentest or any concerns that our team should be aware of for example:

* SOC 2 compliance audit testing
* Brand new software code introduced
* Multiple user roles need testin

## 2. Set the In-Scope Targets

Adjust the targets in scope if you want to focus the pentest on a specific part of the asset.

Typically, all you need is a URL, IP address, or link.

| **Asset** **Type** | **Typical Target** |
|:---|:---|
| Web | Fully-Qualified Domain Name (FQDN) such as www.example.com. May also specify an IP or network address. |
| Mobile | URL where anyone can download a mobile app, such as on Google Play or the Apple App Store. |
| API | Base URL of the API. You can define the endpoints / queries in the Instructions text box. |
| External Network | IP addresses or the IP network address. |
| Internal Network | IP network address. External IP address for the [Jump Box](https://docs.cobalt.io/en-us/articles/glossary-YfTMKeZ1VM#h-jump-box). |
| Cloud Network | IP address(es) and FQDNs of your cloud components. |

## 3. Technology Stack

Technologies that you selected on the asset details page populate in the Technology Stack field in the pentest workflow. You can add more technologies for your pentest, in addition to those that you specified for your asset earlier. For guidelines on our technology stack see **[create an asset](https://docs.cobalt.io/en-us/articles/create-an-asset-9P1WPENeIC)**.

## 4. Credentials

Provide credential instructions for testers to access the application or environment.

* Enter credentials in **Access Instructions** (Access Instructions is the next field on the brief)
* Send credentials to testers through encrypted email (You can find email addresses within the brief once your pentest is in the Planned state)
* Testers can create their own credentials
* Authentication is not required ![](https://brainfish-storage-prod.s3-accelerate.amazonaws.com/uploads/e1eb5d82-35e0-4c9f-bde1-0baec07941c1/e9cbfa30-0f34-4e9d-ad27-4cc897b84328/image.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUPPN5IL3U6VF3JMP%2F20260411%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20260411T175403Z&X-Amz-Expires=3000&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEID%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJIMEYCIQDq1Vok0%2FjrInp2BVjVVUq%2BZS9yqBWtiQNcNSV4alFr%2BQIhAL62rMo3BzOKH8%2Bf3RemaqCYsYYNWooXeulmdzXM37GVKt0FCEoQAhoMMzA4MTI1OTc1Mjg3IgxhvFiiFwI22HtkTbQqugWqXlqaujpNEPuPVAzOhOTJrr4YM5mT%2FfYHhe9yiaAzo5YSni3uX8TT6nUP5QTl2jhafS9%2B8Uz7NAwmhI7WYn%2F%2BWztEpyZPNET3Fg1RLun0gkBdQtn3VEUFV8Txj7r8JDDhuJDwLBxfJ0IF9HMOmpoqQR3gfmFfXN0EoKWJrV9E8PKwcVyWYzw84zGoPbi5Kekl3imNVXIQYOOfYAkgbWgq0PTCxoXK0koMY8ygnevJnfnfnlpybRI3yygrRGarU%2BiCWawhUhQQS8xvRHjDOuNWyfDDHspmTPTtFhy2ba%2Bf%2FnpQ7gHyKplD%2Bu0Zxw7hJX8YBckai6JG2OldpB0ao4n8KL2cyrbBXrYV1jhW2%2FfCjIPef8Oda8LUA2%2F98HV%2FWVtQO3YzM5UxnKe1MkIgEbK%2FaiegkWoxa7qRwsj3jhP2%2BZluJCZ%2BsTBLBhcHi8qzV6m%2BEZDbPusgovxkxdB4SzT5a1wI0rxb%2Bt2s6E%2BFctI3YZ%2Bzbh2n%2FW%2BPkZmgZrEoUIbVx5o8iMGSLxF00pHjgcgCj31CQZvBJ7mMZHgKgt2xqtCpF32Z3cv6XN7RAVb06XB18TITDxzdkQOE5%2FRiFmjCh%2B3B1QfgPr6D5iNZ%2BZBBI8KhVHVnsJGDNhn9Zg7bRwzcSRF869q1qe2GgCbCevlPKzqnAuxLGEgm9Co3U7pvmtgIpuxTNBwN%2FFubV1cVlrcmGpaeuWTrMuE%2FAR51dnnusiRrAAtV1EQUdxW1PUC%2BGxJ5nxxEcuXh9G4BQCsjxFw3RSnQVVXz7gZvb6pkZsKuHW0HaFPjCqemTkBBaqgI28wyFfHphgsfJZmERmmXNjY%2BHcjnrXV8w8lybnqs3bistMLVLXs0IkbxBzrNTrc3Qsl9pvXhZ5CHGviwaovJeZdV0vQI4n6KfXk6kDogR2epDOw%2BdaCgWTeDsTDI7unOBjqPAX4CXf%2BwyMCuLM3kkq1e4VehirIgtHE8NLaYsVXwegx9CGVTXHl2HUs6manaUiTI8fvie0gyE805xepTUdROhcOeojJdrqcL%2F6ID3dYHpIP1OQYvil3jR4XtgRXZrYLQ58kCGfFmp8k5yF95F83qtNmu63KJfWB6jSQnLDwcBiGV%2BnTQIXBrGf%2Blwkkjcmjy&X-Amz-Signature=b5ca0ff1dfed6bdc55e1743f3afc54358841a82b61d949687a6212a7ff5226f9&X-Amz-SignedHeaders=host&response-content-disposition=attachment)

## 5. Access Instructions

Provide Credentials and/or Access Instructions as required.

**Credentials** should be provided for each user role planned for your pentest, include the following:

* 1 test account per pentester
* A short description of the user role and associated permissions
* Authentication specification for the test account
* Ensure your passwords are secure
* Test your credentials to ensure that pentesters can access your software.
* Any other authentication requirements such as [multi-factor authentication (MFA)](https://docs.cobalt.io/en-us/articles/glossary-YfTMKeZ1VM#h-multi-factor-authentication).
* Once the pentest (and any retests) are complete, disable or delete the dedicated accounts.

**Access instructions** includes how to access the target environment (if any/needed, e.g. if it is an internal network test, you can give info on the jumpbox)

## 6. Special Instructions/Requirements

Our pentesters need to know about the environment that they’re testing, as well as whether they can find production data on the test system.

We need to know the environment of the pentest asset. The standard options are:

* Production (for end users)
* Staging (proposed future production environment)
* Development (asset in work)

Our pentesters also need information on test data. If your apps contain:

* Personally Identifiable Information (PII)
* Protected Health Information (PHI)
* Credit-card holder data (CHD)

Our pentesters take extra care to protect that information.


:::info
**Note**

All Cobalt pentesters have signed a Non-Disclosure Agreement (NDA).

:::

## 7. Prioritization or Exclusions

This question is optional but can provide helpful information for testers. While you’re not required to include any such details, we encourage you to include concerns that affect your production systems.

Provide any instructions related to the pentest like:

* Key areas for focus
* Specific vulnerabilities of concern
* Features, systems, or tests that are out of scope
* Potential risks or sensitive areas

## 8. Collaboration

Our Cobalt team and pentesters will have updates and questions for you as your pentest progresses. Select your preferred communication channel:

* **Cobalt Slack:** A [Slack channel](https://docs.cobalt.io/en-us/articles/collaborate-on-pentests-ILbpm2juqQ) dedicated for your pentest
* **Connect to Your Own Slack:** Select this to invite our pentesting team to a channel in your Slack environment.
* **Cobalt In-App Messaging:** Collaborate directly in the Cobalt platform with [messaging in the Cobalt app](https://docs.cobalt.io/en-us/articles/collaborate-on-pentests-ILbpm2juqQ)

## 9. Assign a Point of Contact

Cobalt Staff may reach out to the point of contact with questions regarding the pentest.

* You can assign yourself as the point of contact.
* To assign other users, go to the Collaborators tab on the pentest page.

## 10. Other Tester Requirements

Optionally, you can specify special requirements for pentesters. For example, if industry, company, or national regulations require that you limit pentesters to residents of one or more countries, you can request this. If you select one of these options, be sure to include details in the field below.

We can’t guarantee that we’ll accept your additional request. This may also delay scheduling the pentest.

## 11. Specifications

Based on the methodology selected on the Overview page, you will be required to check which specifications apply to your asset. If the specification applies, please provide details in the text box provided.

By providing this, you’ll ensure a more effective and targeted pentest.

Pentest Details

Pentests

Overview

Asset Details

Scope & Test Period

Preparation

Create a Pentest

Pentest Process

Pentest States

Coverage Checklist

Pentest Expectations

Set Up an In-House Pentest

Complete an In-House Pentest (For Pentesters)

In House Pentests

Severity Levels

Finding States

Remediate Findings

Findings

Customize Your Report

Co-branded Reports

Contents of a Pentest Report

Reports

How to get started with Cobalt

Getting Started

Risk Advisories

Assets are what we pentest

Asset Types

Create an Asset

Assets

Engagements Overview

Digital Risk Assessment

Secure Code Review

Engagements

Insights

Planning

Cobalt Methodologies Overview

Web Methodologies

API Methodologies

External Network Methodologies

Internal Network Methodologies

Mobile Methodologies

Cloud Configuration Review Methodologies

Cloud Pentest Methodology

Desktop Methodologies

AI/LLM Methodologies

Digital Risk Assessment Methodology

Secure Code Review Methodologies

Methodologies

Attack Surface Monitoring (ASM)

Attack Surface

DAST Scanner Overview

Best Practices

Integrations

Partial Scans: Reduced Scope

Scans

Sequence recorder

Targets

Target Authentication

Extra Hosts

Blackout Period

DAST Scanner

Account Overview

Account Settings

Password Best Practices

Sign In to Cobalt

Troubleshoot Sign-in Issues

User Account

Collaboration Overview

Collaborate on Pentests

Groups

Manage Pentest Collaborators

Manage Notifications

User Roles and Permissions

Collaboration

Organization Overview

Manage Users

Your Cobalt Contract

How to Configure SAML 2.0 for Cobalt 

SAML Migration: Update Your Configuration

Configure SAML SSO

SCIM Provisioning Setup Guide

Configure Organization Settings

Organization

Cobalt Credits

Track Your Credits

Cobalt PtaaS Tiers

Credits

Cobalt Integrations Overview

Connect your applications

Create GitHub tickets for Findings

Send MS Teams notifications for Findings

Create Azure DevOps Work Item for Findings

Create Jira tickets for Findings

Send email notifications for Findings from Outlook

Create GitLab tickets for Findings

HTTP Connector

Import Assets from Google Sheets

Map Cobalt Pentest Finding Severity to Jira Issue Priority

Modify Jira Issue Summary to contain Pentest Title

How to Guides

Troubleshooting

Integration Builder

Jira Data Center Integration

Push Cobalt Findings to Jira

Switching to a New Jira Instance

Jira Cloud Integration

Troubleshoot Your Jira Integration

Synchronize Cobalt Severity Levels with Jira

Integrate Jira with Cobalt

Slack

Microsoft Teams

Webhooks

DefectDojo

Kenna Security

Vanta

Carried Over Findings

Create Test Finding

Cobalt API Overview

Partner Integrations

API Versions

Events

Errors

Subscription

Introduction

Authentication

EU Data Center

Organizations

Engagement Findings

DAST Targets

DAST Scans

DAST Scheduled Scans

DAST Findings

External Ticket References

Tokens

Pagination

Idempotency

Rate Limits

Create a Personal Cobalt API Token

Changelog

Get an Organization Token

Revoke Your Personal Cobalt API Tokens

Create or Modify an Asset

Import Findings to Google Sheets

Cobalt API

Glossary

March 2026

February 2026

January 2026

November 2025 

August 2025

July 2025

June 2025

May 2025

April 2025

March 2025

January 2025

December 2024

November 2024

October 2024

September 2024

August 2024

July 2024

June 2024

May 2024

April 2024

March 2024

January 2024

What's New

Guide

Cobalt Product Documentation

Pentest Details

Share

Share

Pentest Details

Share

Share