Pentest Details

Outline detailed requirements and reasons for your pentest.

On the Pentest Details page, we will ask you to provide requirements. All mandatory fields must be filled out prior to submitting the test for review.

1. Set the Objectives

Add reasons for wanting to conduct this pentest or any concerns that our team should be aware of for example:

  • SOC 2 compliance audit testing
  • Brand new software code introduced
  • Multiple user roles need testing

2. Set the In-Scope Targets

Adjust the targets in scope if you want to focus the pentest on a specific part of the asset.

Typically, all you need is a URL, IP address, or link.

Asset TypeTypical Target
WebFully-Qualified Domain Name (FQDN) such as www.example.com. May also specify an IP or network address.
MobileURL where anyone can download a mobile app, such as on Google Play or the Apple App Store.
APIBase URL of the API. You can define the endpoints / queries in the Instructions text box.
External NetworkIP addresses or the IP network address.
Internal NetworkIP network address. External IP address for the Jump Box.
Cloud ConfigIP address(es) and FQDNs of your cloud components.

3. Technology Stack

Technologies that you selected on the asset details page populate in the Technology Stack field in the pentest workflow. You can add more technologies for your pentest, in addition to those that you specified for your asset earlier. For guidelines on our technology stack see create an asset.

4. Credentials

Provide credential instructions for testers to access the application or environment.

  • Enter credentials in Access Instructions (Access Instructions is the next field on the brief)
  • Send credentials to testers through encrypted email (You can find email addresses within the brief once your pentest is in the Planned state)
  • Testers can create their own credentials
  • Authentication is not required
Credentials section showing different authentication options

5. Access Instructions

Provide Credentials and/or Access Instructions as required.

Credentials should be provided for each user role planned for your pentest, include the following:

  • 1 test account per pentester
  • A short description of the user role and associated permissions
  • Authentication specification for the test account
  • Ensure your passwords are secure
  • Test your credentials to ensure that pentesters can access your software.
  • Any other authentication requirements such as multi-factor authentication (MFA).
  • Once the pentest (and any retests) are complete, disable or delete the dedicated accounts.

Access instructions includes how to access the target environment (if any/needed, e.g. if it is an internal network test, you can give info on the jumpbox)

6. Special Instructions/Requirements

Our pentesters need to know about the environment that they’re testing, as well as whether they can find production data on the test system.

We need to know the environment of the pentest asset. The standard options are:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

Our pentesters also need information on test data. If your apps contain:

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Credit-card holder data (CHD)

Our pentesters take extra care to protect that information.

7. Prioritization or Exclusions

This question is optional but can provide helpful information for testers. While you’re not required to include any such details, we encourage you to include concerns that affect your production systems.

Provide any instructions related to the pentest like:

  • Key areas for focus
  • Specific vulnerabilities of concern
  • Features, systems, or tests that are out of scope
  • Potential risks or sensitive areas

8. Collaboration

Our Cobalt team and pentesters will have updates and questions for you as your pentest progresses. Select your preferred communication channel:

  • Cobalt Slack: A Slack channel dedicated for your pentest

  • Connect to Your Own Slack: Select this to invite our pentesting team to a channel in your Slack environment.

  • Cobalt In-App Messaging: Collaborate directly in the Cobalt platform with messaging in the Cobalt app

9. Assign a Point of Contact

Cobalt Staff may reach out to the point of contact with questions regarding the pentest.

  • You can assign yourself as the point of contact.

  • To assign other users, go to the Collaborators tab on the pentest page.

10. Other Tester Requirements

Optionally, you can specify special requirements for pentesters. For example, if industry, company, or national regulations require that you limit pentesters to residents of one or more countries, you can request this. If you select one of these options, be sure to include details in the field below.

We can’t guarantee that we’ll accept your additional request. This may also delay scheduling the pentest.

11. Specifications

Based on the methodology selected on the Overview page, you will be required to check which specifications apply to your asset. If the specification applies, please provide details in the text box provided.

By providing this, you’ll ensure a more effective and targeted pentest.

Last modified October 10, 2025