Create a Pentest
Plan and scope the pentest
To create a new pentest, first you should create the asset you wish to test.
Now, you’re ready to launch your new pentest.
On the Pentests page, select Create a Pentest.
A modal will ask you if you want to Start from Scratch or Copy from Previous Pentest.
Start from scratch: select the asset you want to test
Copy from previous pentest: select the pentest you wish to copy. This will copy most of the information except for information we need specific to each pentest e.g. credentials or point of contact
Select Confirm to start filling out the pentest
Overview
You’ll start on the Overview page. We’ll use this information to create the right type of pentest for your needs.
1. Name the Pentest
Change the default Title if you have specific naming conventions
Default title format: {Asset Name} {MM/YYYY}
2. Set your Test Goals
Help us understand your goals — whether it’s meeting compliance, assessing security risks, or testing a recent update. Your answer ensures a more effective pentest.
3. Set the Test Focus
Determine the focus for your test based on your use case, reporting needs and target audience.
| Narrow Scope (Agile) | Broad Scope (Comprehensive) | |
|---|---|---|
| Definition | Pentest performed by Cobalt pentesters focuses on code changes or a specific area of an asset and comes with an Automated Report intended for internal use | Pentest is performed by Cobalt pentesters for security audit, compliance audit, or customer attestation and includes comprehensive reports intended for external stakeholders |
| Pentest Scope | Specific part of an asset | Broad area of an asset |
| Use Cases | New release or feature testing Delta testing Exploitable vulnerability testing Single OWASP category testing Microservice testing Internal security testing | Comprehensive security audit Compliance audit testing based on the frameworks such as SOC 2, ISO 27001, PCI-DSS, CREST, or HIPAA M&A due diligence Internal or third-party attestation request |
| Standard pentest timelines | 3 or 4 credits: 7 days From 5 credits: 14 days | 14 days |
| Available Pentest Reports | Automated Report | Report written by pentesters Customer Letter Attestation Letter Attestation Report Full Report Full Report + Finding Details |
| Report Target Audience | Internal stakeholders | External stakeholders |
4. Set your test Methodology
Pentesters follow specific methodologies for each test. If your environment includes multiple asset types that can’t be effectively combined into a single test, we recommend creating separate tests.
Asset Details
Next you’ll review your Asset Details. This page is used to review any general details about your asset, specific pentest details will be provided next. See the create asset page for details on what information to provide here.
Pentest Details
On the Pentest Details page, we will ask you to provide requirements. All mandatory fields must be filled out prior to submitting the test for review.
1. Set the Objectives
Add reasons for wanting to conduct this pentest or any concerns that our team should be aware of for example:
- SOC 2 compliance audit testing
- Brand new software code introduced
- Multiple user roles need testing
2. Set the In-Scope Targets
Adjust the targets in scope if you want to focus the pentest on a specific part of the asset.
Typically, all you need is a URL, IP address, or link.
| Asset Type | Typical Target |
|---|---|
| Web | Fully-Qualified Domain Name (FQDN) such as www.example.com. May also specify an IP or network address. |
| Mobile | URL where anyone can download a mobile app, such as on Google Play or the Apple App Store. |
| API | Base URL of the API. You can define the endpoints / queries in the Instructions text box. |
| External Network | IP addresses or the IP network address. |
| Internal Network | IP network address. External IP address for the Jump Box. |
| Cloud Config | IP address(es) and FQDNs of your cloud components. |
3. Technology Stack
Technologies that you selected on the asset details page populate in the Technology Stack field in the pentest workflow. You can add more technologies for your pentest, in addition to those that you specified for your asset earlier. For guidelines on our technology stack see create an asset.
4. Credentials
Provide credential instructions for testers to access the application or environment.
- Enter credentials in Access Instructions (Access Instructions is the next field on the brief)
- Send credentials to testers through encrypted email (You can find email addresses within the brief once your pentest is in the Planned state)
- Testers can create their own credentials
- Authentication is not required
5. Access Instructions
Provide Credentials and/or Access Instructions as required.
Credentials should be provided for each user role planned for your pentest, include the following:
- 1 test account per pentester
- A short description of the user role and associated permissions
- Authentication specification for the test account
- Ensure your passwords are secure
- Test your credentials to ensure that pentesters can access your software.
- Any other authentication requirements such as multi-factor authentication (MFA).
- Once the pentest (and any retests) are complete, disable or delete the dedicated accounts.
Access instructions includes how to access the target environment (if any/needed, e.g. if it is an internal network test, you can give info on the jumpbox)
6. Special Instructions/Requirements
Our pentesters need to know about the environment that they’re testing, as well as whether they can find production data on the test system.
We need to know the environment of the pentest asset. The standard options are:
- Production (for end users)
- Staging (proposed future production environment)
- Development (asset in work)
Our pentesters also need information on test data. If your apps contain:
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Credit-card holder data (CHD)
Our pentesters take extra care to protect that information.
Note
All Cobalt pentesters have signed a Non-Disclosure Agreement (NDA).7. Prioritization or Exclusions
This question is optional but can provide helpful information for testers. While you’re not required to include any such details, we encourage you to include concerns that affect your production systems.
Provide any instructions related to the pentest like:
- Key areas for focus
- Specific vulnerabilities of concern
- Features, systems, or tests that are out of scope
- Potential risks or sensitive areas
8. Collaboration
Our Cobalt team and pentesters will have updates and questions for you as your pentest progresses. Select your preferred communication channel:
Cobalt Slack: A Slack channel dedicated for your pentest
Connect to Your Own Slack: Select this to invite our pentesting team to a channel in your Slack environment.
Cobalt In-App Messaging: Collaborate directly in the Cobalt platform with messaging in the Cobalt app
9. Assign a Point of Contact
Cobalt Staff may reach out to the point of contact with questions regarding the pentest.
You can assign yourself as the point of contact.
To assign other users, go to the Collaborators tab on the pentest page.
10. Other Tester Requirements
Optionally, you can specify special requirements for pentesters. For example, if industry, company, or national regulations require that you limit pentesters to residents of one or more countries, you can request this. If you select one of these options, be sure to include details in the field below.
We can’t guarantee that we’ll accept your additional request. This may also delay scheduling the pentest.
11. Specifications
Based on the methodology selected on the Overview page, you will be required to check which specifications apply to your asset. If the specification applies, please provide details in the text box provided.
By providing this, you’ll ensure a more effective and targeted pentest.
Scope & Test Period
The complexity of your asset determines the number of credits required for a pentest. The bigger the pentest scope, the more credits you need.
Learn more about Cobalt credits.
Scope a Copied Pentest
When you copy a pentest you will be able to copy the scope if the asset has not changed size. Select from the options:
- Use same scope as copied pentest (pre-filled below): If the general size of the asset has not changed, inherit the scope of your last completed pentest.
- I need to redefine the scope: If the general size of the asset has changed, rescope the pentest by adjusting scoping parameters, as described below.
Scoping aims to identify the complexity of your asset. Under Scoping, specify the number of parameters associated with the asset that need to be tested. To get exact numbers, consult with the asset owner inside your organization.
Scoping parameters differ for each asset type:
- Web
- Mobile
- API
- External Network
- Internal Network
- Cloud Config
- Desktop
- AI/LLM Pentest
- Assets of multiple types
Once you’ve scoped the pentest, review the required credits, as determined by our calculator.
Web
To scope a pentest for a Web asset, specify the number of the following characteristics of the asset that need to be tested.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| User Roles | A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest. | Enter the number of User Roles in your Web asset that need to be tested. Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups. |
| Dynamic Pages/Routes | A dynamic page is a unique web page that facilitates user interaction, such as submitting data, entering parameters, or uploading content. Read-only static pages are not counted because there is no interaction. A product catalog is not measured because the page workflow is not unique. A Route is a system for resource navigation in single-page applications (SPAs). In SPAs that use frameworks such as Angular, React, or Ember, routes provide unique URLs to specific content within the application. | Determine the type of your Web asset: Traditional web application. Enter the number of dynamic pages based on unique page templates. As part of our tests for dynamic pages, we also test the backend API endpoints frequently used to populate content on those pages. Single-page application. Enter the number of routes to test. As an example, read the React Router documentation to learn more about routing. Usually, an application includes one or more routing modules or files where you can retrieve the number of pages or routes using special commands or tools. |
Note
If the only APIs in your assets populate web pages, you may not need to set up a separate API asset. We test such APIs as part of our tests of a Web asset.
Mobile
To scope a pentest for a Mobile asset, specify the number of the following characteristics of the asset that need to be tested.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| Operating Systems | An operating system (OS) is software that allows smartphones, tablets and other devices to run applications and programs. | Enter the number of operating systems (iOS, Android, Windows Mobile, etc) in your Mobile asset that need to be tested. Native applications are built to run on a specific mobile operating system, such as iOS or Android. Non-native applications are built to run on multiple operating systems. |
API
To scope a pentest for an API asset, specify the number of the following characteristics of the asset that need to be tested.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| User Roles | A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest. | Enter the number of User Roles in your API asset that need to be tested. Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups. |
| Endpoints / GraphQL Queries and Mutations | A RESTful API Endpoint is a URL where an API receives requests about a specific resource on its server. A GraphQL Query is a method to fetch data. A GraphQL Mutation is an operation that allows you to modify server-side data. | We can test both RESTful and GraphQL APIs. However, these APIs work in different ways. RESTful APIs set up data on different endpoints. Enter the number of RESTful API endpoints in your API asset to test. Ignore specific parameters and HTTP methods for each endpoint. For example, GET https://api.cobalt.io/pentests and POST https://api.cobalt.io/pentests are two different HTTP requests for the same endpoint. GraphQL APIs have a single endpoint, but use mutations to manage different categories of data. Queries allow you to fetch data, while mutations allow you to modify it. Enter the number of queries and mutations in your API asset to test. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints. If you’re using API tools such as Swagger, Postman, or Insomnia to work with your API asset, you can count the number of endpoints or GraphQL queries and mutations in these tools. |
External Network
To scope a pentest for an External Network asset, specify the number of IP addresses in your external network that need to be tested.
| Parameter | Scoping Guidelines |
|---|---|
| IP Addresses | Enter the number of active IP addresses in your external network that need to be tested. |
Internal Network
To scope a pentest for an Internal Network asset, specify the number of IP addresses in your internal network that need to be tested.
| Parameter | Scoping Guidelines |
|---|---|
| IP Addresses | Enter the number of active IP addresses in your internal network that need to be tested. |
Cloud Configuration Review
Cobalt pentesters can conduct a configuration review of the following Cloud Service Providers:
- Amazon Web Services (AWS)
- Microsoft Azure Cloud (Azure)
- Google Cloud Platform (GCP)
To scope a cloud configuration review, specify the number of the following characteristics of the asset that need to be reviewed.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| Accounts, Projects, or Resource Groups | Accounts refer to accounts in your AWS cloud asset. Projects are all resources included in your GCP cloud asset. Resource Groups are sets of resources in an Azure cloud asset. | Enter the total number of accounts, projects, or resource groups in your cloud asset that need to be reviewed. AWS: The number of AWS accounts within the AWS Organization. The IAM user that pentesters will use to enumerate and assess AWS configurations is set based upon these accounts. GCP: The cloud configuration size is based on Projects. In Identity and Access Management (IAM), access is managed through IAM policies. An IAM policy can be attached to a Google Cloud Project. Each policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. Azure: Subscriptions may contain various Resource Groups—containers that hold related resources for an Azure solution. The CIS Benchmark for Azure is assessed at the Subscription level. |
| Unique Service Instances | Unique services are the different functionalities that you’ve configured in your cloud environment. | Enter the number of unique services in your cloud asset that need to be reviewed. Examples of services: EC2, S3, Comprehend, Kubernetes, Azure Bot Service, Cloud Storage, Azure Container Service. Cobalt sizes Unique Instance of Services Used for Cloud Configuration Reviews as we’re enumerating configurations, not hosts. Example: 100 EC2 instances using the same base image are considered redundant from the configuration perspective and counted as 1 unique service. |
Desktop
To scope a pentest for a Desktop asset, specify the number of the following characteristics of the asset that need to be tested.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| Operating Systems | An operating system (OS) is software that allows desktop devices to run applications and programs. | Enter the total number of operating systems in your desktop application that need to be tested. Examples of desktop operating systems include Microsoft Windows, macOS, various Linux distributions, and others. |
AI/LLM Pentesting
To scope an AI/LLM pentest specify the Number of independent LLM features to be tested.
| Parameter | Definition | Scoping Guidelines |
|---|---|---|
| LLM Features | A specific capability or functionality exhibited by a Large Language Model (LLM). | Enter the total number of LLM features within your application that need to be tested. Example of a feature include a chatbot. |
If multiple independent features are selected, the results will be documented in the same report and findings will reported in the same pentest. If separate reports are needed, it’s recommended to run seperate pentests for them.
AI/LLM pentests are available for Web assets only.
Assets of Multiple Types
Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on assets in the following groups of categories:
- Web + API
- Web + API + External Network
- Web + External Network
- Web + Mobile
To scope a pentest for a combined asset, specify the number of characteristics for each asset type that it includes. Refer to the corresponding sections of this guide for details.
Set a Start Date
Depending on your PtaaS tier, you can schedule pentests with a start date from at least one to three business days after submitting it for review. Pentests submitted after 11 AM PST (19:00 UTC) will require an additional business day start time.
Our staff will confirm the end date after review. Pentest timelines depend on test focus, scope, and other factors. Retest end date shows when your free retesting period ends, this is based on your tier and contract end date.
Preparation
Our Preparation page details steps you need to complete before the pentest, otherwise your start date could be impacted.
1. Ensure testers have access
- Are the credentials valid?
- Do you need to set up any access requirements?
2. Add our IPs to your allowlist
Our pentesters send requests from one or more IP addresses on a Virtual Private Network. Share this pentest with your network administrator. They may need to know the IP addresses that we use:
- 188.226.141.7
- 209.222.30.28
- 185.70.198.155
- 5.22.219.47
- 64.226.132.108
- 96.126.102.182
- 64.226.133.130
- 216.238.76.199
- 216.238.106.73
- 212.59.68.70
- 192.46.213.72
- 139.84.156.110
- 172.104.52.94
- 67.219.111.23
- 139.84.232.86
3. Confirm the team availability
The Point of Contact assigned is expected to collaborate with our Cobalt staff and pentesters to ensure we have enough information to start the pentest.
Submit for Review
If you’re ready with your pentest, select Submit for Review.
Once you do so, learn what to expect after you create a pentest.
Last modified August 22, 2025