Scope & Test Period

Identify the complexity and type of your asset, along with the intended start date for your pentest.

The complexity of your asset determines the number of credits required for a pentest. The bigger the pentest scope, the more credits you need.

Learn more about Cobalt credits.

Scope a Copied Pentest

When you copy a pentest you will be able to copy the scope if the asset has not changed size. Select from the options:

Use same scope as copied pentest (pre-filled below): If the general size of the asset has not changed, inherit the scope of your last completed pentest.
I need to redefine the scope: If the general size of the asset has changed, rescope the pentest by adjusting scoping parameters, as described below.

Options for copying scope from previous pentest

Scoping aims to identify the complexity of your asset. Under Scoping, specify the number of parameters associated with the asset that need to be tested. To get exact numbers, consult with the asset owner inside your organization.

Scoping parameters differ for each asset type:

Web
Mobile
API
External Network
Internal Network
Cloud Config
Desktop
AI/LLM Pentest
Assets of multiple types

Once you’ve scoped the pentest, review the required credits, as determined by our calculator.

Web

To scope a pentest for a Web asset, specify the number of the following characteristics of the asset that need to be tested.

Parameter	Definition	Scoping Guidelines
User Roles	A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest.	Enter the number of User Roles in your Web asset that need to be tested. Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups.
Dynamic Pages/Routes	A dynamic page is a unique web page that facilitates user interaction, such as submitting data, entering parameters, or uploading content. Read-only static pages are not counted because there is no interaction. A product catalog is not measured because the page workflow is not unique. A Route is a system for resource navigation in single-page applications (SPAs). In SPAs that use frameworks such as Angular, React, or Ember, routes provide unique URLs to specific content within the application.	Determine the type of your Web asset: Traditional web application. Enter the number of dynamic pages based on unique page templates. As part of our tests for dynamic pages, we also test the backend API endpoints frequently used to populate content on those pages. Single-page application. Enter the number of routes to test. As an example, read the React Router documentation to learn more about routing. Usually, an application includes one or more routing modules or files where you can retrieve the number of pages or routes using special commands or tools.

Parameter

Definition

Scoping Guidelines

User Roles

A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest.

Enter the number of User Roles in your Web asset that need to be tested.

Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups.

Dynamic Pages/Routes

A dynamic page is a unique web page that facilitates user interaction, such as submitting data, entering parameters, or uploading content.

Read-only static pages are not counted because there is no interaction.
A product catalog is not measured because the page workflow is not unique.

A Route is a system for resource navigation in single-page applications (SPAs). In SPAs that use frameworks such as Angular, React, or Ember, routes provide unique URLs to specific content within the application.

Determine the type of your Web asset:

Traditional web application. Enter the number of dynamic pages based on unique page templates.
- As part of our tests for dynamic pages, we also test the backend API endpoints frequently used to populate content on those pages.
Single-page application. Enter the number of routes to test.
- As an example, read the React Router documentation to learn more about routing.

Usually, an application includes one or more routing modules or files where you can retrieve the number of pages or routes using special commands or tools.

If the only APIs in your assets populate web pages, you may not need to set up a separate API asset. We test such APIs as part of our tests of a Web asset.

Mobile

To scope a pentest for a Mobile asset, specify the number of the following characteristics of the asset that need to be tested.

Parameter	Definition	Scoping Guidelines
Operating Systems	An operating system (OS) is software that allows smartphones, tablets and other devices to run applications and programs.	Enter the number of operating systems (iOS, Android, Windows Mobile, etc) in your Mobile asset that need to be tested. Native applications are built to run on a specific mobile operating system, such as iOS or Android. Non-native applications are built to run on multiple operating systems.

Parameter

Definition

Scoping Guidelines

Operating Systems

An operating system (OS) is software that allows smartphones, tablets and other devices to run applications and programs.

Enter the number of operating systems (iOS, Android, Windows Mobile, etc) in your Mobile asset that need to be tested.

Native applications are built to run on a specific mobile operating system, such as iOS or Android.

Non-native applications are built to run on multiple operating systems.

API

To scope a pentest for an API asset, specify the number of the following characteristics of the asset that need to be tested.

Parameter Definition Scoping Guidelines

Parameter	Definition	Scoping Guidelines
User Roles	A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest.	Enter the number of User Roles in your API asset that need to be tested. Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups.
Endpoints / GraphQL Queries and Mutations	A RESTful API Endpoint is a URL where an API receives requests about a specific resource on its server. A GraphQL Query is a method to fetch data. A GraphQL Mutation is an operation that allows you to modify server-side data.	We can test both RESTful and GraphQL APIs. However, these APIs work in different ways. RESTful APIs set up data on different endpoints. Enter the number of RESTful API endpoints in your API asset to test. Ignore specific parameters and HTTP methods for each endpoint. For example, `GET https://api.cobalt.io/pentests` and `POST https://api.cobalt.io/pentests` are two different HTTP requests for the same endpoint. GraphQL APIs have a single endpoint, but use mutations to manage different categories of data. Queries allow you to fetch data, while mutations allow you to modify it. Enter the number of queries and mutations in your API asset to test. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints. If you’re using API tools such as Swagger, Postman, or Insomnia to work with your API asset, you can count the number of endpoints or GraphQL queries and mutations in these tools.

User Roles

A User Role is a user group within an application with specific permissions, such as an administrator, manager, or guest.

Enter the number of User Roles in your API asset that need to be tested.

Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several levels, and count the number of such groups.

Endpoints / GraphQL Queries and Mutations

A RESTful API Endpoint is a URL where an API receives requests about a specific resource on its server.

A GraphQL Query is a method to fetch data.

A GraphQL Mutation is an operation that allows you to modify server-side data.

We can test both RESTful and GraphQL APIs. However, these APIs work in different ways.

RESTful APIs set up data on different endpoints.
- Enter the number of RESTful API endpoints in your API asset to test.
- Ignore specific parameters and HTTP methods for each endpoint. For example, GET https://api.cobalt.io/pentests and POST https://api.cobalt.io/pentests are two different HTTP requests for the same endpoint.
GraphQL APIs have a single endpoint, but use mutations to manage different categories of data. Queries allow you to fetch data, while mutations allow you to modify it.
- Enter the number of queries and mutations in your API asset to test. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints.

If you’re using API tools such as Swagger, Postman, or Insomnia to work with your API asset, you can count the number of endpoints or GraphQL queries and mutations in these tools.

External Network

To scope a pentest for an External Network asset, specify the number of IP addresses in your external network that need to be tested.

Parameter	Scoping Guidelines
IP Addresses	Enter the number of active IP addresses in your external network that need to be tested.

Internal Network

To scope a pentest for an Internal Network asset, specify the number of IP addresses in your internal network that need to be tested.

Parameter	Scoping Guidelines
IP Addresses	Enter the number of active IP addresses in your internal network that need to be tested.

Cloud Configuration Review

Cobalt pentesters can conduct a configuration review of the following Cloud Service Providers:

Amazon Web Services (AWS)
Microsoft Azure Cloud (Azure)
Google Cloud Platform (GCP)

To scope a cloud configuration review, specify the number of the following characteristics of the asset that need to be reviewed.

Parameter	Definition	Scoping Guidelines
Accounts, Projects, or Resource Groups	Accounts refer to accounts in your AWS cloud asset. Projects are all resources included in your GCP cloud asset. Resource Groups are sets of resources in an Azure cloud asset.	Enter the total number of accounts, projects, or resource groups in your cloud asset that need to be reviewed. AWS: The number of AWS accounts within the AWS Organization. The IAM user that pentesters will use to enumerate and assess AWS configurations is set based upon these accounts. GCP: The cloud configuration size is based on Projects. In Identity and Access Management (IAM), access is managed through IAM policies. An IAM policy can be attached to a Google Cloud Project. Each policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. Azure: Subscriptions may contain various Resource Groups—containers that hold related resources for an Azure solution. The CIS Benchmark for Azure is assessed at the Subscription level.
Unique Service Instances	Unique services are the different functionalities that you’ve configured in your cloud environment.	Enter the number of unique services in your cloud asset that need to be reviewed. Examples of services: EC2, S3, Comprehend, Kubernetes, Azure Bot Service, Cloud Storage, Azure Container Service. Cobalt sizes Unique Instance of Services Used for Cloud Configuration Reviews as we’re enumerating configurations, not hosts. Example: 100 EC2 instances using the same base image are considered redundant from the configuration perspective and counted as 1 unique service.

Parameter

Definition

Scoping Guidelines

Accounts, Projects, or Resource Groups

Accounts refer to accounts in your AWS cloud asset.

Projects are all resources included in your GCP cloud asset.

Resource Groups are sets of resources in an Azure cloud asset.

Enter the total number of accounts, projects, or resource groups in your cloud asset that need to be reviewed.

AWS: The number of AWS accounts within the AWS Organization. The IAM user that pentesters will use to enumerate and assess AWS configurations is set based upon these accounts.
GCP: The cloud configuration size is based on Projects. In Identity and Access Management (IAM), access is managed through IAM policies. An IAM policy can be attached to a Google Cloud Project. Each policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role.
Azure: Subscriptions may contain various Resource Groups—containers that hold related resources for an Azure solution. The CIS Benchmark for Azure is assessed at the Subscription level.

Unique Service Instances

Unique services are the different functionalities that you’ve configured in your cloud environment.

Enter the number of unique services in your cloud asset that need to be reviewed.

Examples of services: EC2, S3, Comprehend, Kubernetes, Azure Bot Service, Cloud Storage, Azure Container Service.
Cobalt sizes Unique Instance of Services Used for Cloud Configuration Reviews as we’re enumerating configurations, not hosts. Example: 100 EC2 instances using the same base image are considered redundant from the configuration perspective and counted as 1 unique service.

Desktop

To scope a pentest for a Desktop asset, specify the number of the following characteristics of the asset that need to be tested.

Parameter	Definition	Scoping Guidelines
Operating Systems	An operating system (OS) is software that allows desktop devices to run applications and programs.	Enter the total number of operating systems in your desktop application that need to be tested. Examples of desktop operating systems include Microsoft Windows, macOS, various Linux distributions, and others.

AI/LLM Pentesting

To scope an AI/LLM pentest specify the Number of independent LLM features to be tested.

Parameter	Definition	Scoping Guidelines
LLM Features	A specific capability or functionality exhibited by a Large Language Model (LLM).	Enter the total number of LLM features within your application that need to be tested. Example of a feature include a chatbot.

If multiple independent features are selected, the results will be documented in the same report and findings will reported in the same pentest. If separate reports are needed, it’s recommended to run seperate pentests for them.

AI/LLM pentests are available for Web assets only.

Assets of Multiple Types

Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on assets in the following groups of categories:

Web + API
Web + API + External Network
Web + External Network
Web + Mobile

To scope a pentest for a combined asset, specify the number of characteristics for each asset type that it includes. Refer to the corresponding sections of this guide for details.

Set a Start Date

Depending on your PtaaS tier, you can schedule pentests with a start date from at least one to three business days after submitting it for review. Pentests submitted after 11 AM PST (19:00 UTC) will require an additional business day start time.

Our staff will confirm the pentest end date after review. Pentest timelines depend on test focus, scope, and other factors. Retest end date shows when your free retesting period ends, this is based on your contract tier and end date.

Last modified November 20, 2025