Sign In to Cobalt

Start the pentest process. Sign in to the Cobalt app.

Learn about your first steps with Cobalt after receiving a welcome email.

Set Up Your Account

Once you’ve received a welcome email from Cobalt, do the following:

  1. Select Sign In in the email.
  2. Create a strong password. To learn more, read our password best practices.

Once you’ve confirmed your email address and created a password, your Cobalt account is fully set up.

Sign-in Methods

Depending on the configurations of your organization, you can sign in to Cobalt in the following ways:

  • Through SAML single sign-on, if configured. Go to your identity provider system to sign in to Cobalt, or follow a unique URL.
    • If your organization has enforced SAML, authentication from the Cobalt Sign In page is not possible.
  • From the Cobalt Sign In page, with:
    • Your email address and password.
    • Your Google account with which you were invited to Cobalt.

      Cobalt Sign In page

SAML SSO

We support identity provider-initiated single sign-on (SSO) based on the Security Assertion Markup Language 2.0 (SAML 2.0) protocol. SAML-based SSO is available to all PtaaS tiers.

Navigate to your identity provider, and select the Cobalt app to authenticate. Depending on the setup, you may need to follow a unique URL.

SAML SSO affects the following roles:

If your organization enforces SAML SSO, you must authenticate only through your identity provider, such as Okta, OneLogin, or Microsoft Azure AD. Authentication from the Cobalt Sign In page is not possible.

Learn more about configuring SAML SSO (for Organization Owners).

Two-Factor Authentication

We support two-factor authentication (2FA) for users who sign in with their email and password. If you’re using SAML SSO to sign in, you don’t need to turn on 2FA.

  • If your organization enforces 2FA for all users, configure it upon signing in.
  • We recommend that you enable 2FA even if your organization doesn’t enforce it.

Browser Verification

When you sign in to Cobalt, we record information about your browser to add an extra layer of security to the sign-in process. This setting is based on cookies and is not related to 2FA or SAML SSO.

If you attempt to sign in from a device or browser that we don’t recognize, we take additional steps to verify your identity before granting you access. This happens when you:

  • Sign in from a new device or browser
  • Use your browser’s private (incognito) mode
  • Clear or turn off cookies in your browser
  • Sign in from a different system
Last modified December 18, 2024