Pentest Expectations
What happens after you’ve set up your pentest.
Our pentesters share what they’ve found before they submit your report.
Now that you’ve done all the work needed to set up a pentest, you might be anxious for results. Here’s what you can expect:
- Once you’ve finished setting up a pentest, select Pentests in the left-hand pane. You should see your pentest listed, with an In Review label.
- We’ll select the best available pentesters before the start of the pentest. The time we need depends on your PtaaS tier and any additional requests you have.
- Once our pentesters start the pentest, they’ll update you on their progress. You can collaborate on the pentest using the following communication channels:
  - Beta Messaging in the Cobalt app. Select Messages on the pentest page. In the sidebar that opens, you can read updates from pentesters and communicate in the chat.
  - A Slack channel dedicated to your pentest.
  - Pentester Updates sidebar in the Cobalt app.
- You may get questions from your pentesters. You can also elaborate on your requirements for the pentest.
- As our pentesters analyze your asset, they’ll add updates frequently. If they discover vulnerabilities ("findings"), you can start remediating them before the pentest is complete.
- Once the pentest is complete, we move it from Live to Remediation. Remember to delete/disable or rotate credentials to prevent unauthorized access or misuse once the testing period is over.
- Review and analyze each finding. You can:
  - Fix the finding and submit it for retest
  - Mark the finding as Accepted Risk
- When your pentest is in Remediation or Closed, you can download pentest reports.
- If you’ve purchased a qualifying PtaaS tier, you can customize your pentest report.
- We move your pentest to Closed once you’ve resolved all findings, which includes the following states:
  - Accepted Risk
  - Fixed
Tip: To learn more about each pentest state, visit Pentest States.

Last modified November 14, 2024