## **Get Pentest Updates with Webhooks**

Set up webhook notifications for your organization.


:::info
Configure webhooks to subscribe to real-time updates for your pentests.

:::

## **Introducing Webhooks**

With our API-based webhooks, you can set up an integration between your app and the Cobalt platform to get notifications for pentest events. We’ll send you updates for each event to your URL through an HTTP POST request.

When you work with an API, you can become aware of new data in the following ways:

* Repeatedly send requests to the same [API endpoint](https://docs.cobalt.io/en-us/articles/glossary-YfTMKeZ1VM#h-api-endpoint) to retrieve new information, which is known as polling.
* Configure a webhook that automatically sends new data to the specified URL.

 ![](https://brainfish-storage-prod.s3-accelerate.amazonaws.com/uploads/e1eb5d82-35e0-4c9f-bde1-0baec07941c1/43b91206-04b1-4cf8-9a8b-4e5f6f6404b2/image.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUPPN5IL3ZTVHZSLI%2F20260417%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20260417T014416Z&X-Amz-Expires=3000&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJIMEYCIQC1hyFdRaMs6AUJ47VIW7WQpEKF0JrPHrmJK1qgG%2FOZ9AIhAPDyQ8VDKf2s0nybK74e4T2veXJPQ5YTVcKOcfmENIjJKuYFCMj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMzA4MTI1OTc1Mjg3IgyDVsIm6mWP45LRXpcqugW6AybiTH2KcikzFWhjLYYfoHBhwh101b%2BwA3%2FgM%2BkZUwZFYt23OYm6vAz%2Fwb2%2BmnnskHzoKUEjdyMF6jXObWLphSU%2BDd%2FODX91eEo0ojZC%2FvXPF5%2Bwq%2F0wUMosUp7wk4oHoHXUm6XQZB9rd1r1qBlAFVAyrA3A9t%2FP39FAfHa70WiWqDydL3%2FYZNXIKHwGA7F0OmdkodJVm%2FhNfhWtbDLG9T8N2tJ49xaAGvfAEsCgL5%2FGQKyn%2FpaQoX9sulqJUw4sjiV%2BjfO5D0oD0lxXdXbtbwDoHsS4DQ2r0MoLkBajotu2XzLRxLjAFEjQ1ffgsgo4VPjh0KUxABMnSiA3HRHuc41B3NudBi7F%2Buh1%2FGE4LCH%2B%2Fhbzd6sztiwjRhf8GT5j49iCcJT3HygxVgM0Hbt3gT%2BrSi4BL%2FHnu0D486woy987%2FINBsYjhMraVgNtapRliWsvc%2BCRxbucBY8O4keK70VXmj9MRmACVhGgbPTPmSOKTjvIKlHMWC8qcuLGx8ppqA46ajaYOXugUPOEmDPasKeBYNqduoWrtIM13I7ffd%2F6Y6nHcxnA6EaFD%2FXgrh99XPYSO6bLfuOXM4Aa9c%2FFAbR7foEqeO6Iwy8gly9%2FNjf9qnSxMZDiL54MasaeEPC8Ih3Uhm4YPvvbz5Jd70ScHrHWOtGpVkR3j7YNSGtQF4q8pgYqI23UYf4T4HCTJooBVdGGP02Qlkz6b3WAd1GLHXtOJc3q952C6MdJU%2FEdyd%2Bepl03yqBN1xqIHcM0dvgbpUxltE6GI1V7oonUnJmoml3ss8%2B%2FR1JfiM4ReiAaetnkA0JLendnRDP%2BL6r19KJbzVtAnmWSE84NybfwxD9XMQV1PTJGHbO%2BM4kufGbF0Vpw1RgHUxaEq8ZiUB9rQ%2BxKG2y87lv7kagTedhdDK4PeBEaGk%2F2%2FWV4GiDDU2oXPBjqPAe%2F0kVzGPInzSVrF3A%2B32ROx72pB%2FOpOucH4yZFIYx9g8SXwraBVRtsH4U5AVNFC4zPlsf8VrZasRG%2BLSo8wIhm%2FoSoRy7qzfCda3KQsVJxvYMABCrQuCFW6HRE5lhqt8Cfg3GkDpxwFz3dX%2BkQQhUEGAhHmJHlKY01nWBA%2BDllQHTO6Gw7ErmlGcMaVgnRr&X-Amz-Signature=2a35557cadeb5211a00b71fec3d74a0d6f23e7da9e869b9c3728a3f8a95b4c1c&X-Amz-SignedHeaders=host&response-content-disposition=attachment)

## You can configure webhooks through the [API](https://cobalt-public-api.netlify.app/v2/#webhooks) and in the [Cobalt UI](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-configure-webhooks-in-the-ui).

**Before You Start**

Before you start creating webhooks, complete the configuration in your app.


1. Make sure that the **URL** where you want to receive notifications is valid and your services work properly. If possible, test your connections.
2. (Optional) To add an extra layer of security to the integration, generate a **webhook secret** in your app. When we send a POST request to your URL, we include your secret in the request header. This allows you to validate that the API request is from Cobalt.

Read our [Best Practices](https://docs.cobalt.io/en-us/articles/webhooks-VnsjP2x9tp#h-best-practices) for more information.

## **Webhook Events**

When you set up a webhook, you can **select events** to which you want to subscribe:

| Pentest | Finding |
|----|----|
| Pentest created  \n[Pentest state](https://docs.cobalt.io/en-us/articles/pentest-states-KfXxlt4Re2) updated | • Finding deleted  \n• Finding published  \n• [Finding state](https://docs.cobalt.io/en-us/articles/finding-states-De6IE4W5Zw) updated  \n• Finding updated |

For security reasons, we only post essential details about webhook events, such as their ID and type. To retrieve more information about the event, use the [Cobalt API](https://cobalt-public-api.netlify.app/v2/).


:::info
**Note**

For webhooks that you created before June 2023, you get updates forall events. You can adjust the configuration of your existing webhooks. Select the three-dot iconunderActions, selectEdit Webhook, select webhook events in the overlay, and then selectSaveto confirm.

:::

## **Configure Webhooks in the UI**

Let’s configure webhooks in the Cobalt app.

### **Create a Webhook**

To create a webhook:


1. In the Cobalt app, navigate to the **Integrations** page, and then select **Webhooks** under **Native Integrations**.
2. On the **Webhooks** page, select **Create Webhook**.
3. In the overlay that appears, specify the following:
   * **Webhook Name**
   * **Webhook URL**: URL to which Cobalt sends HTTP POST requests for pentest [events](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-webhook-events).
     * Use a unique name and URL for each webhook you create.
   * (Optional) **Secret**: Your [webhook secret](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-before-you-start) that we use to authenticate a POST request to your URL.
   * **Events**: Select [webhook events](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-webhook-events) to which you want to subscribe.
4. When ready, select **Save**.
5. We send a test event to the specified URL to validate your webhook. The webhook becomes active once the validation is complete.
   * If the validation fails, we’ll deactivate your webhook within 24 hours. See [Troubleshoot Webhooks](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-troubleshoot-webhooks) for more information.

 ![](https://brainfish-storage-prod.s3-accelerate.amazonaws.com/uploads/e1eb5d82-35e0-4c9f-bde1-0baec07941c1/8c0150bd-e59a-4d1f-a86a-5d21a4bf740a/image.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUPPN5IL3ZTVHZSLI%2F20260417%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20260417T014416Z&X-Amz-Expires=3000&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJIMEYCIQC1hyFdRaMs6AUJ47VIW7WQpEKF0JrPHrmJK1qgG%2FOZ9AIhAPDyQ8VDKf2s0nybK74e4T2veXJPQ5YTVcKOcfmENIjJKuYFCMj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMzA4MTI1OTc1Mjg3IgyDVsIm6mWP45LRXpcqugW6AybiTH2KcikzFWhjLYYfoHBhwh101b%2BwA3%2FgM%2BkZUwZFYt23OYm6vAz%2Fwb2%2BmnnskHzoKUEjdyMF6jXObWLphSU%2BDd%2FODX91eEo0ojZC%2FvXPF5%2Bwq%2F0wUMosUp7wk4oHoHXUm6XQZB9rd1r1qBlAFVAyrA3A9t%2FP39FAfHa70WiWqDydL3%2FYZNXIKHwGA7F0OmdkodJVm%2FhNfhWtbDLG9T8N2tJ49xaAGvfAEsCgL5%2FGQKyn%2FpaQoX9sulqJUw4sjiV%2BjfO5D0oD0lxXdXbtbwDoHsS4DQ2r0MoLkBajotu2XzLRxLjAFEjQ1ffgsgo4VPjh0KUxABMnSiA3HRHuc41B3NudBi7F%2Buh1%2FGE4LCH%2B%2Fhbzd6sztiwjRhf8GT5j49iCcJT3HygxVgM0Hbt3gT%2BrSi4BL%2FHnu0D486woy987%2FINBsYjhMraVgNtapRliWsvc%2BCRxbucBY8O4keK70VXmj9MRmACVhGgbPTPmSOKTjvIKlHMWC8qcuLGx8ppqA46ajaYOXugUPOEmDPasKeBYNqduoWrtIM13I7ffd%2F6Y6nHcxnA6EaFD%2FXgrh99XPYSO6bLfuOXM4Aa9c%2FFAbR7foEqeO6Iwy8gly9%2FNjf9qnSxMZDiL54MasaeEPC8Ih3Uhm4YPvvbz5Jd70ScHrHWOtGpVkR3j7YNSGtQF4q8pgYqI23UYf4T4HCTJooBVdGGP02Qlkz6b3WAd1GLHXtOJc3q952C6MdJU%2FEdyd%2Bepl03yqBN1xqIHcM0dvgbpUxltE6GI1V7oonUnJmoml3ss8%2B%2FR1JfiM4ReiAaetnkA0JLendnRDP%2BL6r19KJbzVtAnmWSE84NybfwxD9XMQV1PTJGHbO%2BM4kufGbF0Vpw1RgHUxaEq8ZiUB9rQ%2BxKG2y87lv7kagTedhdDK4PeBEaGk%2F2%2FWV4GiDDU2oXPBjqPAe%2F0kVzGPInzSVrF3A%2B32ROx72pB%2FOpOucH4yZFIYx9g8SXwraBVRtsH4U5AVNFC4zPlsf8VrZasRG%2BLSo8wIhm%2FoSoRy7qzfCda3KQsVJxvYMABCrQuCFW6HRE5lhqt8Cfg3GkDpxwFz3dX%2BkQQhUEGAhHmJHlKY01nWBA%2BDllQHTO6Gw7ErmlGcMaVgnRr&X-Amz-Signature=436d52733e45ee484db10a7e16a8c7c7524da83988f464e4f025fe52b143b6cb&X-Amz-SignedHeaders=host&response-content-disposition=attachment)

## **Manage Webhooks**

Now you can manage the webhooks that you [created](https://docs.cobalt.io/en-us/articles/webhooks-OuuDXWwHRm#h-create-a-webhook).

* To make a webhook **inactive**, use the toggle under **Active**.
* To **edit** a webhook, select the three-dot icon ⋯ under **Actions**, and then select **Edit Webhook**. Update webhook parameters in the overlay that appears.
* To **delete** a webhook, select the three-dot icon ⋯ under **Actions**, and then select **Delete Webhook**.
  * You can make a webhook inactive without deleting it.

## **Troubleshoot Webhooks**

You can check the status of your webhooks on the **Webhooks** page. The following icons indicate that there is a problem with your webhook:

* **Yellow warning**: The webhook stopped responding to events at the specified time. We’ll deactivate the webhook after 48 hours of failed attempts.
* **Red error**: The webhook stopped responding, and we deactivated it after 48 hours of failed attempts.

Find solutions for common troubleshooting problems in the table below:

| **Problem** | **Solution** |
|----|----|
| You can’t create a webhook because the name or URL already exists. | Enter a unique name and URL for your webhook. |
| You can’t create a webhook because the validation fails.You don’t get webhook notifications to your URL.You can’t activate a webhook that we or you deactivated earlier. | We failed to validate your webhook. Check the following:   \n• The URL is valid and can accept requests.   \n• If you’re using a webhook secret to validate API requests from Cobalt, make sure that it’s valid. Refresh the secret or generate a new one if needed. |
| You can’t delete a webhook. | • Try again.   \n• Contact your Customer Success Manager (CSM) or [support@cobalt.io](mailto:support@cobalt.io) for assistance. |




Webhooks

Cobalt Integrations Overview

Troubleshooting

HTTP Connector

Import Assets from Google Sheets

Map Cobalt Pentest Finding Severity to Jira Issue Priority

Modify Jira Issue Summary to contain Pentest Title

Create Azure DevOps Work Item for Findings

Send MS Teams notifications for Findings

Create GitLab tickets for Findings

Create Jira tickets for Findings

Send email notifications for Findings from Outlook

Create GitHub tickets for Findings

How to Guides

Connect your applications

Integration Builder

Synchronize Cobalt Severity Levels with Jira

Push Cobalt Findings to Jira

Jira Cloud Integration

Jira Data Center Integration

Troubleshoot Your Jira Integration

Switching to a New Jira Instance

Integrate Jira with Cobalt

Slack

Microsoft Teams

DefectDojo

Kenna Security

Vanta

Carried Over Findings

Create Test Finding

Integrations

How to get started with Cobalt

Getting Started

Risk Advisories

Assets are what we pentest

Asset Types

Create an Asset

Assets

Pentests

Overview

Asset Details

Pentest Details

Scope & Test Period

Preparation

Create a Pentest

Pentest Process

Pentest States

Coverage Checklist

Pentest Expectations

Set Up an In-House Pentest

Complete an In-House Pentest (For Pentesters)

In House Pentests

Severity Levels

Finding States

Remediate Findings

Findings

Customize Your Report

Co-branded Reports

Contents of a Pentest Report

Reports

Engagements Overview

Digital Risk Assessment

Secure Code Review

Engagements

Insights

Planning

Cobalt Methodologies Overview

Web Methodologies

API Methodologies

External Network Methodologies

Internal Network Methodologies

Mobile Methodologies

Cloud Configuration Review Methodologies

Cloud Pentest Methodology

Desktop Methodologies

AI/LLM Methodologies

Digital Risk Assessment Methodology

Secure Code Review Methodologies

Methodologies

Attack Surface Monitoring (ASM)

Attack Surface

DAST Scanner Overview

Best Practices

Partial Scans: Reduced Scope

Scans

Sequence recorder

Targets

Target Authentication

Extra Hosts

Blackout Period

DAST Scanner

Account Overview

Account Settings

Password Best Practices

Sign In to Cobalt

Troubleshoot Sign-in Issues

User Account

Collaboration Overview

Collaborate on Pentests

Groups

Manage Pentest Collaborators

Manage Notifications

User Roles and Permissions

Collaboration

Organization Overview

Manage Users

Your Cobalt Contract

How to Configure SAML 2.0 for Cobalt 

SAML Migration: Update Your Configuration

Configure SAML SSO

SCIM Provisioning Setup Guide

Configure Organization Settings

Organization

Cobalt Credits

Track Your Credits

Cobalt PtaaS Tiers

Credits

Cobalt API Overview

Partner Integrations

API Versions

Events

Errors

Subscription

Introduction

Authentication

EU Data Center

Organizations

Engagement Findings

DAST Targets

DAST Scans

DAST Scheduled Scans

DAST Findings

External Ticket References

Tokens

Pagination

Idempotency

Rate Limits

Create a Personal Cobalt API Token

Changelog

Get an Organization Token

Revoke Your Personal Cobalt API Tokens

Create or Modify an Asset

Import Findings to Google Sheets

Cobalt API

Glossary

March 2026

February 2026

January 2026

November 2025 

August 2025

July 2025

June 2025

May 2025

April 2025

March 2025

January 2025

December 2024

November 2024

October 2024

September 2024

August 2024

July 2024

June 2024

May 2024

April 2024

March 2024

January 2024

What's New

Guide

Cobalt Product Documentation

Webhooks

Share

Share

Webhooks

Share

Share