Cobalt Methodologies
Cobalt pentesters follow specific methodologies for different test and asset types.
By default, our pentesters test for industry-standard vulnerabilities from:
- Open Web Application Security Project (OWASP).
  - Includes different “Top 10” lists for web, API, mobile, AI/LLM, and cloud systems.
- Open Source Security Testing Methodology Manual (OSSTMM) (PDF).
  - Used for internal and external networks.
For more information, refer to the detailed pages associated with your asset.
The methodology is usually fixed, based on the Test Type or the Asset Type you defined earlier. If you choose a combined asset type, such as Web + API, you can limit the test to either of the individual methodologies.
Testing Approaches
Understanding the level of testing access provided to the team is critical to defining the scope and depth of testing. We offer three standard approaches:
Black-box Testing
In a black-box engagement, testers are given no internal knowledge of the application or infrastructure. They simulate an external attacker with no privileged access, relying entirely on publicly available information and exposed functionality. This approach tests how the application performs under real-world attack conditions but may not uncover deeper or logic-based flaws due to limited visibility. Testing will cease immediately and the Customer will be contacted if the pentester gains access to the application or network.
Grey-box Testing
In a grey-box engagement, testers are provided with partial knowledge, such as valid user credentials, limited API documentation, or an overview of the application’s architecture. This approach balances realism with efficiency, allowing deeper testing of authenticated functionality, access control, and business logic flaws while retaining an external attack perspective.
White-box Testing
In a white-box engagement, testers are given full access to internal documentation, architecture diagrams, source code, configuration details, and test accounts with various roles. This method enables comprehensive coverage and is ideal for identifying deep-seated vulnerabilities, insecure configurations, and architectural weaknesses.
Last modified April 17, 2025