CxO Decision Brief: Offensive Security Testing and Pentest as a Service

Inside Cobalt’s Proactive Cyber Defense

Solution Overview

Cobalt’s platform improves cybersecurity by pairing Offensive Security Testing (OST) with a SaaS delivery model. The platform offers flexibility and scalability, providing access to a global community of expert penetration testers. With its “outside-in” approach, Cobalt identifies critical vulnerabilities so that they can be remediated quickly, reducing the risk of costly breaches.

Benefit

The Cobalt platform enhances security through continuous, proactive testing that identifies and addresses vulnerabilities across the attack surface. It improves compliance, optimizes operations, and integrates seamlessly into development processes. Cobalt engages a global pool of security experts and pentesters to scale security efforts. The result: robust protection and efficient security workflows.

Urgency

Organizations lacking a programmatic approach to offensive security face increased risk from undetected vulnerabilities and breaches, as well as compliance penalties. Cobalt’s continuous security testing and expert testers provide robust vulnerability detection, improving both security and operational efficiency. Urgency is driven by unchecked growth of the attack surface, increasing cyber threats, and ongoing resource constraints.

Impact

The Cobalt Offensive Security Testing platform strengthens security by fostering a culture of proactive defense and offensive security testing and by improving collaboration between security and development teams. It reduces the high cost of hiring and training in-house security staff, lowers operational expenses through automation, and supports a resilient security posture.

Risk

Organizations that do not adopt a proactive and holistic approach that integrates OST into security operations and IT workflow may not realize the full benefits of the solution. Staff likewise must be trained to adapt existing security practices to an offensive security approach.

1. Solution Value

This GigaOm CxO Decision Brief was commissioned by Cobalt.

Offensive Security Testing (OST) is a proactive approach to cybersecurity that encompasses traditional penetration testing but extends to other testing approaches that apply an adversarial mindset. It includes simulating real-world attacks to identify and validate vulnerabilities in an organization’s defenses. By taking an “outside-in” perspective, OST helps security teams prioritize verified exposures with demonstrated impact over theoretical risks, ensuring that resources are focused on the most critical threats.

Cobalt pioneered pentest as a service (PTaaS), which combines the depth of traditional pentesting with modern capabilities such as real-time collaboration, automated workflows, and integration with the software development lifecycle (SDLC). This approach allows for rapid detection and remediation of vulnerabilities. Cobalt’s offensive security testing platform takes PTaaS a step further by offering a broader set of services from its team of elite pentesters and by incorporating modern testing technologies. By leveraging cloud scalability and a global talent pool, Cobalt OST offers comprehensive and efficient security assessments tailored to modern cybersecurity demands.

The Cobalt Offensive Security Testing platform blends human expertise with a SaaS platform, offering both flexibility and scalability. With Cobalt, organizations gain access to a global community of highly skilled security experts who can be quickly deployed to assess specific needs across the enterprise. These services include PTaaS across many asset types (from APIs to LLMs to networks and web applications) as well as other services, such as:

  • AI/LLM pentesting
  • Source code review
  • Digital risk assessments
  • Red teaming
  • Phishing
  • Dynamic application security testing (DAST)
  • Attack surface monitoring

This breadth of services, coupled with fast start times, ensures that vulnerabilities are identified and addressed promptly across a variety of needs.

2. Urgency and Risk

Rapidly evolving threat landscapes force organizations to take action to secure their systems and data. The consequences of inaction are serious, including significant financial losses, reputational damage, regulatory fines, and lost business opportunities. Embracing proactive security measures is no longer optional; it is a business imperative. Implementing offensive security testing provides proactive protection against sophisticated threats, safeguarding critical assets and supporting compliance with industry regulations. Proactive security not only helps prevent breaches but also strengthens overall resilience in an increasingly digital world.

Urgency

Without offensive security capabilities, organizations are left reacting to threats rather than proactively identifying and mitigating them. Every security team has a layered approach to defense, but vulnerabilities can remain undetected unless those defenses are tested to confirm they are actually effective. Relying entirely on automated security testing leaves gaps for skilled attackers to exploit. Manual testing is needed, but the traditional approach through consultancies can be time consuming, inefficient, and cost prohibitive, which lengthens the window of exposure.

Adding an offensive security testing approach offers substantial value by combining the speed and human creativity of PTaaS with the scalability and breadth of DAST and attack surface monitoring (ASM). Continuous ASM catches low-hanging vulnerabilities and identifies new assets, such as API endpoints, giving security teams the visibility they need to secure their organization’s assets. Automated workflows improve efficiency, and real-time communication with testers accelerates resolution. Together these capabilities improve security posture, operational efficiency, and compliance, providing a comprehensive defense against evolving cyberthreats.

Risk

Cobalt’s service-based, offensive security approach augments defensive measures and maximizes security spend, but it does require adjustment for companies to get full value. Organizations that do not adopt a proactive and holistic approach that integrates OST into application security operations and IT workflows will not realize the full benefits of the solution. This approach requires adapting existing security practices and sustaining a culture of continuous improvement.

3. Benefits

The Cobalt Offensive Security Testing platform combines the expertise of elite security practitioners with the precision of DAST and the continuous monitoring of ASM, delivering continuous vulnerability detection and robust protection. By proactively identifying and addressing vulnerabilities with both depth and breadth, Cobalt helps organizations reduce risk, improve compliance, and optimize security operations.

Benefits include:

  • Proactive security: By combining human talent with proven technology to gain broad visibility across the attack surface, Cobalt helps companies continuously monitor their web assets with ASM and DAST while meeting internal and external security mandates with thorough pentesting, all through a single platform with a consolidated view of vulnerabilities.
  • Reduced risk: Cobalt’s offensive security approach proactively identifies vulnerabilities, reducing the risk of costly breaches. By taking an outside-in approach, Cobalt helps organizations strengthen their defenses and protect their critical assets.
  • Speed and agility: With Cobalt, an organization can launch a pentest within 24 hours by submitting its requirements and timelines. The on-demand community of security experts ensures that testers with the right skills for the tech stack are matched right away, without waiting weeks for someone to become available. The Cobalt platform streamlines planning, scheduling, and onboarding, allowing quick scoping and initiation of new pentests, whether it is the organization’s first or fiftieth.
  • Multiple asset types: Cobalt’s offensive security approach proactively identifies vulnerabilities across web applications and APIs, cloud environments, networks, physical devices, and IoT, as well as a growing practice in testing AI applications. By testing with standardized methodologies as well as by simulating real-world attacks, Cobalt helps organizations strengthen their defenses and protect their critical assets.
  • Improved compliance: Cobalt’s pentests and security assessments help organizations satisfy the testing requirements of regulations and industry standards such as PCI DSS, DORA, HIPAA, SOC 2, ISO 27001, and GDPR. By supporting compliance with documented test results, organizations can reduce their exposure to fines and penalties while demonstrating their commitment to security.
  • Real-time collaboration with security experts: Cobalt users engage directly with security experts during engagements, ensuring that fixes being developed actually address the identified vulnerabilities.
  • Optimized security operations: Cobalt’s platform streamlines security operations by automating repetitive tasks and integrating into business processes with 50+ integrations out of the box and low-code options for unique workflows. This gets vulnerabilities to the resolving teams fast and allows security teams to focus on strategic initiatives and high-impact projects, improving overall efficiency and effectiveness.
  • Enhanced development agility: By integrating security testing into the software development lifecycle, Cobalt helps organizations identify and fix vulnerabilities early in the development process. This reduces the cost and complexity of remediation, accelerates development cycles, and improves overall software quality.
  • Access to expert talent: Cobalt’s global community of highly skilled, certified, and experienced security experts provides organizations with on-demand access to specialized expertise, enabling organizations to scale their security efforts as needed without the overhead of hiring and maintaining a large in-house security team.

4. Best Practices

To maximize the value of Cobalt’s Offensive Security Testing platform and solutions, organizations should adopt a proactive and holistic approach to security. This involves integrating OST into the security operations and IT workflow, leveraging expert guidance, and continuously evaluating and adapting security measures.

  • Adopt an outside-in approach: Evaluate defensive security controls from an attacker’s perspective to identify and prioritize the vulnerabilities that pose the greatest risk across your entire attack surface and have a demonstrable impact on your organization.
  • Integrate with security and IT workflows: Incorporate security expertise into the development process to maximize efficiency. Integrate threat modeling and secure code review during the development stage. Perform DAST scanning and pentesting prior to the release of new features and products. Continuously monitor production with ASM and recurring DAST scans, as well as comprehensive pentests, to maintain a resilient security posture and meet compliance requirements.
  • Leverage expert guidance: Engage seasoned security professionals for specialized tasks beyond pentesting, such as threat modeling, red teaming, source code reviews, and digital risk assessments.
  • Automate asset discovery and monitoring: Continuously scan and monitor your organization’s web-facing assets. Discover new web assets and API endpoints, prioritize DAST scanning for important assets, and schedule pentesting for critical assets to maintain a rigorous view of your security posture.

By following these best practices, organizations can proactively address security risks, strengthen their defenses, and build a more resilient security posture.

5. Organizational Impact

The Cobalt Offensive Security Testing Platform drives significant organizational impact by transforming security from a roadblock to an enabler of business objectives. By providing actionable insights and fostering collaboration between teams, Cobalt helps organizations achieve the following:

  • Enhanced security culture: By regularly engaging in proactive security testing, organizations cultivate a heightened awareness of security risks and vulnerabilities. This awareness permeates the entire organization, encouraging employees to adopt secure practices and prioritize security in their daily work.
  • Improved collaboration: Cobalt’s platform facilitates seamless communication and collaboration between security and development teams. By integrating with popular tools like Slack, Jira, and GitHub, Cobalt ensures that security findings are promptly communicated and addressed, fostering a collaborative approach to risk mitigation.
  • Streamlined workflows: Cobalt’s platform automates many repetitive tasks, freeing up time for security and development teams to focus on strategic initiatives. The platform integrates with over 50 existing tools and workflows, including Jira, Azure DevOps, GitHub, and Slack, reducing friction and improving efficiency. Additionally, the inclusion of ASM and DAST within the platform allows teams to discover the attack surface, plan and prioritize manual testing, and run automated DAST scans from one place. This streamlines the entire security testing process, from initial discovery to remediation.
  • Increased efficiency: By automating repetitive tasks and streamlining workflows, Cobalt’s platform enables organizations to achieve greater efficiency in their security operations. This allows security teams to do more with less, maximizing their impact and ensuring that resources are allocated effectively.
  • Measurable results: Cobalt’s platform provides detailed reports and insights, allowing organizations to track their progress over time and measure the effectiveness of their security investments. This data-driven approach enables continuous improvement and ensures that security efforts align with business objectives.

Implementing Cobalt’s solution requires minimal training due to its user-friendly interface and intuitive workflows. Organizations may need to adjust existing security practices to fully embrace a proactive and offensive security approach. This may involve educating employees on the importance of regular security testing and fostering a culture of continuous improvement.

People Impact

The Cobalt Offensive Security Testing Platform significantly impacts an organization’s security workforce by addressing the challenges of hiring and retaining skilled security professionals, especially in a time of constrained security budgets and industry layoffs.

  • Cost-effective expertise: Cobalt’s on-demand model allows organizations to access a global community of skilled pentesters and cybersecurity experts without requiring extensive in-house hiring. This reduces the burden on internal security teams, allowing them to focus on strategic initiatives and core competencies.
  • Addressing the talent shortage: Cobalt’s platform bridges the skills gap by providing immediate access to a diverse pool of well-trained and expert talent, ensuring that organizations have the right security expertise they need.
  • Upskilling opportunities: Working alongside Cobalt’s expert pentesters provides internal security teams valuable learning opportunities. They can gain insights into the latest attack techniques, methodologies, and remediation strategies, enhancing their overall skills and knowledge base.
  • Scalability and flexibility: Cobalt’s on-demand model enables organizations to scale their security teams up or down as needed, providing flexibility to address fluctuating security requirements. This eliminates the need to maintain a large, full-time security staff, reducing overhead costs.
  • Collaboration and transparency: Cobalt enables the internal team to interact directly with security experts throughout the engagement. This provides real-time insight and allows findings to be clarified as they are reported. Engagement with Cobalt also enables fast retesting as fixes are developed. Working directly with the testers builds trust during the offensive security engagement.
  • Cost savings: By leveraging the Cobalt Offensive Security Testing Platform, organizations can achieve greater breadth and speed in their security program than with traditional pentesting approaches. The on-demand model reduces the need for costly hiring and training, while the platform’s automation capabilities further reduce operational costs.

Overall, Cobalt’s Offensive Security Testing Platform empowers organizations to build a more capable, resilient, and cost-effective security workforce, ensuring they have the expertise to protect their critical assets in today’s challenging threat landscape while maintaining a robust security posture.

Investment Outlook

Cobalt’s pricing model is based on credits, which can be used for any Cobalt service. Different tiers offer varying levels of service and features. Each credit corresponds to eight hours of testing or services, and the cost per credit varies depending on the chosen tier (Standard, Premium, or Enterprise). The Standard tier starts at $1,695 per credit, while the Premium tier is priced at $1,895 per credit. Enterprise pricing is custom-quoted to cater to the specific needs of larger organizations. The number of credits required depends on the asset being tested and the type of test being conducted.

In addition to the credit-based model, Cobalt offers an annual DAST subscription, starting at $3,597 for three targets. Every Cobalt subscription also includes one DAST target and access to ASM.

This flexible pricing model allows organizations to tailor their investment to their specific needs and budget, readily supporting changing business needs and priorities. This ensures that organizations only pay for the services they use, minimizing upfront costs and providing greater budget control.

It’s important to consider the value provided by Cobalt’s platform and expertise when considering the cost. The comprehensive nature of its pentests, the speed and efficiency of its service delivery, and the access to a global community of experts justify the investment. Existing investments in defensive controls are augmented and more impactful in protecting the organization.

In terms of risk, Cobalt’s SaaS model eliminates the need for lengthy procurement and provisioning processes, allowing organizations to quickly start and scale their security testing efforts. This agility is crucial in today’s rapidly evolving threat landscape, where the ability to respond quickly to emerging threats can make all the difference.

It’s worth noting that Cobalt’s solution is designed for customers to get value quickly. Customers can start with attack surface monitoring (included in all subscriptions) to gain visibility into their web-facing assets, prioritize important assets with recurring DAST scanning (one target is included with any Cobalt subscription), and ensure critical assets are regularly pentested to meet compliance requirements.

6. Solution Timeline

Organizations can typically implement the Cobalt Offensive Security Testing Platform within days. The platform’s intuitive interface and streamlined workflows enable rapid onboarding and minimal ramp-up time. With the ability to launch a pentest in just 24 hours, Cobalt’s on-demand model ensures quick deployment. Integration with existing tools like Jira, Slack, and GitHub further expedites the process, allowing seamless adoption into current security and development workflows. This timeline may vary depending on the organization’s existing security infrastructure and specific needs.

Future Considerations

Over the next three years, Cobalt customers can expect continued expansion of the platform’s capabilities and services. Cobalt is actively investing in broadening its offensive security offerings to include enhanced attack surface monitoring and incorporating AI into the platform as part of its commitment to staying at the forefront of cybersecurity innovation.

Cobalt’s focus on integrating automation into its platform aligns with the broader industry trends. Customers can anticipate further enhancements in this area, streamlining workflows and improving efficiency.

Additionally, Cobalt’s open API and commitment to integrations suggest a future where its platform seamlessly integrates with a wide range of development and security tools, providing a unified view of an organization’s security posture.

Cobalt’s breadth of testing services, driven by customer demand, is expected to continue to expand. Cobalt’s commitment to continuous improvement and customer-centric approach positions it well to address emerging challenges and provide innovative solutions that meet the changing needs of its customers.

7. Analyst’s Take

The pentesting market is growing rapidly, driven by the increasing sophistication of cyberthreats and the need for continuous, proactive security testing. Pentesting is still the gold standard and backbone of the security industry. It approaches an organization from the attacker’s perspective. Adding an offensive approach augments defensive measures and maximizes security spend. Cobalt is an acknowledged leader in the offensive security testing space, offering a unique combination of human expertise and technology that delivers comprehensive and efficient security assessments quickly and at scale.

8. Report Methodology

This GigaOm CxO Decision Brief analyzes a specific technology and related solution to provide executive decision-makers with the information they need to drive successful IT strategies that align with the business. The report is focused on large impact zones that are often overlooked in technical research, yielding enhanced insight and mitigating risk. We work closely with vendors to identify the value and benefits of specific solutions and to lay out best practices that enable organizations to drive a successful decision process.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "CxO Decision Brief: Offensive Security Testing and Pentest as a Service" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.