Define Your Assets

Security professionals perform pentests on your assets. Collect the info they need.

Help our pentesters test your assets faster.

The Let’s get started! screen includes two options:

  • Create a new pentest from an existing asset
    • This option opens a drop-down list. Use it to select one of the assets that you’ve already created. The wizard then populates the Asset screen with the information it has for that asset.
  • Create a new pentest for a new asset.

When you set up a pentest through the UI, you go through the following stages of our pentest wizard:

  • Define the Asset
  • Create Pentest Objectives
  • Specify Pentest Details
  • Plan the Pentest

This section can help you define your asset. In the Cobalt UI, you define your asset in the following screen:

Asset Screen

This page corresponds to the Assets that you can set up in the Cobalt app. You can access the UI to define your assets in the following ways:

  • Select Assets in the left-hand pane, and select New Asset.
  • Select Assets or Pentests in the left-hand pane, and select Create a Pentest. When you set up a pentest, the wizard allows you to define an asset.

This Getting Started Guide assumes that you’re setting up an asset as part of setting up a pentest.

The asset screen prompts you for the following information:

  • Asset Image: Use it to help identify the asset in a list of assets.
  • Asset Title: Set up a descriptive name to attract attention from the best pentesters.
  • Asset Type: Select one of the options described in the linked page.
  • Asset Scoping: Review the sizing and coverage guidance later on this page.
  • Asset Description: Add information that can help your pentesters fully analyze your asset.
  • Asset Documentation: Upload documentation, architecture diagrams, images, spreadsheets, and videos related to your asset.

The UI provides the information that you need to add an Asset Image and Title. Now take the next step and define your Asset Type.

Invite Help

You may not have all the information that you need. To invite others to help define your pentest, look for the Add Collaborator icon:

Add Collaborator

If you select the icon, we save the current pentest as a draft. We then prompt you for the email address of a coworker who may have more information about your pentest needs.

Next, your coworker receives an email to sign up for Cobalt, with a link directly to the pentest that you’re working on.

1 - Specify Asset Type

What kind of asset do you have?

Help us find the right pentesters for your asset.

We provide guidance for each of the following asset types:

Asset Type         Description
Web                An online application (app). Includes APIs that supply data to the (Web) app.
Mobile             Any application intended for smart phones or tablets.
API                An Application Programming Interface. Use for APIs that are independent of a Web app.
External Network   Any network that’s directly exposed to the internet.
Internal Network   Any network with either a limited or no interface to the internet.
Cloud Config       For systems on “the Cloud,” using services such as Amazon AWS, Microsoft Azure, or Google GCP.

We also support tests that span two categories, including:

  • Web + API
    • If the only APIs you use supply information to your web app, select the Web asset type. We test those APIs as part of web-only tests.
  • Web + External Network
  • Web + Mobile

Once you’ve classified your asset, select an Asset Type:

Select an Asset Type

The next step is to Size Your Assets

2 - Size Your Assets

Size your assets to ensure appropriate coverage.

Make sure your asset size matches its complexity.

Once you’ve read this page, you’ll know what to enter as an asset size. As shown in the asset page of the UI, you can select sizes between Extra Small and Extra Large.

Asset Size

The size you select depends on the complexity of your asset. We provide guidance on this page for each of the following Asset Types:

  • Web apps
  • External networks
  • Internal networks
  • Mobile apps
  • APIs
  • Cloud configuration (AWS, Azure, GCP)

We also support tests that span categories, including:

  • Web + API
  • Web + External Network
  • Web + Mobile

This page provides basic guidance for assets in a single category. If you have one of these “multiple category” assets, you’ll see a link to a basic guide in the UI. For example, if you’ve selected a Web + API Asset Type, you’ll see a link to a “Web + API Scoping Guide”:

Link to Scoping Guides in the UI

The following sections cover, for each asset type:

  • What counts toward the size of that type of asset
  • How to classify an asset of that type by size

Once you’ve selected a size for your asset, your next step is to review the test coverage.

Web

To scope a Web asset, you need to specify the number of User Roles and the number of Dynamic Pages in that asset.

When scoping an Asset, include every type of User Role and Dynamic Page. Be thorough. If you forget certain roles or pages, your pentest might not cover all critical details.

Cobalt subdivides the number of User Roles and Dynamic Pages into the following categories:

                 Extra Small   Small     Medium    Large      Extra Large
User Roles       1             1 - 2     3 - 5     5 - 7      > 8
Dynamic Pages    0 - 30        30 - 60   60 - 90   90 - 120   > 120

If your numbers fit in different categories, use your judgment. Review your findings with your Customer Success Manager (CSM), or email support@cobalt.io. If you choose the “bigger” category, you’ll get a more complete test; as the credit tables under Understand Pentest Coverage show, a bigger category also uses more credits.

As part of our tests for Dynamic Pages, we also test the backend API endpoints frequently used to populate content on those pages.

Our pentesters need to know more about your Web asset, including:

  • Application type, such as a page-driven website or a single-page application
  • Special endpoints associated with your dynamic pages

Mobile

To scope a Mobile asset, you need to specify the number of User Roles, Operating Systems, and Mobile Screens in that asset.

When scoping an Asset, include every User Role, Operating System, and Mobile Screen. Be thorough. If you forget certain roles, operating systems, or screens, your pentest might not cover all critical details.

Cobalt subdivides these properties into the following categories:

                    Extra Small   Small     Medium    Large     Extra Large
User Roles          1             1 - 2     3 - 5     5 - 7     > 8
Operating Systems   1             1         1 - 2     1 - 3     1 - 3
Mobile Screens      1 - 19        20 - 39   40 - 59   60 - 79   > 80

If your numbers fit in different categories, use your judgment. Review your findings with your CSM, or email support@cobalt.io. If you choose a “bigger” category, you’ll get a more complete test.

API

We can test both RESTful and GraphQL APIs. However, these APIs work in different ways. While a RESTful API can expose dozens of endpoints, a GraphQL API typically exposes a single endpoint, with the individual operations defined in its schema.

If you’re sizing a GraphQL API, identify a list of queries and mutations. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints.
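For a GraphQL API, the count you need comes straight out of the schema (SDL): every field on the root Query and Mutation types is one operation. The following script is an added example, not Cobalt’s tooling; it takes an SDL document, strips descriptions and comments, honours a custom `schema { query: ... }` block, collapses `extend type` declarations, and returns the field names per root type. The sample schema embedded below is constructed for the example.

```python
import re

# Constructed sample schema (not from the page). It deliberately includes
# descriptions, comments, multi-line argument lists, a directive with a
# string argument and an `extend type`, all of which break a naive line count.
SAMPLE_SDL = '''
"""Root query type."""
type Query {
  # the signed-in user
  me: User
  "Look up a user by id"
  user(id: ID!): User
  users(
    first: Int = 10
    after: String
  ): [User!]!
  search(term: String!, scope: SearchScope = ALL): [SearchResult!]!
}

type Mutation {
  login(email: String!, password: String!): AuthPayload!
  updateProfile(input: ProfileInput!): User @deprecated(reason: "use updateUser")
}

extend type Query {
  invoices(status: InvoiceStatus): [Invoice!]!
}

type User {
  id: ID!
  name: String
}
'''


def _strip_strings_and_comments(sdl: str) -> str:
    """Remove block descriptions, one-line strings and # comments so that
    nothing inside them can look like a field or a type declaration."""
    sdl = re.sub(r'"""[\s\S]*?"""', '', sdl)
    sdl = re.sub(r'"(?:\\.|[^"\\\n])*"', '', sdl)
    return re.sub(r'#[^\n]*', '', sdl)


def _root_type_names(sdl: str) -> dict:
    """Default root type names, overridden by an explicit schema block."""
    roots = {"query": "Query", "mutation": "Mutation"}
    m = re.search(r'^\s*(?:extend\s+)?schema\b[^{]*\{([^}]*)\}', sdl, re.MULTILINE)
    if m:
        for op, name in re.findall(r'\b(query|mutation)\s*:\s*(\w+)', m.group(1)):
            roots[op] = name
    return roots


def _type_bodies(sdl: str, type_name: str):
    """Yield the brace-balanced body of every `type X {...}` and
    `extend type X {...}` declaration for the given type name."""
    pattern = r'\b(?:extend\s+)?type\s+' + re.escape(type_name) + r'\b[^{]*\{'
    for m in re.finditer(pattern, sdl):
        depth, i = 1, m.end()
        while i < len(sdl) and depth:
            depth += {'{': 1, '}': -1}.get(sdl[i], 0)
            i += 1
        yield sdl[m.end():i - 1]


def root_fields(sdl: str) -> dict:
    """Map 'query' and 'mutation' to the sorted field names on their root types."""
    clean = _strip_strings_and_comments(sdl)
    result = {}
    for op, type_name in _root_type_names(clean).items():
        names = set()
        for body in _type_bodies(clean, type_name):
            body = re.sub(r'\([^)]*\)', '', body)   # drop argument lists, directive args
            names.update(re.findall(r'(\w+)\s*:', body))
        result[op] = sorted(names)
    return result


def operation_count(sdl: str) -> int:
    """Queries plus mutations: the number to size against the API endpoint table."""
    fields = root_fields(sdl)
    return len(fields["query"]) + len(fields["mutation"])


if __name__ == "__main__":
    print(root_fields(SAMPLE_SDL))
    print("operations:", operation_count(SAMPLE_SDL))
```

Run it against the schema your server exposes (for example the SDL you keep in source control), and use the returned total as the Endpoints/Queries figure in the API sizing table. The regex approach is deliberately dependency-free; if your schema uses unusual constructs, a proper GraphQL parser gives the same count with less risk.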

To scope an API, you need to specify the number of User Roles and the number of Endpoints (or, for GraphQL, queries and mutations) in that asset.

When scoping an asset, include every user role and endpoint. If you forget some, you may sacrifice quality in penetration testing.

Cobalt subdivides the number of User Roles and Endpoints/Queries into the following categories:

                    Extra Small   Small      Medium      Large       Extra Large
User Roles          1             1 - 2      3 - 5       5 - 7       > 8
Endpoints/Queries   0 - 74        75 - 149   150 - 224   225 - 299   300 - 374

If your numbers fit in different categories, use your judgment. Review your findings with your CSM, or email support@cobalt.io. If you choose a “bigger” category, you’ll get a more complete test.

External Network

To scope an External Network, you need to specify the number of public IP addresses in scope:

                      Extra Small   Small       Medium      Large       Extra Large
Public IP Addresses   1 - 149       150 - 299   300 - 449   450 - 599   600 - 749

If you’re working with more external IP addresses, you can set up additional external network assets. One way to organize such assets is by subnet.

Internal Network

To scope an Internal Network, you need to specify the number of private IP addresses and servers in scope:

                       Extra Small   Small       Medium      Large       Extra Large
Private IP Addresses   1 - 149       150 - 299   300 - 449   450 - 599   600 - 749
Servers                1 - 49        50 - 99     100 - 149   150 - 199   200 - 249

If you’re working with more internal IP addresses, you can set up additional internal network assets. One way to organize such assets is by subnet.

If you’re working with servers on the cloud, you can also set up a Cloud Configuration asset.

Cloud Configuration

Cobalt pentesters can test services on the following platforms:

  • Google Cloud Platform (GCP)
  • Amazon Web Services (AWS)
  • Microsoft Azure Cloud (Azure)

Each platform includes different categories of services, such as compute (for example, EC2), databases, and machine learning engines.

To scope a Cloud Configuration asset, total the number of services you use on that asset.

           Extra Small   Small     Medium      Large       Extra Large
Services   1 - 49        50 - 99   100 - 149   150 - 199   200 - 249

If you’re working with more services, you can set up additional cloud configuration assets.

Assets of Multiple Types

Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on assets in the following groups of categories:

  • Web + API
  • Web + External Network
  • Web + Mobile

The challenges with each of these combined asset types are complex, beyond the scope of this Getting Started documentation. If you select a combined asset type, our UI includes a pop-up scoping guide.

Once you’ve selected a size for your asset, your next step is to review pentest coverage.

3 - Understand Pentest Coverage

To get a cost-effective but complete pentest, you need the “right” coverage for your assets.

Once you’ve sized an asset, you can select the desired pentest coverage.

Coverage and Credits

We have standard recommendations for our pentests. Each recommendation correlates to a number of credits.

Sizing and Credits

We specify sizing criteria by asset type and size. For more information see our guide on how to Size Your Assets.

You can set your assets to one of five sizes:

Size          Default Credits
Extra Small   4
Small         8
Medium        12
Large         16
Extra Large   20

Coverage Levels and Credits

Cobalt includes the following coverage levels for each asset. The number of credits that we recommend varies by coverage level:

Coverage      Description
Extra Light   Covers up to two features.
Light         Sufficient for most general compliance test functionality.
Standard      Recommended for compliance tests.
Large         Extended coverage for key assets with complex functionality.
Extra Large   Comprehensive tests for assets with complex functionality.

Every situation is unique. You may select more (or less) rigorous testing levels.

The following table specifies the number of credits associated with each combination of asset size (rows) and coverage level (columns). An X means that coverage level isn’t offered for that asset size. The Standard column matches the default credits listed above.

Asset Size    Extra Light   Light   Standard   Large   Extra Large
Extra Small   X             X       4          8       12
Small         X             4       8          12      16
Medium        4             8       12         16      20
Large         8             12      16         20      24
Extra Large   12            16      20         24      28

Pentest Reports

If you want a pentest report, you generally must set up a test of at least eight (8) credits. If you’ve set up a pentest with fewer credits, you’ll still have access to the non-report items listed in Pentest Expectations.

We do not create multiple pentest reports for large assets. For example, if you want separate pentest reports for different APIs, set up different pentests for each API.
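The sizing tables in Size Your Assets and the credit tables above combine into a short calculation that is easy to get wrong by hand, especially when an asset’s metrics land in different buckets or a network is larger than one asset allows. The script below is an added example, not Cobalt’s own tooling, that encodes those tables: it sizes a Web asset from its role and page counts (taking the larger bucket when they disagree, as the page recommends), looks up credits for a size and coverage level (refusing the combinations marked X), checks the eight-credit report threshold, and splits a list of public subnets into external network assets that each fit within the Extra Large bucket. Where the page’s ranges touch (user roles 3 - 5 and 5 - 7, pages 30 - 60 and 60 - 90), the shared value is placed in the smaller bucket; that is this example’s choice, and the sample inputs at the bottom are constructed.

```python
import ipaddress

SIZES = ["Extra Small", "Small", "Medium", "Large", "Extra Large"]
COVERAGE = ["Extra Light", "Light", "Standard", "Large", "Extra Large"]

# Upper bound of the Extra Small .. Large buckets from this page's sizing
# tables; anything above the last bound is Extra Large. Where two ranges
# share a boundary value, this example puts that value in the smaller bucket.
WEB_LIMITS = {"user_roles": [1, 2, 5, 7], "dynamic_pages": [30, 60, 90, 120]}
API_LIMITS = {"user_roles": [1, 2, 5, 7], "endpoints": [74, 149, 224, 299]}
NETWORK_LIMITS = {"ip_addresses": [149, 299, 449, 599]}
NETWORK_MAX_IPS = 749  # top of the Extra Large bucket for one network asset

# Credits by asset size (rows) and coverage level (columns); None = not offered.
CREDIT_MATRIX = {
    "Extra Small": [None, None, 4, 8, 12],
    "Small":       [None, 4, 8, 12, 16],
    "Medium":      [4, 8, 12, 16, 20],
    "Large":       [8, 12, 16, 20, 24],
    "Extra Large": [12, 16, 20, 24, 28],
}
REPORT_MIN_CREDITS = 8


def bucket(value: int, limits: list) -> int:
    """Index into SIZES of the first bucket whose upper bound holds value."""
    for i, upper in enumerate(limits):
        if value <= upper:
            return i
    return len(SIZES) - 1


def asset_size(counts: dict, limits: dict) -> str:
    """Size an asset from its metric counts. When the metrics land in
    different buckets, take the larger one, which the page recommends
    for a more complete test."""
    return SIZES[max(bucket(counts[metric], limits[metric]) for metric in limits)]


def credits_for(size: str, coverage: str) -> int:
    """Credits for a size/coverage pair; raises where the page marks X."""
    credits = CREDIT_MATRIX[size][COVERAGE.index(coverage)]
    if credits is None:
        raise ValueError(f"{coverage} coverage is not offered for {size} assets")
    return credits


def report_available(credits: int) -> bool:
    """A pentest report generally requires at least eight credits."""
    return credits >= REPORT_MIN_CREDITS


def plan_network_assets(cidrs: list, cap: int = NETWORK_MAX_IPS) -> list:
    """Group subnets, in the order given, into external network assets that
    each stay within one Extra Large bucket; the page suggests splitting
    larger ranges into additional assets by subnet. Every address in a block
    is counted, network and broadcast included, so the estimate errs large."""
    assets, current, total = [], [], 0
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > cap:
            raise ValueError(f"{cidr} alone exceeds {cap} addresses; split it first")
        if total + net.num_addresses > cap:
            assets.append((current, total))
            current, total = [], 0
        current.append(str(net))
        total += net.num_addresses
    if current:
        assets.append((current, total))
    return [{"subnets": subnets, "ip_addresses": n,
             "size": asset_size({"ip_addresses": n}, NETWORK_LIMITS)}
            for subnets, n in assets]


if __name__ == "__main__":
    # Constructed example: roles alone say Small, pages alone say Large.
    size = asset_size({"user_roles": 2, "dynamic_pages": 100}, WEB_LIMITS)
    credits = credits_for(size, "Standard")
    print(size, credits, "report" if report_available(credits) else "no report")
    # Constructed example: three /24s in RFC 5737 documentation space, which
    # together exceed what one external network asset holds.
    for asset in plan_network_assets(["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]):
        print(asset)
```

The `API_LIMITS` table is included so the same `asset_size` call works for an API once you have its endpoint count (for GraphQL, the queries-plus-mutations figure). `plan_network_assets` keeps subnets in the order you list them, so group related subnets together before calling it if you want each asset to map to one part of your estate.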

Now that you’ve defined the asset type, size, and coverage, you can describe your asset in detail.

4 - Describe Your Assets

Better descriptions help our pentesters test your assets properly.

Help our pentesters test your assets faster.

Our pentesters need all relevant information about your asset. To help you understand what to share, we include a description template.

For all assets, we’d appreciate a:

  • High-level overview
  • Description of important functions or features
  • Business risks associated with each function and feature

Include links to published documentation related to the asset. You can upload documentation, diagrams, and more in various file formats under Asset Documentation.

The following sections detail additional needs for different kinds of assets:

Web, API, Mobile

Web, API, and Mobile assets frequently include user roles in different categories such as:

  • Administrator
  • Service user
  • Regular user

Each of these roles typically has a different set of rights, privileges, or permissions. We can verify whether such roles are appropriately limited.

For web assets, define the application type. For example, a web asset may be a page-driven website or a single-page application.

Web and API assets frequently include dedicated reference documentation. For example, RESTful API assets frequently include OpenAPI-based documents that describe the properties associated with each endpoint.

Web Asset Description

Help us find the right pentesters for your asset. Include a high-level overview of the application. Add details such as:

  • Coding Language.
  • Functions or features central to the capability of your asset.
    • Business risks associated with specific functions or features.
  • Special endpoints associated with your dynamic pages.
    • While our pentesters can find the API endpoints used by your web app with browser “Developer Tools,” let us know if you have special concerns with one or more endpoints.

Network Assets (External and Internal)

Our pentesters need network diagrams to know what to test on a network. If you’ve set up a jump box for our pentesters on your network, include the location in the diagram.

Add network information, including the IP address / hostname of the jump box.

Cloud Configuration Assets

Our pentesters need to know how you’ve set up and use your cloud assets. Even when your cloud assets stand alone, they may share features with other types of assets.

For example, if you have dedicated roles to maintain cloud assets, describe them as you would describe a web app asset.

Make sure to include the:

  • Cloud provider
  • Service
  • Unique users / roles
  • Applicable network / architecture diagrams

Asset Documentation

To share more about your assets, you can upload the documentation of your choice. Our app accepts files in the following categories and formats:

  • Archives (.gz, .rar, .tar, .zip)
  • Documents (.doc, .docx, .pdf, .txt)
  • Images (.gif, .jpg, .jpeg, .png)
  • Spreadsheets (.csv, .xls, .xlsx)
  • Videos (.mov, .mp4)

Our app limits uploads to 100 MB.

Asset Documentation Screen

If you’d like to upload files in a different format, you can try to:

  • Compress or archive the files into one of the noted formats.
    • For example, you can use a “Zip” tool built for your operating system to save your file with a .zip file extension.
  • Contact your Customer Success Manager (CSM) or support@cobalt.io for guidance.

For complex assets, we encourage spreadsheets. The UI includes links to the following templates:

  • Workflow/Priority Target
  • User role matrix

We’ve included suggested data in the downloadable Excel (.xlsx) files. Replace this information with your own data, and upload the result with any other documentation for your asset.

At this point, you’ve completed all entries in the Asset section of the pentest wizard. You can now select Create asset and pentest to move to the next part of the wizard, the Pentest Objectives.