Define Your Assets
Security professionals perform pentests on your assets. Collect the info they need.
Help our pentesters test your assets faster.
The Let’s get started! screen includes two options:
- Create a new pentest from an existing asset
  - This option opens a drop-down text box. Use it to select from assets that you’ve created. It populates the Asset screen with available information.
- Create a new pentest for a new asset.
When you set up a pentest through the UI, you’re going through the following stages of our pentest wizard:
- Define the Asset
- Create Pentest Objectives
- Specify Pentest Details
- Plan the Pentest
This section can help you define your asset. In the Cobalt UI, you can
define your asset in the following screen:

This page corresponds to the Assets that you can set up in the Cobalt app.
You can access the UI to define your assets in the following ways:
- Select Assets in the left-hand pane, and select New Asset.
- Select Assets or Pentests in the left-hand pane, and select Create a Pentest.
When you set up a pentest, the wizard allows you to define an asset.
This Getting Started Guide assumes that you’re setting up an asset as part of
setting up a pentest.
The asset screen prompts you for the following information:
- Asset Image: Use it to help identify what you need from a list of assets.
- Asset Title: Set up a descriptive name to attract attention from the best pentesters.
- Asset Type: Select one of the options described in the linked page.
- Asset Scoping: Review the guidance on:
- Asset Description: Add information that can help your
pentesters fully analyze your asset.
- Asset Documentation: Upload documentation,
architecture diagrams, images, spreadsheets, videos related to your asset.
The UI provides the information that you need to add an Asset Image and Title.
Now take the next step and define your Asset Type.
Invite Help
You may not have all the information that you need. To invite others to help define your pentest,
look for the Add Collaborator icon:

If you select the icon, we save the current pentest, in draft format. We then prompt you for an
email address of a coworker who could have more information about your pentest needs.
Next, your coworker receives an email to sign up for Cobalt, with a link directly to the pentest
that you’re working on.
1 - Specify Asset Type
What kind of asset do you have?
Help us find the right pentesters for your asset.
For each asset, we provide guidance for each of the following asset types:
| Asset Type | Description |
|---|---|
| Web | An online application (app). Includes APIs that supply data to the (Web) app. |
| Mobile | Any application intended for smart phones or tablets. |
| API | API is an Application Programming Interface. Use for APIs independent of a Web app. |
| External Network | Any network that’s directly exposed to the internet. |
| Internal Network | Any network with either a limited or no interface to the internet. |
| Cloud Config | For systems on “the Cloud,” using services such as Amazon AWS, Microsoft Azure, or Google GCP. |
We also support tests that span two categories, including:
- Web + API
  - If the only APIs you use supply information to your web app, select the Web asset type. We test those APIs as part of web-only tests.
- Web + External Network
- Web + Mobile
Once you’ve classified your asset, select an Asset Type:

The next step is to Size Your Assets
2 - Size Your Assets
Size your assets to ensure appropriate coverage.
Make sure your asset size matches its complexity.
Once you’ve read this page, you’ll know what to enter as an asset size. As
shown in the asset page of the UI, you can select sizes between Extra Small
and Extra Large.

The size you select depends on the complexity of your asset. We provide
guidance on this page for each of the following Asset Types:
- Web apps
- External networks
- Internal networks
- Mobile apps
- APIs
- Cloud configuration (AWS, Azure, GCP)
We also support tests that span categories, including:
- Web + API
- Web + External Network
- Web + Mobile
This page provides basic guidance for assets in a single category. If you
have one of these “multiple category” assets, you’ll see a link to a basic
guide in the UI. For example, if you’ve selected a Web + API Asset Type, you’ll
see a link to a “Web + API Scoping Guide”:

The following sections can help you understand the following characteristics of assets:
- Different types
- How to classify an asset by size
Once you’ve selected a size for your asset, your next step is to review the
test coverage.
Web
To scope a Web asset, you need to specify the number of the following
characteristics of that asset: User Roles and Dynamic Pages.
When scoping an Asset, include every type of User Role and Dynamic Page.
Be thorough. If you forget certain roles or pages, your pentest might not
cover all critical details.
Note
You may not need to include every user role. For example, if you have
dedicated administrative roles for backups, logs, and printers, that counts
as one (1) role.
Cobalt subdivides the number of User Roles and Dynamic Pages into the following categories:
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| User Roles | 1 | 1 - 2 | 3 - 5 | 5 - 7 | > 8 |
| Dynamic Pages | 0 - 30 | 30 - 60 | 60 - 90 | 90 - 120 | > 120 |
If your numbers fit in different categories, use your judgment. Review your
findings with your Customer Success manager (CSM), or email support@cobalt.io.
If you choose a “bigger” category, you’ll get a more complete test.
As part of our tests for Dynamic Pages, we also test the backend API
endpoints frequently used to populate content on those pages.
Our pentesters need to know more about your Web asset, including:
- Application type, such as a page-driven website or a single-page application
- Special endpoints associated with your dynamic pages
Note
If the only APIs in your assets populate dynamic web pages, you may not need to set up a
separate API asset. We test such APIs as part of our tests of a Web asset.
Mobile
To scope a Mobile asset, you need to specify the number of the following
characteristics of that asset: User Roles, Operating Systems, and Mobile Screens.
When scoping an Asset, include every User Role, Operating System, and Mobile Screen.
Be thorough. If you forget certain roles, pages, or screens, your pentest might not
cover all critical details.
Cobalt subdivides these properties into the following categories:
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| User Roles | 1 | 1 - 2 | 3 - 5 | 5 - 7 | > 8 |
| Operating Systems | 1 | 1 | 1 - 2 | 1 - 3 | 1 - 3 |
| Mobile Screens | 1 - 19 | 20 - 39 | 40 - 59 | 60 - 79 | > 80 |
If your numbers fit in different categories, use your judgment. Review your
findings with your CSM, or email support@cobalt.io. If you choose a “bigger” category,
you’ll get a more complete test.
API
We can test both RESTful and GraphQL APIs. However, these APIs work in different
ways. While some RESTful APIs can have dozens of endpoints, a GraphQL API has a
single endpoint.
If you’re sizing a GraphQL API, identify a list of queries and
mutations. For pentest purposes, that’s
functionally equivalent to the number of RESTful API endpoints.
To scope an API, you need to specify the number of the following
characteristics of that asset: User Roles and Endpoints (or, for GraphQL, Queries and Mutations).
When scoping an asset, do include every user role and endpoint.
If you forget some, you may sacrifice quality in penetration testing.
Cobalt subdivides the number of User Roles and Endpoints/Queries into the following categories:
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| User Roles | 1 | 1 - 2 | 3 - 5 | 5 - 7 | > 8 |
| Endpoints/Queries | 0 - 74 | 75 - 149 | 150 - 224 | 225 - 299 | 300 - 374 |
If your numbers fit in different categories, use your judgment. Review your
findings with your CSM, or email support@cobalt.io. If you choose a “bigger” category,
you’ll get a more complete test.
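Counting endpoints by hand is where API sizing usually goes wrong, so here is an added example (not Cobalt’s code) that counts them the way the table above asks: REST endpoints as distinct path/method pairs read from an OpenAPI 3 document, GraphQL operations as the fields on the `Query` and `Mutation` types, and then maps the counts, together with the number of user roles, to the brackets above. Both input documents are constructed for the example; where the page’s role brackets overlap (1 and 5 roles) the code takes the smaller bracket, and where the two characteristics land in different brackets it picks the larger one, which the page says yields the more complete test. Both of those are choices made for this example.

```python
"""Count endpoints/operations for Cobalt API sizing (added example, not Cobalt's code)."""
import re
from typing import List, Optional, Tuple

# Endpoints/Queries brackets from the API sizing table: (size, inclusive upper bound).
ENDPOINT_BRACKETS: List[Tuple[str, Optional[int]]] = [
    ("Extra Small", 74), ("Small", 149), ("Medium", 224), ("Large", 299), ("Extra Large", 374),
]
# User Roles brackets. The table overlaps at 1 and 5 roles; this example takes the
# smaller bracket there (an assumption, not something the page specifies).
ROLE_BRACKETS: List[Tuple[str, Optional[int]]] = [
    ("Extra Small", 1), ("Small", 2), ("Medium", 5), ("Large", 7), ("Extra Large", None),
]
SIZE_ORDER = ["Extra Small", "Small", "Medium", "Large", "Extra Large"]
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def count_openapi_endpoints(spec: dict) -> int:
    """One endpoint per (path, HTTP method). Path-level keys such as
    'parameters' or 'summary' are not operations and are skipped."""
    return sum(1 for item in spec.get("paths", {}).values()
               for key in item if key.lower() in HTTP_METHODS)


def count_graphql_operations(sdl: str) -> int:
    """Fields declared on the Query and Mutation types, which the page treats as the
    GraphQL equivalent of endpoints. Assumes one field per line, as in the sample."""
    total = 0
    for type_name in ("Query", "Mutation"):
        match = re.search(r"\btype\s+" + type_name + r"\s*\{([^}]*)\}", sdl)
        if not match:
            continue
        for line in match.group(1).splitlines():
            line = line.split("#", 1)[0].strip()          # drop trailing comments
            if re.match(r"^[A-Za-z_]\w*\s*[(:]", line):   # name(args): Type  or  name: Type
                total += 1
    return total


def size_for(count: int, brackets) -> Optional[str]:
    """Bracket for a count, or None when it exceeds the table (the page says to
    split such an asset into additional assets)."""
    for name, upper in brackets:
        if upper is None or count <= upper:
            return name
    return None


def api_asset_size(user_roles: int, operations: int) -> Optional[str]:
    """Combine both characteristics; when they disagree, take the larger bracket."""
    role_size = size_for(user_roles, ROLE_BRACKETS)
    op_size = size_for(operations, ENDPOINT_BRACKETS)
    if op_size is None:
        return None
    return max(role_size, op_size, key=SIZE_ORDER.index)


# Constructed OpenAPI 3 fragment: six operations across three paths.
SAMPLE_OPENAPI = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"parameters": [{"name": "id", "in": "path"}],
                        "get": {}, "put": {}, "delete": {}},
        "/health": {"get": {}},
    },
}

# Constructed GraphQL schema: two queries and two mutations.
SAMPLE_SDL = """
type User { id: ID!  name: String }
type Query {
  user(id: ID!): User        # look up one user
  users: [User!]!
}
type Mutation {
  createUser(name: String!): User
  deleteUser(id: ID!): Boolean
}
"""

if __name__ == "__main__":
    rest = count_openapi_endpoints(SAMPLE_OPENAPI)
    gql = count_graphql_operations(SAMPLE_SDL)
    print(f"REST endpoints: {rest} with 3 roles -> {api_asset_size(3, rest)}")
    print(f"GraphQL operations: {gql} with 3 roles -> {api_asset_size(3, gql)}")
```

For a real asset, load your own OpenAPI JSON or SDL in place of the constructed samples; the role count still has to come from your access model, since neither document format records it reliably.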
External Network
To scope an External Network, you need to specify the number of affected public IP addresses:
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| Public IP Addresses | 1 - 149 | 150 - 299 | 300 - 449 | 450 - 599 | 600 - 749 |
If you’re working with more external IP addresses, you can set up additional external network
assets. One way to organize such assets is by subnet.
Internal Network
To scope an Internal Network, you need to specify the number of affected IP addresses and servers:
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| Private IP Addresses | 1 - 149 | 150 - 299 | 300 - 449 | 450 - 599 | 600 - 749 |
| Servers | 1 - 49 | 50 - 99 | 100 - 149 | 150 - 199 | 200 - 249 |
If you’re working with more internal IP addresses, you can set up additional internal network
assets. One way to organize such assets is by subnet.
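The external and internal network tables both cap a single asset at 749 addresses and suggest organizing further assets by subnet. The following added example (not Cobalt’s code) turns that advice into a script: it counts usable host addresses per subnet with the standard-library `ipaddress` module, halves any subnet that alone exceeds the largest bracket, packs subnets in the order given into assets that stay within the bracket, and reports the size for each. The subnet list is constructed from documentation and benchmarking ranges; the greedy packing order is a simplification chosen for the example.

```python
"""Plan network assets from a subnet list (added example, not Cobalt's code)."""
import ipaddress
from typing import List, Tuple

# IP address brackets shared by the External and Internal Network tables (inclusive upper bounds).
IP_BRACKETS = [("Extra Small", 149), ("Small", 299), ("Medium", 449),
               ("Large", 599), ("Extra Large", 749)]
MAX_PER_ASSET = IP_BRACKETS[-1][1]


def host_count(net: ipaddress.IPv4Network) -> int:
    """Usable hosts: drop the network and broadcast addresses, except on /31 and /32
    where every address is a host."""
    n = net.num_addresses
    return n if n <= 2 else n - 2


def split_oversized(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Halve a subnet until each piece fits inside a single asset."""
    if host_count(net) <= MAX_PER_ASSET:
        return [net]
    pieces: List[ipaddress.IPv4Network] = []
    for half in net.subnets(prefixlen_diff=1):
        pieces.extend(split_oversized(half))
    return pieces


def size_for_hosts(count: int) -> str:
    """Map a host count to the table's size name."""
    for name, upper in IP_BRACKETS:
        if count <= upper:
            return name
    raise ValueError(f"{count} hosts exceeds the largest bracket; split the asset")


def plan_network_assets(cidrs: List[str]) -> List[Tuple[List[str], int, str]]:
    """Pack subnets, in the order given, into assets of at most MAX_PER_ASSET hosts.
    Returns one (subnets, host count, size) tuple per asset."""
    nets = [piece for cidr in cidrs
            for piece in split_oversized(ipaddress.ip_network(cidr, strict=False))]
    assets: List[Tuple[List[str], int, str]] = []
    current: List[str] = []
    current_hosts = 0
    for net in nets:
        hosts = host_count(net)
        if current and current_hosts + hosts > MAX_PER_ASSET:
            assets.append((current, current_hosts, size_for_hosts(current_hosts)))
            current, current_hosts = [], 0
        current.append(str(net))
        current_hosts += hosts
    if current:
        assets.append((current, current_hosts, size_for_hosts(current_hosts)))
    return assets


# Constructed sample: RFC 5737 documentation ranges plus the RFC 2544 benchmarking block,
# which on its own exceeds the largest bracket and therefore gets split.
SAMPLE_SUBNETS = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/24",
                  "198.51.100.128/26", "198.18.0.0/22"]

if __name__ == "__main__":
    for i, (subnets, hosts, size) in enumerate(plan_network_assets(SAMPLE_SUBNETS), 1):
        print(f"Asset {i}: {hosts} hosts -> {size}: {', '.join(subnets)}")
```

With the sample list the script produces three assets: the four small subnets together (696 hosts, Extra Large) and one asset for each /23 half of the benchmarking block (510 hosts, Large). Servers, the second row of the internal table, still have to be counted from your inventory.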
If you’re working with servers on the cloud, you can also set up a Cloud Configuration
asset.
Cloud Configuration
Cobalt pentesters can test services on the following platforms:
- Google Cloud Platform (GCP)
- Amazon Web Services (AWS)
- Microsoft Azure Cloud (Azure)
Each platform includes different categories of services, such as EC2, databases, and machine
learning engines.
To scope a Cloud Configuration asset, total the number of services you use on that asset.
| | Extra Small | Small | Medium | Large | Extra Large |
|---|---|---|---|---|---|
| Services | 1 - 49 | 50 - 99 | 100 - 149 | 150 - 199 | 200 - 249 |
If you’re working with more services, you can set up additional cloud configuration assets.
Assets of Multiple Types
Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on
assets in the following groups of categories:
- Web + API
- Web + Internal Network
- Web + Mobile
The challenges with each of these combined asset types are complex and beyond the
scope of this Getting Started documentation. If you select a combined asset type,
our UI includes a pop-up scoping guide.
Once you’ve selected a size for your asset, your next step is to review
pentest coverage.
3 - Understand Pentest Coverage
To get a cost-effective but complete pentest, you need the “right” coverage for your assets.
Once you’ve sized an asset, you can select the desired pentest coverage.
Coverage and Credits
We have standard recommendations for our pentests. Each recommendation correlates to
a number of credits.
Note
The number of credits associated with a pentest size and coverage is subject to change.
While we do our best to keep this documentation up to date, the UI is the authoritative
source of truth for the number of required credits.
Sizing and Credits
We specify sizing criteria by asset type and size. For more information see our guide
on how to Size Your Assets.
You can set your assets to one of five sizes:
| Size | Default Credits |
|---|---|
| Extra Small | 4 |
| Small | 8 |
| Medium | 12 |
| Large | 16 |
| Extra Large | 20 |
Coverage Levels and Credits
Cobalt includes the following coverage levels for each asset. The number of credits that we recommend
varies by coverage level:
| Coverage | Description |
|---|---|
| Extra Light | Covers up to two features. |
| Light | Sufficient for most general compliance test functionality. |
| Standard | Recommended for compliance tests. |
| Large | Extended coverage for key assets with complex functionality. |
| Extra Large | Comprehensive tests for assets with complex functionality. |
Every situation is unique. You may select more (or less) rigorous testing levels.
Note
By default, an “Extra Small” Asset size (1 credit) is associated with “Standard”
coverage. Our algorithms reduce the number of credits for “Light” (-1) and “Extra
Light” (-2) coverage. Since we do not do zero-credit tests, we do not allow “Light”
or “Extra Light” coverage of an “Extra Small” asset.
The following table specifies the number of credits associated with
different asset sizes and coverage levels:
| | Extra Light | Light | Standard | Large | Extra Large |
|---|---|---|---|---|---|
| Extra Small | X | X | 4 | 8 | 12 |
| Small | X | 4 | 8 | 12 | 16 |
| Medium | 4 | 8 | 12 | 16 | 20 |
| Large | 8 | 12 | 16 | 20 | 24 |
| Extra Large | 12 | 16 | 20 | 24 | 28 |
Pentest Reports
If you want a pentest report, you generally must set up a test of at least eight (8) credits.
If you’ve set up a pentest with fewer credits, you’ll still have access to the non-report
items listed in Pentest Expectations.
We do not create multiple pentest reports for large assets. For example, if you
want separate pentest reports for different APIs, set up different pentests
for each API.
Now that you’ve defined the asset type and coverage, you can
describe your asset in detail.
4 - Describe Your Assets
Better descriptions help our pentesters test your assets properly.
Help our pentesters test your assets faster.
Our pentesters need all relevant information about your asset. To help
you understand what to share, we include a description template.
For all assets, we’d appreciate a:
- High-level overview
- Description of important functions or features
- Business risks associated with each function and feature
Include links to published documentation related to the
asset. You can upload documentation, diagrams, and more in various
file formats under Asset Documentation.
The following sections detail additional needs for different kinds of assets:
Web, API, Mobile
Web, API, and Mobile assets frequently include user roles in different
categories such as:
- Administrator
- Service user
- Regular user
Each of these roles typically has a different set of rights, privileges,
or permissions. We can verify whether such roles are appropriately limited.
For web assets, define the application type. For example, a web asset may be a page-driven website or a single-page application.
Web and API assets frequently include dedicated reference documentation. For example,
RESTful API assets frequently include OpenAPI-based documents that describe the
properties associated with each endpoint.
Web Asset Description
Help us find the right pentesters for your asset. Include a high-level overview
of the application. Add details such as:
- Coding Language.
- Functions or features central to the capability of your asset.
- Business risks associated with specific functions or features.
- Special endpoints associated with your dynamic pages.
  - While our pentesters can find the API endpoints used by your web app with browser “Developer Tools,” let us know if you have special concerns with one or more endpoints.
Network Assets (External and Internal)
Our pentesters need network diagrams to know what to test on a network.
If you’ve set up a jump box for our pentesters on your
network, include the location in the diagram.
Add network information, including the IP address / hostname of the
jump box.
Cloud Configuration Assets
Our pentesters need to know how you’ve set up and use your cloud assets.
Even when your cloud assets stand alone, they may share features with
other types of assets.
For example, if you have dedicated roles to maintain cloud assets, describe
them as you would describe a web app asset.
Make sure to include the:
- Cloud provider
- Service
- Unique users / roles
- Applicable network / architecture diagrams
Asset Documentation
To share more about your assets, you can upload the documentation of your choice. Our app accepts files
in the following categories and formats:
- Archives (.gz, .rar, .tar, .zip)
- Documents (.doc, .docx, .pdf, .txt)
- Images (.gif, .jpg, .jpeg, .png)
- Spreadsheets (.csv, .xls, .xlsx)
- Videos (.mov, .mp4)
Our app limits uploads to 100 MB.

If you’d like to upload files in a different format, you can try to:
- Compress or archive the files into one of the noted formats.
  - For example, you can use a “Zip” tool built for your operating system to save your file with a .zip file extension.
- Contact your Customer Success Manager (CSM) or support@cobalt.io for guidance.
For complex assets, we encourage spreadsheets. The UI includes links to the following
templates:
- Workflow/Priority Target
- User role matrix
We’ve included suggested data in the downloadable Excel (.xlsx) files.
We encourage you to replace this information with other data, and upload it
with any other documentation for your asset.
At this point, you’ve completed all entries in the Asset section of the pentest wizard.
You can now select Create asset and pentest to move to the next part of the wizard,
the Pentest Objectives.