Size Your Assets

Size your assets to ensure appropriate coverage.

Make sure your asset size matches its complexity.

Once you’ve read this page, you’ll know what to enter as an asset size. As shown in the asset page of the UI, you can select sizes between Extra Small and Extra Large.

Asset Size

The size you select depends on the complexity of your asset. We provide guidance on this page for each of the following Asset Types:

  • Web apps
  • External networks
  • Internal networks
  • Mobile apps
  • APIs
  • Cloud configuration (AWS, Azure, GCP)

We also support tests that span categories, including:

  • Web + API
  • Web + External Network
  • Web + Mobile

This page provides basic guidance for assets in a single category. If you have one of these “multiple category” assets, you’ll see a link to a basic guide in the UI. For example, if you’ve selected a Web + API Asset Type, you’ll see a link to a “Web + API Scoping Guide”:

Link to Scoping Guides in the UI

The following sections cover, for each asset type:

  • Which characteristics to count
  • How to classify the asset by size from those counts

Once you’ve selected a size for your asset, your next step is to review the test coverage.

Web

To scope a Web asset, count two characteristics: the number of User Roles and the number of Dynamic Pages.

When scoping an asset, include every type of User Role and Dynamic Page. Be thorough: if you omit roles or pages, your pentest might not cover every critical path.

Cobalt subdivides the number of User Roles and Dynamic Pages into the following categories:

                 Extra Small   Small      Medium     Large       Extra Large
User Roles       1             1 - 2      3 - 5      5 - 7       > 8
Dynamic Pages    0 - 30        30 - 60    60 - 90    90 - 120    > 120

If your numbers fall in different columns (for example, 2 User Roles but 70 Dynamic Pages), use your judgment. Review your findings with your Customer Success Manager (CSM), or email support@cobalt.io. Choosing the larger size gives you a more complete test.

As part of our tests for Dynamic Pages, we also test the backend API endpoints frequently used to populate content on those pages.

Our pentesters need to know more about your Web asset, including:

  • Application type, such as a page-driven website or a single-page application
  • Special endpoints associated with your dynamic pages

Mobile

To scope a Mobile asset, count three characteristics: the number of User Roles, the number of Operating Systems, and the number of Mobile Screens.

When scoping an asset, include every User Role, Operating System, and Mobile Screen. Be thorough: if you omit roles, operating systems, or screens, your pentest might not cover every critical path.

Cobalt subdivides these properties into the following categories:

                     Extra Small   Small      Medium     Large      Extra Large
User Roles           1             1 - 2      3 - 5      5 - 7      > 8
Operating Systems    1             1          1 - 2      1 - 3      1 - 3
Mobile Screens       1 - 19        20 - 39    40 - 59    60 - 79    > 80

If your numbers fall in different columns (for example, 1 User Role but 45 Mobile Screens), use your judgment. Review your findings with your CSM, or email support@cobalt.io. Choosing the larger size gives you a more complete test.

API

We can test both RESTful and GraphQL APIs. However, they are structured differently: a RESTful API may expose dozens of endpoints, while a GraphQL API typically exposes a single endpoint that serves every query and mutation.

If you’re sizing a GraphQL API, list its queries and mutations. For pentest purposes, the number of queries plus mutations is equivalent to the number of RESTful API endpoints.

To scope an API, count two characteristics: the number of User Roles and the number of Endpoints (for GraphQL, the number of Queries and Mutations).

When scoping an asset, include every user role and endpoint. If you omit some, your pentest may miss part of the attack surface.

Cobalt subdivides the number of User Roles and Endpoints (or Queries and Mutations) into the following categories:

                     Extra Small   Small       Medium      Large       Extra Large
User Roles           1             1 - 2       3 - 5       5 - 7       > 8
Endpoints/Queries    0 - 74        75 - 149    150 - 224   225 - 299   300 - 374

If your numbers fall in different columns (for example, 2 User Roles but 160 Endpoints), use your judgment. Review your findings with your CSM, or email support@cobalt.io. Choosing the larger size gives you a more complete test.
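Counting the Endpoints/Queries row by hand is error-prone on a large API, so the following added example (not Cobalt’s code) derives the number from the artifacts you already have. It assumes an OpenAPI 3 document loaded as a dict and a GraphQL schema as SDL text; both sample inputs are constructed for illustration, and the bucket boundaries are copied from the table above. One REST endpoint is counted per (path, HTTP method) pair, and GraphQL root fields of Query and Mutation (including extend type blocks) are counted as the page says, as equivalent to endpoints.

```python
"""Count the testable surface of an API for sizing.

Added example, not Cobalt's code. It assumes an OpenAPI 3 document already
loaded as a dict and a GraphQL schema as SDL text; the sample inputs at the
bottom are constructed for illustration.
"""
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Endpoints/Queries buckets from the sizing table (upper bound inclusive).
ENDPOINT_BUCKETS = [
    ("Extra Small", 74),
    ("Small", 149),
    ("Medium", 224),
    ("Large", 299),
    ("Extra Large", 374),
]


def count_rest_operations(openapi: dict) -> int:
    """One endpoint per (path, HTTP method) pair; 'parameters', 'summary' etc. are not operations."""
    total = 0
    for path_item in openapi.get("paths", {}).values():
        total += sum(1 for key in path_item if key.lower() in HTTP_METHODS)
    return total


def count_graphql_operations(sdl: str) -> dict:
    """Count root fields of Query and Mutation (including 'extend type' blocks) in an SDL schema.

    Limitation of this example: descriptions, comments, argument lists and
    directives are stripped with regexes, so a '}' inside an argument default
    value would confuse the block matcher.
    """
    counts = {"queries": 0, "mutations": 0}
    for root, key in (("Query", "queries"), ("Mutation", "mutations")):
        for body in re.findall(r"type\s+%s\b[^{]*\{([^}]*)\}" % root, sdl):
            body = re.sub(r'"""[\s\S]*?"""', "", body)   # block-string descriptions
            body = re.sub(r'"[^"\n]*"', "", body)        # one-line strings (e.g. directive args)
            body = re.sub(r"#[^\n]*", "", body)          # comments
            body = re.sub(r"\([^)]*\)", "", body)        # argument lists, possibly multi-line
            counts[key] += len(re.findall(r"^\s*\w+\s*:", body, flags=re.M))
    return counts


def size_for_endpoints(n: int) -> str:
    for name, upper in ENDPOINT_BUCKETS:
        if n <= upper:
            return name
    return "above Extra Large"  # assumption: the table stops at 374; split the asset or ask your CSM


def size_api(openapi: dict, sdl: str) -> dict:
    """Add REST endpoints and GraphQL queries/mutations together, as the page treats them as equivalent."""
    rest = count_rest_operations(openapi)
    gql = count_graphql_operations(sdl)
    total = rest + gql["queries"] + gql["mutations"]
    return {"rest_endpoints": rest, "graphql_queries": gql["queries"],
            "graphql_mutations": gql["mutations"], "total": total,
            "size": size_for_endpoints(total)}


# Constructed sample OpenAPI document: 8 operations across 5 paths.
SAMPLE_OPENAPI = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {}, "post": {}, "parameters": [{"name": "page", "in": "query"}]},
        "/users/{id}": {"get": {}, "patch": {}, "delete": {}},
        "/login": {"post": {}},
        "/health": {"get": {}},
        "/admin/users/{id}/roles": {"put": {}},
    },
}

# Constructed sample GraphQL schema: 4 queries and 4 mutations.
SAMPLE_SDL = '''
"""Root query type."""
type Query {
  """The current user."""
  me: User
  # look up a single user by id
  user(id: ID!): User
  users(
    first: Int = 20
    after: String
  ): [User!]!
  search(term: String!): [SearchResult!]! @deprecated(reason: "use find")
}

type Mutation {
  login(email: String!, password: String!): AuthPayload!
  createUser(input: CreateUserInput!): User!
  deleteUser(id: ID!): Boolean!
}

extend type Mutation {
  rotateApiKey: ApiKey!
}

type User {
  id: ID!
  email: String!
}
'''

if __name__ == "__main__":
    print(size_api(SAMPLE_OPENAPI, SAMPLE_SDL))
```

Run it against your real spec by loading the OpenAPI JSON with json.load and reading the SDL from an introspection export; the total is the value for the Endpoints/Queries row, and the User Roles row still has to be counted from your authorization model.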

External Network

To scope an External Network, you need to specify the number of in-scope public IP addresses:

                       Extra Small   Small       Medium      Large       Extra Large
Public IP Addresses    1 - 149       150 - 299   300 - 449   450 - 599   600 - 749

If you’re working with more external IP addresses, you can set up additional external network assets. One way to organize such assets is by subnet.

Internal Network

To scope an Internal Network, you need to specify the number of in-scope private IP addresses and servers:

                        Extra Small   Small       Medium      Large       Extra Large
Private IP Addresses    1 - 149       150 - 299   300 - 449   450 - 599   600 - 749
Servers                 1 - 49        50 - 99     100 - 149   150 - 199   200 - 249

If you’re working with more internal IP addresses, you can set up additional internal network assets. One way to organize such assets is by subnet.
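For both External and Internal Network assets the address count is usually derived from CIDR blocks, and scope lists often contain overlapping blocks that would be counted twice. The following added example (not Cobalt’s code) normalizes a list of IPv4 CIDRs, counts usable hosts, and, when the total exceeds the top of the Extra Large column (749), splits the scope by subnet into several assets as the page suggests. The sample scope uses constructed documentation ranges; the choice to exclude network and broadcast addresses below /31, and the first-fit packing, are this example’s assumptions.

```python
"""Count in-scope IP addresses and group them into network assets.

Added example, not Cobalt's code. It assumes scope is given as IPv4 CIDR
blocks, counts usable hosts per block (network and broadcast excluded below
/31), and caps one asset at 749 addresses, the top of the Extra Large column;
anything larger is split by subnet into further assets.
"""
import ipaddress

# IP address buckets from the network sizing tables (upper bound inclusive).
ADDRESS_BUCKETS = [
    ("Extra Small", 149),
    ("Small", 299),
    ("Medium", 449),
    ("Large", 599),
    ("Extra Large", 749),
]
MAX_PER_ASSET = ADDRESS_BUCKETS[-1][1]


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses a pentester can actually probe: drop network/broadcast for /30 and larger."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def size_for_addresses(n: int) -> str:
    for name, upper in ADDRESS_BUCKETS:
        if n <= upper:
            return name
    return "split into multiple assets"  # per the page: more than 749 needs another asset


def normalize(cidrs):
    """Parse, reject non-IPv4, and merge overlapping or adjacent blocks so nothing is double counted."""
    nets = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 scope not handled in this example: {c}")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def total_hosts(cidrs) -> int:
    return sum(usable_hosts(n) for n in normalize(cidrs))


def split_to_fit(net):
    """Halve a block until each piece fits one asset (e.g. a /22 becomes two /23s)."""
    if usable_hosts(net) <= MAX_PER_ASSET:
        return [net]
    pieces = []
    for sub in net.subnets(prefixlen_diff=1):
        pieces.extend(split_to_fit(sub))
    return pieces


def group_into_assets(cidrs):
    """First-fit decreasing packing of subnets into assets of at most MAX_PER_ASSET hosts."""
    pieces = []
    for net in normalize(cidrs):
        pieces.extend(split_to_fit(net))
    pieces.sort(key=usable_hosts, reverse=True)
    assets = []
    for piece in pieces:
        h = usable_hosts(piece)
        for asset in assets:
            if asset["hosts"] + h <= MAX_PER_ASSET:
                asset["hosts"] += h
                asset["subnets"].append(str(piece))
                break
        else:
            assets.append({"hosts": h, "subnets": [str(piece)]})
    for asset in assets:
        asset["size"] = size_for_addresses(asset["hosts"])
    return assets


# Constructed sample scope using documentation ranges; two entries sit inside
# larger blocks and must not be counted twice.
SAMPLE_SCOPE = [
    "203.0.113.0/24",      # 254 hosts
    "198.51.100.0/25",     # 126 hosts
    "198.51.100.64/26",    # inside the /25 above
    "192.0.2.0/23",        # 510 hosts
    "192.0.2.10/32",       # inside the /23 above
]

if __name__ == "__main__":
    print("total in-scope hosts:", total_hosts(SAMPLE_SCOPE))
    for i, asset in enumerate(group_into_assets(SAMPLE_SCOPE), 1):
        print(f"asset {i}: {asset['hosts']} hosts, {asset['size']}: {', '.join(asset['subnets'])}")
```

The sample scope collapses to 890 hosts, which is more than one asset can hold, so the output is two assets: one Extra Large asset holding the /23 and the /25, and one Small asset holding the /24. The Servers row for an Internal Network is a separate count of hosts that actually respond, which this example does not attempt to derive from address space.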

If you’re working with servers on the cloud, you can also set up a Cloud Configuration asset.

Cloud Configuration

Cobalt pentesters can test services on the following platforms:

  • Google Cloud Platform (GCP)
  • Amazon Web Services (AWS)
  • Microsoft Azure Cloud (Azure)

Each platform includes different categories of services, such as compute instances (for example, EC2 on AWS), databases, and machine learning services.

To scope a Cloud Configuration asset, total the number of services you use on that asset.

            Extra Small   Small      Medium      Large       Extra Large
Services    1 - 49        50 - 99    100 - 149   150 - 199   200 - 249

If you’re working with more services, you can set up additional cloud configuration assets.

Assets of Multiple Types

Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on assets in the following groups of categories:

  • Web + API
  • Web + External Network
  • Web + Mobile

The considerations for each combined asset type are complex and beyond the scope of this Getting Started documentation. If you select a combined asset type, the UI includes a pop-up scoping guide.

Once you’ve selected a size for your asset, your next step is to review pentest coverage.


Last modified November 11, 2021