Learn more about the language of software security.

If you don’t see a term defined on this page, refer to one of the governmental or industry standards cited in the References.

The definitions included in this page may vary from the cited standards, based on how we configure and use Cobalt software.

Aggregated Risk

Aggregated Risk is the sum of the risks of individual findings discovered in a pentest.

The risk of an individual finding is the likelihood multiplied by the impact (Risk = Likelihood * Impact).

Allowlist

An allowlist explicitly grants identified systems access. In networks, an allowlist can specify IP addresses. You can typically find allowlists and denylists in files like /etc/hosts.allow and /etc/hosts.deny.
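As an added illustration of how an allowlist and a denylist work together (this is example code written for this glossary, not part of the original page or of Cobalt software), the following Python evaluates rules in the classic TCP Wrappers style used by /etc/hosts.allow and /etc/hosts.deny: a pair of (daemon, client) is allowed if it matches hosts.allow, otherwise denied if it matches hosts.deny, otherwise allowed. The rule files and client addresses are constructed samples, and the model handles only IPv4 patterns and ignores the optional trailing option field.

```python
import ipaddress


def parse_access_file(text):
    """Parse 'daemon_list : client_list' rules (TCP Wrappers style, IPv4 only).

    Comments (#) and blank lines are skipped. A trailing ': option' field,
    which real TCP Wrappers supports, is ignored in this simplified model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_host=None):
    """Match one client pattern against the connecting address / hostname."""
    if pattern == "ALL":
        return True
    if "/" in pattern:               # net/mask form, e.g. 10.0.0.0/255.0.0.0 or 10.0.0.0/8
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):        # address prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    if pattern.startswith("."):      # domain suffix, e.g. .corp.example.com
        return client_host is not None and client_host.endswith(pattern)
    return pattern in (client_ip, client_host)   # exact address or hostname


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def is_allowed(daemon, client_ip, allow_rules, deny_rules, client_host=None):
    """hosts.allow match -> allow; else hosts.deny match -> deny; else allow.

    Note the permissive default: without a catch-all 'ALL : ALL' in
    hosts.deny, anything not listed is let through.
    """
    def matches(rules):
        return any(
            any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip, client_host) for c in clients)
            for daemons, clients in rules
        )

    if matches(allow_rules):
        return True
    if matches(deny_rules):
        return False
    return True


# Constructed sample rule files (not taken from any real host).
HOSTS_ALLOW = """# allow SSH from the office LAN and corporate hostnames
sshd : 192.168.1. , .corp.example.com
vsftpd : 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = """ALL : ALL
"""

if __name__ == "__main__":
    allow = parse_access_file(HOSTS_ALLOW)
    deny = parse_access_file(HOSTS_DENY)
    for daemon, ip in [("sshd", "192.168.1.25"), ("sshd", "203.0.113.9"), ("vsftpd", "10.2.3.4")]:
        print(daemon, ip, "allowed" if is_allowed(daemon, ip, allow, deny) else "denied")
```

The last assertion-worthy point is the fail-open default: with an empty hosts.deny, an address that matches nothing is still admitted, which is why a denylist of `ALL : ALL` normally accompanies an allowlist.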

API Endpoint

An endpoint is typically a URL used to allow two software applications to communicate with each other. For example, is one endpoint that you can find at

Some RESTful API endpoints include additional information that may make them seem different. For example, the following two URLs are in fact the same endpoint, as the content after the ampersand (&) describes an action on data sent from that URL:


GraphQL operates on a single API endpoint. Functionally, GraphQL queries and mutations are similar to RESTful GET, POST, PUT, and other commands.
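As an added example (code written for this glossary, not from the original page or from Cobalt), the following Python reduces request URLs to their endpoint identity so that endpoints can be counted for scoping. It applies the rule stated above, that the query string does not change which endpoint handles a request, and goes one step further by collapsing purely numeric path segments such as /users/42 into /users/{id}; that extra step assumes a REST routing scheme in which such segments are record identifiers. The sample traffic is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit


def normalize_endpoint(method: str, url: str) -> str:
    """Reduce a request to 'METHOD /path' so different calls to one endpoint
    compare equal.

    The query string (everything after '?', with '&'-separated parameters)
    selects or acts on data; it does not identify a different endpoint.
    Numeric path segments are treated as record ids (an assumption about
    this API's routing, not something the glossary states).
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f"{method.upper()} {path}"


def count_endpoints(requests):
    """Return a Counter of distinct endpoints seen in (method, url) pairs."""
    return Counter(normalize_endpoint(method, url) for method, url in requests)


# Constructed sample traffic, e.g. pulled from an access log.
SAMPLE_REQUESTS = [
    ("GET", "https://api.example.com/v1/users?limit=10"),
    ("GET", "https://api.example.com/v1/users?limit=10&sort=name"),
    ("GET", "https://api.example.com/v1/users/42"),
    ("GET", "https://api.example.com/v1/users/7"),
    ("POST", "https://api.example.com/v1/users"),
    ("DELETE", "https://api.example.com/v1/users/7/"),
]

if __name__ == "__main__":
    counts = count_endpoints(SAMPLE_REQUESTS)
    print(f"{len(counts)} distinct endpoints")
    for endpoint, n in sorted(counts.items()):
        print(f"{n:3d}  {endpoint}")
```

Six requests collapse to four endpoints here (the two `GET /v1/users` calls differ only in their query strings), which is the number a scoping conversation needs.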

API Scope

See API Endpoint for how we look at RESTful and GraphQL APIs. To scope our work, when we need information about your API, we need numbers for either:

Asset

For pentests, an asset is a software component of value, such as a web application or API. Cobalt can perform pentests on assets in the following categories:

  • Web apps
  • External networks
  • Internal networks
  • Mobile apps
  • APIs
  • Cloud configuration (AWS, Azure, GCP)

Application Security (AppSec)

Application security is the practice of using security software, hardware, techniques, best practices, and procedures to protect computer applications from external security threats. Source: TechTarget.

Application Security Verification Standard (ASVS)

The OWASP Application Security Verification Standard (ASVS) relates to pentests of web application technical security controls.

Attacker

Sometimes also known as a threat actor, malicious hacker, “black hat hacker,” or “cracker.” May be an individual, a group, or even a nation-state. Specified as “attacker” in Cobalt pentest reports.

Attestation Letter

A one-page report suitable for external stakeholders. Includes the following:

  • Executive Summary
  • An overall findings summary table

Learn more about pentest reports.

Attestation Report

A report similar to the Customer Letter, with additional details:

  • Pentester user information
  • An overall list of findings

Learn more about pentest reports.

Automated Report

A system-generated report for an Agile Pentest intended for internal use. Includes the following sections:

  • Pentester user information
  • Executive Summary
  • Methodology
  • Post-Test Remediation
  • Finding Details

You can’t customize an Automated Report. Learn more about pentest reports.

Black-Box Testing

Where the pentester has no knowledge of the internal details of the asset. Contrast with gray-box and white-box testing.

Also known as “opaque-box testing.”

Center for Internet Security (CIS)

The Center for Internet Security is an independent nonprofit organization which develops and refines best practice security solutions.

One of the test criteria used by our pentesters is CIS Controls v8, released in 2021.

Cobalt Average

Cobalt Average for a given year is the average of the Aggregated Risk of all pentests conducted across all customers in that year.

Learn more about the Insights page and using this metric to analyze your assets.

Cobalt Users

When using the Cobalt platform, you may encounter a variety of user roles. Review a list of permissions associated with each role in User Roles and Permissions.

Pentest Team Member

A Pentest Team Member is a customer (organization) representative during a specific pentest. In the UI, you see this role as “Team Member.”

Learn more about the permissions associated with this role.

A Pentest Team Member does not have to be an Organization Owner or an Organization Member.

Organization Owner

An Organization Owner is the administrator for a customer organization within the Cobalt app. In the UI, you see this role as “Owner.”

Learn more about the permissions associated with this role.

An Organization Owner may also be a Pentest Team Member.

Organization Member

An Organization Member is a customer representative who manages pentests and assets for their organization on the Cobalt platform but has fewer permissions than an Organization Owner. In the Cobalt UI, you’ll see this user role as “Member.”

Learn more about the permissions associated with this role.

An Organization Member may also be a Pentest Team Member.

Pentester

A Pentester is a Cobalt pentester who completes pentests for Cobalt customers. Learn more about the Pentester role.

Pentest Lead

A Pentest Lead is a Cobalt pentester who leads other Cobalt pentesters in their efforts to complete a Comprehensive Pentest. A Pentest Lead also drafts the pentest report (for Comprehensive Pentests).

We don’t assign a Pentest Lead to Agile Pentests.

In-House Pentester

A pentester invited by a customer (organization) to perform In-House Pentests on the Cobalt Pentest Management Platform (PMP). An In-House Pentester role has the same privileges as a Pentest Team Member, with additional access to pentester functionality.

A customer can invite pentesters from their organization, a third-party company, or both to complete In-House Pentests on the Cobalt Pentest Management Platform (PMP).

Cobalt Staff

Select Cobalt Staff members have administrative access to your organization and pentests. If needed, they can help you:

  • Manage users in your organization.
  • Manage work on your pentests.

Compliance Audit

As defined by NIST, a comprehensive review of an organization’s adherence to governing documents such as whether:

  • A Certification Practice Statement satisfies the requirements of a Certificate Policy
  • An organization adheres to its Certification Practice Statement

Customer Letter

An executive summary of the pentest. May be used as a certificate of completion. Great for external stakeholders. Includes:

  • Executive Summary
  • Methodology

Learn more about pentest reports.

Dynamic Web Page

Many applications have web pages with dynamic content, which can be built on the server or the client. Contrast with Static Web Pages.

Environment

In the context of a Cobalt pentest, you can specify one of three options for an environment:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

Finding

A finding is a vulnerability that a pentester reports during a pentest. We include findings in vulnerability reports, as something that a threat actor can exploit.

When you select Full Report + Finding Details, we add a detailed list of findings to your report, which includes:

  • Vulnerability Type
  • Description
  • Affected URLs
  • Proof of Concept of the vulnerability
  • Severity
  • Suggested Fix

Full Report

A report that contains comprehensive information about the pentest. Includes the following sections:

  • Pentester user information
  • Executive Summary, with an overall list of findings
  • Scope of Work
  • Methodology
  • Summary of Findings
  • Recommendations
  • Post-Test Remediation

Learn more about pentest reports.

Full Report + Finding Details

A report that adds details of every test finding to the Full Report. Learn more about pentest reports.

GraphQL

Per, GraphQL is a query language for your API. A GraphQL API is designed with a single endpoint.

For pentests of a GraphQL API, Cobalt needs the number of queries and mutations that you’ve configured. Also see API Endpoint.

GraphQL Queries and Mutations

For more information, see

Gray-Box Testing

Where the pentester has limited knowledge of the internal details of the asset. Contrast with white-box and black-box testing.

Also known as “translucent-box testing.”

Graylisting

Graylisting is a method of protecting email users from spam. A Mail Transfer Agent (MTA) that uses graylisting temporarily rejects email from senders it doesn’t recognize. A legitimate originating server retries after a delay, and the MTA then accepts the email.
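As an added example of the mechanism described above (written for this glossary, not code from the original page or from any MTA), the following Python models a graylisting decision keyed on the (client IP, sender, recipient) triplet: the first delivery attempt gets a temporary failure, a retry that arrives too soon is refused again, and a retry after the minimum delay is accepted. The timings and the delivery attempts are constructed, and the clock is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field

# SMTP responses the MTA returns (constructed wording; codes follow RFC 5321 conventions).
TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: float = 300.0        # seconds a sender must wait before a retry is accepted
    max_age: float = 4 * 3600.0     # forget a triplet not completed within this window
    _seen: dict = field(default_factory=dict)   # triplet -> time of first attempt

    def decide(self, client_ip, sender, recipient, now):
        """Return the SMTP response for one delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        first_seen = self._seen.get(key)
        if first_seen is None or now - first_seen > self.max_age:
            # Unknown (or long-forgotten) triplet: record it and defer.
            self._seen[key] = now
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            # Retried too quickly; a well-behaved MTA backs off for minutes.
            return TEMP_FAIL
        # The sender waited and came back: treat the triplet as legitimate.
        return ACCEPT


# Constructed delivery attempts: (time in seconds, client IP, envelope sender, recipient).
SAMPLE_ATTEMPTS = [
    (0.0,    "198.51.100.7", "alice@sender.example", "bob@ourdomain.example"),  # first try
    (60.0,   "198.51.100.7", "alice@sender.example", "bob@ourdomain.example"),  # too early
    (120.0,  "203.0.113.99", "promo@spam.example",   "bob@ourdomain.example"),  # never retries
    (900.0,  "198.51.100.7", "alice@sender.example", "bob@ourdomain.example"),  # accepted
    (5000.0, "198.51.100.7", "alice@sender.example", "bob@ourdomain.example"),  # known triplet
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    """Feed the attempts, in time order, to one MTA and return its responses."""
    mta = Greylist()
    return [mta.decide(ip, sender, rcpt, now=t) for t, ip, sender, rcpt in attempts]


if __name__ == "__main__":
    for (t, ip, sender, _), response in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(f"t={t:6.0f}s {ip:14s} {sender:22s} -> {response}")
```

The bulk-mailer in the sample is only ever deferred because it never returns; the legitimate sender pays a one-time delay and is thereafter accepted on the first attempt while its triplet is remembered.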

In-House Pentest

An In-House Pentest is a pentest that an organization performs on the Cobalt platform without involving Cobalt pentesters. You can launch In-House Pentests using the Pentest Management Platform (PMP).

Jump Box

Also known as a jump host or a jump server, a jump box is a system, typically on an internal network or in a DMZ, that is used to access and manage devices in a separate security zone.

Known Vulnerability

A “well-known” security vulnerability. Documented in a security bulletin or a CVE (Common Vulnerabilities and Exposures) from MITRE.

In Cobalt pentest reports, you may see this as a published or documented vulnerability.

Mitigate

To apply preventative measures based on problems identified by a pentest or incident report. Examples:

  • Install security updates on potentially affected servers
  • Review and update a codebase for issues identified on specific files

Contrast with remediate. This reflects how we use mitigate at Cobalt, and differs slightly from the NIST definition of mitigate.

Mobile Screen

A mobile screen is what you see on a mobile device, such as an iPhone or an Android system. As described by Codepath, mobile screens fall into several archetypes.

You may have multiple screens of an archetype. For example, you may have 10 mobile screens for the onboarding archetype.

For pentests of a mobile asset, we need the number of screens that you have, for each operating system that you support.

Multi-factor Authentication

Authentication which uses two or more different factors, which may include:

  • Something you know, such as a password or a PIN
  • Something you have, such as an identity token
  • Something you are, which works with biometric authentication

Open Web Application Security Project (OWASP)

OWASP is a nonprofit foundation that publishes “Top 10” lists of security issues for different asset types, including web apps, APIs, and cloud systems.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM tests the operational security of physical locations, human interactions, and all communications on the network, whether they be wireless, wired, analog, or digital.

Operations Security (OpSec)

Operations Security, commonly known as OpSec, identifies critical information and determines whether, and how, opponents or enemies could use it. OpSec measures can reduce security risks.

Pentest

Short for penetration test. As described in the Getting Started Guide, you can draft a pentest. Once you submit it for review, Cobalt reviews your pentest and assigns a Pentest Lead and frequently one or more Pentesters who then test the asset specified in your pentest.

Pentest as a Service (PtaaS)

Combines manual and human testing with a modern delivery platform to deploy penetration testing programs.

PtaaS Pentest

A pentest that Cobalt pentesters perform on the Cobalt Pentest as a Service (PtaaS) platform for a customer. This includes the following pentest types:

Contrast with In-House Pentest that a customer runs on the Cobalt Pentest Management Platform (PMP) with their In-House Pentesters.

Agile Pentest

An Agile Pentest performed by Cobalt pentesters focuses on code changes or a specific area of an asset and comes with an Automated Report intended for internal use. Learn more about the pentest types.

You may want an Agile Pentest for:

  • Recent code changes, such as after a sprint or before a release
  • Specific subsets of your asset, such as:
    • A single feature such as a new RESTful API endpoint
    • One microservice
  • You can also use an Agile Pentest to test:

Comprehensive Pentest

A Comprehensive Pentest is performed by Cobalt pentesters for security audit, compliance audit, or customer attestation and includes comprehensive reports intended for external stakeholders. Learn more about Comprehensive Pentests.

You may want a Comprehensive Pentest for:

  • A comprehensive security audit of your software
  • Broad subsets of your asset, such as:
    • API with all the endpoints that it includes
    • All microservices
  • A compliance audit based on a specific framework, such as SOC 2
  • All categories from the OWASP Top 10 list
  • M&A due diligence, to identify and eliminate possible risks for all parties involved
  • A specific customer or third-party attestation request

Pentest Report

A summary of all vulnerability reports, including observations on positive security measures. Target audiences: executives, security engineers, and developers. Includes:

  • Executive Summary
    • Describes the tests performed with criteria.
  • Executive Analysis
    • Includes a high-level summary of vulnerabilities.
  • Scope of Work
    The scope of work for a pentest includes:
    • Target description
    • Environment
    • In-scope Testing Methodologies
    • Assumptions and Constraints
    • Test Methodologies
    • Web app-specific issues (endpoints, fuzzing)
    • Secure test cases
  • Summary of Findings
    • Trends and critical issues
    • Auto-generated graphs
  • Summary of Recommendations
    • Highlights of the work we recommend to remediate findings
  • Post-Test Remediation
    • List of details with type, severity, state, and resolution
  • Finding Details
    • More information on each finding

Within Cobalt, this is also known as a Report or a Final Report. For more information, see Pentest Reports.

Projects (Cloud Assets)

All resources included in your cloud asset. For example, AWS defines a project as a collection of resources associated with an asset.

Remediate

To fix a vulnerability identified by a pentest or incident report. Examples:

  • Install a security update on an affected server
  • Update directly affected code

Contrast with mitigate. This reflects how we use remediate at Cobalt, and differs slightly from the NIST definition of remediation.

Resource Group (Cloud)

A set of resources in a cloud asset. For more information, see Google GCP documentation.

RESTful API

Per TechTarget, “A RESTful API is an architectural style for an application program interface (API) that uses HTTP requests to access and use data.” Also see API Endpoint.

Route (Software)

As defined by Manning, a route in software is a system for resource navigation. If you’re working in the browser, you might be familiar with routing as it relates to:

  • URLs
  • Resources, such as paths to images and scripts, functions, and so on

If you’re working on the server, routing means matching incoming request paths to resources from a database.

SAML Single Sign-on (SSO)

Single sign-on (SSO) is an authentication method that allows users to access multiple independent systems with a single set of credentials.

SSO based on the SAML 2.0 protocol works by passing authentication data in the form of digitally signed XML documents (assertions) between two systems: a service provider (SP) and an identity provider (IdP).

  • A service provider requests authentication assertions from the identity provider.
  • An identity provider sends authentication assertions to the service provider once the user’s identity is confirmed.

Depending on where the authentication workflow starts, SAML SSO can be of the following types:

SAML SSO provides a secure experience because the user’s credentials are never sent to the service provider during authentication; the user proves their identity to the identity provider only.

SP-Initiated SSO

In the service provider-initiated (SP-initiated) SAML SSO, the authentication workflow starts on the service provider side.

  • When a user signs in to the service provider system, the service provider sends an authentication request to the identity provider.
  • Once the IdP has authenticated the user’s identity, the user is signed in to the service provider system.

IdP-Initiated SSO

In the identity provider-initiated (IdP-initiated) SAML SSO, the authentication workflow starts on the identity provider side.

  • First, a user signs in to the identity provider system, such as Okta, OneLogin, or Microsoft Azure AD.
  • The user selects the app configured for their service provider in the IdP system or follows a unique URL.
  • The service provider requests the IdP to authenticate the user.
  • Once the user’s identity is authenticated on the IdP side, the user is signed in to the service provider system.
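The two flows above, as an added example that is not part of the original page and is not Cobalt’s or any SAML library’s code: a simplified Python model of an identity provider and a service provider. An HMAC over a JSON object stands in for the XML signature on a real SAML assertion, and the issuer, entity id, signing key, and user store are constructed. What it shows is the SP side of the trust decision: it never sees the password, and before signing the user in it checks the signature, issuer, audience, expiry and, for the SP-initiated flow, that the assertion answers a request the SP itself issued and has not been replayed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers and key. The shared HMAC key plays the role of the IdP's
# signing key and the IdP certificate the SP trusts; real SAML uses XML-DSig.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example.org"
SP_ENTITY_ID = "https://app.example.com/saml"
ASSERTION_LIFETIME = 300  # seconds


def sign(key, assertion):
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, issuer, key, users):
        self.issuer, self.key, self.users = issuer, key, users

    def authenticate(self, username, password):
        # The only place the password is ever checked; the SP never receives it.
        return self.users.get(username) == password

    def issue_assertion(self, username, audience, in_response_to=None, now=None):
        now = time.time() if now is None else now
        assertion = {
            "issuer": self.issuer,
            "subject": username,
            "audience": audience,                     # the SP this assertion is for
            "not_on_or_after": now + ASSERTION_LIFETIME,
            "in_response_to": in_response_to,         # None for an unsolicited (IdP-initiated) assertion
        }
        return {"assertion": assertion, "signature": sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id, idp_issuer, idp_key, allow_idp_initiated=True):
        self.entity_id, self.idp_issuer, self.idp_key = entity_id, idp_issuer, idp_key
        self.allow_idp_initiated = allow_idp_initiated
        self.pending_requests = set()   # ids of AuthnRequests awaiting a response

    def create_authn_request(self):
        request_id = "_" + secrets.token_hex(8)
        self.pending_requests.add(request_id)
        return {"id": request_id, "issuer": self.entity_id}

    def consume_response(self, response, now=None):
        """Return the authenticated subject, or None if any check fails."""
        now = time.time() if now is None else now
        a = response["assertion"]
        if not hmac.compare_digest(sign(self.idp_key, a), response["signature"]):
            return None   # forged or tampered assertion
        if a["issuer"] != self.idp_issuer or a["audience"] != self.entity_id:
            return None   # untrusted IdP, or an assertion meant for another SP
        if now >= a["not_on_or_after"]:
            return None   # expired
        request_id = a["in_response_to"]
        if request_id is not None:
            if request_id not in self.pending_requests:
                return None   # answers no request of ours, or is a replay
            self.pending_requests.discard(request_id)   # each request is answered once
        elif not self.allow_idp_initiated:
            return None
        return a["subject"]


USERS = {"alice": "correct horse battery staple"}   # constructed IdP user store


def sp_initiated_flow(password=USERS["alice"]):
    idp = IdentityProvider(IDP_ISSUER, IDP_KEY, USERS)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ISSUER, IDP_KEY)
    request = sp.create_authn_request()                 # user arrives at the SP; SP asks the IdP
    if not idp.authenticate("alice", password):         # user proves identity to the IdP
        return None
    response = idp.issue_assertion("alice", SP_ENTITY_ID, in_response_to=request["id"])
    return sp.consume_response(response)                # SP validates; user is signed in


def idp_initiated_flow():
    idp = IdentityProvider(IDP_ISSUER, IDP_KEY, USERS)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ISSUER, IDP_KEY)
    if not idp.authenticate("alice", USERS["alice"]):   # user signs in at the IdP first
        return None
    response = idp.issue_assertion("alice", SP_ENTITY_ID)   # user picks the app; unsolicited assertion
    return sp.consume_response(response)


if __name__ == "__main__":
    print("SP-initiated :", sp_initiated_flow())
    print("IdP-initiated:", idp_initiated_flow())
```

Because IdP-initiated assertions carry no request id to tie them to, many SPs disable that flow (`allow_idp_initiated=False` here) and accept only assertions that answer their own AuthnRequests.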

Security Assertion Markup Language

As defined by the Organization for the Advancement of Structured Information Standards (OASIS), the Security Assertion Markup Language (SAML) is an XML-based framework for communicating user authentication, entitlement, and attribute information.

Security Audit

As defined by NIST, an independent review and examination of a system’s records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

SANS Institute

Original sponsor of a set of standards for testing networks. SANS stands for SysAdmin, Audit, Network, and Security. The SANS Top 20 has been migrated to CIS Controls Version 8.

Scope of Work

Cobalt may refer to this as the “scope” of your pentest. The scope of work for a pentest includes:

  • Target description
  • Environment
  • In-scope Testing Methodologies
  • Assumptions and Constraints
  • Test Methodologies
  • Web app-specific issues (endpoints, fuzzing)
  • Secure test cases

Single-Page Application

For more information, see

Specialized Pentest

A Specialized Pentest that you see in the Cobalt UI is a pentest engagement conducted by the Cobalt Professional Services team. Professional Services are an extension of our core PtaaS platform offering, providing access to Cobalt security experts who act as an extension of your internal team.

Here are some examples of special pentest engagements:

  • Secure code review
  • Security hardening
  • IoT ecosystem testing
  • Pentest program management
  • Red teaming
  • Phishing engagements
  • Physical social engineering
  • Threat modeling
  • Wireless network pentesting

For Specialized Pentests, we support additional asset types on the platform:

  • IoT: An IoT device. As defined by NIST, an IoT device has at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface, such as Ethernet, Wi-Fi, or Bluetooth, for interfacing with the digital world.
  • Physical: An office, building, campus, or a physical device.
  • Thick Client: An application installed locally on a user’s computer.
  • Wireless Network: A network that allows devices to stay connected without using wires of any kind.

To launch a Specialized Pentest tailored to your needs, contact our Professional Services team. You can’t create a Specialized Pentest or set up a special asset in the UI—we’ll do that for you. Once the Specialized Pentest is set up, you can:

  • Edit the asset details, except for the asset type.
  • Edit pentest details. Some pentest parameters may slightly differ for Specialized Pentests.

Static Web Page

Some applications are built solely on HTML, and do not change depending on the user or location. Contrast with Dynamic Web Pages.

User Role

A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:

  • Global Administrator (such as a UNIX root user)
  • Administrator
  • Group Owner
  • Workspace Administrator
  • Full User
  • Guest

When scoping a pentest, specify the number of roles that you want to test.

Vulnerability

A security issue discovered during a pentest. Also a specific weakness which can be exploited by a threat actor, such as an attacker who crosses privilege boundaries (and performs unauthorized actions) within a computer system.

Contrast with Known Vulnerability. A vulnerability may be part of a finding.

Vulnerability Management

The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. At Cobalt, we focus on manual pentests (enhanced with automated tools). Also see Vulnerability Assessment and Management, as defined by the US Cybersecurity and Infrastructure Agency (CISA).

Vulnerability Report (Manual)

A document that provides information about one specific finding. Cobalt vulnerability reports are based on manual tests. Such reports include:

  • Step-by-step notes on how the tester identified each vulnerability (when possible)
  • Locations, such as files or hardware
  • Recommendations to remediate

Vulnerability Report (Automated)

A document created by an automated scanning tool. Primarily used to list known vulnerabilities associated with specific code patterns.

Vulnerability Type

How Cobalt classifies the vulnerability. Examples include:

  • Client Side Injection
  • Server Security Misconfiguration > Lack of Password Confirmation
  • Broken Authentication and Session Management

Web Page

A hypertext document on the web. Web applications typically include static and dynamic web pages.

  • A Static Web Page contains stable content that appears the same for every user who opens the page.
  • A Dynamic Web Page includes content that can be customized, either through an application server (server-side) or through code such as JavaScript running in the browser (client-side).

White-Box Testing

Where the pentester has full knowledge of the internal details of the asset. Contrast with black-box and gray-box testing.

Also known as “clear-box testing.”


Last modified May.05.2023