Plan and Scope the Pentest
Now you can set a date and scope for the pentest.
Schedule the Pentest
Depending on your PtaaS tier, we can help you schedule a pentest with a start date at least one to three business days after you select “Submit for Review.”
When you set up a pentest through the UI, you’re going through the following stages of our pentest wizard:
- Review the asset
- Set pentest requirements
- Add pentest details
- Plan and scope the pentest
The standard testing period is 14 days. It may vary depending on the pentest scope and other factors.
If you have any special requirements, such as specific pentester certifications, we reserve the right to start the pentest later than the lead time specified in your PtaaS tier.
Scope the Pentest
The pentest scope determines the number of credits required for a pentest. The bigger the scope, the more credits you need.
To set the pentest scope, identify the complexity of your asset. Under Scoping, specify the number of characteristics associated with the asset.
The characteristics differ for each asset type:
Once you’ve scoped the pentest, see how many credits it requires.
To scope a pentest for a Web asset, specify the number of the following characteristics of that asset:
Include those User Roles and Pages/Routes that should be in scope for this pentest. Be thorough. If you forget certain roles or pages/routes, your pentest might not cover all critical details.
Note: You may not need to include every user role. For example, if you have dedicated administrative roles for backups, logs, and printers, that counts as one (1) role.
As part of our tests for web pages, we also test the backend API endpoints frequently used to populate content on those pages.
Our pentesters need to know more about your Web asset, including:
- Application type, such as a page-driven website or a single-page application
- Special endpoints associated with your pages
Note: If the only APIs in your assets populate web pages, you may not need to set up a separate API asset. We test such APIs as part of our tests of a Web asset.
To scope a pentest for a Mobile asset, specify the number of the following characteristics of that asset:
Include those User Roles and Screens that should be in scope for this pentest. Be thorough. If you forget certain roles or screens, your pentest might not cover all critical details.
We can test both RESTful and GraphQL APIs. However, these APIs work in different ways. A RESTful API exposes data through separate endpoints. A GraphQL API has a single endpoint, but uses queries and mutations to read and manage different categories of data.
If you’re sizing a GraphQL API, list its queries and mutations. For pentest purposes, that count is functionally equivalent to the number of RESTful API endpoints.
To scope a pentest for an API asset, specify the number of the following characteristics of that asset:
Include those User Roles and Endpoints / GraphQL Mutations that should be in scope for this pentest. If you leave some out, the quality of the pentest may suffer.
To scope a pentest for an External Network asset, specify the number of public IP addresses to be tested.
To scope a pentest for an Internal Network asset, specify the number of internal IP addresses to be tested.
If you’re working with servers on the cloud, you can also set up a Cloud Configuration asset.
Cobalt pentesters can test services on the following platforms:
- Google Cloud Platform (GCP)
- Amazon Web Services (AWS)
- Microsoft Azure Cloud (Azure)
Each platform includes different categories of services, such as EC2, databases, and machine learning engines.
To scope a pentest for a Cloud Configuration asset, specify the number of the following characteristics of that asset:
- User Accounts / Projects / Subscriptions
- Unique Services
Assets of Multiple Types
Sometimes, assets fit into more than one category. To that end, Cobalt supports pentests on assets in the following groups of categories:
- Web + API
- Web + External Network
- Web + Mobile
To scope a pentest for a combined asset, specify the number of characteristics for each asset type that it includes.
View Required Credits
Once you’ve identified the pentest scope, you can see the number of required credits in Credit(s) Per Pentest. Whenever you adjust the scope, our algorithm updates the number of credits. Under Credits, you can also view your Available Balance.
- The minimum number of credits required for a pentest depends on the pentest type:
- Pentests requiring more than 20 credits don’t get immediate credit confirmation. We’ll specify the number of required credits after reviewing the pentest.
- We may adjust the number of credits after reviewing your pentest.
When you’ve finished setting up your pentest, select Save & Exit.
In the next screen, you can review your work, as a checklist.