Plan and Scope the Pentest

Set up a schedule. Scope the pentest.

Set the start date for your pentest and define its scope.

[Image: Workflow for creating a pentest]

Schedule the Pentest

Depending on your PtaaS tier, the earliest start date you can schedule is one to three business days after you submit the pentest for review.

If you have special requirements, such as specific pentester certifications, we reserve the right to start the pentest later than the lead time specified for your PtaaS tier.

[Image: Set a start date for your pentest]

Pentest Timelines

Pentest timelines depend on the pentest type, scope, and other factors. When you schedule your pentest and set a start date, the end date populates automatically.

Standard pentest timelines:

Learn more about the pentest types.

Scope the Pentest

The pentest scope determines the number of credits required for a pentest. The bigger the scope, the more credits you need.

To set the pentest scope, identify the complexity of your asset. Under Scoping, specify the number of characteristics associated with the asset that need to be tested. To get exact numbers, consult with the asset owner inside your organization.

The characteristics differ for each asset type:

Once you’ve scoped the pentest, review the required credits, as determined by our algorithm.

Web

To scope a pentest for a Web asset, specify the number of the following characteristics of the asset that need to be tested:

User Roles

Definition: A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:

  • Global Administrator (such as a UNIX root user)
  • Administrator
  • Group Owner
  • Workspace Administrator
  • Full User
  • Guest

Notes: Enter the number of User Roles in your Web asset that need to be tested.

Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several privilege levels, and count the number of such groups.

Pages/Routes

Definition: A Page is a hypertext document with a unique URL that a user interacts with.

A Route is a system for resource navigation in single-page applications (SPAs). In SPAs that use frameworks such as Angular, React, or Ember, routes provide unique URLs to specific content within the application.

Notes: Determine the type of your Web asset:

  • Traditional web application. Enter the number of Pages to test.
    • You may want to skip static pages, because they carry little security risk.
    • For dynamic pages, count the number of unique page templates.
    • As part of our tests for dynamic pages, we also test the backend API endpoints frequently used to populate content on those pages.
  • Single-page application. Enter the number of Routes to test.
    • Usually, an application includes one or more routing modules or files from which you can count the pages or routes using commands or tools.
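As an added example (not part of Cobalt's documentation or any project's code), the script below counts the testable routes declared in a routing file, which is the number to enter under Pages/Routes for a single-page application. Both route files are constructed samples; the skip rules for catch-all and redirect routes are assumptions you should adjust for your framework.

```python
import re

# Constructed sample: an Angular routes module (not from any real project).
ANGULAR_ROUTES = """
const routes: Routes = [
  { path: '', redirectTo: 'dashboard', pathMatch: 'full' },
  { path: 'dashboard', component: DashboardComponent },
  { path: 'users', component: UserListComponent },
  { path: 'users/:id', component: UserDetailComponent },
  { path: 'settings', component: SettingsComponent, canActivate: [AuthGuard] },
  { path: '**', component: NotFoundComponent },
];
"""

# Constructed sample: a React Router route table in JSX (not from any real project).
REACT_ROUTES = """
<Routes>
  <Route path="/" element={<Home />} />
  <Route path="/login" element={<Login />} />
  <Route path="/admin" element={<RequireRole role="admin"><Admin /></RequireRole>} />
  <Route path="/admin/audit" element={<Audit />} />
  <Route path="/login" element={<Login />} />
  <Route path="*" element={<NotFound />} />
</Routes>
"""

# Matches `path: 'x'` (object-style route tables) and `path="x"` (JSX attributes).
PATH_RE = re.compile(r"""\bpath\s*[:=]\s*(['"])(.*?)\1""")
CATCH_ALL = {"*", "**"}


def extract_routes(source: str) -> list:
    """Return the unique, testable route paths declared in a routing file.

    Assumed heuristics (one route declaration per line):
      - catch-all/404 routes ('*', '**') are skipped: they render no real content
      - a declaration line containing `redirectTo` is skipped: it is a redirect,
        not a page
      - leading/trailing slashes are normalised so '' and '/' both mean the root
      - duplicate paths count once, like one page template in a classic web app
    """
    routes = []
    for m in PATH_RE.finditer(source):
        raw = m.group(2)
        line_start = source.rfind("\n", 0, m.start()) + 1
        line_end = source.find("\n", m.end())
        line = source[line_start:line_end if line_end != -1 else len(source)]
        if raw in CATCH_ALL or "redirectTo" in line:
            continue
        path = "/" + raw.strip("/")
        if path not in routes:
            routes.append(path)
    return routes


def count_routes(source: str) -> int:
    """The number to enter under Pages/Routes for a single-page application."""
    return len(extract_routes(source))


if __name__ == "__main__":
    for name, src in (("Angular", ANGULAR_ROUTES), ("React", REACT_ROUTES)):
        print(f"{name}: {count_routes(src)} routes -> {extract_routes(src)}")
```

A parameterised route such as `/users/:id` counts once, matching the "unique page templates" rule for traditional applications; if a router nests child routes in separate files, run the counter over each file and add the results.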

Mobile

To scope a pentest for a Mobile asset, specify the number of the following characteristics of the asset that need to be tested:

User Roles

Definition: A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:

  • Global Administrator (such as a UNIX root user)
  • Administrator
  • Group Owner
  • Workspace Administrator
  • Full User
  • Guest

Notes: Enter the number of User Roles in your Mobile asset that need to be tested.

Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several privilege levels, and count the number of such groups.

Screens (For All OSes)

Definition: A Screen is a screen-sized interface that a user interacts with on a mobile device.

Depending on the operating system, Screens may be referred to as:

  • Superviews or subviews on iOS
  • Views on Android

Screens in a mobile application are functionally equivalent to Dynamic Pages in a Web asset.

Notes: Enter the number of Screens in your Mobile asset that need to be tested, based on the application type.

  • Native applications are built to run on a specific mobile operating system, such as iOS or Android.
    • Enter the total number of screens across all operating systems. We’ll test the application on each operating system it runs on.
      • For example, if your mobile application runs on both iOS and Android and has 10 screens, specify 20 screens in total.
  • Non-native (cross-platform) applications are built from one codebase to run on multiple operating systems.
    • Enter the number of screens in the application. Because non-native applications use the same codebase on every operating system, we’ll test a single version.

API

To scope a pentest for an API asset, specify the number of the following characteristics of the asset that need to be tested:

User Roles

Definition: A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:

  • Global Administrator (such as a UNIX root user)
  • Administrator
  • Group Owner
  • Workspace Administrator
  • Full User
  • Guest

Notes: Enter the number of User Roles in your API asset that need to be tested.

Determine User Roles based on personas, or target user groups of your asset. Group user permissions into several privilege levels, and count the number of such groups.
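The User Roles guidance is the same for Web, Mobile, and API assets: group permissions into levels and count the groups. As an added example (not Cobalt's code or algorithm), the script below takes a role-to-permissions mapping, as you might export from an application's RBAC configuration, and collapses roles that grant exactly the same permissions into one level, since testing one of them exercises the same authorisation boundary as the other. The role names and permission strings are constructed.

```python
# Constructed sample: roles and the permissions each grants, in the shape of an
# RBAC export. Not from any real product.
ROLE_PERMISSIONS = {
    "global_admin":  {"users:read", "users:write", "billing:write", "org:manage", "system:root"},
    "administrator": {"users:read", "users:write", "billing:write", "org:manage"},
    "support_lead":  {"users:read", "users:write", "billing:write", "org:manage"},
    "group_owner":   {"users:read", "users:write", "groups:manage"},
    "full_user":     {"users:read", "content:read", "content:write"},
    "guest":         {"content:read"},
}


def permission_levels(role_permissions: dict) -> list:
    """Group roles by their exact permission set, broadest set first.

    Returns a list of (permission_set, [role names]) tuples. Roles with identical
    permission sets land in the same tuple and therefore count as one level.
    """
    groups = {}
    for role, perms in role_permissions.items():
        groups.setdefault(frozenset(perms), []).append(role)
    # Sort by descending privilege breadth, then by role names for a stable order.
    return sorted(groups.items(), key=lambda kv: (-len(kv[0]), sorted(kv[1])))


def count_user_roles(role_permissions: dict) -> int:
    """The number to enter under User Roles."""
    return len(permission_levels(role_permissions))


def collapsed_roles(role_permissions: dict) -> list:
    """Groups of roles that share one permission set (and so add no extra level)."""
    return [names for _, names in permission_levels(role_permissions) if len(names) > 1]


if __name__ == "__main__":
    for perms, names in permission_levels(ROLE_PERMISSIONS):
        print(f"{len(perms):2d} permissions: {', '.join(names)}")
    print("User Roles to enter:", count_user_roles(ROLE_PERMISSIONS))
```

Roles whose permission sets differ by even one entry stay separate levels, which is the conservative choice: a single extra permission (such as `system:root` above) is exactly the boundary a tester needs to exercise.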

Endpoints / GraphQL Queries and Mutations

Definition: A RESTful API Endpoint is a URL where an API receives requests about a specific resource on its server.

A GraphQL Query is an operation that fetches data.

A GraphQL Mutation is an operation that modifies server-side data.

Notes: We can test both RESTful and GraphQL APIs. However, these APIs work in different ways.

  • RESTful APIs expose resources on different endpoints.
    • Enter the number of RESTful API endpoints in your API asset to test.
  • GraphQL APIs have a single endpoint, but use queries and mutations to manage different categories of data. Queries fetch data, while mutations modify it.
    • Enter the number of queries and mutations in your API asset to test. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints.

If you’re using API tools such as Swagger, Postman, or Insomnia to work with your API asset, you can count the number of endpoints or GraphQL queries and mutations in these tools.
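As an added example (not part of Cobalt's documentation), the script below counts operations from the two machine-readable sources those tools typically export: an OpenAPI document for a RESTful API and a GraphQL schema in SDL. Both documents are constructed toy examples. Counting per path-and-method rather than per path is an assumption; it matches the definition of an endpoint as a URL receiving requests about a resource, where `GET /users` and `POST /users` are tested separately.

```python
import json
import re

# Constructed sample OpenAPI 3 document (a toy API, not any real one).
OPENAPI_DOC = json.loads("""
{
  "openapi": "3.0.3",
  "paths": {
    "/users": {
      "parameters": [{"name": "X-Tenant", "in": "header", "schema": {"type": "string"}}],
      "get":  {"summary": "List users"},
      "post": {"summary": "Create user"}
    },
    "/users/{id}": {
      "get":    {"summary": "Read user"},
      "put":    {"summary": "Replace user"},
      "delete": {"summary": "Delete user"}
    },
    "/health": {"get": {"summary": "Liveness"}}
  }
}
""")

# Constructed sample GraphQL schema in SDL (not any real API).
GRAPHQL_SDL = """
type Query {
  me: User
  user(id: ID!): User
  users(first: Int = 10, after: String): [User!]!
}

type Mutation {
  createUser(input: CreateUserInput!): User!
  deleteUser(id: ID!): Boolean!
}

type User { id: ID!  name: String }
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def openapi_operations(doc: dict) -> list:
    """Every operation as 'METHOD /path'.

    Path-level keys that are not HTTP methods ('parameters', 'summary', '$ref')
    are skipped, so a path with shared parameters is not over-counted.
    """
    ops = []
    for path, item in doc.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:
                ops.append(f"{key.upper()} {path}")
    return ops


# A field definition inside a type body: name, optional (args), then ':'.
FIELD_RE = re.compile(r"(\w+)\s*(?:\([^)]*\))?\s*:")


def graphql_operations(sdl: str) -> dict:
    """Names of the root fields on Query and Mutation, i.e. the operations a
    client can invoke. Only those two root types are scanned, so ordinary
    object types such as User do not inflate the count."""
    result = {}
    for root in ("Query", "Mutation"):
        m = re.search(r"\btype\s+" + root + r"\s*\{([^}]*)\}", sdl)
        body = m.group(1) if m else ""
        result[root] = [f.group(1) for f in FIELD_RE.finditer(body)]
    return result


def count_api_scope(doc=None, sdl=None) -> int:
    """The number to enter under Endpoints / GraphQL Queries and Mutations."""
    n = len(openapi_operations(doc)) if doc else 0
    if sdl:
        n += sum(len(names) for names in graphql_operations(sdl).values())
    return n


if __name__ == "__main__":
    print(openapi_operations(OPENAPI_DOC))
    print(graphql_operations(GRAPHQL_SDL))
    print("Endpoints / operations to enter:", count_api_scope(OPENAPI_DOC, GRAPHQL_SDL))
```

For a Postman collection, the equivalent is to walk the nested `item` arrays and count entries that carry a `request`; the same rule of one count per distinct method-and-path applies.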

External Network

To scope a pentest for an External Network asset, specify the number of IP addresses in your external network that need to be tested:

IP Addresses

Definition: Number of active IP addresses in your external network that need to be tested.

Internal Network

To scope a pentest for an Internal Network asset, specify the number of IP addresses in your internal network that need to be tested:

IP Addresses

Definition: Number of active IP addresses in your internal network that need to be tested.

If you’re working with servers in the cloud, you can also set up a Cloud Configuration asset.

Cloud Configuration

Cobalt pentesters can test services on the following platforms:

  • Google Cloud Platform (GCP)
  • Amazon Web Services (AWS)
  • Microsoft Azure Cloud (Azure)

Each platform includes different categories of services, such as compute instances (for example, EC2), databases, and machine learning engines.

To scope a pentest for a Cloud Configuration asset, specify the number of the following characteristics of the asset that need to be tested:

User Accounts, Projects, or Resource Groups

Definition: User Accounts refer to accounts in your cloud asset.

Projects are all resources included in your cloud asset.

Resource Groups are sets of resources in a cloud asset.

Notes: Enter the total number of accounts, projects, or resource groups in your cloud asset that need to be tested.

Unique Service Instances

Definition: Unique services are the different functionalities that you’ve configured in your cloud deployment.

Notes: Enter the number of unique services in your cloud asset that need to be tested.
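As an added example (not Cobalt's code or algorithm), the script below derives the two Cloud Configuration counts from an AWS resource inventory expressed as ARNs, whose documented layout is `arn:partition:service:region:account-id:resource`. The inventory, account IDs, and resource names are constructed. Treating each distinct account ID as one User Account and each distinct service namespace as one Unique Service is an assumption to confirm with the asset owner; the equivalent on GCP would be distinct project IDs and API services, and on Azure distinct resource groups and resource providers.

```python
# Constructed sample: an AWS resource inventory as ARNs (made-up account IDs
# and resource names, not from any real environment).
INVENTORY_ARNS = """
arn:aws:ec2:us-east-1:111122223333:instance/i-0a1b2c3d4e5f6a7b8
arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0
arn:aws:s3:::example-data-bucket
arn:aws:rds:us-east-1:111122223333:db:prod-postgres
arn:aws:lambda:us-east-1:444455556666:function:ingest-events
arn:aws:iam::444455556666:role/DeployRole
arn:aws:lambda:eu-west-1:444455556666:function:report-nightly
"""


def parse_arn(arn: str) -> dict:
    """Split an ARN into its documented fields:
    arn:partition:service:region:account-id:resource
    The resource part may itself contain ':' (e.g. 'db:prod-postgres'),
    so only five splits are made."""
    parts = arn.strip().split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def cloud_scope(inventory: str) -> dict:
    """Counts for the Cloud Configuration scoping form.

    Assumptions: each distinct account ID is one 'User Account'; each distinct
    service namespace (ec2, s3, rds, ...) is one 'Unique Service'. S3 bucket
    ARNs carry no region or account ID, so they add a service but no account.
    """
    accounts, services = set(), set()
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = parse_arn(line)
        services.add(fields["service"])
        if fields["account"]:
            accounts.add(fields["account"])
    return {
        "accounts": sorted(accounts),
        "services": sorted(services),
        "account_count": len(accounts),
        "unique_service_count": len(services),
    }


if __name__ == "__main__":
    scope = cloud_scope(INVENTORY_ARNS)
    print("User Accounts to enter:", scope["account_count"], scope["accounts"])
    print("Unique Services to enter:", scope["unique_service_count"], scope["services"])
```

Two Lambda functions in different regions still count as one service here; if your deployment treats each region as a separately configured instance, key the set on `(service, region)` instead.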

Assets of Multiple Types

Sometimes, assets fit into more than one category. For such assets, Cobalt supports pentests on the following combinations of categories:

To scope a pentest for a combined asset, specify the number of characteristics for each asset type that it includes. Refer to the corresponding sections of this guide for details.

View Required Credits

Once you’ve identified the pentest scope, you can see the number of required credits in Credit(s) Per Pentest. Whenever you adjust the scope, our algorithm updates the number of credits. Under Credits, you can also view your Available Balance.

Next Step

If your pentest is ready, select Save & Exit. On the next screen, you can review your work before submitting the pentest.


Last modified May.05.2023