Sign In to Cobalt

Start the pentest process. Sign in to the Cobalt app.

Learn about your first steps with Cobalt after receiving a welcome email.

Set Up Your Account

Once you’ve received a welcome email from Cobalt, do the following:

  1. Select Sign In in the email.
  2. Create a strong password. To learn more, read our password best practices.

Once you’ve confirmed your email address and created a password, your Cobalt account is fully set up.

Sign-in Methods

Depending on how your organization is configured, you can sign in to Cobalt in the following ways:

  • Through SAML single sign-on, if configured. Go to your identity provider system to sign in to Cobalt, or follow a unique URL.
    • If your organization has enforced SAML, authentication from the Cobalt Sign In page is not possible.
  • From the Cobalt Sign In page, with:
    • Your email address and password.
    • Your Google account with which you were invited to Cobalt.


SAML SSO

We support identity provider-initiated single sign-on (SSO) based on the Security Assertion Markup Language 2.0 (SAML 2.0) protocol. SAML-based SSO is available to all PtaaS tiers.

Navigate to your identity provider, and select the Cobalt app to authenticate. Depending on the setup, you may need to follow a unique URL.

SAML SSO affects the following roles:

If your organization enforces SAML SSO, you can authenticate only through your identity provider, such as Okta, OneLogin, or Microsoft Azure AD. Authentication from the Cobalt Sign In page is not possible.

Learn more about configuring SAML SSO (for Organization Owners).

Two-Factor Authentication

We support two-factor authentication (2FA) for users who sign in with their email and password. If you’re using SAML SSO to sign in, you don’t need to turn on 2FA.

  • If your organization enforces 2FA for all users, configure it upon signing in.
  • We recommend that you enable 2FA even if your organization doesn’t enforce it.

Device Verification

When you sign in to Cobalt, we record information about your device to add an extra layer of security to the sign-in process.

If you attempt to sign in from a device that we don’t recognize, we take additional steps to verify your identity before granting you access. This may happen when you:

  • Sign in from a new browser
  • Use your browser’s private (incognito) mode
  • Clear your site data
  • Sign in from a different system



Last modified May.05.2023