Pentest Expectations

What happens after you’ve set up your pentest.

Our pentesters share what they’ve found before they write your report.

Now that you’ve done all the work needed to set up a pentest, you might be anxious for results. Here’s what you can expect:

  1. Once you’ve finished setting up a pentest, select Pentests in the left-hand pane. You should see your pentest listed, with an “In Review” label.

  2. Select your pentest. You should see a link to a Slack channel dedicated to your pentest.

  3. Add the colleagues of your choice to the Slack channel. Choose colleagues who can benefit from direct communication with our pentesters.

  4. We’ll select the best available testers before the start of the pentest. We need at least 48 hours. (We may need more time if you have limits on the pentesters that we can use.)

    • As soon as we’ve selected your pentesters and moved your pentest to the “Planned” state, you’ll see them in your Slack channel.

  5. You may get questions from your pentesters in Slack. You can also elaborate on your requirements in that same channel.

  6. As our pentesters analyze your asset, they’ll add updates frequently in your Slack channel. If they discover vulnerabilities (“findings”), you can start remediating before the pentest is complete.

    Here’s an example finding as discussed in a Slack pentest channel.

    Pentest Sample Discussion

  7. Once the pentest is complete, we replace the “In Review” label with “Remediation.”

  8. You can start assessing all discovered vulnerabilities. In the Cobalt app, navigate to Pentests. Select your pentest, and navigate to the Findings tab.

    • Scroll down until you see “Activity.” Depending on your assessment, you can set the finding to one of the following states:

      • Pending Fix, when your developers are remediating the finding.
      • Ready for Re-Test, when your developers have fixed the issue and you’re ready for our pentesters to validate your fix.
      • Accepted Risk, when you’ve determined that the finding is either not critical or beyond your control. For more information, see the following blog post on Accepted Risk.

  9. We keep the Slack channel open until you’ve set each finding to:

    • Accepted Risk
    • Fixed

    If you need access to the archived channel, contact your Customer Success Manager or

  10. You’re welcome to customize the pentest report. For more information, see the following blog post on how you can Customize Your Pentest Reports.

  11. Within days, our pentesters share a more formal pentest report. You’re welcome to download this sample test report (PDF) for a web app.

Last modified December.12.2021