Pentest Expectations

What happens after you’ve set up your pentest.

Our pentesters share what they’ve found before they write your report. We’ll write a report for pentests with at least eight (8) credits.

Now that you’ve done all the work needed to set up a pentest, you might be anxious for results. Here’s what you can expect:

  1. Once you’ve finished setting up a pentest, select Pentests in the left-hand pane. You should see your pentest listed, with an In Review label.

  2. Select your pentest. You should see a link to a Slack channel dedicated to your pentest.

  3. Add the colleagues of your choice to the Slack channel. Choose colleagues who can benefit from direct communication with our pentesters.

  4. We’ll select the best available testers before the start of the pentest. The time we need depends on your PtaaS Tier and any special requirements you have.

    • As soon as we’ve selected your pentesters, and have moved your pentest from In Review to Planned, you’ll see them in your Slack channel.
  5. You may get questions from your pentesters in Slack. You can also elaborate on your requirements in that same channel.

  6. As our pentesters analyze your asset, they’ll add updates frequently in your Slack channel. If they discover vulnerabilities (“findings”), you can start remediating before the pentest is complete.

    Here’s an example finding as discussed in a Slack pentest channel.

    Pentest Sample Discussion

  7. Once the pentest is complete, we move your pentest from Planned to Remediation.

  8. You can start assessing all discovered vulnerabilities. In the Cobalt app, navigate to Pentests. Select your pentest, and navigate to the Findings tab.

    • Scroll down until you see Activity. Depending on your assessment, you can set the finding to one of the following states:

      • Pending Fix, when your developers are remediating the finding.
      • Ready for Re-Test, when your developers have fixed the issue and you’re ready for our pentesters to validate your fix.
      • Accepted Risk, when you’ve determined that the finding is either not critical, or is beyond your control. For more information, see the following blog post on Accepted Risk.
  9. We keep the Slack channel open until you’ve set each finding to:

    • Accepted Risk
    • Fixed

    If you need access to the archived channel, contact your Customer Success Manager or

  10. If you’ve purchased a qualifying PtaaS Tier, you can customize your Pentest report. However, we report all findings. For more information, see the following blog post on how you can Customize Your Pentest Reports.

  11. Based on your Service Level Agreement, our pentesters then share a formal report. You’re welcome to download this sample test report (PDF) for a web app.

Our Pentest States page includes more information about each pentest state, including Draft, In Review, Planned, Remediation, and Closed.

1 - What's in a Pentest Report

Here’s what you can expect in a Pentest Report.

Our pentest reports include what you need to further secure your systems.

We provide the following types of pentest reports:

  • Customer Letter
  • Attestation Report
  • Attestation Letter
  • Full Report
  • Full Report + Finding Details

Our Full Report + Finding Details includes all of the following sections. If you’ve purchased an appropriate PtaaS Tier, you can customize what you see in all but the Attestation Letter.

The Attestation Letter is a one-page report that you can share with external stakeholders such as prospects or customers. We base the letter on our Executive Summary. You cannot customize an Attestation Letter.


We include the Pentest Target, the location of your asset.

Test Period

We include the dates when we tested your asset.

Test Performed By

We include a list of the pentesters who analyzed your asset. Each pentester’s name includes a link to their Cobalt profile.

Executive Summary

Our executive summary includes:

  • A high-level summary of the tests we performed
  • A table with the number of findings that we identified, categorized by different severity levels
  • Highlights of any significant findings

Scope of Work

The scope shown in the following subsections varies depending on the type of asset.

Target Description

The report includes information on the asset that we tested, along with the environment you specified when planning the pentest:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

In-Scope Testing Methodologies

In this section, we get into more specifics on the tests that we performed. In general, we test to standards such as:

In this section we include a checklist of the tests that we performed on your assets. Depending on your asset, it may also include manual and automated steps that we use with black box and grammar-based fuzzing. For more information, see:

Test Cases that Thwarted Exploitation Attempts

This section lists the tests that did not find vulnerabilities while testing your asset.


We list the basic methodologies that we used before, during, and after our tests.


  • Scoping
  • Customer
  • Documentation
  • Information
  • Discovery

Penetration Testing

  • Tool-assisted assessment
  • Manual assessment
  • Exploitation
  • Risk Analysis
  • Reporting

Post Engagement

  • Prioritized remediation
  • Best practice support
  • Re-testing

Risk Factors

We use a modified version of the OWASP Risk Rating Methodology, which rates each finding on its business impact and likelihood. We measure each factor on a scale from 1 (very low) to 5 (very high).

Severity Definitions

Based on Risk Factors, we assign a rating to each finding, using the following equation:

risk = impact * likelihood

For more information, see our documentation on Severity Levels.

Summary of Findings

When feasible, we include graphs that categorize vulnerabilities by:

  • Type
  • Severity


We include a short summary of each vulnerability. If you have a Full Report + Finding Details, you can find more information about each vulnerability in the appendix on Finding Details.

Where applicable, we also include a list of open ports and services.

General Risk Profile

We include a color-coded chart based on the impact and likelihood of each vulnerability.


We include recommendations for what you can do to mitigate and remediate each finding.

Post-Test Remediation

In this section, we include the type, severity, and state of each finding, as well as whether the finding has been resolved.


This section includes a disclaimer.

Appendix A - Finding Details

In this section, we go into details for each finding. Our descriptions include the following:

  • Vulnerability Type
  • Description
  • Affected URLs
  • Proof of Concept of the vulnerability
  • Severity
  • Suggested Fix