Cobalt.io, a “pentest-as-a-service” platform that lets any business access ethical hackers to stress-test their software, has raised $29 million in a series B round of funding led by Highland Europe.
Penetration testing, or “pentesting,” is a process that strives to identify vulnerabilities and exploit them as a real-world hacker might. The pentesting market is pegged at a $1.7 billion industry in 2020, a figure that will more than double within five years, according to a MarketsandMarkets report.
Founded in 2013, San Francisco-based Cobalt vets qualified human pentesters and facilitates on-demand tests for its clients, who pay a fixed price based on the size of their application and how frequently they want tests to be carried out. Companies receive vulnerability reports via the Cobalt Central dashboard, from which they can be assigned directly to the relevant developers through their bug-tracking system of choice, whether in Jira, GitHub, or elsewhere.
Cobalt Central can be used as a communication conduit between companies and pentesters to clarify any lingering questions about vulnerabilities that are found. This two-way interaction creates what Cobalt calls a “dynamic, real-time feedback loop” between the developers and the pentesters.
At the heart of Cobalt’s pitch is a promise to bring pentesting into the modern digital era, bypassing PDFs that simply list vulnerabilities to provide a marketplace for certified pentesters and an interface for managing the process from start to finish.
AI and automation are increasingly infiltrating the cybersecurity sphere, which is why automated pentesting platforms should come as no surprise. But Cobalt believes a human-centric approach is best for finding all potential vulnerabilities.
“Automation and AI are disruptive forces in the world of enterprise tech, but when it comes to pentesting, the manual element will never become obsolete,” chief strategy officer Caroline Wong told VentureBeat. “While there are many types of security vulnerabilities that can be found using automated platforms, there are entire classes of issues that can only be discovered manually, by humans. These include business logic bypass, race conditions, and chained exploits.”
Cobalt does lean on some automation, however. External pentesters and developers haven’t always worked together effectively, and companies need to be informed immediately when critical vulnerabilities are discovered. This is why Cobalt automates some of the communication and collaboration between the two parties, with tickets and fix-verification triggered automatically.
“Immediate notification of found vulnerabilities to the developer team, and on-demand, asynchronous communication between pentesters and engineers helps newly discovered security issues to get to the right folks so they can get fixed,” Wong said.
In terms of how Cobalt recruits and assesses its pentesters, each candidate must pass a technical assessment and a video interview, with feedback gathered on an ongoing basis from customers and within the team. Cobalt currently counts 300 pentesters as part of its Cobalt Core team.
“Our pentester community is the lynchpin of our business, so the bar for entrants is high,” Wong said. “It’s a closed and exclusive group, and we do not consider applications without a referral from within the community, within the company, or within our customer base.”
Before this round, Cobalt had raised around $8 million, and with another $29 million in the bank the company said it plans to double down on international growth. Notable clients include MuleSoft, Verifone, and Axel Springer.