Cobalt.io, a “pentest-as-a-service” platform that lets any business access ethical hackers to stress-test their software, has raised $29 million in a series B round of funding led by Highland Europe.
Penetration testing, or “pentesting,” is a process that strives to identify vulnerabilities and exploit them as a real-world hacker might. The pentesting market is currently pegged at $1.7 billion, a figure that will more than double within five years, according to a MarketsandMarkets report.
Founded in 2013, San Francisco-based Cobalt vets qualified human pentesters and facilitates on-demand tests for clients, who pay a fixed price based on the size of their application and how frequently they want tests to be carried out. Companies receive vulnerability reports via the Cobalt Central dashboard, where they can be assigned directly to relevant developers through their bug-tracking system of choice (e.g., Jira or GitHub).
Cobalt Central also allows companies and pentesters to communicate about any vulnerabilities. This two-way interaction creates what Cobalt calls a “dynamic, real-time feedback loop” between developers and pentesters.
Cobalt promises to bring pentesting into the digital era, bypassing PDFs that simply list vulnerabilities and providing a marketplace for certified pentesters and an interface for managing the process from start to finish. Notable existing clients include MuleSoft, Verifone, and Axel Springer.
“Automation and AI are disruptive forces in the world of enterprise tech, but when it comes to pentesting, the manual element will never become obsolete,” chief strategy officer Caroline Wong told VentureBeat. “While there are many types of security vulnerabilities that can be found using automated platforms, there are entire classes of issues that can only be discovered manually, by humans. These include business logic bypass, race conditions, and chained exploits.”
Cobalt does lean on some automation, however. External pentesters and developers haven’t always worked together effectively, and companies need to be informed immediately when critical vulnerabilities are discovered. This is why Cobalt automates some of the communication and collaboration between the two parties, with tickets and fix-verification triggered automatically.
“Immediate notification of found vulnerabilities to the developer team, and on-demand, asynchronous communication between pentesters and engineers help newly discovered security issues to get to the right folks so they can get fixed,” Wong said.
Cobalt recruits and assesses its pentesters, with each candidate undergoing a technical assessment and video interview. The company also gathers feedback on an ongoing basis from customers and other team members. Cobalt currently counts 300 pentesters as part of its Cobalt Core team.
“Our pentester community is the lynchpin of our business, so the bar for entrants is high,” Wong said. “It’s a closed and exclusive group, and we do not consider applications without a referral from within the community, within the company, or within our customer base.”
Cobalt had previously raised around $8 million, and with another $29 million in the bank it plans to double down on international growth. Other participants in its series B round include Gerhard Eschelbeck, former VP of security and privacy engineering at Google; Adobe’s chief product officer Scott Belsky; Soren Abildgaard; Gary Swart; Elizabeth Tse; and Greg Nicastro.