Cobalt

Cobalt is a cybersecurity company that pioneered the Pentest as a Service (PTaaS) model, combining a SaaS platform with a global community of security researchers to deliver offensive security solutions. Headquartered in San Francisco, California, the company also maintains offices in Berlin and London, operating with a remote-first approach. Its mission is to empower organizations to operate securely and innovate fearlessly by modernizing traditional penetration testing.

The company's core offerings include a comprehensive offensive security platform that provides application, network, and cloud security services. These services encompass web and API penetration testing, AI and LLM testing, secure code review, automated Dynamic Application Security Testing (DAST), digital risk assessments, red teaming, and attack surface management. The Cobalt platform is designed to streamline pentest launches, facilitate real-time collaboration with testers, enable continuous scanning, and integrate seamlessly with remediation workflows, serving over 1,500 customers.

Recent notable developments include the appointment of cybersecurity pioneer Tony Spinelli to its Board of Directors in April 2026 and earning five industry awards at RSAC 2026 in March 2026. In March 2026, Cobalt also introduced new AI capabilities for continuous pentesting and released its eighth annual State of Pentesting Report. Led by CEO Sonali Shah, Cobalt has been recognized for its rapid growth, securing a spot on the Inc. 5000 list for the fourth consecutive year in August 2024, reinforcing its position as a leader in the offensive security market.

Latest updates

AI Security Lags, Eroding Confidence as Adoption Accelerates

  • 32% of AI/LLM vulnerabilities are rated 'high-risk,' 2.7x the rate of other applications.
  • Only 38% of high-risk LLM vulnerabilities are resolved, the lowest resolution rate across all application types.
  • 20% of organizations report experiencing an LLM security incident in the past year, with 18% unsure and 19% declining to answer.
  • Security professional confidence in their ability to manage AI security risks has dropped from 64% to 51% year-over-year.
  • Organizations are seeing an eight-month gap (249 days) in remediation speeds for high-risk vulnerabilities between top and bottom performers.

The Cobalt report underscores a growing disconnect between the rapid adoption of AI and the ability of security teams to effectively manage the associated risks. The low resolution rates for LLM vulnerabilities, coupled with declining security confidence, suggest a systemic challenge that extends beyond technical fixes and requires a fundamental shift in security strategy. This trend is likely to drive increased investment in offensive security services and potentially influence regulatory scrutiny of AI deployments.

Governance Dynamics
The widening gap between executive perception and practitioner reality regarding SLA adherence will likely intensify pressure for improved security processes and potentially trigger internal restructuring.
Regulatory Headwinds
The lack of vendor-led fixes for LLM vulnerabilities will accelerate calls for regulatory oversight and potentially mandate specific security controls for AI deployments.
Execution Risk
The observed eight-month remediation gap highlights a critical execution risk; organizations with slower remediation cycles will face disproportionately higher exposure to security incidents.

Cobalt Adds Seasoned CISO Spinelli to Board Amid Rising Cyber Risk

  • Cobalt appointed Tony Spinelli, a four-time CISO and two-time CIO, to its board of directors.
  • Spinelli is currently Chief Security Officer at Halcyon and an early investor and customer of Cobalt.
  • The appointment comes as organizations increasingly adopt Continuous Threat Exposure Management (CTEM) strategies.
  • Cobalt boasts an NPS of 9, indicating high customer satisfaction.

The appointment of a seasoned executive like Spinelli underscores the growing importance of continuous security validation in a landscape of rapidly evolving cyber threats. Cobalt’s positioning as a leader in PTaaS and AI-powered security is increasingly relevant as organizations move away from traditional, point-in-time security assessments. Spinelli's experience in scaling security programs at large enterprises like Capital One suggests Cobalt is targeting a higher-end, enterprise customer base.

Governance Dynamics
Spinelli’s presence on the board will likely accelerate Cobalt’s strategic shifts toward continuous security validation, potentially impacting the company’s product roadmap and pricing models.
Market Adoption
The pace at which enterprises fully transition from periodic pentesting to CTEM will determine Cobalt's ability to sustain its current growth trajectory and maintain its competitive advantage.
AI Integration
Cobalt’s success hinges on effectively integrating AI into its platform; Spinelli’s experience in AI initiatives at Capital One will be crucial for navigating this complex technical and market challenge.

Cobalt's Award Haul Signals Shift to Continuous Security Validation

  • Cobalt received five industry awards at RSAC 2026, recognizing its leadership in Penetration Testing as a Service (PTaaS) and Continuous Threat Exposure Management (CTEM).
  • Awards include a Gold Winner and Best of Category from the Globee Cybersecurity Awards for PTaaS, and a Finalist from SC Media for CTEM innovation.
  • Cobalt also received two Market Disruptor awards from Cyber Defense Magazine and a Gold Award from the Cybersecurity Excellence Awards.
  • CEO Sonali Shah highlighted a shift towards continuous, programmatic security testing as a driver for the recognition.

Cobalt's awards underscore the growing demand for continuous security validation, driven by expanding attack surfaces and the need for more proactive risk mitigation. The company's focus on combining human expertise with AI-powered automation positions it to capitalize on this trend, but also exposes it to the challenges of scaling AI-driven security solutions. The shift away from periodic assessments represents a fundamental change in how organizations manage cybersecurity risk, moving towards a more programmatic and ongoing approach.

Market Adoption
The pace at which enterprises fully adopt CTEM practices will determine Cobalt's ability to scale its platform and maintain its competitive advantage, as point-in-time assessments remain prevalent.
AI Integration
Cobalt's reliance on AI agents for discovery and reporting introduces execution risk; the effectiveness of these agents in identifying and prioritizing vulnerabilities will be critical to justifying the platform's value proposition.
Competitive Landscape
Increased recognition for PTaaS and CTEM will likely attract new entrants and intensify competition, potentially eroding Cobalt’s market share and pricing power.

Cobalt Integrates AI for Continuous Pentesting, Aims to Automate Security Workflow

  • Cobalt, a provider of penetration testing as a service (PTaaS), introduced new AI capabilities for continuous pentesting, delivered through its Offensive Security Platform.
  • New features include Automated Reconnaissance, AI-Powered Vulnerability Discovery, and Proprietary Data Enrichment, alongside AI-Driven Deduplication and Triage.
  • The company claims its platform leverages the 'largest dataset of real-world pentesting intelligence' to refine testing logic.
  • Cobalt introduced compatibility with the Model Context Protocol (MCP) to enable AI assistants to interface with pentest data.
  • CEO Sonali Shah emphasizes a focus on augmenting human expertise with AI, rather than replacing it.

The increasing sophistication of cyberattacks and the acceleration of modern development practices are driving demand for more frequent and automated security assessments. Cobalt’s move to integrate AI into its PTaaS offering reflects a broader trend towards leveraging AI to augment human expertise and scale security operations, but it also introduces the risk of over-reliance on automated systems and the potential for false positives.

Adoption Rate
The success of Cobalt’s strategy hinges on the willingness of security teams to adopt continuous pentesting and integrate AI-powered tools into their workflows, which may require significant cultural and process shifts.
MCP Integration
The adoption and standardization of the Model Context Protocol (MCP) will be crucial for Cobalt’s ability to expand its AI integrations and offer broader compatibility with security tools.
Competitive Response
Other PTaaS providers and cybersecurity firms will likely respond to Cobalt’s AI advancements, potentially intensifying competition and driving further innovation in the market.

Cobalt Launches Security Program Manager Service to Address Enterprise Security Scaling Challenges

  • Cobalt introduced a Security Program Manager service aimed at helping enterprises scale their offensive security programs.
  • The service provides dedicated experts who act as an extension of internal security teams, coordinating testing schedules and aligning remediation workflows.
  • Cobalt’s Security Program Manager builds on its existing Offensive Security Platform, which combines automation, AI, and human expertise.
  • Jamie Strickland, Security Analyst Lead at Patterson Companies, highlighted the service's value in ensuring consistency and managing complex pentesting projects.

As enterprises grapple with expanding attack surfaces and accelerated development cycles, the need for operationalized and scalable offensive security programs is intensifying. Cobalt's Security Program Manager service addresses a growing pain point for security teams struggling to translate strategic objectives into effective execution. This move signals a shift towards a more managed services model within the cybersecurity space, where specialized expertise is increasingly outsourced to augment internal capabilities.

Service Adoption
The success of this offering hinges on whether enterprises will adopt outsourced program management, given existing internal security team structures and potential data governance concerns.
Integration Depth
Cobalt’s ability to deeply integrate its Security Program Manager service with existing development tools (Jira, GitHub, Slack) will be crucial for driving adoption and demonstrating value to engineering teams.
Competitive Response
Other cybersecurity service providers will likely respond to Cobalt’s move, potentially leading to a commoditization of security program management services and increased pricing pressure.

Cobalt's Contract Transparency Boosts Market Position

  • Cobalt achieved a Customer Favorability Score of 80% from TermScout’s Certify analytics platform, placing it within the top 7% of vendors benchmarked.
  • TermScout’s TrustMark™ designation assesses over 750 data points across key contract clauses like indemnification and termination rights.
  • Cobalt benchmarked its Terms of Service against direct competitors within the penetration testing as a service (PTaaS) market.
  • The certification aims to reduce negotiation friction and accelerate procurement cycles for Cobalt's security services.

The increasing scrutiny of B2B contract terms, particularly within the cybersecurity sector, reflects a broader trend towards greater transparency and fairness in vendor relationships. Cobalt's proactive approach to certification signals a shift away from protracted legal negotiations and towards streamlined procurement processes, a key differentiator in a market increasingly demanding ease of doing business. This move could significantly impact Cobalt's sales cycles and customer acquisition costs.

Competitive Response
Other PTaaS providers may now feel pressure to improve their own contract transparency and seek similar certifications to remain competitive, potentially driving up the cost of compliance.
Procurement Impact
The TrustMark™ designation could become a standard expectation for security buyers, accelerating procurement timelines for Cobalt but also raising the bar for all vendors.
TermScout Adoption
The success of Cobalt’s certification will influence the broader adoption of TermScout’s TrustMark™ program by other vendors and buyers in the B2B technology space.

Pentesting-as-a-Service Gains Ground as Bug Bounties Face Efficacy Concerns

  • A Cobalt report, based on a survey of 198 elite security professionals, found 58% rank Penetration Testing as a Service (PTaaS) as the most effective vulnerability discovery model, compared to 15% for bug bounties.
  • 54% of pentesters surveyed reported discovering a Zero-Day or N-Day vulnerability, highlighting the continued importance of human expertise.
  • The report indicates 30% of bug bounty submissions are considered 'noise,' creating administrative burdens for security teams.
  • 51% of pentesters cite the 'first-to-file' pressure in bug bounty programs as a primary frustration, potentially compromising thoroughness.

Cobalt's report highlights a growing recognition that traditional bug bounty programs, while initially appealing for their cost-effectiveness, often lack the depth and focus of professional penetration testing. This trend reflects a broader industry move towards more proactive and continuous security practices, driven by escalating cyber threats and increasing regulatory scrutiny. The findings suggest a potential consolidation in the offensive security market, favoring platforms that combine human expertise with technology to deliver actionable insights.

Model Shift
The increasing preference for PTaaS over bug bounties suggests a potential shift in how organizations approach vulnerability discovery, which could impact the economics of the bug bounty market.
Talent Dynamics
The report's emphasis on human expertise and career-critical discoveries underscores the ongoing challenge of attracting and retaining skilled cybersecurity professionals, particularly pentesters.
Integration
The success of PTaaS hinges on its ability to integrate with existing remediation workflows and provide continuous feedback loops; the pace of this integration will determine its long-term adoption.

Cobalt Bolsters Leadership as Pentesting Demand Escalates

  • Cobalt appointed Paul Zymba as Senior Vice President of Customer Success, effective immediately.
  • Deepak Dalvi joined Cobalt as Vice President of Product, also effective immediately.
  • Zymba brings over 25 years of experience from companies including Veracode, Mendix, GAN Integrity, and Galvanize.
  • Dalvi previously held leadership roles at Trellix, Aqua Security, and Lacework.
  • Cobalt boasts a Net Promoter Score (NPS) of 9.

Cobalt's leadership additions signal a deliberate push to scale its enterprise presence amidst increasing pressure on security teams to manage complex environments and sophisticated threats. The appointments suggest a focus on operationalizing pentesting as an ongoing discipline, aligning with the broader trend of integrating security into the software development lifecycle. The company's reliance on both human expertise and AI underscores the evolving nature of cybersecurity and the need for a blended approach.

Execution Risk
The success of these appointments hinges on how effectively Zymba and Dalvi integrate into Cobalt's existing structure and collaborate to drive the stated strategic priorities.
Competitive Landscape
Given Dalvi's experience at multiple competitors, his insights into Cobalt's product roadmap and positioning will be critical in differentiating the platform and maintaining market share.
Enterprise Adoption
The pace at which Cobalt can translate these leadership changes into demonstrable enterprise adoption and expansion will be a key indicator of its ability to capitalize on the growing demand for continuous pentesting.

Pentest Satisfaction Plummets as Security Teams Struggle to Secure AI

  • A Cobalt survey of 150 security leaders reveals only 36% are satisfied with their current penetration testing vendor.
  • 76% of respondents prioritize staying ahead of threats and vulnerabilities, while 50% are focused on securing AI adoption.
  • 40% are motivated to switch vendors for higher quality testing, and 37% for AI-specific expertise.
  • 35% say faster scheduling (days vs. weeks) would motivate a vendor change.

The Cobalt report highlights a growing crisis in cybersecurity, where traditional pentesting models are failing to keep pace with the rapid adoption of AI and the increasing complexity of modern systems. This disconnect is creating a significant operational burden for security teams, forcing them to re-evaluate their vendor relationships and testing methodologies. The findings underscore the need for a more agile and specialized approach to offensive security, particularly as AI-generated code introduces new and evolving vulnerabilities.

Vendor Dynamics
The high churn rate among pentesting vendors suggests a broader realignment of security service providers as organizations seek more specialized and responsive capabilities.
AI Integration
The gap between AI security concerns and actual assessment frequency indicates a significant operational challenge that will likely drive increased investment in specialized tooling and expertise.
Testing Cadence
The demand for faster, more integrated testing models signals a shift away from traditional, periodic pentests toward continuous security validation embedded within the development lifecycle.

Cobalt Gains CSA AI Trustworthy Pledge, Signaling Growing Security Scrutiny

  • Cobalt, a Penetration Testing as a Service (PTaaS) provider, achieved the CSA AI Trustworthy Pledge.
  • The achievement involved completing the CSA Security, Trust, Assurance, and Risk (STAR) Level 1 CAIQ Self-Assessment based on CAIQ v4.0.3.
  • Cobalt’s CISO, Andrew Obadiaru, emphasized the importance of practical security demonstrations over mere documentation.
  • The Cobalt Offensive Security Platform centralizes access to security services and integrates with remediation workflows.

Cobalt's achievement reflects a broader trend of increased scrutiny and formalization of AI governance within the cybersecurity sector. As cloud-native environments become more prevalent and sophisticated, enterprises are demanding greater assurance and transparency from their security providers. This certification provides a marketing differentiator, but also signals a potential shift towards more rigorous auditing and compliance requirements for companies leveraging AI in security services.

Governance Dynamics
The adoption of AI Trustworthy Pledge frameworks will likely become increasingly common for security vendors, potentially raising operational costs and creating a barrier to entry for smaller players.
Regulatory Headwinds
Further regulatory scrutiny of AI-powered security tools is probable, especially concerning data privacy and algorithmic transparency, which could necessitate ongoing compliance efforts for Cobalt.
Execution Risk
Cobalt’s ability to maintain its NPS of 9 while scaling its platform and integrating these new compliance requirements will be a key indicator of its long-term success.

Cobalt Integrates with Microsoft Teams, Expanding Pentesting Reach

  • Cobalt, a penetration testing as a service (PTaaS) provider, launched an integration of its Offensive Security Platform with Microsoft Teams, now available in the Microsoft Marketplace.
  • The integration mirrors Cobalt’s existing Slack integration, offering bi-directional collaboration between pentesters, customers, and project managers.
  • Cobalt employs a network of over 500 security experts and can initiate penetration tests within 24 hours.
  • Microsoft Teams has over 320 million monthly active users and a 90% adoption rate among Fortune 100 companies.
  • Cobalt boasts a Net Promoter Score (NPS) of 9.12.

Cobalt’s move to integrate with Microsoft Teams underscores the increasing importance of seamless collaboration in cybersecurity workflows. The enterprise security market is consolidating around platforms that offer both human expertise and automated tools, and integrations with widely adopted collaboration platforms like Teams are becoming a key differentiator. This partnership allows Cobalt to tap into a massive, pre-existing network of enterprise users, potentially accelerating growth and solidifying its position as a leader in the PTaaS space.

Market Penetration
The success of this integration hinges on Cobalt’s ability to leverage Microsoft Teams’ massive enterprise footprint to acquire new customers and expand its existing user base.
Competitive Response
Other PTaaS providers will likely accelerate their own integrations with major collaboration platforms, intensifying competition for enterprise security budgets.
Integration Depth
The long-term value of the integration will depend on how deeply Cobalt embeds its services within Teams workflows, moving beyond basic notifications to automated remediation actions.