Testing Methodology

Grey box by default. CodeAnt uses JS bundle analysis, data flow tracing, middleware awareness, API context, and codebase intelligence to inform exploit attempts.

Black box starting point. Cobalt begins with external reconnaissance, then uses human judgment and optional source code access depending on engagement scope.

Core Testing Model

Unified defensive plus offensive security platform. It reviews code and uses the same intelligence layer to guide offensive testing.

Human-led PTaaS platform. It relies on vetted pentesters, manual testing depth, and mature crowdsourced testing workflows.

Retesting Model

Unlimited automated retests included. Fix validation can happen in hours without additional retest cost.

Retesting is included within engagement scope, but terms vary by subscription tier. Usually, one validation cycle per finding is included.

Integration Approach

Unified platform from IDE through production. Findings appear where developers already review code, security issues, and CI/CD feedback.

Best-of-breed integrations. Cobalt connects with 1,000+ tools such as Jira, Slack, GitHub, and other workflow platforms for finding management.

Developer Workflow Fit

Strong for teams that want security feedback inside PRs, CI/CD, and remediation workflows.

Strong for teams that want pentest findings routed into existing ticketing and collaboration tools.

Best Fit

Fast-moving SaaS teams that need code-aware AI pentesting, continuous retesting, exploit validation, and SDLC-aligned evidence.

Teams that want mature human-led PTaaS, tester diversity, external validation, and a standalone pentesting program.

Do you need code-aware testing or is external-only sufficient?

Code-aware testing. CodeAnt AI discovers vulnerabilities that require understanding application internals, including misconfigured internal APIs, client-side logic flaws, authentication bypass chains, source-level authorization gaps, and risks visible only through code context. CodeAnt has published 87 CVEs, including CVSS 10.0 critical findings, showing what code-informed reconnaissance can uncover.

External-only testing. Cobalt catches vulnerabilities discoverable from the outside, simulating real adversaries who do not have code access. It is strong for external black-box testing and business logic flaws that benefit from human judgment.

If your threat model includes adversaries with partial code knowledge, such as ex-employees, leaked repositories, or supply chain compromise, code-aware testing models that reality better.

Do you need human business logic validation or is agentic depth enough?

Agentic exploit depth. CodeAnt uses 500+ autonomous agents to chain vulnerabilities systematically, such as BOLA → IDOR → privilege escalation → data exfiltration. This is strong for technical vulnerability depth, comprehensive exploit coverage, API abuse, authentication flaws, and large attack surfaces.

Human-led diversity. Cobalt’s 400+ pentesters bring creative thinking, business context understanding, and manual judgment that AI agents do not fully replicate yet. This is strong for authorization edge cases, multi-step workflow abuse, and domain-specific attack vectors.

Complex business workflows requiring contextual judgment favor human-led PTaaS. Deep technical exploitation across large attack surfaces favors agentic AI penetration testing.

How often do you ship, and what does retesting cost?

Daily or weekly releases. CodeAnt includes unlimited retesting by default. When a vulnerability is fixed, teams can trigger a retest, validate the patch, and close the issue without additional retesting cost. This fits continuous deployment and CI/CD security workflows.

Monthly or quarterly releases. Cobalt’s engagement-based retesting model can work well when release cycles are slower. Retest terms are usually negotiated per engagement scope or subscription tier.

Continuous deployment environments benefit from unlimited automated retesting. Less frequent releases can absorb engagement-based validation cycles.

What compliance evidence granularity do auditors require?

Highly regulated environments. CodeAnt delivers an 8-document compliance evidence package, including retest reports, timeline documentation, TSC control mapping such as CC6.1, CC6.6, and CC7.1, regulatory exposure analysis, and remediation verification. This supports SOC 2 Type 2, HIPAA, PCI-DSS, and ISO 27001 audit preparation.

Standard compliance needs. Cobalt provides a pentest report plus attestation letter, which is sufficient for many SOC 2 Type 1, ISO 27001, and standard customer security review requirements.

If auditors demand detailed control mapping, exploit PoC evidence, retest timelines, and remediation history, granular evidence packages can save audit preparation time.

What cost model fits your risk tolerance?

Performance-based pricing. CodeAnt uses a pay-for-results model where teams pay only for high or critical findings with working PoC exploits. Unlimited retesting is included. Total cost depends on vulnerabilities found, which can be less predictable but more directly tied to validated exploitability.

Credit-based subscription. Cobalt uses a fixed annual subscription model, often around $65K to $100K+ for continuous programs. Credits are allocated across different test types, which makes budgeting more predictable.

Budget predictability favors subscription-based PTaaS. Pay-for-results accountability favors performance-based AI penetration testing.

BOLA/IDOR

High detection

Moderate

Code analysis reveals object ownership models; systematic enumeration tests authorization across all resources

Auth Bypass

High detection

Moderate

Middleware configuration awareness shows which routes lack auth guards; JS bundle analysis exposes client-side checks

SQL Injection (second-order)

High detection

Lower

Data flow tracing follows stored input through database writes to later query construction

Business Logic Flaws

Lower detection

High

Human testers excel at understanding workflow intent and identifying logic gaps (refund abuse, coupon stacking)

Race Conditions

Lower detection

High

Requires timing-based exploitation and transaction boundary understanding—human judgment outperforms automation

GraphQL Issues

High detection

Moderate

Schema extraction from bundles enables systematic introspection bypass and batching attacks

50 devs

3-5 apps

$48K-$72K

$36K-$54K

$24K-$36K

$108K-$162K

200 devs

10-15 apps

$120K-$180K

$90K-$135K

$60K-$90K

$270K-$405K

500 devs

25-40 apps

$240K-$360K

$180K-$270K

$120K-$180K

$540K-$810K

50 devs

Quarterly web + annual mobile

$65K-$85K

$65K-$85K

$65K-$85K

$195K-$255K

200 devs

Monthly web + quarterly API

$120K-$160K

$120K-$160K

$120K-$160K

$360K-$480K

500 devs

Continuous on-demand

$200K-$300K+

$200K-$300K+

$200K-$300K+

$600K-$900K+

Hotfix deployment

Block release until retest scheduled (days)

Retest in pipeline (minutes)

Sprint-end release

Coordinate retest window with sprint

Continuous verification

Post-incident remediation

Emergency retest request

Immediate validation

Primary Pentest Report

Primary pentest report with CVSS scoring, exploit PoCs, technical findings, business impact, and remediation guidance.

Comprehensive pentest report with findings, severity, methodology, and remediation steps.

Required for SOC 2, ISO 27001, PCI-DSS, HIPAA, and enterprise customer security reviews.

Exploit Proof

Includes working exploit PoCs and attack chain documentation to show confirmed exploitability, not just theoretical risk.

Includes validated findings from human-led pentesting, with evidence depending on engagement scope and tester output.

Important when auditors or customers ask whether vulnerabilities were actually exploitable.

Control Mapping

Includes control mapping to TSC control IDs such as CC6.1, CC6.6, and CC7.1.

Compliance-focused formatting is available for SOC 2, ISO 27001, and PCI ASV needs, but custom TSC-level mapping may require follow-up.

Critical for SOC 2 Type 2 audits where auditors want control-level evidence.

Retest Timeline

Retest timeline showing fix validation dates, remediation status, and before/after verification.

Retest validation is included within engagement scope, with terms depending on subscription tier or engagement agreement.

Useful when auditors ask when the issue was fixed and how the fix was verified.

Regulatory Exposure Analysis

Includes regulatory penalty exposure analysis for frameworks such as HIPAA and PCI-DSS.

Standard reporting may support compliance review, but detailed regulatory exposure analysis may require additional coordination.

Important for healthcare, fintech, payment, and regulated SaaS teams.

Attack Chain Documentation

Documents attack chains with business impact, such as auth bypass → privilege escalation → data access.

Human testers document findings and impact, especially when manual business logic testing is in scope.

Valuable when technical findings need to be translated into business risk.

Compliance Attestation

Includes a compliance attestation letter as part of the 8-document evidence package.

Provides an attestation letter certifying test scope and methodology.

Helpful for customers, auditors, procurement teams, and security questionnaires.

Executive Summary

Executive summary maps technical findings to business risk for leadership and audit stakeholders.

Executive summaries are typically included in mature PTaaS reporting workflows.

Useful for CISOs, founders, boards, and non-technical stakeholders.

Remediation Verification

Remediation verification report includes before/after evidence and retest confirmation.

Retest validation is available within the engagement scope, but additional cycles may depend on contract terms.

Important when audit teams require proof that fixes were validated, not just marked complete.

Best Compliance Fit

Best fit for SOC 2 Type 2, ISO 27001, HIPAA, and PCI-DSS audits that require granular control mapping, exploit proof, retest evidence, and detailed remediation history.

Best fit for standard SOC 2 Type 2, ISO 27001, and PCI-related audits where a pentest report plus attestation letter is sufficient.

Choose based on how much evidence detail your auditor expects.

Potential Follow-Up Work

Lower follow-up burden when granular documentation is required because the 8-document package is included.

Custom control mapping may require 1 to 2 weeks of additional coordination if auditors request specific TSC-level documentation.

Matters when audit deadlines are tight.

Auditor Confidence

Granular evidence can reduce auditor follow-up questions by 60 to 70% when control mapping and retest proof are required.

Cobalt holds SOC 2 Type 2, ISO 27001, and PCI ASV certifications itself, which can provide additional auditor confidence.

Useful for compliance-heavy teams comparing AI pentesting vs human-led PTaaS evidence.

Scope Definition

Test 2 to 3 production apps, including one customer-facing app, one internal app, and one API-heavy application.

Coverage across web apps, APIs, authentication flows, and internal workflows.

A good PTaaS pilot should test real SaaS risk, not only a small demo environment.

Testing Model

Run a black box baseline first, then run a grey box retest with source or code context where possible.

Clear difference between external-only testing and code-aware AI pentesting.

This helps compare Cobalt’s human-led PTaaS model with CodeAnt AI’s code-aware defensive plus offensive testing model.

Pilot Timeline

Allow 4 to 6 weeks for the initial test, remediation, and retest cycle.

Full cycle completed from kickoff to report to fix validation.

A PTaaS pilot is incomplete if it only measures first findings and ignores retesting speed.

Time-To-Retest

Measure how many hours pass from fix deployment to validation complete.

Lower time-to-retest means faster remediation closure.

This is critical for continuous pentesting, CI/CD security testing, SOC 2 evidence, and release velocity.

Critical Finding Rate

Track CVSS 9.0+ exploitable issues per application.

Number of confirmed high or critical findings with working exploit PoCs.

This measures exploit validation quality, not just scanner output or theoretical vulnerabilities.

Audit Evidence Completeness

Check whether the deliverables satisfy your compliance framework, such as SOC 2, ISO 27001, HIPAA, or PCI-DSS.

Evidence package includes scope, methodology, exploit proof, control mapping, retest reports, and remediation verification.

Compliance-heavy teams should evaluate whether the PTaaS report reduces auditor follow-up work.

Developer Friction

Survey engineering teams on workflow integration, finding clarity, and remediation effort.

Developers can understand, reproduce, and fix findings without excessive back-and-forth.

A strong PTaaS platform should improve security without slowing engineering teams.

Commercial Validation

Calculate 12-month TCO using pilot finding counts and expected retest volume.

Realistic annual cost estimate based on your application risk and release frequency.

This helps compare performance-based AI pentesting pricing with credit-based PTaaS subscriptions.

Retest Volume Estimate

Estimate annual retest volume based on deployment frequency and expected vulnerability fixes.

Predicted number of retests per month or quarter.

Unlimited retesting matters more for teams shipping daily or weekly.

Auditor Time Saved

Quantify how much internal audit preparation time is saved through evidence packages.

Hours saved on control mapping, remediation proof, and report preparation.

This shows whether compliance evidence is a true platform benefit or still requires manual internal work.