Cobalt raises $29 million to expand its Pentest as a Service platform and transform software security testing

Posted: 20 August, 2020
  • Cobalt is a digital platform that connects companies with penetration testers (‘pentesters’) – human testers who find vulnerabilities in software so they can be fixed

  • The penetration testing market is expected to reach $4.5 billion by 2025, but the vast majority of spend currently goes to traditional consultancies – a slow, expensive process that frustrates both testers and customers, and that hasn’t seen innovation in over a decade

  • Cobalt performs thousands of penetration tests per year, growing exponentially

  • Company recognizes the solution lies in people and process innovation, not just ‘technofixes’

Berlin and San Francisco, August 20 2020 – Cobalt – the cybersecurity platform that connects human penetration testers (sometimes known as ‘ethical hackers’) with companies looking to test the robustness of their software – has raised $29 million from investors to continue its global expansion, bringing its total funding level to $37 million. The Series B round was led by growth-stage experts Highland Europe, the global venture capital firm whose portfolio includes Malwarebytes, Nexthink, Adjust, ContentSquare and WeTransfer. Gajan Rajanathan joins the board from Highland.

The new funding will go towards expanding global usage and continuing development of the Cobalt platform, which pioneered the penetration-test-as-service (PtaaS) model. The breakneck pace of technology innovation has triggered increased demand for sophisticated human cybersecurity experts, who work to find vulnerabilities in software – a process known as ‘penetration testing’ or ‘pentesting’. While automated cybersecurity screening is important, systematic security checks require human ingenuity and rigorous compliance reviews.

Cobalt was founded in 2013 by four Danish co-founders – Jacob Hansen, Esben Friis-Jensen, Jakob Storm and Christian Hansen, all self-identified outsiders to the security world. The team struggled for traction with early-stage investors for its original ‘bug bounty’ business model, in which testers were paid based on the vulnerabilities they found. This forced a rethink, leading the team to innovate its product as well as execute with impressive capital efficiency.

Cobalt now has more than 500 clients, including GoDaddy, Vonage, Axel Springer and MuleSoft, and around 300 pentesters on its platform. Customers are globally distributed, with the US being Cobalt’s largest market. The company’s growth has accelerated in the first half of 2020, in spite of the global pandemic, with the company operating at breakeven. Over the past four years, Cobalt has conducted thousands of pentests; its annual testing figures are doubling year on year, and its rate of growth is increasing. As technology buying decisions become more agile and remote-first, Cobalt’s security certification process enables software and internet companies to navigate release cycles faster while ensuring trust and efficiency in the procurement process.

“Organizations do business globally and digitally, yet traditional pentesting is delivered locally via a PDF,” said Jacob Hansen, co-founder and CEO of Cobalt. “The pentesting industry doesn’t need another cool tool, it needs people and process innovation. That is why we created a way to engage the best cybersecurity talent, via our pentest management platform, allowing customers to move from a static pentest to platform-driven pentest programs. Cobalt ultimately drives better security and improves return on investment for each customer.”

There are three big problems with the traditional pentesting model:

  1. Through specialized consultancies, skills are mostly accessible at the local level. This runs counter to the increasingly globalized nature of today’s workforce and security community, and prevents pentesters from working in a truly agile, collaborative way.

  2. The consultancy structure means getting a pentest up and running is slow and cumbersome – and based on which testers in the team have spare capacity, rather than whether their expertise makes them suitable for a particular job.

  3. The output of a pentest is typically a static PDF, making it hard for data to make its way to developers in a form that allows them to patch vulnerabilities, and raising the risk that they will go unaddressed. This can lead to headline-making breaches, such as the 2017 Equifax data breach, which stem from a failure to patch known vulnerabilities.

As a result, most organizations only perform pentesting once or twice a year, despite hackers updating their arsenal of tools much more frequently – and in conditions which mean they’re not getting the best value, and not receiving readily actionable results.

“Sometimes it’s by solving unsexy problems that you revolutionize a whole industry,” said Caroline Wong, Chief Strategy Officer of Cobalt. “Consultancies have relied on the story that the hardest part of pentesting is hacking the software. Actually, we’ve known for decades what the most pervasive technical problems are and how to address them. The much harder part is connecting with the right people who can do the technical security work, and delivering the results to the development team who can fix the vulnerability.”

From a customer’s perspective, Cobalt’s PtaaS approach opens up a global marketplace of talent, enabling pentesters to collaborate with one another and companies to easily locate specific expertise. This raises the quality bar and reduces the time to start testing from 2-4 weeks to as little as 24 hours. Every tester is thoroughly vetted; the small percentage of applicants accepted onto the platform undergo ongoing peer review to guarantee high quality output.

Once pentesting begins, Cobalt’s platform logs issues as they arise. It visualizes them on a dashboard and connects seamlessly to development tools such as JIRA, so developers can quickly act on any issues found and notify pentesters – creating a dynamic, real-time feedback loop. This also allows security managers at client companies to oversee the entire process, with immediate visibility for the first time into which security flaws have been fixed, and the ability to request instant retests where needed.

“As someone who oversees security for a large and diverse portfolio of web applications, traditional pentesting simply cannot keep pace,” said Henning Christiansen, Chief Information Security Officer of Axel Springer. “We need real-time insight. Cobalt’s unique delivery model meets this need. All our business units have embraced the platform, which is testament to its ease of use, quality of the test findings, and ability to deliver real results.”

“We are the leading API management and integration platform, and it is our job to keep customer data safe and protected,” said Sergey Stelmakh, Platform Security Architect of MuleSoft. “During a pentest we need flexibility and speed, which is what Cobalt gives us — in addition to connecting us to the best talent.”

Cobalt’s platform is also able to collect rich data because, unlike the traditional model, pentesting results aren’t stored and sent in static documents, but rather in a dynamic online repository. This allows the client to improve the security of their customers by surfacing and remediating the types of vulnerability that are affecting them most over time. Cobalt is quickly establishing thought leadership in this critical area of cybersecurity, releasing its annual ‘State of Pentesting’ report, and expects to continue to enrich its business insights and product features in the future.

Gajan Rajanathan at Highland Europe, said: “The digitization of inefficient manual processes has continued to drive value for enterprises, and cybersecurity is no exception. By providing an automated and collaborative environment for DevOps professionals to engage with cybersecurity experts, Cobalt is disrupting a critical part of the application security and compliance value chain. We were impressed with what Jacob and his co-founders have accomplished within such a short period, and believe in their vision to democratize access to the best cybersecurity talent in a transparent manner.”

For the Series B round Highland was joined by angels Scott Belsky (chief product officer at Adobe), Soren Abildgaard (executive VP of engineering at Zendesk), Gary Swart (former CEO of oDesk), Elizabeth Tse (former senior VP of Operations at Upwork), Greg Nicastro (former executive VP of Product at Veracode and former Chief Product Officer at CloudHealth Technologies) and existing angel investor Gerhard Eschelbeck (former VP of security and privacy engineering at Google).

–  END  –