Sonali Shah

CEO, Cobalt.io

 Sonali Shah, CEO of Cobalt, on taking the helm at a rapidly growing company, embracing AI the right way, and why culture requires intentionality

It took over a month before the final Jaguar Land Rover factory restarted production following a devastating cyberattack in late August 2025. The breach knocked 800 computer systems offline, halted production of over 1,000 cars daily, and ultimately cost the company an estimated $1.5 billion. A smaller JLR supplier had to lay off 40 people following the attack – nearly half its workforce. In a fraught world, where bad actors have an alarmingly sophisticated set of tools with which to attack organisations, knowing your business’s vulnerabilities has never been more important.

Sonali Shah is the CEO of Cobalt, which offers the Cobalt Offensive Security Platform designed to uncover vulnerabilities before attackers can exploit them. The company pioneered Pentesting as a Service (PTaaS), and delivers offensive security solutions by combining technology with human expertise. The platform helps organisations identify critical issues and accelerate risk mitigation through faster launches, real-time collaboration, and seamless integration with remediation workflows. Over 1,400 customers, including Verifone, Insurity, and Credit Karma, now rely on the Cobalt Platform. 

 

A Seat at Every Side of the Deal Table

Shah’s career path is not the conventional cybersecurity one. She spent her early career on Wall Street as an investment banker at Credit Suisse before pivoting to cybersecurity, where she held a number of roles – including strategy and corporate development, product management, and marketing. Across two decades in cybersecurity, Shah held senior positions at Verisign, Syniverse, Bitsight, Veracode, Human, and Invicti. Throughout this time, she helped pioneer the first cybersecurity risk rating platform at Bitsight and helped integrate security testing earlier in the software development process at Veracode and Invicti. She has also been involved in multiple financings and M&A deals, including the $950 million sale of Veracode to Thoma Bravo and Summit Partners’ $625 million investment in Invicti.

In August 2024, she transitioned from Cobalt board member to CEO. At the time, Highland Europe Partner Gajan Rajanathan noted that she “brings the right experience to this team” with “the strategic vision and deep domain expertise needed to lead Cobalt into its next phase of growth.”

Shah’s experience on every side of the deal table has sharpened a skill she believes many technical leaders struggle with: the art of selling a vision. “I see many brilliant founders who are unable to communicate the value of their company,” she observes. “The importance of having a strong story and being able to communicate that to the market remains very important. In addition, many founders have a tough time evolving that vision as the market changes. Adaptability is particularly important as AI has rapidly sped up the pace of innovation.”

The End of the Five-Year Vision

One year into her CEO role, Shah has settled on a different approach. “My North Star is what and where we are going to be 18 to 24 months out,” she explains. In a fast-changing world of emerging technologies and evolving threats, she feels that strategic visions need to be revisited more often, and long-term forecasts become less reliable.

Cobalt is at the forefront of offensive security at a time when organisations are struggling to keep pace. Cybersecurity incidents make headlines almost daily – with lives on the line when hospital systems are compromised, livelihoods at stake when small businesses are breached, and essential services threatened when critical infrastructure like power grids or water systems comes under attack.

Shah emphasises the need to evolve offensive security to give customers the flexibility they need at speed and scale, today and tomorrow. The attackers aren’t static; nor should technology solutions be.

AI-Enabled but Still Trustworthy

Cobalt is using AI in its product to help customers identify and remediate risk quickly, while also deploying it internally to streamline processes and boost productivity across every department. 

Gigaom has named Cobalt a Leader and Outperformer in its PTaaS Radar report for three consecutive years, recognising its enterprise platform, 450+ global expert testers, and insights from over 5,000 annual pentests. “Now, with AI, we are able to enhance our key value propositions of speed, scale and expertise and offer our customers the flexibility to create continuous testing programmes. Our customers require solutions that can be customised based on the risk exposure of individual assets and their risk tolerance.”

“We are also using AI to improve internal efficiencies,” Shah explains. She routinely challenges every executive to think about how they can use technology to make their teams more impactful. Shah draws on her economics background to frame her thinking on AI, efficiency, and output. Rather than replacing people with technology, the goal is to shift what’s possible. “It’s about supercharging people to do more for our customers,” she explains. “With automation running repetitive tasks and machine learning providing expert guidance based on the collective knowledge of our community, our offensive security experts have more time to focus on finding vulnerabilities that require human ingenuity.” 

The Cobalt approach of building human-led, AI-powered offensive security services resonates in a sector where trust is paramount and scepticism around AI runs particularly high. Cobalt champions trust as their most important asset, and they protect it fiercely.

Her Three Pillars of Intentional Culture

For Shah, the company’s technology is only one facet that determines success. “Maintaining culture requires intentionality, especially as companies scale,” she states. “There’s never enough time to focus on it, but you have to make time.” She outlines three key pillars of intentional culture:

  1. Communication and Focus: “It’s important for the CEO, and the entire leadership team, to overcommunicate the long-term mission and vision and the top priorities each quarter,” Shah explains. “It’s equally important to align on what the company is not doing.” She has championed internal infrastructure that encourages learnings to be shared across departments, in order to break down silos and ensure everyone moves in the same direction. Clear communication doesn’t always come naturally to technical experts or go-to-market leaders. Building these communication muscles takes practice, and is especially important in fast-moving, remote environments.
  2. Different Skills for Different Stages: Shah emphasises that scaling a company requires continuously evolving the team’s capabilities. “Rapid growth often comes with a fair bit of chaos. It’s important to hire people who can bring in the right structures to support growth and lead their teams through the changes that will be required.” The skills that take a company from founding to its first few million in revenue aren’t necessarily the same skills needed to reach $100 million or beyond. As companies scale from startup to enterprise, they continuously add new types of talent and expertise to complement the foundation already built.
  3. Bi-Directional Feedback: “Mistakes will be made, especially when moving quickly in a high-growth or rapidly changing market. Expect them, and learn from them,” Shah notes. “Create a culture of transparency where employees feel empowered to give each other constructive feedback.” But she’s quick to emphasise that feedback can’t be one-directional. “It starts at the top. The CEO has to be comfortable both giving and receiving feedback and have an authentic desire to learn and improve.” She conducts bi-directional reviews and regularly asks for feedback through skip levels.

Shah notes that while internal communication and feedback are important, certain decisions can’t be discussed widely, and the weight of leadership is heavier on some days than others. “It’s actually a lonely place,” she acknowledges. Building relationships with other CEOs has created a space for her to share challenges, test ideas, and learn from others facing similar pressures. It’s another form of feedback that becomes invaluable when you’re making decisions from the top.

Scaling to Meet Rising Threats

Shah transitioned to the CEO role at a pivotal moment for Cobalt. Global information security spending is projected to reach $212 billion in 2025 – a 15% increase from 2024 – as organisations prioritise security investments in response to escalating threats. This past year has proven that cybersecurity is not only a boardroom priority, it’s a kitchen table issue – families increasingly worry about elderly relatives falling victim to scams or personal data being compromised.

For Shah and Cobalt, the future is being purposely built with their customers, one quarter at a time. Her goal is to meet customers where they are today, and support them as they evolve their needs in the future. As she puts it, “having a lot of money in the bank or leading-edge technology doesn’t help you if you don’t understand your customers’ pain points. Especially in this sector, customers are looking for partners that can help them deal with the ever-evolving landscape.” In cybersecurity, that speed could mean the difference between catching a vulnerability and becoming the next headline.
