Pentest Methodologies

• 1: Web Pentest Methodologies
• 2: Mobile Pentest Methodologies
• 3: API Pentest Methodologies
• 4: External Network Pentests
• 5: Cloud Pentests
• 6: Internal Network Pentests

1 - Web Pentest Methodologies

We use the penetration testing objectives listed on this page. If you want to know more about each methodology, navigate to the Pentest Methodologies page associated with your asset.

Web

The Cobalt team of pentesters do not need access to the underlying web application source code, unless you specify it as a requirement.

When you set up a pentest for a web asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OWASP top 10, ASVS and application logic.

Learn more about these objectives from OWASP:

• OWASP Top 10 Web Application Security Risks
• OWASP Application Security Verification Standard (ASVS)

We look at application logic by working with your app.

Tests of a Web asset include tests of APIs used to populate content on that asset. If you have additional APIs, you may consider setting up:

• A combined Web + API test
• A separate test for APIs

We follow an industry standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure full coverage:

• Target scope reconnaissance
• Business and application logic mapping
• Automated web crawling and web scanner configuration tweaking
• Automated vulnerability scanning
  • Manual crawling to ensure better coverage
• Manual web vulnerability tests and exploit reviews
  • Also covers microservices
• Ongoing assessments
  • Report results to clients through the platform
• Report, triage, and retest

We’ll write a report for pentests with at least eight (8) credits .

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

2 - Mobile Pentest Methodologies

We use the penetration testing objectives listed on this page. If you want to know more about each methodology, navigate to the Pentest Methodologies page associated with your asset.

Mobile

The Cobalt team of pentesters do not need access to the underlying mobile application source code, unless you specify it as a requirement.

When you set up a pentest for a mobile asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OWASP top 10, ASVS and application logic.

Learn more about these objectives from OWASP:

• OWASP Mobile Top 10
• OWASP Application Security Verification Standard (ASVS)

We look at application logic by working with your app.

We follow an industry standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure full coverage:

• Reconnaissance
  • Share the mobile application files
    • Android: .apk
    • iOS: .ipa
• Automated and Manual Testing
• Exploit Discovered Vulnerabilities
• Report, triage, and retest
  • We’ll write a report for pentests with at least eight (8) credits

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

3 - API Pentest Methodologies

We use the penetration testing methodologies listed on the page. If you want to know more about each methodology, navigate to the page associated with your asset.

API

The Cobalt team of pentesters do not need access to the underlying web application source code, unless you specify it as a requirement.

When you set up a pentest for an API asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OWASP top 10, ASVS and application logic.

Learn more about these objectives from OWASP:

• OWASP API Security Top 10
• OWASP Application Security Verification Standard (ASVS)

We look at application logic by working with your app.

We base our methodology primarily on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure full coverage:

• Target scope reconnaissance
• Business and application logic mapping
• Automated web crawling and web scanner configuration tweaking
• Automated vulnerability scanning
  • Manual crawling to ensure better coverage
• Manual API vulnerability tests and exploit reviews
  • Also covers microservices
• Ongoing assessments
  • Report results to clients through the platform
• Report, triage, and retest
  • We’ll write a report for pentests with at least eight (8) credits

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

4 - External Network Pentests

We use the penetration testing methodologies listed on the page. If you want to know more about each methodology, navigate to the page associated with your asset.

External Networks

The Cobalt team of pentesters can proceed with a minimum of information, such as the IP addresses in question. However, you can include the following details in the scope of your desired pentest:

• Network diagrams
• Infrastructure diagrams
• Accounts (even temporary accounts for pentests)
• User information

When you set up a pentest for an external network asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OSSTMM and SANS top 20 security controls.

Learn more about these objectives:

• Open Source Security Testing Methodology Manual (OSSTMM) (PDF).
• SANS Top 20 Security Controls CIS Controls v8

We follow an industry standard methodology primarily based on the OSSTMM standard for penetration testing.

• Reconnaissance
  • Corporate website
  • Related websites, databases
  • DNS
  • Public records (such as WHOIS information)
• Service discovery
  • Port scans on specific IP ranges
  • Focus on public-facing services
  • Follow-up with further tests
• Vulnerability scans
  • Test for penetration of the internal network
• Manual assessment
  • Public-facing services (Web, FTP, Email, Firewalls, Routers, DNS, VPNs, and more)
• Report, triage, and retest
  • We’ll write a report for pentests with at least eight (8) credits

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

5 - Cloud Pentests

We support penetration testing of systems in the following cloud environments:

• Amazon AWS
• Google Cloud Platform (GCP)
• Microsoft Azure

While we perform many of the same tests on different cloud configurations, each environment has unique testing requirements.

Common Requirements

Cobalt assesses your selected cloud environment, as well as all internal and external components. Cobalt follows an industry standard methodology primarily based on:

• Best practices established by your cloud provider
• OWASP standards for Cloud Providers (PDF) and Application Security Verification Standard (ASVS).

The Cobalt team of pentesters do not need access to the underlying web application source code, unless you specify it as a requirement.

We follow an industry standard methodology primarily based on the OWASP ASVS Testing Guide. Our team takes the following steps to ensure full coverage:

• Target scope reconnaissance
• Component enumeration
  • Based on automated component discovery
• Automated component configuration assessment
  • Detail risks, based on Center for Internet Security (CIS) best practices
• Automated / manual review of externally exposed services
  • Basic vulnerability assessments
• Architectural design analysis
• Report, triage, and retest
  • We’ll write a report for pentests with at least eight (8) credits

In general, the cloud providers that we work with no longer need to know before we perform our pentests. However, each cloud provider may have their own procedure. We’ve included links to procedures that we know of in the section for each provider.

Source IP Addresses

Cloud providers may need to include IP addresses associated with pentest traffic in their allowlist. We’ll share these addresses when you create an actual pentest.

Testing Parameters

When you create a pentest that involves a cloud provider, we’ll share the information that your cloud provider may require, including:

• Peak bandwidth
• Peak queries per second
• Escalation traffic requirements
• Emergency contact information

Amazon AWS

Our pentesters need access to test your AWS systems. To that end, you should prepare:

• A dedicated AWS account for each pentester, with access to each target system.
  • Identity and Access Management (IAM) API credentials for each affected AWS account.
    • Include the following managed policies for the pentest user or role:
      • SecurityAudit
      • ViewOnlyAccess

These are the required policy Amazon Resource Names (ARN):

arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

You should also include the architecture of your cloud configuration.

Google Cloud Platform (GCP)

Our pentesters need access to test your GCP systems. To that end, you should prepare:

• A dedicated GCP account for each pentester, with access to each target system.
  • Identity and Access Management (IAM) API credentials for each affected GCP account.
    • To provide API credentials, use a (service) account with Viewer and Security Reviewer permissions.

Microsoft Azure

Our pentesters need access to test your Azure systems. To that end, you should prepare:

• A dedicated Azure account for each pentester, with access to each target system.
  • Identity and Access Management (IAM) API credentials for each dedicated account.

Other Cloud Providers

We’ve done pentests on other cloud providers. You can refer to the Common Requirements listed earlier.

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.

6 - Internal Network Pentests

We use the penetration testing methodologies listed on the page, based in large part on the OSSTMM.

Special Pentester Needs

Our pentests of internal networks are all performed remotely. To support this access, our pentesters need:

• Access to your internal network through a stable VPN.
• A lightweight Linux server inside the network, used as a jump box.
  • If you use AWS for your internal network, you can use this link to set up a virtual machine.
  • You can also download a Kali VM Image.
  • You’ll need to set up key-based SSH access for each pentester.

Internal Networks

The Cobalt team of pentesters can proceed with a minimum of information, such as the IP addresses in question. However, you can include the following details in the scope of your desired pentest:

• Network diagrams
• Infrastructure diagrams
• Accounts (even temporary accounts for pentests)
• User information

When you set up a pentest for an internal network asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OSSTMM and SANS top 20 security controls.

Learn more about these objectives:

• Open Source Security Testing Methodology Manual (OSSTMM) (PDF).
• SANS Top 20 Security Controls CIS Controls v8

We follow an industry standard methodology primarily based on the OSSTMM standard for penetration testing.

• Reconnaissance
  • Corporate website
  • Related websites, databases
  • DNS
  • Public records (such as WHOIS information)
• Service Discovery
  • Port scans on specific IP ranges
  • Focus on public-facing services
  • Follow-up with further tests
• Vulnerability scans
  • Test for penetration of the internal network
• Manual assessment
  • Public-facing services (Web, FTP, email, firewalls, routers, DNS, VPNs, and more)
  • Access control systems such as Microsoft Active Directory
  • Less secure email protocols (SMTP, POP3, IMAP)
  • Printers
• Report, triage, and retest
  • We’ll write a report for pentests with at least eight (8) credits

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know them!

If you have special instructions for a pentest, add them later, under Special Instructions.