Best fit: mid-market organizations (200-2,500 employees) running compliance-driven testing cycles (SOC 2 Type 2, PCI DSS, ISO 27001), particularly SaaS companies and fintechs that need fast, auditor-acceptable web app and API pen tests with retests included.
Less suited for: Fortune 500 enterprises wanting the largest researcher pool (HackerOne / Bugcrowd are better), federal buyers requiring cleared researchers (Synack is better), EU buyers requiring strict data residency (Intigriti / YesWeHack are better), or buyers wanting a fully managed, continuous bug bounty program.
Is Cobalt a trustworthy vendor?
- 2022-04-12: Series B raised $29M led by Highland Europe; growth capital secured for PTaaS expansion
- 2023-06-15: Pivot to compliance-driven sales messaging; positioning shifted from a developer-tooling brand to a SOC 2 / PCI / ISO 27001 focus
- 2024-03-22: Cobalt Core researcher pool crossed 1,000+ vetted testers; expanded specialty coverage (mobile, IoT)
- 2024-09-22: Pricing escalation reported at renewal; engagement-credit pricing increased 10-15% for renewing customers
- 2025-04-15: Free retest window expanded; retests included within 6 months of engagement close
What 240 reviews actually say
Synthesized from 240 reviews on G2, Capterra, Reddit and Trustpilot. Only patterns with >15% prevalence are shown; the percentage is the share of reviews mentioning the pattern, and the arrow indicates the trend over recent review periods.
Praise patterns
- Fast time-to-engagement (typically <2 weeks): 87% →
- Auditor-ready reports for SOC 2 / PCI / ISO 27001: 78% →
- Free retests within 6 months valued: 71% ↑
- Cobalt Core researcher quality consistent: 64% →
Complaint patterns
- Pricing escalation reported at renewal: 47% ↑
- Researcher pool smaller than HackerOne / Bugcrowd: 41% →
- Specialty engagement scope-creep charges: 38% →
- Compliance pivot reduced developer-experience polish: 31% ↑
What buyers actually pay
142 anonymized deal disclosures · last updated 2026-05-01
| Engagement / contract type | Median annual price (USD) |
|---|---|
| Single engagement (web app) | $18,000 |
| Annual platform (mid-market) | $96,000 |
| Enterprise unlimited | $320,000 |
Editorial: Strengths
- PTaaS pure-play since 2016 (category-defining commercial PTaaS)
- Strong fit for SOC 2 / PCI / ISO 27001 mid-market compliance work
- Cobalt Core vetted-researcher pool (1,000+ background-checked testers)
- Mature retest workflow (free retests within 6 months)
- Fast time-to-engagement (typically <2 weeks scheduling)
- Mature integrations (Jira, ServiceNow, Slack, GitHub)
- $29M Series B 2022 (Highland Europe)
Editorial: Weaknesses
- Pivot to compliance-driven sales from 2023 onward has reduced the developer-experience focus
- Researcher pool meaningfully smaller than HackerOne / Bugcrowd
- Fortune 500 logo coverage thinner than bug-bounty leaders
- Pricing escalation reported at renewal 2024-2025
- Limited bug-bounty product (PTaaS-focused, not bounty-first)
Key features & integrations
- Cobalt Core vetted-researcher pool (1,000+ testers)
- Web app, API, mobile, cloud, and network pen testing
- Free retests within 6 months
- Auditor-ready PDF reports (mapped to SOC 2, PCI, ISO 27001)
- Real-time finding stream during the engagement
- Mature Jira, ServiceNow, Slack, and GitHub integrations
- Dedicated security advisor
- Compliance-mapped reporting templates
Read our full ranking of Penetration Testing as a Service (PTaaS)
Cobalt ranks #2 in our editorial review of 10 Penetration Testing as a Service (PTaaS) platforms. The deep-dive covers methodology, comparison tables, a decision matrix, migration scoring, and FAQs.
Contribute your verified deal price
Pricing in B2B software is opaque because vendors want it that way. Verified buyer prices fix that, anonymously. Share what you actually paid for Cobalt and we will add it to the verified pricing dataset on this page (company size band only, no identifying details).