The Boston-rooted, San Francisco-headquartered company that quietly invented Pentest as a Service - and then spent a decade convincing the rest of the security industry to follow.
On any given Tuesday at Cobalt, somewhere on the platform a customer clicks a button and, within days, a hand-picked team of penetration testers - real humans with real CVEs to their names - starts trying to break into that customer's app. The findings stream into Slack, Jira, or whatever else the engineering team already lives in. There is no statement of work to redline. No six-month procurement detour. No 80-page PDF arriving at the end.
That ordinary scene is the entire bet. Cobalt is what happens when you decide that penetration testing should behave like software: continuous, observable, integrated, and faintly embarrassing to do any other way.
For most of the 2010s the standard enterprise pentest looked like this: a quarterly invoice, a consultant nobody on the engineering team ever met, a Word document delivered weeks after the test was finished, and findings that were stale before they were filed. Security teams treated it like flossing - obligatory, expensive, and largely performative.
Meanwhile every other corner of software - source control, deployments, monitoring - had been refactored into something continuous. Security testing alone got to keep its waterfall.
The catch, of course, was that no one had figured out how to make rigorous, manual, adversarial testing actually scale. Bug bounty platforms tried, but bounty hunters self-select for whatever pays well that week. Big consulting firms scaled by hiring; quality drifted accordingly. There was a gap in the middle, and Cobalt walked into it.
Cobalt started life in 2013 as Crowdcurity - a bug bounty platform launched in Copenhagen by Jacob Hansen, Esben Friis-Jensen, Jakob Storm and Christian Hansen. The pitch was familiar: a marketplace where companies posted vulnerabilities they were willing to pay for, and hackers around the world raced to claim them. The market politely declined to scale.
The instructive part is what they did next. Rather than chase HackerOne and Bugcrowd into the bounty wars, Cobalt's founders flipped the model: instead of paying per vulnerability, they would sell a subscription to a curated team. A managed engagement. A predictable bill. A SaaS dashboard. The hacker community would stay - but as a vetted "Core," not an open-call mob.
They called the new thing Pentest as a Service. Most people in the industry chuckled. Pentest as a Service is now a Gartner-tracked category.
Founded in Copenhagen as Crowdcurity. A bug bounty platform with a respectable URL and a niche pitch.
$1M seed round led by Tim Draper. The pitch deck still says "bug bounty."
Rebrand to Cobalt. The product begins its slow rotation toward managed pentesting.
$5M Series A from byFounders. The category gets a name - PtaaS - and a definition.
$29M Series B led by Highland Europe. Customer count crosses four digits.
Sonali Shah - ex-Invicti, Wharton MBA - is named CEO. Profitability follows. Coincidence is debatable.
AI-augmented pentests ship. The Cobalt Core hits 500 vetted members. 88 G2 badges. 31,000 testing days. One profitable year.
The core offering is still Pentest as a Service: scope an asset, pick a window, get matched with Core pentesters whose specialties fit the stack, watch findings appear in real time. What's grown around it is everything that makes the pentest itself useful.
On-demand, human-led pentests delivered through a SaaS workflow. Real-time findings, native Slack/Jira/GitHub integrations.
Dynamic Application Security Testing, layered underneath the manual work to catch the obvious stuff cheaply.
Continuous inventory of internet-facing assets. The "wait, we still own that?" prevention engine.
500+ vetted pentesters, matched to engagements by skill and stack. The community that makes the SaaS not feel like a tool.
Announced October 2025. Cobalt's position: AI accelerates humans; it doesn't replace them. Yet.
SOC 2, ISO 27001, PCI - the boring documents auditors want, automatically generated from the testing platform.
Press releases are cheap. The interesting metric for a security company is volume of useful adversarial work performed - the sort of thing that's hard to fake and easy to verify with customers.
[Chart: testing days by year. Caption: bars scaled to testing days. The smallest bar is also the scariest one.]
The customer roster reads like a SaaS investor's portfolio page: Flexport, Vonage, Verifone, Snow Software, Algolia, Aircall, and roughly 1,500 others Cobalt is contractually less keen to name.
Cobalt's stated mission - modernize traditional pentesting into something continuous, collaborative and scalable - reads like a tagline until you remember what it's replacing: the annual ritual, the printed report, the consultant nobody can email. The shift is from "we got pentested in Q3" to "we have a pentest running."
Sonali Shah, who took the CEO role in August 2024, has been blunt about the next chapter. AI is going to commodify the easy half of pentesting. Cobalt's job, she has argued, is to make sure the human half - the creative, adversarial, "what if we tried this" half - scales alongside it. The Core grew 11% in her first year. The platform got AI features. The company got profitable. So far the math is working.
The thing about modern software is that nobody finishes it. Code deploys hourly. APIs sprawl. AI agents make decisions on behalf of customers. The attack surface grows on a schedule no quarterly pentest can keep up with. Cobalt's argument - put bluntly - is that traditional pentesting cannot survive this decade. Either testing becomes continuous, or it becomes ceremonial.
It is a tidy thesis with one inconvenient implication: every company that still buys a once-a-year pentest is, sooner or later, going to be a Cobalt customer or a cautionary tale.
Back to that ordinary Tuesday. A button gets clicked. A vetted team spins up. A finding surfaces in Slack before lunch. The annual ritual is dead, and most people in security haven't noticed yet - because Cobalt made the replacement so unceremonious it looked like software all along.