MSSP, Risk Assessments/Management

5 Questions: Caroline Wong, Cobalt CSO on Pen Testing

Pen testing is an essential for managed security service providers. MSSP Alert’s annual 250 research report for 2023 showed that 63% of MSSPs offer pen testing-as-a-service themselves and another 30% partner to offer it. 

One of the companies that offers pen testing as a service (PtaaS) is Cobalt, which partners with MSPs, MSSPs, referral partners, and also reseller and VAR partners.

Caroline Wong, Cobalt‘s chief security strategist (CSO), told MSSP Alert that the company’s channel partners can differentiate their service offering by incorporating offensive security pen testing as part of their overall managed security solution.

Cobalt’s channel program spans MSSPs, MSP, referral partners and reseller and VAR partners. The company stresses that its Pentest-as-a-Service (PTaaS) offering enables security service providers to modernize the way they pen test for their clients.

In mid-February, Cobalt published its inaugural OffSec Shift Report that showed a major trend towards blended offensive/defensive approaches, and the improved protection being realized by those leading this shift.

An Expert Look at the Pen Testing Market with Caroline Wong

MSSP AlertWhere’s the pen testing market going this year?

Wong: The pen testing market, like others in the cybersecurity space, will continue to evolve this year as it aims to stay ahead of the evolving threat landscape. Thanks to tools like generative AI, threat actors are developing more advanced and sophisticated cyberattacks at a faster speed, which means businesses need to be prepared to protect themselves like never before. 

Businesses across various industries are recognizing the importance of proactively identifying vulnerabilities within their systems and networks to mitigate potential risks, which is why we’re seeing a trend in combining offensive security tactics like pen testing with existing defensive tactics. 

Additionally, advancements in automation, artificial intelligence, and machine learning will also play a big part in reshaping the pen testing landscape, allowing for faster and more comprehensive assessments. Ultimately, this year will mark a vital phase of innovation and expansion for the pen testing market.

MSSP AlertWhat strategic initiatives have you set for the year?

Wong: We have some exciting things planned for the year ahead that we think will be valuable for both our customers and the cybersecurity community. We recently published our first OffSec Shift report, which looks at the rise in offensive security tactics and how offensive and defensive security tactics can be best used together to prevent breaches and hacks. 

We’ll also be releasing our State of Pen testing report later this spring, which will provide more insights into the cybersecurity landscape and hopefully provide some insights into the biggest concerns cybersecurity professionals are facing right now. 

Outside of our research efforts, we're also expanding our offerings with Dynamic Application Security Testing (DAST) which will bring together automated scanning tools and manual pen testing all on the same platform. This will enable companies to take an offensive approach to cybersecurity by identifying and addressing potential security weaknesses and up-leveling their security programs. 

MSSP Alert: How do you prioritize the needs of Cobalt's customers and channel partners with the company's core values?

Wong: Everything we do at Cobalt ties back to our mission to empower businesses to operate fearlessly and innovate securely. At Cobalt, we invented “pen testing-as-a-service,” and our Cobalt Core has radically changed the pen testing industry. This exclusive and diverse community of thoroughly vetted cybersecurity experts, in combination with our modern SaaS delivery platform, allows for real-time collaboration with customers and partners and quick remediation. 

Our collaboration with partners and customers to incorporate offensive security testing as part of their overall managed security solution allows companies to secure themselves at unparalleled levels.

MSSP AlertHow do you ensure that Cobalt's strategy encourages innovation and investment?

Wong: Because we are inventors and innovators in the space, we’ve always got our eye on what is next. This means we’re always looking into what aspects of pen testing and cybersecurity as a whole are causing frustrations and where they can be improved. 

We conduct regular hackathon exercises to bring small cross-functional groups of Cobalt team members together, and these frequently inform our product roadmap. Recent and ongoing new offerings include Domains (attack surface management), Scans (DAST), and DRA (Digital Risk Assessment). 

MSSP Alert: What strategic uncertainties are there in the market right now? How does Cobalt react to strategic uncertainties? Can you give us an example?

Wong: The market is currently impacted by a number of strategic uncertainties, including economic (inflation and interest rates), political (big election year in the USA), and technical (prevalence and growth of artificial intelligence). 

Cobalt responds to strategic uncertainty by focusing on the basics - the most effective way to secure any system is to conduct technical security testing to find security vulnerabilities, then take action to address and prevent those same vulnerabilities from happening again. 

To respond to economic uncertainties and the realities of security team layoffs and budget cuts, Cobalt recommends shifting cybersecurity investment towards offensive security controls. For years, Cobalt has provided security testing for voting systems as well as artificial intelligence systems. 

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.