Cobalt: A Startup Case Study – Securing the Digital World

Published: April 28, 2025

Cobalt

Cobalt is a cybersecurity-focused startup that connects businesses needing penetration testing with vetted ethical hackers. The company provides professional security testing services to protect digital assets and infrastructure.

  • Founding Year: 2013
  • Headquarters: San Francisco, California, USA
  • Industry: Professional, Scientific, and Technical Services
  • Status: Active

Business Model

Model Type: B2B, Two-sided, Service

  • Clients: Businesses of all sizes, from startups to large enterprises, that require security testing to protect their digital assets and infrastructure. This includes technology-driven businesses that handle sensitive data and prioritize security. Key stakeholders within these organizations include IT & Information Security Teams and DevOps Teams.
  • Suppliers: Vetted security experts or ethical hackers who provide penetration testing services to client businesses

It’s Like: HackerOne but with a Focused Approach on Pentesting and a Strong Emphasis on Collaborative Security

Cobalt, similar to HackerOne, operates in the cybersecurity space, offering vulnerability assessment and management solutions. Both platforms aim to help organizations identify and address security vulnerabilities in their systems.

However, Cobalt differentiates itself through:

  • Pentesting as a Service (PTaaS): Cobalt focuses on providing a streamlined, on-demand pentesting service, offering rapid vulnerability assessments with high accuracy through its PTaaS platform.
  • Collaborative Approach: While HackerOne leverages a broad hacker community, Cobalt emphasizes a more structured, team-based approach. It fosters collaboration among pentesters, allowing them to learn from each other’s experiences and methodologies.
  • Dedicated Support: Cobalt provides dedicated customer service and structured deployment, making it ideal for organizations seeking guided implementation and continuous support throughout the security testing process.

Cobalt’s platform combines the expertise of skilled pentesters with advanced technology, offering features such as seamless integration, comprehensive vulnerability assessments, and an intuitive interface. This approach ensures that applications remain secure and compliant over time, making it particularly valuable for industries with stringent security requirements, such as finance, healthcare, and technology.

Problems Addressed

  • Lack of Accessible and High-Quality Security Testing: Businesses often struggle to find affordable, high-quality security testing services that fit their specific needs.
  • Limited Opportunities for Collaboration with Security Experts: Organizations may lack accessible platforms to connect with ethical hackers, share security concerns, and receive expert feedback.

Solutions

  • Accessible and High-Quality Penetration Testing Services: Cobalt offers a platform to connect businesses with a network of vetted security experts, providing tailored penetration testing services to identify and address vulnerabilities.
  • Vibrant Community for Security Collaboration: The platform provides a space for businesses and security professionals to connect, share insights, participate in discussions, and collaborate on security challenges, fostering a supportive and proactive security environment.

Founding Story

  • When and How Founded: Cobalt was founded in 2013 as CrowdCurity.
  • Founders’ Problem Experience: The founders, who identified as “outsiders to the security world,” observed a significant demand for crowdsourced application security but recognized the limitations of traditional penetration testing methods.
  • The Founders:
    • Jacob Hansen
    • Esben Friis-Jensen
    • Jakob Storm
    • Christian Hansen
  • Founders’ Past Experience: The founders came from diverse backgrounds, including consulting, biotechnology, physics, and software development.
  • Why Able to Start: Their combined skills and outsider perspective allowed them to approach security testing with fresh eyes.
  • Problem-Solving Decision: Initially, they focused on a “bug bounty” program but pivoted to a Pentest as a Service (PTaaS) model due to challenges attracting early investment.
  • Challenges: Attracting early-stage investment for the initial bug bounty model was a key challenge.
  • First Results: The shift to the PTaaS model proved successful, with revenue increasing by 300% in 2015.
  • Continued Growth: Cobalt secured significant funding rounds, including $1 million in 2014 and $1.5 million in 2016, enabling further growth and platform development.
  • Innovation/Technology for Success: Cobalt’s success stemmed from its innovative PTaaS model, combining a proprietary SaaS platform with a vetted community of security experts. This approach provided faster, more efficient, and scalable penetration testing solutions compared to traditional methods.

Key Growth Milestones

  • 2013: Founded as CrowdCurity.
  • 2014: Secured $1 million angel round.
  • 2015: Revenue grew by 300%.
  • 2016: Raised $1.5 million seed round.
  • 2018: Raised $5 million Series A funding.
  • 2020: Secured $29.1 million Series B funding.
  • 2021: Reported 75% YoY growth in ARR.
  • 2022-2024: Recognized as a “Leader” and “Outperformer” in the PTaaS market by GigaOm for three consecutive years.

Market & Competition

Target Market

Cobalt’s target market encompasses businesses of all sizes and industries that require robust cybersecurity measures to protect their digital assets.

This includes organizations seeking comprehensive penetration testing services to identify and remediate vulnerabilities in their systems.

Notable clients include GoDaddy, Vonage, Axel Springer, and MuleSoft.

Market Size and Growth

The global cybersecurity market was valued at approximately $182.86 billion in 2023 and is projected to reach $314.28 billion by 2028, growing at a compound annual growth rate (CAGR) of 11.44%. This growth is driven by the increasing frequency of cyber threats and the escalating need for organizations to safeguard their digital infrastructures.

Potential New Markets

  • Geographic Expansion: While Cobalt has a global presence, with the United States being its largest market, there is potential for further expansion into emerging markets where the demand for cybersecurity services is on the rise.

Number of Clients and Suppliers

As of April 2025, Cobalt reported having over 1,300 customers. Regarding suppliers, the company collaborates with a vetted community of security experts known as the Cobalt Core, having over 500 clients and approximately 300 pentesters on its platform.

Growth Trends

Cobalt has demonstrated significant growth since its inception. In 2020, the company secured $29 million in Series B funding, which fueled further expansion and platform development.

Additionally, the company reported a 60% year-over-year increase in Annual Recurring Revenue (ARR). This financial growth was accompanied by the addition of 450 new customers, expanding Cobalt’s client base to include companies such as Dynatrace, Rubrik, ISS, and Glossier.

Operationally, Cobalt conducted over 2,300 pentests in 2021, marking a 53% increase compared to the previous year. To support this expansion, the company increased its workforce by 53%, welcoming 73 new employees, including strategic executive hires such as Eric Brinkman as Chief Product Officer, Andrew Obadiaru as Chief Information Security Officer, and Russ Cobb as Chief Marketing Officer.

Competitor Landscape

Cobalt operates in a competitive cybersecurity market, particularly within the penetration testing niche.

Key competitors include:

  • Synack: Provides crowdsourced penetration testing services through a global network of ethical hackers.
  • Pentera: Offers automated security validation solutions to identify and remediate vulnerabilities.
  • Astra Security: Delivers comprehensive penetration testing and vulnerability assessment services.
  • Detectify: Provides automated web application security scanning powered by ethical hackers.
  • Veracode: Offers application security testing solutions to identify and fix vulnerabilities in code.

Marketing & Sales

Main Positioning Values: Time & Quality

Website & Socials

  • Website: Cobalt.io
  • Monthly Visits: Cobalt.io’s website attracts approximately 122.6K monthly visits. The majority of visitors come from the United States (40.79%), India (7.66%), Spain (4.77%), Poland (2.82%), and Germany (2.59%).
  • Traffic Sources: Direct traffic represents the largest share, followed by organic search and referrals.
  • Traffic from Social Media: On social media, LinkedIn stands out as the top channel, with 27,402 followers. It maintains a presence on X (formerly Twitter) with 8,571 followers.

Media Coverage

  • Press Releases: Cobalt consistently disseminates press releases to announce company developments, partnerships, and product enhancements. For instance, in January 2025, Cobalt appointed Gunter Ollmann as Chief Technology Officer.
  • State of Pentesting Reports: Annually, Cobalt publishes the “State of Pentesting” report, offering industry insights and establishing the company as a thought leader. The 2024 report highlighted challenges posed by AI adoption and staffing shortages in cybersecurity.
  • GigaOm Recognition: Cobalt has been acknowledged as a “Leader” and “Outperformer” in GigaOm’s Penetration Testing as a Service (PtaaS) market reports for three consecutive years.
  • Funding Announcements: In August 2020, Cobalt raised $29 million to expand its Pentest as a Service platform, as reported by Yahoo Finance.
  • Industry Recognition: In May 2018, Dark Reading covered Cobalt.io’s $5 million Series A funding aimed at fueling the growth of its Pen Testing as a Service platform.

Marketing Strategies

  • Target Audience: Cobalt operated under a B2B model, primarily targeting businesses of all sizes, from startups to large enterprises, with a focus on technology-driven companies. The key target audience within these organizations is IT & Information Security Teams and DevOps Teams that require robust security assessments to protect their digital assets.
  • Customer Acquisition:
    • Direct Sales: A dedicated sales team actively engaged with potential clients.
    • Partnerships: Strategic alliances, such as their partnership with emt Distribution, helped them expand their reach into new markets like the Middle East.
    • Inbound Marketing: Their website and valuable content, including blog posts, explainer videos, and downloadable resources, attracted potential customers actively seeking security testing solutions. For instance, their blog features articles authored by team members like Jacob Fox, who focuses on increasing Cobalt’s marketing presence by crafting positive user experiences on the website.
    • Industry Events: Participation in conferences like Blackhat and DefCon provided networking opportunities and increased brand visibility.
  • Supplier Acquisition: Cobalt curated a community of vetted security experts or ethical hackers who provided the penetration testing services. They ensured a high level of quality and trust through a vetting process.

Product & Innovation

Pentest as a Service (PtaaS) Model

Cobalt revolutionizes traditional penetration testing by offering a Pentest as a Service (PtaaS) platform. This model provides organizations with rapid, on-demand access to a global community of vetted security experts, enabling tests to commence in as little as 24 hours—a significant improvement over the typical 2-4 week lead time associated with conventional consultancies.

Integrated Platform with Real-Time Collaboration

The Cobalt platform enhances the penetration testing process through real-time collaboration features. It offers a dynamic dashboard that visualizes identified vulnerabilities and integrates seamlessly with development tools such as Jira and GitHub. This integration facilitates immediate action on findings and fosters a continuous feedback loop between security testers and development teams, streamlining remediation efforts.

Continuous Testing and Attack Surface Monitoring

To address the evolving cybersecurity landscape, Cobalt has introduced continuous testing capabilities, including Attack Surface Monitoring (ASM). These features provide organizations with ongoing visibility into their external attack surfaces, enabling proactive identification and mitigation of vulnerabilities. The ASM includes automated security checks for exposed credentials, weak cipher suites, missing security headers, and takeover risks, thereby enhancing the organization’s overall security posture.

AI-Driven Workflow Automation

In its commitment to innovation, Cobalt has integrated artificial intelligence to streamline workflow creation. The platform’s AI-driven engine allows users to build complex workflows using simple prompts, significantly reducing the time and effort required for integration processes. This advancement underscores Cobalt.io’s dedication to leveraging cutting-edge technology to enhance user experience and operational efficiency.

Scalable Solutions for Enterprise Security

Recognizing the challenges large enterprises face in scaling security operations, Cobalt has developed features tailored for complex organizational needs. These include in-house pentesting management tools, asset tagging, secure code review, and dynamic application security testing. Such capabilities empower enterprises to optimize their security testing programs, improve collaboration among stakeholders, and strengthen their overall security frameworks.

Financials & Metrics

  • Annual Recurring Revenue (ARR): In 2021, Cobalt achieved significant growth across various aspects of its business. The company reported a 60% year-over-year increase in Annual Recurring Revenue (ARR).
  • Estimated Peak Revenue: Estimated revenue between $50 million and $100 million in January 2025.
  • Total Funding: Approximately $36.6 million to $37 million across multiple rounds.
  • Employee Count: Varied during active phases.
  • Revenue Sources: Cobalt’s primary revenue is derived from its Pentest as a Service (PtaaS) platform, offering on-demand penetration testing services to organizations seeking to enhance their security posture.

Structure & Culture

Structure:

  • Leadership:
    • Chief Executive Officer (CEO): Sonali Shah
    • Chief Technology Officer (CTO): Gunter Ollmann
    • Vice President of Engineering: Mike Garon
    • Chief Financial Officer (CFO): Martin Rannje
    • Chief Revenue Officer (CRO): Chris Essex
    • Chief Information Security Officer (CISO): Andrew Obadiaru
    • Chief Marketing Officer (CMO): Lisa Matherly
    • Senior Vice President of Product: Jason Lamar
    • Chief People Officer (CPO): Rosie Carley
    • Chief Customer Officer (CCO): Jeri Allan
  • Teams: The company has dedicated teams for engineering, product development, sales, marketing, and operations.

Culture:

  • Innovation: Cobalt’s commitment to innovation is evident in its pioneering of the PTaaS model and its continuous development of new features and services.
  • Customer Focus: The company emphasized understanding and meeting the needs of its customers, as seen in its focus on providing value-added content and its efforts to simplify complex security concepts.
  • Collaboration: The PTaaS platform itself was designed to facilitate collaboration between security testers and client teams. Additionally, Cobalt actively engaged with the broader cybersecurity community through events, conferences, and thought leadership initiatives.

Values: 

  • Continuous Learning and Growth: The company promotes a culture of continuous learning, offering employees opportunities for professional development through workshops, mentorship programs, and online courses. This commitment to growth ensures that team members remain at the forefront of industry advancements.
  • Remote-First Flexibility: Recognizing the importance of work-life balance, Cobalt operates as a remote-first company, allowing employees the flexibility to work from various locations. This approach supports diverse talent acquisition and accommodates different working styles.
  • High-Performance Culture: Cobalt celebrates the exceptional contributions of its employees, fostering a high-performance culture that encourages innovation and excellence. By prioritizing a culture of continuous improvement, the company maintains its position as a leader in the offensive security industry.

Impact & Success

Customer Testimonials:

Jarvis Analytics: “When it came to pentesting and assessing our system against threats, we really gravitated towards the Pentesting as a Service model because it was important that my team could login and see exactly what was happening, what testers were working on and finding, as well being able to flexibly buy additional credits as needed.” – STEVEN MAROULIS, FOUNDER AND CEO, JARVIS ANALYTICS

Pendo: Chuck Kesler, Chief Information Security Officer at Pendo, emphasized the efficiency of Cobalt’s platform, stating, “Being able to interact with findings in the platform and discuss them through Slack makes for a much more efficient process.”

KUBRA: Tushar Chandgothia, Vice President of Information Security and Risk Management at KUBRA, highlighted the value of Cobalt’s services, noting, “We went to Cobalt for a single pentest but we loved the process and results, so we continue to go back—Cobalt saves us time and provides us with quality results on a consistent basis.”

Case Studies:

  • Insurity: Operating in a heavily regulated industry, Insurity leveraged Cobalt’s Pentest as a Service (PtaaS) platform to meet compliance requirements such as PCI-DSS and SOC 2. The collaboration enhanced Insurity’s security practices, fostering trust and protecting critical business assets.
  • GoReact: GoReact, an online video feedback platform, partnered with Cobalt to increase the speed, collaboration, and integration of their pentesting processes. The engagement resulted in a more efficient security testing approach, aligning with GoReact’s commitment to robust security standards.
  • Algolia: As a search-as-a-service company, Algolia prioritized protecting customer data. By collaborating with Cobalt, Algolia established a robust, effective, and transparent security program, benefiting from seamless communication and comprehensive reporting capabilities.

Growth & Future

Challenges and Plans

Challenges and Risks:

  • Competition: The PTaaS market is highly competitive, with numerous players vying for market share.
  • Talent Shortage: The cybersecurity industry faces a persistent shortage of skilled professionals, which can potentially impact Cobalt’s ability to scale.
  • Rapid Technological Advancements: Keeping pace with the evolving threat landscape, particularly the rise of AI, required significant and ongoing investment.
  • Economic Pressures: Potential economic downturns and budget constraints within organizations could impact demand for cybersecurity services.

Future Plans:

As of April 2025, Cobalt is poised to advance its position in the cybersecurity landscape through several strategic initiatives:

  • Embracing Artificial Intelligence (AI): Cobalt recognizes the transformative potential of AI in cybersecurity. The company’s 2024 State of Pentesting Report highlighted that 78% of security teams had adopted new AI tools in the past year. Cobalt plans to integrate AI-driven methodologies to enhance the efficiency and effectiveness of its penetration testing services.
  • Enhancing Pentest as a Service (PtaaS) Platform: Cobalt aims to continually refine its PtaaS offerings by:
    • Expanding Integrations: Introducing additional integrations with popular development and security tools to streamline workflows.
    • Improving User Experience: Focusing on intuitive interfaces and user-friendly features to facilitate seamless navigation and operation.
    • Real-Time Collaboration: Enhancing real-time communication channels between clients and pen-testers to expedite issue resolution.
  • Thought Leadership and Community Engagement: Cobalt is committed to sharing insights and fostering discussions within the cybersecurity community by:
    • Publishing Industry Reports: Continuing the annual “State of Pentesting” reports to provide valuable data and analysis on emerging trends and challenges.
    • Hosting Webinars and Events: Organizing educational sessions to discuss best practices, compliance strategies, and the evolving threat landscape.
  • Geographic and Market Expansion: To address the growing global demand for robust cybersecurity solutions, Cobalt plans to:
    • Enter New Markets: Expand its services into additional geographic regions, tailoring solutions to meet local compliance and security requirements.
    • Diversify Client Portfolio: Target various industries, including healthcare, finance, and technology, to provide specialized security assessments.

Key Takeaways for Entrepreneurs

  • Embrace a two-sided marketplace model: Cobalt’s success highlights the power of connecting two distinct groups with a shared need. Consider if a similar model could unlock value in your chosen market.
  • Focus on a niche, then scale: Cobalt initially targeted technology-driven businesses for their security testing needs. Starting with a specific niche can help you gain traction and build expertise before expanding to a broader market.
  • Diversify your customer acquisition strategy: Cobalt utilizes a mix of direct sales, partnerships, inbound marketing, and industry events. Don’t rely on just one channel – explore and test different approaches to reach your target audience.
  • Build a strong community around your service: Cobalt carefully curates its network of security experts, ensuring quality and trust. Cultivating a strong community can be a significant differentiator, attracting both customers and suppliers.
  • Don’t underestimate the power of physical products: While Cobalt itself focuses on digital services, its expert analysis highlights a resurgence in physical product businesses. Don’t discount the potential of the physical world, even in a digitally-driven era.
  • Look for opportunities in underserved markets: Cobalt’s expert analysis points to the growing demand for D2C product launch support, particularly among creators and influencers. Identify underserved segments within your market and tailor your solution to their specific needs.

Nansel Bongdap

Business & Finance Writer

Seasoned writer with a talent for making complex market dynamics and supply chain strategies accessible. Drawing from hands-on experience managing businesses in publishing, medical supplies, and forex trading, he blends theory with real-world insights. His expertise spans vertical integration, cost reduction, and market strategy—helping entrepreneurs navigate real-world challenges. Known for his engaging, often humorous style, Bongdap transforms intricate financial concepts into practical knowledge for business owners and decision-makers.
