Cobalt pioneered the Pentest as a Service (PTaaS) model when they launched in 2013. Their platform approach — connecting companies with a curated pool of freelance security researchers through a self-service interface — was a genuine disruption to the traditional consulting model. Faster starts, more flexible scope, and platform-based finding management made Cobalt an attractive choice for SaaS companies that found traditional firms too slow and too expensive.
Lorikeet Security builds on the PTaaS model with a different philosophy: dedicated-team testers who develop deep familiarity with your architecture over time, integrated continuous attack surface management, and testing depth that goes beyond standard web app checklists into the complex authorization and cloud security issues that break real companies.
This comparison examines where the models differ and what that means for you.
Understanding the Crowdsourced Pentest Model
Cobalt's model is based on what they call the "Cobalt Core" — a vetted pool of freelance security researchers who bid on or are assigned to testing engagements. This model has real advantages:
- Speed: With a large pool of available researchers, Cobalt can often start an engagement within days rather than the weeks required by traditional firms
- Breadth: A large pool means more diversity of expertise — you can potentially match researchers with specific domain knowledge
- Scale: Cobalt can run many engagements simultaneously, making them accessible to companies that might struggle to get timely attention from a boutique firm
However, the crowdsourced model also has inherent structural limitations that matter for certain types of testing:
The consistency challenge
When testing is performed by different researchers on successive engagements, there is no institutional memory of your specific architecture. The researcher testing your API this year may have no knowledge of the edge-case vulnerability that was remediated last year, or of the architectural quirk in your multi-tenant data model that makes standard BOLA (broken object level authorization) testing techniques less effective. Consistency of coverage requires consistency of testers.
Quality variance
Crowdsourced pools, by definition, have variance. Cobalt vets their Core researchers, but "vetted" means meeting a baseline standard — not guaranteed senior-level expertise on every engagement. The luck of researcher assignment can significantly affect the depth of your results.
Complex scope limitations
Cobalt's model works well for defined-scope web application and API testing. Internal network assessments, cloud infrastructure security testing, and complex red team engagements that require sustained presence and iterative reconnaissance are harder to execute with a rotating roster of researchers who are working your engagement on a part-time basis alongside other clients.
Direct Comparison
| Factor | Cobalt | Lorikeet Security |
|---|---|---|
| Testing model | Crowdsourced freelance researchers (Cobalt Core) | Dedicated team with ASM integration |
| Tester consistency | Different researchers per engagement typical | Same senior team across engagements |
| Engagement start | Often 2–5 days with available researchers | 1–2 weeks (scoping + scheduling) |
| Pricing model | Credit bundles ($10K–$50K+ annual) | Fixed-price per engagement |
| Best test types | Web app, API, mobile — standard scope | Web app, API, cloud, assumed breach, CI/CD |
| Internal network testing | Limited — primarily external scope | Supported with appropriate access |
| Continuous monitoring | Platform finding tracking; limited ASM | Integrated continuous ASM |
| Remediation retesting | Costs additional credits | Included in engagement |
| Finding quality floor | Depends on assigned researcher | Senior-reviewed on all findings |
| Architecture familiarity | Re-established each engagement | Accumulates across engagements |
The Credit Model Problem
Cobalt's credit-based pricing is worth examining carefully before you commit. The model works well when your testing needs are predictable and fit neatly into Cobalt's credit packages. It creates friction when:
- Scope expands mid-engagement: If your pentest uncovers a new attack surface that should be included, additional credits are required. This creates a perverse incentive — in some cases, testers may not fully explore adjacent scope to avoid triggering additional billing conversations.
- You need remediation retesting: Verifying that critical findings are fixed requires additional credits. The decision of whether to retest often becomes a budget question rather than a security question.
- Credit packages expire: Unused credits may lapse, creating pressure to schedule testing on your vendor's timeline rather than when it makes the most sense for your development cycle.
- Complex engagements don't fit standard credit costs: A cloud infrastructure assessment or assumed breach test doesn't map cleanly to a predefined credit value, creating scoping confusion.
Fixed-price engagements, by contrast, let you plan security spend as a known cost. You know exactly what you are getting before you sign.
Where Cobalt Genuinely Wins
Cobalt is not a bad choice. For specific situations, they are a strong option:
- You need to start a test within days and your testing cadence is high-volume and predictable
- You primarily need standard web application testing with a defined, narrow scope
- Your team is already familiar with the Cobalt platform and has relationships with specific Core researchers
- You have the in-house security capacity to review and prioritize findings independently — you need execution, not guidance
- Your compliance framework specifically requires documented PTaaS-model testing and Cobalt is an accepted vendor
Where Lorikeet Security Wins
- You need consistent depth from testers who know your architecture — not whoever is available from the pool this quarter
- Your primary risk areas are cloud configuration, multi-tenant authorization, or CI/CD security — beyond standard OWASP Top 10 checklists
- You want continuous attack surface monitoring integrated with your testing program, not just a management dashboard
- Remediation retesting within scope matters to you — you want to confirm fixes before your compliance deadline
- You are a growth-stage company that wants a security partner who understands your stage, not a platform that routes you to the next available researcher
- You want transparent, fixed pricing — no credit math, no scope expansion surprises
Questions That Reveal the Difference
When evaluating Cobalt or any PTaaS provider, these questions will reveal the real model behind the platform marketing:
- "Who specifically will test us, and will it be the same person on retests?" — The answer reveals the consistency model immediately.
- "What happens if I want to add scope mid-engagement?" — Forces clarity on credit model implications.
- "How do you handle complex, multi-tenant authorization testing?" — This is where crowdsourced models often under-deliver. Ask for specifics, not generalities.
- "Is remediation verification included in my engagement, and at what cost?" — Should be a simple answer. Complexity signals additional billing.
- "Can I see a sample report from a company at our stage and architecture?" — Report quality is the primary deliverable. See it before you buy.
- "What is your escalation process if a critical finding is discovered mid-test?" — Critical findings should be communicated immediately, not held for the final report.
Compare Directly: See Our Sample Reports
We are happy to share sanitized sample reports from companies at your stage and walk you through how our methodology specifically addresses your architecture and compliance needs. No credits, no catch.
Request a Sample Report