Cobalt adds AI features to boost continuous pentests
Cobalt has introduced new artificial intelligence features to its continuous penetration testing platform, adding automated reconnaissance, vulnerability discovery and triage while leaving human testers to focus on more complex attack paths.
The update reflects a broader shift in cyber security as companies contend with larger, faster-changing attack surfaces across APIs, cloud systems, microservices and AI-based applications. Security teams are under pressure to move beyond periodic tests and maintain a continuous view of exposure.
The new functions sit within the Cobalt Offensive Security Platform, combining machine-led analysis with human pentesters and drawing on more than a decade of historical testing data. The model was trained on thousands of engagements and millions of vulnerability signals gathered over that period.
New functions
One addition is automated reconnaissance. The platform maps attack surfaces across JavaScript routes, shadow APIs and subdomains, then presents that information to testers at the start of an engagement.
Another feature focuses on vulnerability discovery, combining automated scanning with AI-based credential validation. The system checks form fields and common exposures, including well-known software flaws such as Log4j and WordPress vulnerabilities.
Cobalt has also added data enrichment tools that pull in information from public exploit feeds and pair it with the company's historical intelligence. Findings are then presented with added context linked to known adversarial behaviour.
Triage has also been updated. An AI-driven engine normalises and deduplicates findings across scanner outputs, creating a single view of verified issues and reducing repeated manual review.
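The normalise-and-deduplicate step described above, as an added illustration that is not Cobalt's engine or code: two constructed scanner output formats are mapped onto one schema and merged on a (host, canonical path, CWE) fingerprint, keeping the highest reported severity and every scanner that saw the issue. Numeric and templated path segments are collapsed so the same flaw reported against different record ids is counted once.

```python
"""Normalise and deduplicate findings across two scanner output formats.
Added example; the scanner formats and sample findings are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample output: scanner A reports per-URL with a CWE id,
# scanner B reports per-host/path with a free-text title.
SCANNER_A = [
    {"url": "https://app.example.com/login?next=/home", "cwe": "CWE-79", "sev": "high"},
    {"url": "https://app.example.com/Login/", "cwe": "CWE-79", "sev": "medium"},
    {"url": "https://api.example.com/v1/users/123", "cwe": "CWE-639", "sev": "high"},
]
SCANNER_B = [
    {"host": "APP.EXAMPLE.COM", "path": "/login", "title": "Reflected XSS (CWE-79)", "risk": 3},
    {"host": "api.example.com", "path": "/v1/users/{id}", "title": "IDOR CWE-639", "risk": 3},
]
SEVERITY = {"low": 1, "medium": 2, "high": 3}
ID_SEGMENT = re.compile(r"/(\d+|\{[^}]+\})(?=/|$)")  # /123 or /{id} segments

def canonical_path(path):
    """Lower-case, strip the trailing slash and collapse id-like segments."""
    path = path.lower().rstrip("/") or "/"
    return ID_SEGMENT.sub("/{id}", path)

def normalise_a(f):
    u = urlsplit(f["url"])
    return {"host": u.hostname, "path": canonical_path(u.path), "cwe": f["cwe"],
            "severity": SEVERITY[f["sev"]], "source": "A"}

def normalise_b(f):
    m = re.search(r"CWE-\d+", f["title"])
    return {"host": f["host"].lower(), "path": canonical_path(f["path"]),
            "cwe": m.group(0) if m else "CWE-UNKNOWN", "severity": f["risk"], "source": "B"}

def fingerprint(n):
    return (n["host"], n["path"], n["cwe"])

def triage(findings_a, findings_b):
    """Merge both feeds into one record per fingerprint: highest severity wins,
    and the set of reporting scanners is kept for later human verification."""
    merged = {}
    for n in [normalise_a(f) for f in findings_a] + [normalise_b(f) for f in findings_b]:
        key = fingerprint(n)
        if key not in merged:
            merged[key] = {"host": n["host"], "path": n["path"], "cwe": n["cwe"],
                           "severity": 0, "sources": set()}
        merged[key]["severity"] = max(merged[key]["severity"], n["severity"])
        merged[key]["sources"].add(n["source"])
    return merged
```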
The product now supports the Model Context Protocol, or MCP, allowing AI assistants to interface with pentest data in a controlled way. Security teams can query test results, triage findings and correlate risks through natural language prompts.
Human focus
Cobalt is positioning the release around a division of labour between automation and specialist testers. Software handles basic discovery and scanning, while human researchers concentrate on exploitation chains and business risk.
"AI is a powerful productivity tool, but a poor substitute for expertise," said Sonali Shah, CEO of Cobalt. "After running thousands of pentests annually, analyzing millions of vulnerability signals, and refining our platform alongside a global community of elite pentesters, we've built one of the deepest datasets of real-world offensive security intelligence in the industry. By integrating AI across the entire testing lifecycle - from reconnaissance to remediation - we give our experts the bandwidth to think like real attackers. That's how we deliver the frequency of automation with the depth of human-led adversarial testing."
The announcement builds on AI reporting and insights tools introduced in the final quarter of 2025. Those functions automated parts of vulnerability documentation, benchmarking and product guidance. The latest release extends AI further into the testing workflow itself.
Market pressure
The move comes as security providers race to show how AI can improve offensive and defensive workflows without removing human oversight. Attackers are also using automation more heavily in reconnaissance and exploitation, raising concerns that conventional testing cycles may miss changes between scheduled assessments.
Continuous testing has gained ground as software release cycles have shortened. Modern development environments can change daily, particularly in cloud-native systems, leaving security teams looking for tools that can identify exposed assets and likely weaknesses more often.
Cobalt's approach differs from fully automated scanning services by keeping human validation at the centre of the process. It argues that this reduces noise and improves the relevance of findings.
Gallagher, a Cobalt customer, said that distinction mattered in practice. Jon Cheuvront, senior security engineer at Gallagher, described human review as the main point of difference.
"While many continuous solutions rely solely on AI and scripts, the human validation provided at Cobalt is the key differentiator," he said. "By leveraging the company's pentesting expertise, we move beyond the noise of raw data, allowing our team to focus on high-impact remediation rather than manual de-duplication."
Pentests can now be scoped and initiated through the platform with limited manual setup before automated testing begins. Human experts then join once the initial reconnaissance and scanning stages are complete. Future development will continue to focus on tighter integration between AI-driven workflows and human-led testing.