Cobalt PTaaS Pricing in 2026
Cobalt is the market-defining PTaaS vendor. It publishes its credit model and tier structure (Standard, Premium, Enterprise) but does not publish list prices on its pricing page: every tier routes to “get a quote.” The dollar figures below are buyer-marketplace estimates from Vendr and G2, not prices Cobalt publishes.
What’s public, what’s not
- Three tiers: Standard, Premium, Enterprise
- 1 credit = 8 hours of offensive security testing
- Credits sold in annual packages; no list prices shown (every tier is “get a quote”)
- Credits are specific to each contract year
- Entry platform fee ~$2,500/month (Vendr/G2 reports)
- Per-credit price ~$1,800 blended (varies by volume)
- Annual contract values $15k-$50k for mid-market (Vendr)
- Large credit bundle discounts (15-25% at $50k+)
Estimated Cobalt Cost by Tier (buyer-marketplace data)
Tier names are Cobalt’s published tiers. Dollar figures are estimates triangulated from Vendr and G2, not list prices published by Cobalt.
| Tier | Est. monthly equiv. | Credits | Blended hourly | Best for |
|---|---|---|---|---|
| Standard | ~$2,500/mo (est.) | Annual credit pack | ~$225/hr blended | First pentest, SOC 2 one-off |
| Premium | ~$4,000-$6,000/mo (est.) | Larger credit pool, rollover | ~$200/hr blended | Quarterly testing, multi-app |
| Enterprise | Contact sales | Volume packs ($50k+) | ~$175-$200/hr | Continuous testing, large portfolio |
Tier names: cobalt.io/pricing (Standard/Premium/Enterprise, contact-sales). Dollar estimates: Vendr Cobalt marketplace and G2 Cobalt pricing reviews. Cobalt does not publish list prices. Last verified June 2026.
Typical Engagement Scenarios
- 1 credit (8 hours), Standard tier: covers a small web app, OWASP Top 10, summary report.
- 4 credits/yr, Core plan: web app plus API set, authentication testing, quarterly cadence to match sprint cycles.
- 10+ credits, Enterprise plan: multi-app portfolio, continuous coverage, custom methodology.
Cobalt vs Nearest Competitors
- HackerOne: assessments are estimated at ~$15k entry (third-party data, not published) vs Cobalt's ~$2,500/mo plus credits (also estimated). Cobalt is cheaper for a one-off engagement; HackerOne suits bounty-first organizations.
- Synack: contact-sales only, with a managed crowdsource model. Cobalt is more self-serve with a clearer pricing structure. Synack is stronger for FedRAMP.
- Bishop Fox: $25k+ traditional SOW. At similar annual spend, Cobalt provides continuous coverage; Bishop Fox provides a deeper one-time methodology.
How to actually get a Cobalt quote
Cobalt is the most self-serve of the 8 vendors, with the fastest platform-native onboarding. Start at cobalt.io and request the Standard tier. Before you request a quote, prepare:
- App inventory: list of all apps, their tech stack, approximate endpoint count
- Testing cadence: how often you want to test (quarterly, after major releases, continuous)
- Compliance trigger: SOC 2, PCI, ISO 27001, or general security maturity
- Timeline: when you need the report (a tight deadline can add an urgency premium)
Quote turnaround: 1-2 business days for the Standard tier; 3-5 days for custom enterprise contracts.
Strengths and Weaknesses
Strengths:
- Fastest time-to-test of all 8 vendors (platform-native)
- Most transparent pricing model in the PTaaS category (credit model and tiers are public, even though list prices are not)
- Integrated platform (scope, testing, reporting, retest)
- Strong SOC 2 and ISO 27001 attestation depth
- G2 4.5/5, strong developer-facing UX
Weaknesses:
- Platform fee adds cost for infrequent buyers (one-off SOC 2)
- Credit model can make annual cost hard to predict without Vendr/G2 data
- Less depth than boutique firms (Trail of Bits, IOActive) for complex targets
- Not FedRAMP authorized (Synack is)