Independent research. Not affiliated with Cobalt, HackerOne, Bishop Fox, NCC Group, Trail of Bits, Synack, Bugcrowd, IOActive, or any other vendor named on this site. Prices change. Last verified April 2026.

Cobalt PTaaS Pricing in 2026

Cobalt is the market-defining PTaaS vendor with partial public pricing. The platform-fee structure is public; credit pricing is available via Vendr and G2 marketplace data.

What’s public, what’s not

Publicly confirmed
  • Essentials plan: ~$2,500/month platform fee
  • Enterprise/custom plans: contact sales
  • 1 credit = 8 hours of tester time
  • Credit packs start at $15,000/yr (Vendr data)

Contact sales / estimated
  • Per-credit price (varies by volume; ~$1,800 blended)
  • Large credit bundle discounts (15-25% at $50k+)
  • Enterprise multi-year pricing
  • Add-on retesting beyond included scope

Cobalt Pricing Tiers (April 2026)

Plan              | Monthly fee       | Credits included         | Blended hourly    | Best for
Essentials        | $2,500/mo         | Buy separately           | ~$225/hr blended  | First pentest, SOC 2 one-off
Core (est.)       | $4,000-$6,000/mo  | 2-4 credits/yr included  | ~$200/hr blended  | Quarterly testing, multi-app
Custom/Enterprise | Contact sales     | Volume packs ($50k+)     | ~$175-$200/hr     | Continuous testing, large portfolio

Sources: cobalt.io/pricing, Vendr Cobalt marketplace, G2 Cobalt pricing reviews. Last verified April 2026.

Typical Engagement Scenarios

Single web app, SOC 2 trigger

1 credit (8 hours), Essentials platform. Covers a small web app, OWASP Top 10, summary report.

$2,500 + ~$1,800 credit = $4,300
Best for: Series A startup, first pentest

Web + API, quarterly testing

4 credits/yr, Core plan. Web app + API set, auth testing, quarterly cadence to match sprint cycles.

$30k-$40k/yr estimated
Best for: Growth-stage SaaS, continuous shipping

Continuous PTaaS, 12-month

10+ credits, enterprise plan. Multi-app portfolio, continuous coverage, custom methodology.

$50k-$100k/yr (Vendr data)
Best for: Scale-up, complex infrastructure

Cobalt vs Nearest Competitors

HackerOne assessments start at $15k flat, versus Cobalt's $2,500/mo plus credits. Cobalt is cheaper for a one-off test; HackerOne suits bounty-first organizations.

Synack is contact-sales only with a managed crowdsource model. Cobalt is more self-serve with clearer pricing. Synack stronger for FedRAMP.

Bishop Fox sells traditional SOW engagements starting at $25k+. At similar annual spend, Cobalt provides continuous coverage, while Bishop Fox provides deeper one-time methodology.

How to actually get a Cobalt quote

Cobalt is the most self-serve of the 8 vendors. Start at cobalt.io, select Essentials, and you can initiate testing without a call. For credits beyond Essentials, prepare:

  • App inventory: list of all apps, their tech stack, approximate endpoint count
  • Testing cadence: how often you want to test (quarterly, after major releases, continuous)
  • Compliance trigger: SOC 2, PCI, ISO 27001, or general security maturity
  • Timeline: when you need the report (affects urgency premium)

Quote turnaround: 1-2 business days for Essentials; 3-5 days for custom enterprise contracts.

Strengths and Weaknesses

Strengths
  • Fastest time-to-test of all 8 vendors (platform-native)
  • Most transparent pricing in the PTaaS category
  • Integrated platform (scope, testing, reporting, retest)
  • Strong SOC 2 and ISO 27001 attestation depth
  • G2 4.5/5, strong developer-facing UX

Weaknesses
  • Platform fee adds cost for infrequent buyers (one-off SOC 2)
  • Credit model can make annual cost hard to predict without Vendr/G2 data
  • Less depth than boutique firms (Trail of Bits, IOActive) for complex targets
  • Not FedRAMP authorized (Synack is)