Cobalt

Cobalt is not a bug bounty platform. It's a pentest-as-a-service offering built on a vetted pool of security researchers called Cobalt Core. If you're looking for free-form bug hunting with per-finding payouts, this isn't it. If you want scoped, time-boxed engagements with predictable compensation and a path out of the chaos of bounty economics, it's worth understanding.


Cobalt Core

Cobalt Core is the vetted pentester pool that staffs Cobalt's client engagements. Membership requires an application and vetting process - Cobalt reviews your experience, skills, and background before you're eligible to take on work through the platform.

The vetting is a genuine filter. Cobalt clients pay for engagements expecting professional-grade work and a final report they can use internally or show to auditors. The Core selection process reflects that expectation.

Once you're in Core, you receive engagement opportunities matched to your skill areas. You accept or pass on them based on your availability and interest. There's no obligation to take every engagement you're offered.


How Engagements Work

A Cobalt engagement is a time-boxed, scoped penetration test:

  • Defined scope: The client specifies exactly what's in scope - application URLs, IP ranges, API endpoints, or mobile applications. You don't expand outside it.
  • Defined window: Engagements have start and end dates. The testing window is typically one to two weeks for a standard web application pentest.
  • Deliverable: At the close of the engagement, a report goes to the client summarising findings, severity ratings, and remediation recommendations. Cobalt handles the report assembly and client delivery.
  • Compensation: Cobalt Core members are compensated per engagement or per hour depending on the engagement type. You're paid for your time, not just for findings.

The per-hour or per-engagement compensation model is the key practical difference from bug bounty. A bug bounty program pays you nothing if you spend a week on a target and find nothing. A Cobalt engagement pays you for the week regardless.


Application and Vetting

To apply for Cobalt Core, you typically need to demonstrate:

  • Relevant professional experience - prior pentest work, security roles, or a strong bounty track record
  • Technical skills matching at least one of Cobalt's engagement types (web, mobile, API, network, cloud)
  • Willingness to operate under NDAs and client confidentiality requirements

Cobalt is not a platform to start your security research career on. It's a path for researchers who already have demonstrated skills and want to convert them into steadier paid work. The vetting process is designed to identify people who can handle client-facing engagements professionally, not just technically.


How It Differs from Bug Bounty Platforms

Factor                      Bug Bounty (H1/Bugcrowd)     Cobalt
Pay model                   Per finding                  Per engagement / hour
Scope freedom               Choose your own target       Assigned by client
Time structure              Continuous, open-ended       Time-boxed engagement
Output                      Report per bug               Full pentest report
Income predictability       Low                          Higher
Public portfolio building   Via disclosures              Restricted by NDA

Researchers who run both Cobalt and traditional bounty programs tend to treat them differently: Cobalt for income stability, open platforms for competitive hunting and profile building.


Realistic Expectations

Cobalt Core membership doesn't guarantee a constant stream of engagements. Volume depends on Cobalt's client pipeline and how well your skill profile matches available work. Some Core members run multiple engagements per month; others go weeks between opportunities.

If income predictability is your primary goal, building relationships with pentest firms directly alongside a Cobalt Core membership gives you more surface area. Cobalt is one channel, not a complete solution.