Archive for Cobalt

Cobalt Names Christopher Elisan as Head of Offensive Security Research and Community

Posted in Commentary on April 23, 2025 by itnerd

Cobalt today announced the appointment of Christopher (Tophs) Elisan as its new Director of Offensive Security Research and Community. In this role, Elisan will drive continuous innovation in offensive security practices and lead the Cobalt Core, the company's community of 450+ pentesters.

Elisan is a seasoned cybersecurity professional with expertise in both offensive and defensive technologies. As an Advanced Persistent Threat (APT) researcher, he has a track record of researching threat actor tooling, malware, delivery vectors, and attack infrastructure. His understanding of attacker behavior, and of the human elements behind cyberattacks, informs a nuanced, strategic approach to threat intelligence.

Elisan's career spans positions at organizations including RSA NetWitness, Polyswarm, Flashpoint, F-Secure, and Trend Micro, where he led global security teams through complex investigations, vulnerability management, and the deployment of advanced security solutions. He has also authored three books, including Hacking Exposed: Malware and Rootkits and Malware, Rootkits & Botnets: A Beginner's Guide, and speaks at international conferences on current cybersecurity threats and incidents.

At Cobalt, Elisan will oversee the company's effort to evolve pentesting from an art into a science, combining offensive security testing with threat intelligence analysis to enhance its Penetration Testing as a Service (PTaaS) offerings. His work will focus on identifying emerging vulnerabilities, analyzing adversary tactics, techniques, and procedures (TTPs), and providing actionable insights that help businesses stay secure.

Elisan's appointment underscores the company's commitment to proactive cybersecurity: combining offensive security with research to deliver timely insights that help organizations strengthen their defenses and stay ahead of attackers.

Organizations Fix Less Than Half of All Exploitable Vulnerabilities, with Just 21% of GenAI App Flaws Resolved

Posted in Commentary on April 14, 2025 by itnerd

Cobalt today announced its seventh annual State of Pentesting Report 2025, which finds that organizations are fixing less than half of all exploitable vulnerabilities, and just 21% of the flaws found in genAI applications.

The Cobalt State of Pentesting Report explores the vulnerability landscape organizations face today and shows how security leaders' view of their own security posture is contradicted by the number of unremediated findings in their organizations. Based on an analysis of pentests carried out by Cobalt, combined with the results of a survey of security leaders, Cobalt found significant discrepancies between how "safe" security leaders believe their organizations are and the reality.

Key findings include:

  • Over-confidence: 81% of security leaders are "confident" in their firm's security posture, even though 31% of the serious findings discovered remain unresolved.
  • Too many findings left unresolved: Overall, firms remediate just 48% of all pentest findings. The figure improves to 69% for findings labeled serious (vulnerabilities rated high or critical severity), which still leaves nearly a third of serious findings open.
  • GenAI apps are the weakest spot: Organizations are particularly struggling with vulnerabilities in their genAI Large Language Model (LLM) web apps. Most (95%) firms have pentested these apps in the last year, and a third (32%) of those tests found vulnerabilities warranting a serious rating.
    • Of those findings, only 21% were fixed. The risks include prompt injection, model manipulation, and data leakage.
    • 72% ranked AI attacks as their number one concern, ahead of risks from third-party software, exploited vulnerabilities, insider threats, and nation state actors.
    • Only 64% say they are "well equipped to address all security implications of genAI."
  • Speed over security: More than half of security leaders (52%) say they are under pressure to support speed at the cost of security.
  • Gaps in software security assurance: Just half (50%) fully trust that they can identify and prevent a vulnerability originating from their software suppliers, a particular concern given that 82% are required by customers or regulators to provide software security assurance.

Methodology

The report analyzes two datasets. The majority of the analysis is based on data from Cobalt pentests spanning more than 2,700 organizations. Metadata from these pentests was exported from the Cobalt Offensive Security Platform, sanitized to remove client-identifying and other sensitive details, and provided to Cyentia Institute for independent analysis. This is supplemented by the results of a survey of security leaders conducted by a third-party research firm, Emerald Research.