Independent reference. Not affiliated with any vendor listed.

$ diff --left=cobalt --right=hackerone

Cobalt is a PtaaS pioneer with a credit model. HackerOne layers pen test on top of a bug-bounty platform. Both quote-only.

$ answer --question="Cobalt or HackerOne: which fits which buyer?"

Cobalt wins when you want one vendor to run a continuous pen-test programme across multiple assets through a credit pool. HackerOne wins when you already run bug bounty on the platform and want to fold compliance pen test into the same MSA. Neither vendor publishes a price, so the only honest cost lever is consolidation with what you already use.

Last verified June 2026

$ left --vendor=cobalt
Cobalt

PtaaS credit pool

Cobalt publishes a credit unit (1 credit = 8 hours of offensive testing) and three tiers (Standard, Premium, Enterprise) but no credit price. Best fit for buyers running an ongoing programme across web, API, mobile, cloud, and network.

open cobalt-pricing →

$ right --vendor=hackerone
HackerOne

Bug-bounty platform pen test

HackerOne Pentest is a separate product. The researcher pool overlaps with the bug-bounty marketplace; the SOW does not. Best fit for existing HackerOne bug-bounty customers.

open hackerone-pricing →

$ heatmap --features

$ heatmap --rows=7 --cols=2
FeatureCobaltHackerOne
Published price
Credit / hour unit published
Bug-bounty marketplace on same MSA
Continuous programme orientation
Web, API, mobile, cloud, network in catalog
Red-team product
Compliance attestation letter