$ diff --left=cobalt --right=hackerone
Cobalt is a PtaaS pioneer with a credit model. HackerOne layers pen test on top of a bug-bounty platform. Both quote-only.
Cobalt wins when you want one vendor to run a continuous pen-test programme across multiple assets through a credit pool. HackerOne wins when you already run bug bounty on the platform and want to fold compliance pen test into the same MSA. Neither vendor publishes a price, so the only honest cost lever is consolidation with what you already use.
Last verified June 2026
PtaaS credit pool
Cobalt publishes a credit unit (1 credit = 8 hours of offensive testing) and three tiers (Standard, Premium, Enterprise) but no credit price. Best fit for buyers running an ongoing programme across web, API, mobile, cloud, and network.
Bug-bounty platform pen test
HackerOne Pentest is a separate product. The researcher pool overlaps with the bug-bounty marketplace; the SOW does not. Best fit for existing HackerOne bug-bounty customers.
$ heatmap --features
| Feature | Cobalt | HackerOne |
|---|---|---|
| Published price | ✗ | ✗ |
| Credit / hour unit published | ✓ | ✗ |
| Bug-bounty marketplace on same MSA | ✗ | ✓ |
| Continuous programme orientation | ✓ | ◐ |
| Web, API, mobile, cloud, network in catalog | ✓ | ◐ |
| Red-team product | ◐ | ◐ |
| Compliance attestation letter | ✓ | ✓ |