
Cobalt
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Cobalt connector integrates Brinqa with Cobalt.io — a pentest-as-a-service platform — and synchronizes organizations, assets (under test), pentest engagements, and pentest findings (plus their deduplicated finding definitions) from the Cobalt v2 REST API into the Brinqa platform.
It speaks the application/vnd.cobalt.v2+json media type against https://api.cobalt.io (or an alternate URL configured on the instance).
Data retrieved from Cobalt
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Organization | Yes | (none — intentional) |
| Asset models (six per-type classes) | Yes | Site |
| PentestAssessment | Yes | Assessment |
| PentestFinding | Yes | Pentest Finding |
| PentestFindingDefinition | Yes | Pentest Finding Definition |
Model relationships
For detailed steps on how to view the data retrieved from Cobalt in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Cobalt from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.cobalt.io | Cobalt API URL |
| API key | Yes | — | Cobalt api key |
| Page size | No | 100 | Maximum number of records to get per API request |
| Max retries | No | 5 | Maximum number of retry attempts for a failed request (e.g., HTTP 429 rate-limit responses) |
Authentication
Method: API-key bearer authentication. The API key is configured on the connector; per-organization scoping uses an X-Org-Token header, with the token value returned by the GET /orgs endpoint.
Endpoint
| Method | URL |
|---|---|
GET | {url}/orgs |
Request Headers
| Header | Value |
|---|---|
Authorization | Bearer {apiKey} |
Accept | application/vnd.cobalt.v2+json |
Sample Response
{
"pagination": { "next_page": null, "prev_page": null },
"data": [
{
"resource": {
"id": "or_abc123",
"name": "Example Organization",
"token": "b3JfYWJjMTIzJCRleGFtcGxlLW9yZw=="
},
"links": {
"ui": {
"url": "https://api.us.cobalt.io/links/eyJ0eXBlIjoiT1JHIn0="
}
}
}
]
}
Response Fields
| Field | Type | Description |
|---|---|---|
pagination.next_page | String, nullable | URL of the next page when more records exist |
pagination.prev_page | String, nullable | URL of the previous page |
data[].resource.id | String | Unique identifier for the organization |
data[].resource.name | String | Human-readable organization name |
data[].resource.token | String | Per-organization scope token used as X-Org-Token on subsequent calls |
data[].links.ui.url | String | Deep-link into the Cobalt UI for this organization |
Usage
The connector extracts resource.token from each organization returned by GET /orgs and attaches it as the X-Org-Token header on all subsequent per-org endpoint calls (/assets, /pentests, /findings). The bearer API key is sent alongside on every request:
Authorization: Bearer <apiKey>
X-Org-Token: <token from /orgs for the target org>
Accept: application/vnd.cobalt.v2+json
Sync Behavior
The connector supports incremental (delta) syncs. It maintains a sync token between runs and applies it as an incremental timestamp filter, so each run re-processes only the records that changed after the previous sync. The initial run retrieves the complete data set; later runs are incremental. The specific timestamp field applied to each object is documented under that object's Sync Duration Parameter.
How to obtain Cobalt credentials
Obtain the required credentials (url, apiKey) from your Cobalt administrator or the Cobalt admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Organization
| Source Field Name | SDM Attribute |
|---|---|
links.ui.url | URL |
resource.id | UID / NAME |
resource.name | NAME |
| sync time | LAST_CAPTURED |
Asset models (six per-type classes)
| Source Field Name | SDM Attribute |
|---|---|
derived | CATEGORIES |
envelope links.ui.url | URL |
owning OrgResource.id | ORG_ID |
owning OrgResource.name | ORG_NAME |
resource.asset_type | TYPE |
resource.attachments[].download_url | ATTACHMENT_URLS |
resource.attachments[].file_name | ATTACHMENT_FILE_NAMES |
resource.description | DESCRIPTION |
resource.id | UID / NAME |
resource.logo | LOGO |
resource.tags[].name | TAGS |
resource.technology_stack[].title | TECHNOLOGY_STACK |
resource.title | NAME |
| sync time | LAST_CAPTURED |
PentestAssessment
| Source Field Name | SDM Attribute |
|---|---|
envelope links.ui.url | URL |
| owning org | ORG_ID, ORG_NAME |
resource.asset_id | TARGETS |
resource.collaboration_channel | COLLABORATION_CHANNEL |
resource.coverage | COVERAGE |
resource.end_date | END_DATE |
resource.has_default_scope | HAS_DEFAULT_SCOPE |
resource.id | UID / NAME |
resource.image | IMAGE_URL |
resource.methodology | METHODOLOGY |
resource.num_of_credits | NUM_OF_CREDITS |
resource.num_of_researchers | NUM_OF_RESEARCHERS |
resource.objectives | DESCRIPTION |
resource.out_of_scope_urls[] | OUT_OF_SCOPE_URLS |
resource.point_of_contacts[] | POINT_OF_CONTACTS |
resource.preparation.add_following_ips | PREPARATION_ADD_FOLLOWING_IPS |
resource.preparation.confirm_team_availability | PREPARATION_CONFIRM_TEAM_AVAILABILITY |
resource.preparation.ensure_testers_have_access | PREPARATION_ENSURE_TESTERS_HAVE_ACCESS |
resource.reassociate_carried_over_findings | REASSOCIATE_CARRIED_OVER_FINDINGS |
resource.size | SIZE |
resource.start_date | START_DATE |
resource.state | STATUS |
resource.tag + resource.platform_tags[] | TAGS |
resource.targets[] | IN_SCOPE_URLS |
resource.test_data_types[] | TEST_DATA_TYPES |
resource.test_environments[] | TEST_ENVIRONMENTS |
resource.test_goals[] | TEST_GOALS |
resource.tester_requirements[] | TESTER_REQUIREMENTS |
resource.testing_type | TESTING_TYPE |
resource.title | NAME |
| sync time | LAST_CAPTURED |
PentestFinding
| Source Field Name | SDM Attribute |
|---|---|
envelope links.ui.url | URL |
FindingUtils.normalizeFindingStatus(state) | SOURCE_STATUS |
max(resource.log[].timestamp) | LAST_FOUND |
| owning org | ORG_ID, ORG_NAME |
resource.affected_targets[] | AFFECTED_TARGETS |
resource.asset_id | TARGETS |
resource.attachments[].download_url | ATTACHMENT_URLS |
resource.attachments[].file_name | ATTACHMENT_FILE_NAMES |
resource.created_at | SOURCE_CREATED_DATE |
resource.http_request | REQUEST |
resource.id | UID |
resource.impact | IMPACT |
resource.likelihood | LIKELIHOOD |
resource.pentest_id | PENTEST_ID |
resource.predecessor_id | PREDECESSOR_ID |
resource.prerequisites | PREREQUISITES |
resource.proof_of_concept | PROOF_OF_CONCEPT |
resource.ref_key | REF_KEY |
resource.severity_justification | SEVERITY_JUSTIFICATION |
resource.state | PROVIDER_STATUS |
resource.successor_id | SUCCESSOR_ID |
resource.suggested_fix | RECOMMENDATION |
resource.tag + resource.labels[].name | TAGS |
resource.title | TYPE |
resource.updated_at | SOURCE_LAST_MODIFIED |
| sync time | LAST_CAPTURED |
PentestFindingDefinition
| Source Field Name | SDM Attribute |
|---|---|
FindingUtils.getFindingSeverityScore(SEVERITY) | SEVERITY_SCORE |
FindingUtils.normalizeFindingSeverity(resource.severity) | SEVERITY |
first v2 entry in resource.cvsss[] | CVSS_V2_BASE_SCORE, CVSS_V2_VECTOR, CVSS_V2_SEVERITY |
first v3 entry in resource.cvsss[] | CVSS_V3_BASE_SCORE, CVSS_V3_VECTOR, CVSS_V3_SEVERITY |
first v4 entry in resource.cvsss[] | CVSS_V4_BASE_SCORE, CVSS_V4_VECTOR |
resource.cves[] filtered by CVE-\d{4}-\d{4,} | CVE_IDS, CVE_RECORDS |
resource.cwes[] filtered by CWE-\d+ | CWE_IDS, WEAKNESSES |
resource.description | DESCRIPTION |
resource.labels[].name | TAGS |
resource.severity | SOURCE_SEVERITY |
resource.title | UID / NAME |
resource.title | NAME |
resource.type_category | CATEGORIES |
| sync time | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Organization
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /orgs
Asset models (six per-type classes)
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /assets
PentestAssessment
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /pentests
PentestFinding
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /findings
PentestFindingDefinition
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /findings
Changelog
The Cobalt connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.1 | Bug Fixes - Pentest finding sync failure on findings with CWEs. Cobalt's findings API now returns each entry in a finding's cwes array as an object ({"id": <number>, "name": "<description>"}) rather than a plain string, which caused PentestFinding data integrations to abort with a Jackson deserialization error and skip the entire page of findings. The connector now reads the structured CWE objects and continues to populate the CWE_IDS and WEAKNESSES attributes on PentestFindingDefinition records using the standard CWE-<id> form. - Data integration creation failure. Creating or editing a Cobalt 3.0.0 data integration could fail on the Sync configuration step with an HTTP 500 / Kryo serialization error. The connector now returns its object-type list using a serializable collection, so the schema screen loads reliably. Improvements - Full CVSS metric extraction. PentestFindingDefinition records previously carried only the raw CVSS vector string, base score, and severity. Each CVSS vector reported by Cobalt is now parsed and every individual metric is populated on the record — attack vector, attack complexity, privileges required, user interaction, scope, confidentiality / integrity / availability impacts, and the v4-only metrics (attack requirements, sub-impacts, safety, automatable, recovery, value density, response effort, provider urgency, exploit maturity) — across CVSS v2, v3.0, v3.1, and v4.0. Dashboards, reports, and rules keyed on the granular CVSS metric attributes can now filter Cobalt findings the same way they filter findings from other connectors. - Attribute consolidation precedence. Custom Cobalt attributes (e.g. ORG_ID, ORG_NAME, ATTACHMENT_FILE_NAMES, pentest scope/preparation fields) now participate in consolidation at the default priority, so values reported by the Cobalt connector take precedence over non-connector data sources (UI edits, manual imports, bulk uploads). - Refreshed in-house dependencies (parent platform, connectors model, local store) to pick up upstream platform improvements. | N/A |
| 3.0.0 | New Features - Granular asset mapping. Cobalt assets are now synced as distinct object types derived from their asset_type — SiteAsset, ApiEndpointAsset, NetworkAsset, CloudResourceAsset, HostAsset, and AiLlmAsset — so each asset lands under the correct Brinqa UDM category automatically. - Configurable asset routing. A new assetTypeOverrides operation option lets administrators override how a Cobalt asset_type maps to a Brinqa UDM (JSON map, e.g. {"ai_llm":"CloudResource"}). - Pentest assessments. Cobalt pentests are synced as Assessment records including preparation checklist flags, platform tags, methodology, size, coverage, point-of-contacts, and scope metadata. - Normalized finding catalog. A new PentestFindingDefinition model keyed by finding title carries definition-level metadata (severity, CVSS v2/v3/v4, CVE IDs, CWE IDs, categories), so shared metadata is reported once per finding type no matter how many pentests surface it. - Retry on rate-limit. HTTP 429 responses from Cobalt are retried automatically — the server's Retry-After hint is honored, otherwise an exponential back-off is used. A new maxRetries connector configuration (default 5) caps the retry count. Improvements - Upgraded to the Cobalt v2 API ( application/vnd.cobalt.v2+json). Findings, assets, and pentests now capture every field Cobalt returns — attachments, audit log, HTTP request payloads, reference keys, predecessor/successor links, and organization context. - Finding-to-definition linkage ( TYPE attribute) is now the human-readable finding title rather than an internal hash, making joins visible in dashboards. | • Object-type rename (all models). 1.x emitted four types: Organization, Asset, Pentest, Finding. 3.x replaces them with ten: Organization, SiteAsset, ApiEndpointAsset, NetworkAsset, CloudResourceAsset, HostAsset, AiLlmAsset, Assessment, PentestFinding, PentestFindingDefinition. Action: purge existing Cobalt records and run a full re-sync so objects land under the new type names. • Attribute rename. 1.x custom title-cased attribute keys (e.g. "Sys ID", "Last modified", "Type") are replaced with standard Brinqa attribute names (__UID__, LAST_CAPTURED, SOURCE_LAST_MODIFIED, etc.). Action: update any dashboards, reports, or filters that reference the 1.x attribute keys. • Finding catalog split. Severity, CVE/CWE, and category data moved from the Finding record to the new PentestFindingDefinition record. Action: re-sync to populate the definition catalog and update any downstream joins that previously read severity/CVE data from the Finding. |