Cobalt.io EU Alternative 2026: Pentest-as-a-Service CLOUD Act Risk — The Danish Paradox
Post #1251 in the sota.io EU Cyber Compliance Series
Cobalt.io was founded in Copenhagen, Denmark in 2013. Its co-founders came from the European security community, its earliest customers were European enterprises, and its product ethos — agile, collaborative, crowdsourced pentesting — reflects a distinctly European startup sensibility. Yet Cobalt Labs Inc. is incorporated as a Delaware C-Corp, headquartered in San Francisco, CA, and operates under full US CLOUD Act jurisdiction. This is the Danish Paradox: European DNA, US legal framework.
For EU organisations evaluating Cobalt's Pentest-as-a-Service (PtaaS) platform, the Danish Paradox creates a compliance problem that no amount of heritage or founder intent can resolve. The CLOUD Act does not care where a company was conceptualised — it applies wherever the legal entity is domiciled. And Cobalt Labs Inc. is firmly in Delaware.
This post gives EU security teams the CLOUD Act analysis, GDPR compliance implications, and EU-native alternatives they need before making a PtaaS sourcing decision.
What Is Cobalt.io?
Cobalt.io (Cobalt Labs Inc.) provides Pentest-as-a-Service (PtaaS) — a SaaS platform that connects organisations with a curated community of security researchers called the Cobalt Core. Rather than engaging a traditional penetration testing firm for a point-in-time assessment delivered as a PDF, Cobalt offers:
- On-demand pentesting with reduced lead times compared to traditional firms
- Cobalt Core: approximately 400 vetted security researchers who conduct assessments
- Persistent findings management: all vulnerabilities, retests, and commentary stored in the Cobalt SaaS platform
- Cobalt Core for AI: application security testing for AI/ML systems
- Integrations: Jira, GitHub, Slack — embedding pentest workflows into development pipelines
CEO Snehal Antani (since 2021, formerly of Splunk and Cisco) has positioned Cobalt as an AI-augmented PtaaS leader, launching "Cobalt Core for AI" and expanding integrations. Key strategic investors include Hewlett Packard Enterprise (HPE) Ventures, with additional US-based venture capital backing.
The company pursues FedRAMP certification (in progress), signalling explicit intent to serve US federal government customers.
Corporate Structure: The Danish Paradox
Understanding Cobalt's corporate structure is essential for any EU compliance assessment:
| Dimension | Detail |
|---|---|
| Legal Entity | Cobalt Labs Inc. |
| Incorporation | Delaware, USA |
| Headquarters | San Francisco, CA, USA |
| Origin | Founded Copenhagen, Denmark 2013 |
| Legal Framework | US federal law, including the CLOUD Act |
| Strategic Investor | Hewlett Packard Enterprise (HPE) Ventures |
| FedRAMP Status | In progress (targeting US government customers) |
The Danish Paradox is straightforward: Cobalt was conceived in Europe but operates as a US company. From a CLOUD Act perspective, the founding location is irrelevant. What matters is the Delaware incorporation, the San Francisco headquarters, and the US executive management team. All three confirm full CLOUD Act applicability.
HPE as Strategic Investor: Not a Neutral VC
The Hewlett Packard Enterprise investment deserves specific attention. HPE is not a passive financial investor; it is a strategic technology partner with extensive US Department of Defense, NSA, and intelligence community contracts. HPE's investment in Cobalt creates alignment between Cobalt's business development interests and HPE's government-sector customer relationships.
This is categorically different from a Sequoia or Andreessen Horowitz investment. When a US government contractor holds a strategic stake in a PtaaS platform, the governance relationships between Cobalt's board and HPE's government business units warrant scrutiny in any GDPR Data Protection Impact Assessment.
CLOUD Act Score: 18/25
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) enables US authorities to compel US-incorporated companies to produce data stored anywhere in the world, including EU-region servers. For Cobalt.io, this creates five compellable data dimensions:
D1: Corporate Jurisdiction (5/5)
Cobalt Labs Inc. is a Delaware C-Corp. There is no parent company domiciled outside the US that could argue jurisdictional separation. Full US CLOUD Act jurisdiction applies.
Score: 5/5
D2: Government Contract Exposure (3/5)
Cobalt's FedRAMP certification is actively in progress. FedRAMP is the US federal government's cloud security authorisation programme — pursuing it signals that Cobalt intends to serve US federal agencies, including defence and intelligence-adjacent departments. HPE's strategic investment reinforces this government-sector trajectory.
Cobalt does not (currently) hold confirmed DoD or IC-specific contracts at the level of Synack (which has NSA/TAO founders and FedRAMP High + DOD IL4). However, the FedRAMP-in-progress status and HPE relationship create a meaningful government exposure vector.
Score: 3/5
D3: Data Sensitivity of EU Client Information (5/5)
This is where PtaaS creates its most significant CLOUD Act risk — and where Cobalt's model amplifies that risk beyond traditional pentesting.
Traditional pentest risk profile: An engagement firm completes a test, delivers a PDF report, and the engagement ends. The vulnerabilities are documented once, in a report that exists on the client's systems.
Cobalt PtaaS risk profile: Cobalt's SaaS platform retains all findings persistently. This includes:
- Detailed vulnerability descriptions, proof-of-concept exploit code, and attack vectors
- Complete retest history showing whether vulnerabilities were fixed, partially fixed, or left open
- All researcher commentary and methodology notes
- Integration data flowing to client Jira/GitHub/Slack instances
- AI-assisted analysis generated during the assessment
A DOJ subpoena under the CLOUD Act does not just retrieve a single pentest report — it retrieves the complete, live, longitudinal vulnerability database of the EU client organisation. Every unpatched vulnerability, every known attack path, every security weakness documented over multiple engagement cycles — all compellable under a single legal request.
This is the Persistent PtaaS Risk: the SaaS persistence model that makes Cobalt operationally superior to traditional pentesting creates a proportionally larger CLOUD Act exposure surface.
Score: 5/5
D4: Infrastructure Jurisdiction (3/5)
Cobalt operates on US-based cloud infrastructure (AWS us-east-1 primary). While EU customers may route through regional endpoints, the core platform and the data persistence layer operate under US jurisdiction. Unlike some vendors that offer genuine EU-sovereign hosting with separate data planes, Cobalt's infrastructure architecture keeps EU client vulnerability data within the reach of US legal process.
Score: 3/5
D5: Contractual Protections (2/5)
Cobalt offers Standard Contractual Clauses (SCCs) for EU customers to satisfy GDPR Art.46 transfer mechanism requirements. However:
- No customer-managed encryption keys (CMEK) — Cobalt holds the decryption capability
- A Schrems II Transfer Impact Assessment would need to account for: Delaware jurisdiction, FedRAMP-in-progress government targeting, and HPE's US DoD/IC relationships
- No data residency guarantees preventing US-based engineer access to EU client vulnerability data
A legally rigorous TIA would likely conclude that SCCs alone are insufficient given the combination of US corporate jurisdiction, government sector trajectory, and the extreme sensitivity of the data category (complete vulnerability landscapes).
Score: 2/5
Total CLOUD Act Score: 18/25
| Dimension | Weight | Score | Notes |
|---|---|---|---|
| D1: Corporate Structure | 5 | 5/5 | Delaware C-Corp, San Francisco HQ |
| D2: Government Contracts | 5 | 3/5 | FedRAMP-in-progress + HPE strategic investor (HPE = major US DoD/IC contractor) |
| D3: Data Sensitivity | 5 | 5/5 | Persistent PtaaS: complete longitudinal vulnerability database |
| D4: Infrastructure | 5 | 3/5 | AWS US-primary, no EU-sovereign data plane |
| D5: Contractual Protections | 5 | 2/5 | SCCs only, no CMEK, Schrems II TIA challenged |
| Total | 25 | 18/25 | High CLOUD Act Risk |
The Cobalt Core Aggregation Risk
Cobalt's model relies on the Cobalt Core — a community of approximately 400 vetted security researchers who conduct assessments on client systems. This crowdsourced model introduces a specific risk vector that traditional pentesting firms do not create.
Each Cobalt Core researcher who assesses an EU organisation:
- Accesses the EU organisation's systems under an authorised scope
- Uploads their findings, methodologies, and evidence to the Cobalt SaaS platform
- Contributes to a centralised, US-jurisdiction dataset about the EU organisation's security weaknesses
The aggregation risk is that Cobalt's platform combines individual researcher outputs into a comprehensive picture that no single researcher holds. The CLOUD Act compels the platform operator — Cobalt Labs Inc. — not the individual researchers. A single subpoena to Cobalt retrieves the aggregated intelligence picture, including findings from dozens of researchers across multiple assessments.
For EU organisations in sectors covered by NIS2, DORA, or handling GDPR Special Category data, this aggregation creates a supply chain risk that Article 21(2)(d) NIS2 and Article 28 DORA ICT third-party requirements were designed to address.
GDPR and NIS2 Compliance Implications
GDPR Art.28: Data Processor Requirements
Under GDPR, Cobalt acts as a data processor when handling EU personal data encountered during pentesting (user credentials, PII in test systems, log files containing personal data). The Art.28 Data Processing Agreement must address:
- The categories of personal data Cobalt may access during assessments
- Restrictions on sub-processors (individual Core researchers are effectively sub-processors)
- Data deletion obligations after engagement completion vs. platform retention requirements
- Cobalt Labs Inc.'s CLOUD Act obligation to comply with US legal process — an obligation that cannot be contractually overridden
Critical gap: GDPR Art.28(3)(e) requires processors to "assist the controller in ensuring compliance with obligations" including data subject rights. A US court order requiring Cobalt to produce EU personal data encountered during a pentest overrides this contractual commitment.
NIS2 Art.21(2)(d): Supply Chain Security
NIS2-covered entities must assess security risks arising from ICT supply chain relationships. A PtaaS platform that holds their complete vulnerability landscape under US jurisdiction is precisely the type of third-party risk NIS2 Art.21(2)(d) targets. The Danish Paradox makes this worse: EU security teams may overlook the CLOUD Act jurisdiction because of Cobalt's European founding story.
DORA Art.28: ICT Third-Party Risk for Financial Services
For EU financial institutions under DORA, Cobalt presents heightened ICT third-party risk because:
- Cobalt accesses production-adjacent systems during assessments
- Findings include exploitation paths for systems that process financial data
- US CLOUD Act compellability creates a concentration risk: one legal request could expose the complete security profile of a DORA-regulated entity
DORA's concentration risk provisions (Art.28(5)) require financial institutions to assess whether their ICT third-party providers create systemic risk. Storing complete vulnerability data for multiple EU financial institutions in a single US-jurisdiction SaaS platform is a textbook concentration risk scenario.
EU-Native Alternatives: 0/25 CLOUD Act Score
The EU-native alternatives to Cobalt.io all score 0/25 on the CLOUD Act framework — meaning they carry no US-compellability risk:
Intigriti NV (Antwerp, Belgium) — 0/25
| Dimension | Score |
|---|---|
| Corporate Structure | 0 — Belgian NV, EU jurisdiction |
| Government Contracts | 0 — no US government alignment |
| Data Sensitivity | 0 — handled under EU law |
| Infrastructure | 0 — EU-hosted |
| Contractual Protections | 0 — GDPR-native, no CLOUD Act |
Intigriti is the leading EU-native bug bounty and vulnerability disclosure platform. It was founded in Belgium, is incorporated as a Belgian NV, and operates exclusively under EU law. Its platform serves many of Europe's largest companies, with explicit EU data sovereignty positioning. Intigriti supports GDPR Art.28 DPA requirements natively, without the CLOUD Act conflict that Cobalt creates.
YesWeHack SAS (Paris, France) — 0/25
| Dimension | Score |
|---|---|
| Corporate Structure | 0 — French SAS, EU jurisdiction |
| Government Contracts | 0 — ANSSI relationship, FR/EU government |
| Data Sensitivity | 0 — handled under EU law |
| Infrastructure | 0 — EU-hosted (OVHcloud + French DC) |
| Contractual Protections | 0 — GDPR-native |
YesWeHack is a French bug bounty and vulnerability disclosure platform, founded in Paris and incorporated as a French SAS. It has a relationship with ANSSI (France's national cybersecurity agency) and serves numerous EU public sector and enterprise clients. Unlike Cobalt, a DOJ subpoena to YesWeHack would have no direct legal effect: French SAS entities are not subject to the US CLOUD Act.
Yogosha SAS (Paris, France) — 0/25
| Dimension | Score |
|---|---|
| Corporate Structure | 0 — French SAS, EU jurisdiction |
| Government Contracts | 0 — ANSSI-certified |
| Data Sensitivity | 0 — handled under EU law |
| Infrastructure | 0 — EU-hosted |
| Contractual Protections | 0 — GDPR-native |
Yogosha is an ANSSI-certified French bug bounty and pentest-as-a-service provider. Their ANSSI certification distinguishes them from US-origin alternatives — ANSSI qualification is a rigorous French government security accreditation that implies EU data handling standards. Yogosha's French SAS structure provides genuine data sovereignty for EU clients.
EU-Native Traditional Pentesting Firms
For organisations that want engagement data to remain entirely under their own control (no dependency on a vendor's SaaS platform), EU-headquartered traditional pentesting firms offer zero CLOUD Act risk:
- SEC Consult (Vienna, Austria): EU-incorporated, IC3S methodology, extensive GDPR/NIS2 practice
- NVISO (Brussels, Belgium): Belgian firm, EU public sector focus, NIS2 compliance assessments
- Orange Cyberdefense (Paris, France): French subsidiary of Orange Group, EU-native, extensive EU regulatory expertise
- SySS GmbH (Tübingen, Germany): German GmbH, BSI-aligned methodology, German industrial security
Traditional pentests from these firms deliver reports on client-controlled infrastructure — no persistent SaaS platform, no US-jurisdiction data aggregation, no CLOUD Act compellability risk.
Decision Framework: When Cobalt's Risk Is Acceptable
Not every EU organisation must avoid Cobalt.io. The decision depends on:
| Factor | Cobalt Acceptable | Cobalt Risk High |
|---|---|---|
| Data type | Internal IT systems, no special category data | Systems processing financial, health, or government data |
| Regulatory regime | Unregulated private sector | NIS2-covered, DORA-regulated, GDPR Art.9 data |
| Threat model | External attack vectors only | Nation-state or IC-level adversary concern |
| Assessment frequency | One-time engagement | Continuous PtaaS with persistent findings |
| Sector | Consumer tech, SME | Critical infrastructure, financial services, healthcare |
For NIS2-covered entities, DORA-regulated financial institutions, and organisations handling GDPR Special Category data, the 18/25 CLOUD Act score and persistent PtaaS model create compliance risks that are difficult to mitigate contractually. For these organisations, Intigriti, YesWeHack, Yogosha, or EU-native traditional pentesting firms provide equivalent capability with zero CLOUD Act exposure.
Summary
| Vendor | Incorporation | CLOUD Act Score | Key Risk |
|---|---|---|---|
| Cobalt.io | Delaware C-Corp (US) | 18/25 | Danish Paradox + Persistent PtaaS + HPE strategic alignment |
| HackerOne | Delaware C-Corp (US) | 18/25 | Vulnerability Sovereignty Paradox + Francisco Partners PE |
| Bugcrowd | Delaware C-Corp (US) | 17/25 | CrowdTriage human analysts + Insight Partners/Paladin Capital |
| Synack | Delaware C-Corp (US) | 20/25 | NSA/CIA founders + FedRAMP High + DOD IL4 |
| Intigriti | Belgian NV | 0/25 | None — EU-native |
| YesWeHack | French SAS | 0/25 | None — EU-native |
| Yogosha | French SAS | 0/25 | None — ANSSI-certified |
The Danish Paradox illustrates a broader principle for EU procurement: the founder's nationality, the company's origin story, and the marketing narrative are legally irrelevant to CLOUD Act jurisdiction. What matters is the corporate domicile. Cobalt Labs Inc. is a Delaware C-Corp. That determination ends the sovereignty analysis.
EU organisations seeking PtaaS capabilities with genuine data sovereignty should evaluate Intigriti (Belgium), YesWeHack (France), and Yogosha (France) before engaging Cobalt's platform. For organisations already using Cobalt, the Persistent PtaaS Risk warrants immediate review of data retention policies, the GDPR Art.28 DPA, and whether a Schrems II Transfer Impact Assessment has been completed that accounts for Cobalt's FedRAMP-in-progress government sector trajectory.
This analysis applies the sota.io CLOUD Act framework (D1–D5, 25-point scale) to assess US data compellability risk for EU organisations. Scores reflect publicly available information as of May 2026. Not legal advice — consult your DPO and legal counsel for GDPR compliance decisions.