Cobalt Scoping Assistant

A lightweight tool to record web application usage for penetration test scoping

The Cobalt Scoping Assistant helps Cobalt customers quickly scope web application penetration tests by recording a live browsing session and automatically extracting the information needed to define test coverage. How it works: Start a recording, browse the target application as you normally would, then stop and export. The extension captures everything in the background without interrupting your workflow — and recording continues seamlessly across new tabs. What gets captured: - Unique dynamic pages visited (pages that issue mutating HTTP requests (POST, PUT, PATCH, DELETE)). - API endpoints and routes (detected from network requests). - All internal links found on the pages the user visits. - Technology stack fingerprints inferred from HTTP headers, cookies, and URL patterns (e.g. Rails, Django, WordPress, GraphQL, PHP, and many more). Domain filtering: Focus your recording on specific domains so third-party resources, CDNs, and analytics noise are excluded from your export. Built-in presets automatically filter out common static asset providers (Google APIs, Cloudflare, jsDelivr, etc.). Privacy-first: All data is processed and stored locally in your browser. Nothing is sent to any external server. The exported JSON file must be manually provided to Cobalt by you. Export format: Results are exported as a structured JSON file containing visited dynamic pages, discovered API routes, and inferred technologies — ready to feed directly into your scoping workflow.