This page is a collection of frequently asked questions about Cobalt Strike and its setup.

1. Does Cobalt Strike 3.0 require the Metasploit Framework?

No. Cobalt Strike 3.0 and later do not require the Metasploit Framework.

2. Can Cobalt Strike 2.5 connect to a Cobalt Strike 3.0 team server?

No. Cobalt Strike 3.0 and 2.5 have different team server protocols. The Cobalt Strike 2.5 client is not compatible with the Cobalt Strike 3.0 server (and vice versa).

3. Can I update a Cobalt Strike 2.5 team server to Cobalt Strike 3.0?

It's best to create new infrastructure with Cobalt Strike 3.0 and use foreign listeners to pass accesses to it. I would not update a Cobalt Strike 2.5 server with Beacons calling back to it.

4. Does Cobalt Strike phone home?

No. Cobalt Strike does not phone home. The exception to this is the update process. When you run the update program, Cobalt Strike's update program will connect to our servers to check for and download the latest Cobalt Strike update.

5. Is it possible to update Cobalt Strike offline?

No, but it's easy to do this yourself. Cobalt Strike is distributed as one Java jar file containing the Cobalt Strike application and its resources. Install Cobalt Strike on an internet connected system, update it, and move the cobaltstrike.jar file to your private network.

6. How often is Cobalt Strike updated?

An update is posted every 1-3 months. Two months is the typical length between updates. The releasenotes.txt file captures the update history since February 2012.

7. Do I need a separate license for the Cobalt Strike team server?

No. Cobalt Strike is licensed per user, not per system. To use the update script on the team server, use one of your existing license keys. It doesn't matter which.

8. What output does Cobalt Strike's reporting engine produce?

Cobalt Strike outputs reports as PDF and MS Word documents. Raw data is available as Excel-compatible TSV files and XML.