What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Agent-as-a-Service · Offensive Security

Five pentest agents.
Your code. Real scans on isolated Kali.

Chat with authorized pentest agents. Real scans run on Sable's isolated infra. Findings analyzed by five specialists — scout, recon, triage, fixer, compliance.

150 free credits, no card. Or a one-time scan from $29 — no signup.

Start free — 150 credits Sign in

Scan your site free — instant, no signup

3 published CVEsOWASP Top 10AEGIS — open-source SOARPoC repos shipped

sable · console

roster · 5 agents

pen-scoutLIVE

Scope · engagement plan

Reads the target. Writes the rules of engagement.

▸ mapping attack surface · 4 endpoints found

pen-reconLIVE

External recon · subdomain mapping

Enumerates surface. Flags staging envs.

▸ 3 subdomains · 1 staging exposed.

pen-triageIDLE

Scanner output · false-positive cull

Reads Nuclei, ZAP, semgrep. Keeps the real ones.

▸ awaiting scan output

pen-fixerIDLE

Diff-grade remediations

Writes the patch. Cites the disclosure.

▸ idle

pen-complianceQUEUED

SOC2 · ISO27001 evidence pack

Renders findings into auditor-ready PDFs.

▸ queued · 1 job

/scope /scan /triage /fix /compliancecredits · 25

01 / OPERATORS

Five agents. One console.

Each agent is a narrow operator. Scout writes the plan; the others execute. You chat — they run real tools.

pen-scout

Scope & engagement plan

Maps your attack surface, writes the engagement plan, and tells you what NOT to scope. Start every job here.

4 credits / turnTry free →

pen-recon

External recon

Subdomain enumeration, exposed staging envs, leaked secrets, third-party drift. Hands findings to triage.

6 credits / turnTry free →

pen-triage

Finding explainer

Reads scanner output. Tells you what is real, what is noise, and what would actually hurt in production.

5 credits / turnTry free →

pen-fixer

Remediation walkthroughs

Code-level fixes for OWASP findings — Supabase RLS, Next.js routes, auth flows. Diffs you can paste.

7 credits / turnTry free →

pen-compliance

Audit & compliance

Maps findings to OWASP, PCI-DSS, SOC 2 controls. Generates the evidence pack your auditor asks for.

5 credits / turnTry free →

02 // HOW IT WORKS

Three steps. No onboarding call.

From signup to a scoped pentest in under five minutes. Everything runs in your browser; everything bills by the credit.

01Free

Sign up — 150 free credits

No card. Magic-link auth. You land in the console with Scout already waiting.

02Five specialists

Pick an agent

Scout writes the engagement plan. Recon maps the surface. Triage reads scanner output. Fixer ships diffs. Compliance preps your evidence pack.

03From $29

Need depth? Run a scan.

When chat hits its limit, hand off to a one-time pentest — $29, $79, or $199 — without leaving the thread.

Open the console

03 // REAL OPS

We ship the work the agents also do.

No fabricated logos. Three artifacts you can verify in NVD or GitHub before you spend a credit.

CVE-2026-22778

vLLM remote code execution

Published to NVD. The same recon-to-PoC workflow pen-scout walks customers through, executed end-to-end on a production AI inference server.

nvd.nist.gov

$ curl -s https://services.nvd.nist.gov/rest/json/cves/2.0 \
    ?cveId=CVE-2026-22778 | jq .vulnerabilities[0]
{
  "cvssV3": 9.8,
  "severity": "CRITICAL",
  "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}

OpenClaw / Moltbot

Three CVEs in AI gateway agents

Same agents now powering pen-fixer remediations. The fix patterns shipped here come from the actual disclosure write-ups, not blog summaries.

cve.org

$ git log --grep="CVE" --oneline -3
a7c91f2  fix: bound prompt-injection in agent router
d23b40e  fix: SSRF in moltbot fetch tool
88e1c0a  fix: path-traversal in openclaw state dir
# 3 CVEs · all patched · disclosed responsibly

AEGIS

Open-source SOAR + XDR + deception

The tooling pen-recon and pen-triage delegate to. Maintained in public; bugs filed there fix the console experience next.

github.com

$ aegis --status
soar:        running   (12 playbooks)
xdr:         running   (4 sensors)
deception:   running   (3 honeypots)
# open-source · github.com/AEGIS

From the blog

Latest research

Practical security writing for founders shipping fast — the bugs AI assistants ship, what a pentest actually finds, and how to decide what your launch needs.

View all posts

Decision Guide 10 min

Free Scan or Full Pentest? A Founder’s Decision Guide

You ran a free scan and got a grade — now what? The honest framework for whether your launch needs a real test, and what each one actually catches.

Read article

Founder’s Guide 15 min

Penetration Testing for Startups in 2026

The complete founder’s guide: what a pentest is, when to run one, realistic 2026 pricing, and the checklist for shipping safely.

Read article

Pre-Launch 9 min

Audit a Cursor or v0-Built MVP Before You Launch

Three vulnerabilities AI coding assistants introduce every time — and the 5-minute self-audit that catches them before your first user does.

Read article

Research 9 min

I scanned 100 vibe-coded apps. 73 had a BOLA.

What we found inside 100 AI-built MVPs — and why the bug that breaches startups is invisible to every free external scanner.

Read article

04 / CREDITS

Pay only what you use. No seats. No contracts.

Credits power agent turns. A scope conversation is 4. A recon job is 6. Compliance evidence is 5. Top up when you need.

$9USD

100 credits · $0.09 / credit

Try the console. 20-ish agent turns. No card to start, 150 free credits on signup.

Top up

most picked

$29USD

500 credits · $0.058 / credit

A real engagement — scope, recon, triage, fixes. The pack most operators land on.

Top up

$99USD

2000 credits · $0.0495 / credit

Multi-app coverage or a quarter of triage work. Hands back to scans when depth is needed.

Top up

05 / OR — Need a one-time pentest instead?

Skip the chat. Fixed scope, fixed price, PDF in 24–48h. Pick a tier below.

06 / SCAN TIERS

Fixed scope. Fixed price.

No enterprise pricing. No monthly fees. One scan, one PDF, PoC repos included.

Secure checkout · USD · No subscription

Pre-Launch Check

Perfect for MVPs and landing pages

$39$29USD

Landing pages, portfolios, simple MVPs

Security headers analysis
Exposed secrets detection
CORS misconfiguration check
Basic OWASP coverage
PDF report in 24-48h
Email support

Most picked

Founder Shield

For SaaS with user data

$99$79USD

SaaS apps, user auth, payment flows

Everything in Pre-Launch Check
BOLA / IDOR vulnerability testing
API endpoint discovery
Authentication flow analysis
Full OWASP Top 10 coverage
30-min consultation call
Priority support

Scale Secure

Complete security assessment

$299$199USD

Funded startups, enterprise clients

Everything in Founder Shield
SQLi & XSS deep testing
Infrastructure scanning
Compliance report (OWASP, PCI)
Re-test after fixes included
Slack/Discord support channel
Security badge for your site

Launch pricing for the next 5 clients only.

Traditional pentesting firms charge $10,000–$50,000+ for the same coverage.

Compare plans

Feature	Pre-Launch	Founder Shield	Scale Secure
Security Headers
Secrets Detection
CORS Check
Basic OWASP
Full OWASP Top 10	—
BOLA / IDOR Testing	—
API Discovery	—
Auth Flow Analysis	—
SQLi & XSS Deep Test	—	—
Infrastructure Scan	—	—
Consultation Call	—	30 min	60 min
Re-test After Fixes	—	—
Compliance Report	—	—
Delivery Time	24-48h	2-3 days	3-5 days

50% money back if we find zero issues

Reports include compliance mapping for

OWASPPCI-DSSHIPAAGDPRSOC 2

07 / ONGOING COVERAGE

Continuous monitoring, billed monthly.

One-time scans catch today's issues. Continuous plans keep watching — automated re-scans, alerts, and reporting every month. Billed immediately, cancel anytime.

24/7 monitoring

Auto re-scan

Instant alerts

Always covered

Starter

Essential monitoring for small projects

$49/moUSD

Billed monthly · cancel anytime

Weekly automated scans
1 domain included
Email alerts
OWASP Top 10 coverage
Monthly security report

Pro

Complete protection for growing startups

$149/moUSD

Billed monthly · cancel anytime

Daily automated scans
3 domains included
Slack & Discord alerts
Full vulnerability coverage
Real-time dashboard
API endpoint monitoring
Compliance tracking

Enterprise

Maximum security for scale-ups

$399/moUSD

Billed monthly · cancel anytime

Continuous 24/7 scanning
Unlimited domains
All alert channels + PagerDuty
Advanced threat detection
Custom dashboard & reports
Dedicated response team
API access + custom integrations

Cancel anytime — no long-term contracts, no setup fees

01 // THE PROBLEM

AI-generated code ships fast. It also ships the bugs.

Cursor, v0, Bolt, Lovable generate functional code in seconds. They do not sanitize inputs, validate tokens, or check authorization. Your AI assistant is an intern who ships to production.

73%AI MVPs · critical vulns89%Headers grade F61%BOLA / IDOR present

What we see, every week

A query missing a single ownership check — and every user becomes admin.

BOLA and IDOR are the most-reported class in our scans. They land in shipped code because the LLM completed the query — but skipped the predicate that proves the caller owns the row.

api/user/[id]/route.tsBOLA · critical

// AI-generated handler — no ownership check
const user = await db.user.findFirst({
  where: { id: req.params.id },
});

// pen-triage would add:
//   where: { id: req.params.id, ownerId: session.uid }
//   ↑ one predicate. every record stays private.

07 / PROVEN RESULTS

Real startups. Real vulnerabilities.

Anonymized findings from 6 real security assessments. No brand names — just stacks, vulnerabilities, and outcomes.

Mobile App Backend

Social Media Startup

24h delivery

Risk: 9.2/10

Node.js + Custom Server

2Critical

3High

4Medium

Server fully compromised — unauthorized access confirmed

Real IP exposed behind CDN, bypassing DDoS protection

Directory listing enabled — source code and configs accessible

Report delivered in 24h. Critical infrastructure rebuilt from scratch.

SaaS Platform

EdTech Startup

Client: Isai A.

24h delivery

Risk: 7.2/10

Next.js + Supabase

4High

5Medium

SSRF vulnerability via known CVE — internal network access possible

Server IP exposed through DNS misconfiguration

Insecure cookies and missing HSTS headers

All high-severity issues patched within 72 hours.

Desktop App + Landing

AI Startup

24h delivery

Risk: 7.8/10

React + Discord + Electron

1Critical

1High

2Medium

Discord webhook token exposed in client code — full channel takeover

Hardcoded API credentials in desktop app bundle

Missing Content Security Policy on landing page

Webhook rotated and secrets moved to backend within 24 hours.

Online Raffle Platform

E-commerce Startup

24h delivery

Risk: 5.5/10

Next.js + Supabase + Stripe

1High

4Medium

TLS 1.0/1.1 still enabled — vulnerable to downgrade attacks

Supabase project URL disclosed in client-side code

Missing CSP allows potential XSS exploitation

TLS hardened and security headers implemented same week.

Exam Certification App

EdTech Platform

48h delivery

Risk: 6.4/10

React + Vercel + REST API

3High

4Medium

11 vulnerabilities found across web app and API

Sensitive exam data accessible through API enumeration

Missing rate limiting on authentication endpoints

Full remediation completed before platform launch.

Corporate Website

Industrial Tech

24h delivery

Risk: 5.8/10

WordPress + Custom Plugins

2High

3Medium

Outdated WordPress plugins with known CVEs

Admin login page exposed without brute-force protection

Sensitive internal paths disclosed via error pages

Plugins updated, WAF configured, admin hardened.

“Report delivered in less than 24 hours. Found issues our team completely missed.”
— SaaS Founder

6 real assessments completed · all anonymized · stacks & findings only

05 // HOW WE COMPARE

Autonomous + researcher-grade.

Most security tools force a tradeoff: speed (AI scanners) or depth (traditional firms). Sable runs both — autonomous scans on isolated Kali, then validated by humans who file CVEs.

Capability	Sable	Traditional firms	AI-only scanners
Delivery time	24-48h	2-4 weeks	Continuous
Starting price	$29	$10,000+	Free–$200/mo
OWASP Top 10 coverage
Manual validation
AI-code / LLM app audit		Rare	Limited
Startup-stack specialization	Supabase · Next.js · Vercel	Generic	Generic
Published CVEs	3	Varies	None
Fix guidance in report	Code-level	High-level	Generic
Money-back guarantee	50% if no findings

Comparison data from public pricing pages and standard SaaS pentest deliverables · Q2 2026

09 / LEAD MAGNET

Free: Startup security checklist

15-point checklist covering the most common security mistakes in AI-built MVPs. Used by 50+ founders.

No spam. PDF downloads instantly when you submit.

10 / FAQ

Questions, answered.

Pentest basics, scope, delivery, guarantees, AI-code security — the canonical FAQ.

Still have questions?

Five pentest agents.Your code. Real scans on isolated Kali.

Five agents. One console.

Scope & engagement plan

External recon

Finding explainer

Remediation walkthroughs

Audit & compliance

Three steps. No onboarding call.

Sign up — 150 free credits

Pick an agent

Need depth? Run a scan.

We ship the work the agents also do.

vLLM remote code execution

Three CVEs in AI gateway agents

Open-source SOAR + XDR + deception

Latest research

Free Scan or Full Pentest? A Founder’s Decision Guide

Penetration Testing for Startups in 2026

Audit a Cursor or v0-Built MVP Before You Launch

I scanned 100 vibe-coded apps. 73 had a BOLA.

Pay only what you use. No seats. No contracts.

Fixed scope. Fixed price.

Pre-Launch Check

Founder Shield

Scale Secure

Compare plans

Continuous monitoring, billed monthly.

Starter

Pro

Enterprise

AI-generated code ships fast. It also ships the bugs.

A query missing a single ownership check — and every user becomes admin.

Real startups. Real vulnerabilities.

Social Media Startup

EdTech Startup

AI Startup

E-commerce Startup

EdTech Platform

Industrial Tech

Autonomous + researcher-grade.

Free: Startup security checklist

Questions, answered.

What is pentesting?

What is the difference between pentesting and a vulnerability scan?

What is the OWASP Top 10?

What is BOLA (Broken Object Level Authorization)?

What is ethical hacking?

What is a security audit?

How long does a security scan take?

What do I need to provide?

What if you find zero vulnerabilities?

Is my data safe with you?

How does SableOffensive compare to traditional pentesting firms?

How do I check my security headers for free?

What is the Supabase security checklist for startups?

What are the most common Next.js API security vulnerabilities?

What should be on a startup security audit checklist?

Five pentest agents.
Your code. Real scans on isolated Kali.