What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

aegis-deploy / v1.4 / production since April 2026

AEGIS, deployed on your stackin 48 hours.

AEGIS is the open-source XDR+SOAR+SIEM+Deception platform. We are the team that built it. We install, tune, and hand it back to you in two days. The source stays yours.

$499 setup Optional $99/mo monitoring AGPL-3.0, audit the code

What you walk away with

Three outcomes worth more than the bill. Everything else is bonus.

Block ransomware C2 in under 500 ms

AEGIS rolls back encrypted files and severs C2 callbacks faster than a human can read the alert. We tune the SOAR playbooks to your environment so it does not page you for noise.

Catch supply-chain compromise before it reaches prod

533 YARA rules and 122 Sigma detections wired into your CI/CD and runtime. AEGIS flags the suspicious dependency the moment it lands, not after the breach post-mortem.

Get SOAR without buying Splunk

Enterprise SIEMs start at $50k/year. AEGIS is AGPL-3.0, runs on your hardware, and ships with 10 playbooks. We install and tune it for the price of a single Splunk seat.

48 hours, three steps

Same flow we run on our own Mac Mini. Repeated, not invented for you.

Day 1

Install

Docker Compose deploys the 4 core containers on your host. We provision the Pi firewall agent if you want IP blocking at the gateway. Honey-AI honeypots come online by hour 6.

Day 2

Tune

We baseline your traffic, dial in Sigma rule thresholds, and write 2 custom SOAR playbooks specific to your stack. False positives are killed before handoff.

Day 3

Handoff

You get a 30-minute walkthrough, a runbook for the 5 alerts you will see most, and a private Slack/email line to the team for the first 30 days. Source is yours. Code is open.

Pricing

One-time setup. Monitoring is opt-in. No annual contract.

Start here

Deploy

$499one-time

5-layer pipeline: 18 μs fast-path, AI triage, honeypots, SOAR, mesh
122 Sigma rules + 533 YARA rules tuned to your environment
10 SOAR playbooks (iptables, ransomware rollback, IOC mesh)
Rasputin Pi firewall agent (optional, included in setup)
30-day post-install support window
Source code stays yours forever — AGPL-3.0, no vendor lock

Monitoring

$99/ month, optional

We watch the AEGIS dashboard 24/7 and triage critical alerts
Monthly tuning pass — new rules, false-positive cleanup
Incident response on critical detections within 1 hour
Cancel anytime. No annual contract.

We run AEGIS on our own infrastructure.

Production since April 2026 on our Mac Mini node. 11/11 detection on the in-house test suite. The code is AGPL-3.0 and the repository is public. You can read it before you pay us anything.

github.com/alejadxr/AEGIS

Book the install window

Drop your email. We will reply within 24 hours with a short discovery form and the next available 48-hour window.

Prefer to talk first? Email [email protected] directly.

Need a one-off pentest while you wait?

Sable Pre-Launch Check — $29