What Happened
On April 23, 2026, the ShinyHunters extortion group posted on a leak forum what they claim to be approximately 10 million customer records belonging to ADT — the largest residential security provider in the United States. ADT publicly confirmed the intrusion within 24 hours of the leak appearing, telling BleepingComputer that an unauthorized third party had "obtained certain customer information" and that the company's security team had since contained the access.
The company is now contacting affected customers and offering complimentary credit monitoring, but the leaked sample published by the attackers — names, email addresses, home addresses, and references to active service contracts — has already been independently confirmed by multiple security outlets including CyberInsider and UndercodeNews. Several customers contacted by reporters were able to verify their own records in the leaked sample.
Technical Analysis: How ShinyHunters Likely Got In
ADT has not publicly disclosed the initial access vector, and the company's official statement is restricted to language about "unauthorized access to a portion of our environment" without specifying whether the breach hit a customer-facing application, an internal admin panel, or a third-party SaaS provider. That ambiguity is itself a signal: in our experience auditing companies that disclose breaches with this exact phrasing, the most common root causes are credential reuse against an admin login, an exposed API endpoint without rate limiting, or compromise of a marketing or CRM tool that holds a customer mirror.
ShinyHunters' historical playbook reinforces those hypotheses. The group has spent the last 24 months running a consistent operation against cloud-hosted data warehouses and SaaS admin panels, taking advantage of customer accounts that lacked multi-factor authentication. Threat-research analysis of the ADT incident notes that the same group has previously compromised dozens of large enterprises throughout 2025 and early 2026 — Ticketmaster, Santander, AT&T, and a long list of less prominent victims — using nothing more sophisticated than valid credentials harvested from infostealer logs and a willingness to go straight to public extortion when the victim refuses to pay.
If ADT followed the pattern of those earlier victims, the kill chain looks like this: an employee or contractor's workstation was infected with a generic infostealer at some point in 2025; that infostealer captured a session cookie or credential to a corporate SaaS (most commonly a data warehouse, CRM, or ticketing system); the credential ended up for sale on Russian Market or a comparable broker; ShinyHunters bought it for low three-digit dollars; they logged in, ran SELECT * against the customer table, exfiltrated the result, and then opened the extortion conversation on Tox or a private channel before going public when negotiations stalled.
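The kill chain above leaves a detectable trail in the SaaS provider's audit log at three points: a login without MFA, a session token that starts being used from a source IP other than the one it was issued to, and a read of the customer table that is orders of magnitude larger than normal (either in one query or chunked across several). The script below is an added illustration, not code from the original post or from Sable, and it assumes a simple JSON-lines audit schema (event, user, session, src_ip, mfa, object, rows) and a 100,000-row threshold; the log lines it runs over are constructed for the demo and do not describe the ADT environment.

```python
import json
from collections import defaultdict

# Assumed thresholds for the demo; tune to the real table sizes in your environment.
SENSITIVE_OBJECTS = {"customers"}
BULK_ROW_THRESHOLD = 100_000

# Constructed sample audit log (JSON lines); not real ADT or vendor data.
SAMPLE_LOG = """
{"ts":"2025-11-02T09:14:05Z","event":"login","user":"analyst1","session":"s-7f3a","src_ip":"203.0.113.10","mfa":true}
{"ts":"2025-11-02T09:20:11Z","event":"query","user":"analyst1","session":"s-7f3a","src_ip":"203.0.113.10","object":"customers","rows":120}
{"ts":"2025-11-02T23:41:30Z","event":"query","user":"analyst1","session":"s-7f3a","src_ip":"198.51.100.77","object":"customers","rows":9800000}
{"ts":"2025-11-03T00:02:17Z","event":"login","user":"svc-crm","session":"s-91c0","src_ip":"198.51.100.77","mfa":false}
{"ts":"2025-11-03T00:05:44Z","event":"export","user":"svc-crm","session":"s-91c0","src_ip":"198.51.100.77","object":"customers","rows":2000000}
{"ts":"2025-11-03T01:00:00Z","event":"login","user":"svc-bi","session":"s-aa11","src_ip":"203.0.113.30","mfa":true}
{"ts":"2025-11-03T01:01:00Z","event":"export","user":"svc-bi","session":"s-aa11","src_ip":"203.0.113.30","object":"customers","rows":60000}
{"ts":"2025-11-03T01:02:00Z","event":"export","user":"svc-bi","session":"s-aa11","src_ip":"203.0.113.30","object":"customers","rows":60000}
{"ts":"2025-11-03T01:03:00Z","event":"export","user":"svc-bi","session":"s-aa11","src_ip":"203.0.113.30","object":"customers","rows":60000}
{"ts":"2025-11-03T08:00:00Z","event":"query","user":"ops2","session":"s-c4d2","src_ip":"203.0.113.22","object":"tickets","rows":40}
"""


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(records):
    """Run the three detections over the records and return a list of findings."""
    findings = []
    session_origin = {}              # session id -> src_ip recorded at login
    session_rows = defaultdict(int)  # session id -> cumulative rows read from sensitive objects
    flagged_ips = set()              # (session, src_ip) pairs already reported

    def report(rule, r, detail):
        findings.append({"rule": rule, "user": r["user"], "session": r["session"],
                         "ts": r["ts"], "detail": detail})

    for r in records:
        sess = r["session"]
        if r["event"] == "login":
            session_origin[sess] = r["src_ip"]
            # Rule 1: interactive login that did not pass MFA
            if not r.get("mfa", False):
                report("no_mfa_login", r, "login accepted without MFA")
            continue

        # Rule 2: session token now used from an IP other than the one it was issued to
        # (the classic sign of a stolen cookie). Sessions with no login on record are skipped.
        origin = session_origin.get(sess)
        if origin and origin != r["src_ip"] and (sess, r["src_ip"]) not in flagged_ips:
            flagged_ips.add((sess, r["src_ip"]))
            report("session_ip_change", r, f"issued to {origin}, now used from {r['src_ip']}")

        # Rule 3: bulk read of a sensitive object, either in one shot or chunked over the session
        if r["event"] in ("query", "export") and r.get("object") in SENSITIVE_OBJECTS:
            rows = int(r.get("rows", 0))
            before = session_rows[sess]
            session_rows[sess] += rows
            if rows >= BULK_ROW_THRESHOLD:
                report("bulk_read", r, f"{rows} rows from {r['object']} in one request")
            elif before < BULK_ROW_THRESHOLD <= session_rows[sess]:
                # Fires once, when the running total first crosses the threshold.
                report("cumulative_bulk_read", r,
                       f"{session_rows[sess]} rows from {r['object']} across the session")
    return findings


def summarize(findings):
    """Map each session id to the sorted list of rules it triggered."""
    by_session = defaultdict(set)
    for f in findings:
        by_session[f["session"]].add(f["rule"])
    return {s: sorted(rules) for s, rules in by_session.items()}


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['rule']:22} {f['user']:10} {f['session']}  {f['detail']}")
```

In the sample, the session issued to analyst1 is later driven from a different address and pulls the whole customer table, the service account logs in without MFA and exports it outright, and the third session shows the chunked variant that a single-request threshold would miss; the ordinary ticket lookup triggers nothing. The same three rules translate directly into SIEM queries against whatever audit feed your data warehouse or CRM exposes.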
Who's Affected and What Was Exposed
The leaked sample published by ShinyHunters indicates the following fields per record: full name, email address, physical home address, phone number, and service plan reference. Notably, the leaked data so far does not appear to include payment card numbers, Social Security numbers, or alarm system credentials — which would be far more dangerous and which ADT has explicitly said are not affected.
That said, the combination of name + home address + active home-security service contract is itself an unusually sensitive dataset. ADT's customer base skews toward homeowners specifically because they have something to protect: jewelry, electronics, sometimes weapons, occasionally high-net-worth occupants. A motivated burglary crew with this list has a directly actionable target file. The downstream risk here is not identity theft in the traditional sense — it's physical targeting, especially for the subset of customers who installed ADT precisely because they were already concerned about being targeted.
For the ShinyHunters operators themselves, the value in this dataset is not the fields per se but the leverage. Public extortion of a brand whose entire value proposition is "keeping your home safe" is exactly the kind of headline the group has cultivated for two years.
How to Protect Yourself if You're an ADT Customer
- Change your ADT account password today, even though the leak does not appear to include passwords. If you have reused that password anywhere else, change it everywhere — and switch to a password manager so you don't have to do this exercise again next time.
- Enable multi-factor authentication on the ADT customer portal and on any account where your ADT email is the recovery address. The fact that ShinyHunters has now confirmed they have your email means it is on every targeted phishing list for the foreseeable future.
- Be skeptical of any communication referencing your ADT service in the next 90 days. "Your ADT system needs an urgent firmware update — click here to authorize it" is the obvious phishing pretext, and it will be running. ADT will not ask you to authorize anything via email link; if you receive something that looks important, navigate to adt.com directly and log in.
- Check whether your home address appears on people-search and data-broker sites. If it does, request removal — California, Colorado, and a growing list of states require brokers to honor opt-outs. The combination of a verified home address on a public broker plus a known ADT service contract is a particularly clean target for harassment or burglary.
- If you are a high-profile or high-net-worth customer, treat this as a strong nudge to audit your physical security posture independently — alarm code rotation, neighbor awareness, package handling. The breach itself does not give attackers your alarm code, but it tells them you have one worth bypassing.
The Sable Angle
What stands out about the ADT incident, and almost every ShinyHunters incident before it, is how unsophisticated the attack pattern is relative to the size of the prize. There is no zero-day. There is no nation-state implant. There is a stolen session cookie or a reused password and an admin endpoint that did not enforce MFA. The breach is the predictable consequence of a known control gap that nobody owned closing.
In the offensive engagements we run at Sable, we surface this exact category of finding inside roughly 80% of mid-market and enterprise environments we test. The pattern is so consistent that we built our standard methodology around it: prove that a single leaked credential, given current MFA coverage and current admin-endpoint exposure, is sufficient to reach the customer or financial dataset. We do that work before ShinyHunters does, and we hand the customer a remediation path that is short, specific, and ordered by exploitability — not by CVSS theater. If you want to know whether an attacker with a single $50 credential could repeat the ADT outcome on your environment, our research on third-party credential exposure is a reasonable place to start, and the conversation about a focused engagement is the next step.