What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Hackers Used AI to Build a Zero-Day That Bypasses Two-Factor Authentication

Key takeaway: Google's Threat Intelligence Group (GTIG) identified the first known case of cybercriminals using artificial intelligence to develop a zero-day exploit that bypasses two-factor authentication on a widely used open-source web administration tool. The planned mass-exploitation campaign was disrupted before launch — but the precedent is set.

What Happened

On May 11, 2026, Google published findings from GTIG confirming that a prominent cybercriminals used AI to craft a working zero-day exploit targeting a popular open-source web-based system administration tool. The exploit was a Python script that enabled full 2FA bypass, giving attackers authenticated access without requiring any second-factor verification from the victim.

Google detected the campaign during its planning phase and alerted the vulnerable vendor before the exploit could be deployed at scale. The company described the findings in its Q2 2026 AI Threat Tracker report, which documents how adversaries are now leveraging large language models for vulnerability discovery and exploit development.

Technical Analysis

The zero-day targeted a logic flaw in the authentication flow of the admin tool — specifically a faulty trust assumption in how the platform handles session tokens after the first factor is validated. The exploit effectively skipped the 2FA challenge entirely by crafting a post-authentication request that the server accepted as fully authenticated.

Code analysis of the exploit strongly suggests it was AI-generated. Researchers noted that the Python script contained unusual patterns, automated-style code generation artifacts, and solutions that diverge from typical manual exploit development approaches. The exploit leveraged a high-level logic vulnerability — the kind of flaw that requires understanding the application's trust model rather than memory corruption, suggesting AI contributed to the reasoning process.

This is significant because 2FA bypasses are historically among the hardest vulnerabilities to find and exploit. They require understanding the semantic intent of the authentication flow, not just technical bugs. AI has now crossed that threshold.

Who's Affected

The specific open-source tool was not publicly named by Google, consistent with responsible disclosure while a patch is developed. However, the implication is broader: any organization running open-source web administration panels with similar authentication architectures is potentially at risk. Popular tools in this category manage infrastructure worth billions of dollars — think hosting control panels, network monitoring dashboards, and DevOps admin interfaces.

The cybercriminal group behind this operation has a history of mass-exploitation campaigns, suggesting they had infrastructure ready to scan and compromise thousands of instances simultaneously once the zero-day was deployed. Google did not identify the group but described it as "prominent" and well-resourced.

The downstream risk extends to every user who depends on 2FA as their last line of defense. If AI can reason through authentication logic, any application with similar trust model flaws becomes a target.

What This Means for the Industry

This marks a historic inflection point in cybersecurity. Previously, AI-assisted attacks focused on phishing generation, social engineering, and malware obfuscation. Developing a functional zero-day exploit is categorically different — it means AI can now discover novel vulnerabilities in real software and produce weaponized code without a human reverse-engineering the binary.

Defense teams need to update their threat models. Penetration testing must now account for AI-discovered logic flaws. Authentication frameworks need adversarial testing that specifically targets trust assumptions, not just cryptographic implementations. And vendors of open-source admin tools should assume their authentication code will be analyzed by machine intelligence and harden accordingly.

How to Protect Yourself

Audit authentication flows: Review every trust assumption in your login sequence. If a session can be marked "fully authenticated" before 2FA completes, that's the exact class of flaw this exploit targets
Implement continuous session validation: Re-verify authentication state at every privileged action, not just at login. Don't trust that completing step 1 means step 2 happened
Deploy anomaly detection on admin panels: Monitor for successful admin logins without corresponding 2FA challenge events in your auth logs
Assume attackers have AI: Threat-model your applications assuming the adversary can reason through logic flaws at scale. Code review and penetration testing must evolve to match
Audit your open-source admin tools: If you run any open-source web-based administration software, contact the vendor to confirm a patch exists for this vulnerability class

The Sable Angle

At Sable, our offensive security team uses AI-assisted techniques in our red team engagements — not because AI replaces human creativity, but because it changes the timeline. Adversaries have already crossed the AI exploit development threshold. The question is whether your defenses can detect what AI builds.

Our penetration testing and red teaming services simulate exactly this class of attack: automated vulnerability discovery, logic flaw exploitation, and post-authentication bypass. We don't just scan for known CVEs — we attack your trust models. If your authentication flow has a flaw an LLM can find, we'll find it first.