What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Cisco SD-WAN Auth Bypass CVE-2026-20182 Added to CISA KEV

What Happened

CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog on May 14, 2026, giving Federal Civilian Executive Branch agencies a hard deadline of May 17, 2026 — just three days — to remediate. The vulnerability is a critical authentication bypass in Cisco Catalyst SD-WAN Controller with a maximum CVSS score of 10.0. Cisco confirmed active exploitation in the wild, meaning attackers are already leveraging this flaw to gain administrative access to SD-WAN control planes without valid credentials. BleepingComputer reported that Cisco itself classified the flaw as maximum severity.

Technical Analysis

CVE-2026-20182 (CWE-287: Improper Authentication) resides in the control connection handshaking mechanism of Cisco Catalyst SD-WAN Controller. According to SOCRadar's analysis, the peering authentication mechanism does not work correctly, allowing an unauthenticated attacker to send crafted requests that bypass expected authentication checks during peering or control-connection establishment. The result: full administrative access to the SD-WAN control plane without any valid credentials. Tenable confirmed that CISA issued Emergency Directive 26-03 in response, underscoring the severity. The attack vector is network-adjacent — the attacker needs to reach the SD-WAN control plane, but in many deployments this is accessible from the public internet or through compromised branch devices.

Who's Affected

Any organization running Cisco Catalyst SD-WAN Controller (formerly Viptela) in their WAN infrastructure is potentially affected. SD-WAN is the backbone of enterprise connectivity — it manages traffic across branch offices, data centers, and cloud environments. A compromise of the SD-WAN control plane gives an attacker the ability to redirect traffic, intercept data, push malicious configurations to every edge device, and establish persistent access across the entire WAN. Government agencies are the most urgent case given the CISA KEV deadline, but every enterprise running Cisco SD-WAN should treat this as a critical priority. The flaw is part of a continued pattern of exploitation targeting Cisco SD-WAN control-plane components, suggesting attackers have developed specialized tooling for this platform.

How to Protect Yourself

1. Patch immediately. Cisco has released a software update that addresses CVE-2026-20182. Apply it to all Catalyst SD-WAN Controller instances — both on-premises and cloud-hosted — as soon as possible. The CISA KEV deadline is May 17 for federal agencies; private sector organizations should match that urgency.

2. Restrict control-plane access. If patching cannot happen within 24 hours, restrict access to the SD-WAN control plane to known management IPs only. Block all unauthorized access to control-plane ports at the firewall level.

3. Audit peering relationships. Review all active peering connections and control-plane handshakes for anomalies. Look for unexpected peering attempts or connections from unknown devices.

4. Monitor for configuration changes. An attacker with admin access will likely push malicious configurations to edge devices. Enable configuration change alerting and compare current configs against known-good baselines.

5. Review Cisco's IOCs. Cisco's security advisory includes indicators of compromise. Cross-reference these with your logs to determine if you've already been targeted.

The Sable Angle

SD-WAN infrastructure is one of the most underestimated attack surfaces in enterprise networks. Most security teams focus on endpoints and cloud workloads, but the WAN control plane is the connective tissue of the entire organization. When an attacker compromises the SD-WAN controller, they don't just get into one network — they get into every network. At Sable, our red team engagements routinely uncover exposed SD-WAN management interfaces during reconnaissance, often with default credentials or missing patches.

CVE-2026-20182 is a textbook example of why infrastructure-level vulnerabilities deserve the same urgency as endpoint CVEs. A CVSS 10.0 auth bypass in the system that controls your entire WAN is not a "next sprint" problem — it's a "drop everything" problem. If you're running Cisco SD-WAN and haven't verified your patch status today, that should be your first task this morning.