What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

CVE-2026-41940: cPanel Authentication Bypass Hit 1.5M Servers Before Anyone Noticed

What Happened

On April 28, 2026, cPanel issued an emergency security update for an authentication bypass vulnerability tracked as CVE-2026-41940 with a CVSS score of 9.8. The flaw affects cPanel & WHM (WebHost Manager) and WP Squared, and it was already being exploited in the wild as a zero-day for months before the patch dropped. BleepingComputer confirmed that a proof-of-concept exploit was publicly available within hours of disclosure.

The scale is significant: over 1.5 million cPanel instances are estimated to be exposed to the internet, according to Picus Security. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a hard deadline to patch.

Technical Analysis

CVE-2026-41940 is a CRLF injection vulnerability in cPanel & WHM's authentication flow. By injecting carriage return and line feed characters into specific HTTP requests, an unauthenticated attacker can bypass the authentication mechanism entirely and gain direct access to WHM administrative functions — no credentials required. Rapid7's analysis confirms the attack can be executed with a single crafted HTTP request.

The vulnerability exists in how cPanel parses certain HTTP headers during the authentication handshake. The CRLF injection allows an attacker to terminate the authentication check prematurely and inject a forged session response, effectively telling the server "this user is already authenticated." From there, the attacker has full WHM access — the same level of control as a hosting provider's root administrator.

According to SecurityWeek, the flaw was exploited as a zero-day for months before cPanel became aware, meaning attackers had a significant head start on compromising hosting infrastructure worldwide.

Who's Affected

Any organization running unpatched cPanel & WHM instances is at risk. This includes:

Shared hosting providers — the largest attack surface, with thousands of customer sites per server
Managed WordPress hosts — many rely on WHM for server management
Internal development servers — cPanel instances running on private networks are still vulnerable to insider threats or lateral movement
WP Squared users — the related management platform is also affected by the same flaw

The downstream risk is severe: a single compromised WHM instance gives an attacker access to every website and database on that server. For shared hosting providers, that could mean thousands of customer sites, email accounts, and databases exposed in one shot.

How to Protect Yourself

If you run cPanel & WHM, take these steps immediately:

Apply the security update now. cPanel released patches on April 28, 2026. Update to the latest build via the cPanel interface or run upcp from the command line. See the official advisory.
Audit WHM access logs. Look for suspicious authentication patterns — particularly requests with unusual HTTP headers or CRLF characters in the request stream. Check logs going back several months given the zero-day exploitation window.
Rotate all credentials. Assume any WHM, root, or account-level credentials on affected servers may have been compromised during the zero-day period.
Restrict WHM access by IP. Limit WHM access to known administrative IPs only. This reduces the attack surface even if a similar vulnerability emerges in the future.
Monitor for indicators of compromise. Check for unauthorized cron jobs, new user accounts, modified configuration files, or unexpected outbound connections from your servers.

The Sable Angle

Authentication bypass vulnerabilities like CVE-2026-41940 are exactly the kind of flaws our offensive team looks for during penetration tests. A single CRLF injection that skips authentication entirely is a red-teamer's dream — and a defender's nightmare. The fact that this went undetected as a zero-day for months tells you something important about the state of hosting infrastructure security: most providers aren't monitoring for anomalous authentication patterns at the HTTP header level.

At Sable, we approach infrastructure security from an attacker's perspective. Our research team tracks vulnerabilities like this in real time, and our offensive engagements simulate exactly this kind of attack chain — from initial access through full server compromise. If your organization relies on cPanel or any hosting management platform, now is the time to validate your defenses before the next zero-day drops.