What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

cPanel Zero-Day CVE-2026-41940: Authentication Bypass Hit 1.5M Servers Before Patch

What Happened

On April 28, 2026, cPanel pushed an emergency patch for CVE-2026-41940 — a critical authentication bypass vulnerability in cPanel & WHM and WP Squared carrying a CVSS score of 9.8. The flaw had been exploited as a zero-day since at least February 23, 2026, meaning attackers had roughly two months of unrestricted access to hosting servers before a fix was available. Rapid7 confirmed active exploitation in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog within days of disclosure.

SecurityWeek reported that the bug was "exploited as a zero-day for months" — a rare admission that underscores how long attackers operated undetected. SecurityWeek noted that a public proof-of-concept was already circulating by the time the patch dropped, dramatically widening the attack surface.

Technical Analysis

CVE-2026-41940 is a pre-authentication remote authentication bypass. According to Picus Security's technical analysis, the exploit chains three distinct weaknesses: a CRLF injection in cPanel's session writer, an encryption-skip triggered by a malformed cookie, and a quirk in how cPanel caches sessions that allows an attacker to "promote" the injected payload into a privileged login session. No valid credentials are required at any point in the chain.

The vulnerability affects all cPanel & WHM versions after 11.40, including WP Squared. Patched versions range from 11.110 through 11.136, depending on the specific product line. The attack vector is network-based with low complexity — meaning any attacker who can reach the cPanel management port (2083/2087) can attempt exploitation without prior authentication.

Who's Affected

cPanel & WHM powers an estimated 1.5 million servers worldwide, making this one of the most consequential hosting infrastructure vulnerabilities of 2026. Picus Security estimates that the majority of these servers were running vulnerable versions at the time of disclosure. The two-month exploitation window means that any server running an unpatched version during February–April 2026 should be considered potentially compromised.

The downstream impact extends far beyond the hosting providers themselves. Each compromised cPanel server can host hundreds or thousands of customer websites, email accounts, and databases. A single successful authentication bypass gives the attacker root-level administrative control — the ability to create accounts, modify DNS records, access email, and deploy malware across every site on the server.

How to Protect Yourself

If you run cPanel & WHM or WP Squared, take these steps immediately:

Patch now. Update to the latest patched version (11.110+ for cPanel & WHM, 136.1.7+ for WP Squared). If you haven't updated since before April 28, assume your server may have been accessed.
Audit access logs. Review /usr/local/cpanel/logs/access_log and /var/log/messages for suspicious activity dating back to February 2026. Look for unexpected session creations or account modifications.
Rotate all credentials. Change root passwords, API tokens, and service account keys. Any credential stored on the server may have been exposed.
Check for unauthorized accounts. Run whmapi1 listaccts and verify every account. Attackers frequently create backdoor accounts with elevated privileges.
Enable two-factor authentication. If not already enforced, require 2FA for all cPanel and WHM accounts immediately. This limits the impact of any future authentication bypass.
Restrict management port access. Limit inbound connections to ports 2083 and 2087 to known IP ranges using your firewall. This reduces the attack surface for network-based exploits.

The Sable Angle

Supply chain and infrastructure-level vulnerabilities like CVE-2026-41940 are exactly the kind of threat that traditional vulnerability scanners miss — especially when the exploit chain involves session manipulation rather than a simple buffer overflow. At Sable, our offensive security team routinely tests hosting control panels, cloud management interfaces, and multi-tenant infrastructure for authentication bypass paths that automated tools can't find.

If you're a hosting provider or manage cPanel infrastructure at scale, our research on startup infrastructure vulnerabilities covers the attack patterns we see most often in shared hosting environments. The bottom line: patching is necessary but not sufficient. You need adversarial testing that simulates how actual attackers chain low-severity flaws into full server takeovers.