What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Crunchyroll Breach: How a Telus Supply-Chain Compromise Let Attackers In

Crunchyroll was not hacked directly. The attacker entered through a side door held open by a third-party contractor — and that distinction matters enormously for how defenders should respond. The breach we covered earlier (Crunchyroll: 100GB Stolen via a Telus Employee) established the facts. This piece goes deeper on the supply-chain mechanics, the Telus vector specifically, and the concrete indicator categories defenders should build detection around.

The Attack Chain, Step by Step

The structural logic of the Crunchyroll breach is textbook third-party pivot, but the details matter for defenders building detection:

Step 1 — Initial compromise at Telus Digital. Telus Digital, the outsourcing arm of the Canadian telecom, was breached earlier in March 2026 by the ShinyHunters group. The initial vector involved credentials found within previously exfiltrated Salesforce data — credentials that gave legitimate cloud access to Telus systems. This established attacker presence inside Telus Digital's environment.
Step 2 — Employee credential access. With presence inside Telus Digital, the attacker identified employee accounts assigned to Crunchyroll support operations. Telus Digital provides customer support and business-process outsourcing for large platforms including Sony-owned properties. Those employees had standing credentials to Crunchyroll's internal systems — ticketing, analytics, support tooling — as part of their daily workflow.
Step 3 — Lateral move to Crunchyroll systems. The attacker used the compromised Telus employee credentials to authenticate to Crunchyroll's internal systems. No exploit, no phishing of Crunchyroll employees directly, no vulnerability in Crunchyroll's perimeter. The identity verification passed because the credentials were legitimate.
Step 4 — Rapid exfiltration before detection. Approximately 100GB of data was extracted within 24 hours before Crunchyroll revoked the access. The speed and targeting of the exfiltration — customer ticketing records, internal analytics environments, employee data — indicates the attacker arrived with a map, not a shovel.

Why the Supply-Chain Angle Changes the Threat Model

A direct breach of Crunchyroll — exploiting a CVE in their perimeter, credential-stuffing their admin portal — would be detectable through standard defenses: web application firewall alerts, anomalous login attempts, rate limiting. The Telus pivot circumvents all of that because the access is expected.

Telus employee accounts authenticating to Crunchyroll support systems is normal. The IP ranges, the user agents, the behavioral patterns all look like routine contractor access. Anomaly-based detection trained on "what does a Crunchyroll employee look like" will miss an attacker using a Telus employee's legitimate session — unless you're also modeling "what does this specific third-party account normally do."

This is the core difficulty of supply-chain attacks on the victim side: the signal you need to detect the attack looks like legitimate behavior at every individual check point. It only becomes suspicious when you integrate across context — this account normally handles 50 tickets per shift, and tonight it bulk-queried 2 million records.

Indicators of Compromise: Categories to Hunt

Publishing specific hashes, IP addresses, or domain IOCs for this incident without verified forensic sourcing would be irresponsible — those details change quickly and fabricated IOCs cause more harm than no IOCs. What defenders can act on immediately are the indicator categories and the detection logic for this class of attack.

Authentication anomalies at the third-party session boundary:

Contractor or vendor accounts authenticating at unusual hours relative to their established pattern (a Telus-assigned support agent who always works 9–5 ET suddenly active at 2 AM)
Concurrent sessions from the same contractor account from geographically inconsistent IPs
Contractor account password or MFA token changes immediately followed by high-volume data access
VPN or anonymization infrastructure (Tor exit nodes, datacenter IP ranges) on contractor-assigned accounts that normally authenticate from residential or corporate ranges

Data access volume anomalies:

Bulk query patterns against ticketing or CRM systems from accounts that normally handle individual records
API calls with unusually high page-size parameters or pagination loops that enumerate entire table ranges
Export or download events on data objects the contractor account has never accessed in its behavioral baseline
Repeated access to internal documentation, runbooks, or infrastructure notes — reconnaissance behavior before targeted exfiltration

Exfiltration signals:

Outbound data transfer volume from contractor session that exceeds the 99th percentile for that account or account class
Data staged in intermediate locations (temp folders, download directories) that are accessed in rapid succession
Access to data outside the contractor's documented operational scope — a support agent querying analytics dashboards or employee records

How to Hunt This in Your Environment

If you use third-party vendors with standing access to your systems, the investigation should start with your identity and access management logs. The specific queries depend on your stack, but the logic is:

Baseline contractor account behavior. Pull 90 days of authentication and access logs for every vendor/contractor account class. Build a normal envelope: what hours, what IPs, what resources, what data volumes.
Alert on deviations, not just thresholds. A contractor who normally reads 200 records per session accessing 200,000 is not caught by a raw-count threshold set at 500,000. It is caught by a deviation-from-baseline alert: this account accessed 1,000x its normal volume.
Map your third-party access inventory explicitly. For every vendor with standing access: what systems, what permissions, what data classification. Most organizations have a partial answer to the first question and no answer to the third.
Scope your blast radius assumption correctly. If a vendor like Telus Digital is breached, assume every employee account with access to your systems is compromised until proven otherwise — not just the specific account implicated. Revoke and re-provision, don't triage account by account.

The Broader Pattern

Crunchyroll-via-Telus is the latest in a long chain: Target via HVAC contractor (2013), SolarWinds via software update infrastructure (2020), Uber via Lapsus$ contractor credential (2022), LastPass via a DevOps engineer's home workstation (2022). The vector is always a trusted third party whose security posture the victim organization cannot directly control but whose access they implicitly extend trust to.

The solution is not to eliminate third-party access — that is not operationally viable. The solution is to stop treating third-party access as a binary (has access / does not have access) and start treating it as a monitored surface with the same rigor as internal privileged access: least privilege scoping, behavioral baselining, anomaly detection, and rapid revocation playbooks that activate when the vendor reports a breach — not after you've finished your own investigation.

Crunchyroll had 24 hours between initial access and revocation. With better third-party behavioral monitoring, that window shrinks significantly. The data volume exfiltrated is a direct function of detection velocity.

For context on the upstream Telus Digital compromise that made this possible, see our analysis of the ShinyHunters breach of Telus Digital. For a practical framework on third-party access auditing, Sable's engagement model includes a vendor access inventory as a standard deliverable in every assessment.