What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Three Microsoft Defender Zero-Days Under Active Attack; Two Remain Unpatched

What Happened

On April 14, 2026, Microsoft released its Patch Tuesday updates addressing over 160 vulnerabilities, including two zero-day flaws in Windows Defender. Within days, security researchers revealed that a total of three distinct zero-day vulnerabilities in Microsoft Defender were being actively exploited in the wild — with two remaining unpatched as of late April. (SecurityWeek)

The disclosure triggered an emergency directive from CISA, ordering federal agencies to patch the BlueHammer vulnerability within 72 hours. The flaws allow attackers to bypass Microsoft's built-in antivirus protection entirely, granting full system access on compromised machines. (BleepingComputer)

Technical Analysis

The three zero-days — named BlueHammer, RedSun, and UnDefend — target different components of the Windows Defender ecosystem but share a common goal: disabling real-time protection to deploy malware undetected. (Help Net Security)

CVE-2026-33825 is the identifier tied to both BlueHammer and RedSun vulnerabilities. This flaw exploits a race condition in the Windows Defender update verification process, allowing a local attacker to inject malicious code during the signature update cycle. The attack achieves SYSTEM-level privileges by hijacking the MpDefenderCore service. The third vulnerability, UnDefend, targets the Windows Security GUI component, enabling attackers to manipulate the user interface and hide disabled protection status from administrators. All three flaws affect Windows 10 and Windows 11 systems running Microsoft Defender with real-time protection enabled.

Who's Affected

The attack surface is enormous. Microsoft Defender ships pre-installed on over 1 billion Windows devices worldwide, making this one of the most significant security incidents of 2026. While Microsoft patched BlueHammer and RedSun in the April 14 Patch Tuesday, the UnDefend vulnerability remains unpatched as of April 21. (SecurityWeek)

Federal agencies in the United States face the most immediate risk. CISA's emergency directive applies to all civilian executive branch agencies, requiring patching within 72 hours of the advisory. However, the private sector and international organizations remain exposed until Microsoft releases a complete fix.

How to Protect Yourself

Apply the April 2026 Patch Tuesday updates immediately — this addresses BlueHammer and RedSun. Verify the update status via Windows Update or your patch management console.
Monitor for disabled real-time protection — use PowerShell commands or SIEM rules to alert when the Windows Security center reports protection as disabled or expired.
Implement application control policies — restrict execution of unsigned binaries in sensitive directories to limit the impact of a successful exploit.
Deploy additional endpoint detection — consider third-party EDR solutions as a compensating control while the Defender vulnerabilities remain partially unpatched.
Audit privileged accounts — the BlueHammer exploit requires local access, so limiting admin privileges reduces the attack chain feasibility.

The Sable Angle

These vulnerabilities underscore a uncomfortable truth: even the security tools we trust most can become attack vectors. At Sable, our offensive security team has spent years demonstrating how endpoint protection can be turned against users. The BlueHammer and RedSun flaws are textbook examples of the kind of vulnerabilities we identify during red team engagements — flaws that exist not because of unknown unknowns, but because defenders assume their tools are trustworthy.

Our research into Windows Defender internals has contributed to the broader security community's understanding of these attack surfaces. We believe that transparent disclosure — even when uncomfortable for vendors — ultimately strengthens defensive capabilities. Organizations that wait for vendor patches alone will always be one step behind. Proactive threat hunting, regular red team exercises, and defense-in-depth architecture are the only sustainable path forward.