Tags: linux-kernel, privilege-escalation, cve-2026-43284, cve-2026-43500, dirty-frag

Dirty Frag: Chained Linux Kernel Flaws Give Root on Every Major Distribution

CVE-2026-43284 and CVE-2026-43500 chain two kernel page-cache flaws for deterministic root escalation. Public PoC available. Here's what to patch.

Diego Diaz

What Happened

On May 7, 2026, a chained Linux kernel privilege escalation vulnerability called Dirty Frag was publicly disclosed after an embargo break. The exploit combines two previously unknown kernel flaws — CVE-2026-43284 in the xfrm-ESP subsystem and CVE-2026-43500 in the RxRPC subsystem — to achieve deterministic, near-certain root access from an unprivileged local account. A public proof-of-concept exploit was published on GitHub within hours of disclosure, and Microsoft confirmed active exploitation in the wild on May 8.

The vulnerability affects all major Linux distributions running kernels released since 2017, including Ubuntu, Red Hat Enterprise Linux, Fedora, Debian, and Amazon Linux. CVE-2026-43284 was patched in the mainline Linux kernel shortly after disclosure; CVE-2026-43500 patches are still rolling out to distributions as of this writing.

Technical Analysis

Dirty Frag belongs to the same vulnerability class as CopyFail (CVE-2026-31431), which was disclosed just eight days earlier. Both exploits abuse the Linux kernel's page-cache behavior to achieve arbitrary write primitives. The key difference: Dirty Frag is more reliable and does not depend on race conditions.

The attack works in two stages. First, the attacker exploits CVE-2026-43284, a page-cache write flaw in the IPsec ESP (xfrm) subsystem. By manipulating ESP fragment handling through the kernel's networking stack, an unprivileged user can write controlled data into shared page-cache memory. Second, CVE-2026-43500 targets the RxRPC (Remote Procedure Call) subsystem, providing a second page-cache write primitive that operates on different kernel memory regions. Chaining these two writes allows the attacker to overwrite critical kernel data structures — specifically, credentials and security contexts — to escalate from an unprivileged UID (such as nobody) to full root.

According to Qualys' technical analysis, the exploit achieves "deterministic, near-certain root access" without requiring timing-sensitive race conditions. This makes it significantly more practical than CopyFail, which required precise timing to succeed. The public PoC by researcher Hyunwoo Kim (@v4bel) demonstrates the full chain in under 30 seconds on unpatched systems.

Who's Affected

The scope is enormous. Any Linux system running a kernel from 2017 onward is potentially vulnerable. That covers:

  • Ubuntu 18.04 LTS and later (including 24.04 LTS) — Ubuntu published fixes on May 8
  • Red Hat Enterprise Linux 7, 8, and 9 — Red Hat issued RHSB-2026-003 with patches for CVE-2026-43284
  • Fedora 35 and later
  • Debian 10 (Buster) and later
  • Amazon Linux 2 and 2023
  • Most cloud-hosted Linux instances, CI/CD runners, Kubernetes nodes, and shared hosting environments

The vulnerability is local — it requires an existing unprivileged account on the target system. In practice, this means any multi-user environment, any container escape scenario, or any compromised low-privilege service account becomes a launchpad for full root takeover. The Cloud Security Alliance flagged AI/ML infrastructure as particularly high-risk, since shared GPU clusters and ML training environments often run with multiple untrusted users on the same kernel.

How to Protect Yourself

1. Patch your kernel immediately. CVE-2026-43284 has patches in mainline Linux. Update to the latest stable kernel for your distribution. For RHEL, apply the RHSB-2026-003 advisory. For Ubuntu, run sudo apt update && sudo apt upgrade linux-image-generic.

2. Verify CVE-2026-43500 patch status. This second CVE is still being rolled out. Check your distribution's security tracker. If no patch is available yet, apply the interim mitigations below.

3. Restrict kernel module loading. If you don't use IPsec (ESP) or RxRPC in your environment, blacklist the vulnerable modules: add install esp4 /bin/false and install rxrpc /bin/false to /etc/modprobe.d/blacklist-dirtyfrag.conf. This blocks the attack vector without requiring a full kernel update.

4. Audit local user access. Since Dirty Frag is a local exploit, reduce your attack surface by removing unnecessary user accounts, enforcing least-privilege access, and monitoring for suspicious local activity. Tools like Sysdig and Falco can detect the exploit signature in real time.

5. Harden container boundaries. If you run containers, ensure they use user namespaces, drop all unnecessary capabilities, and mount the root filesystem read-only where possible. A container escape combined with Dirty Frag gives an attacker root on the host.
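The following script is an added example, not code from the original post or from Sable; it implements the module-blocking mitigation from step 3 and adds the two checks a practitioner would want afterwards. It assumes a standard modprobe.d layout (the MODPROBE_DIR override is a constructed hook so the script can be exercised without touching /etc), and it also denies esp6 on the assumption that the IPv6 ESP path should be closed alongside esp4, which the post does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): write the modprobe.d
# "install" rules for the Dirty Frag modules, then verify them.
set -eu

# Constructed override so the script can run in a scratch directory.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
CONF_NAME="blacklist-dirtyfrag.conf"

# esp4 and rxrpc are the modules named in the post; esp6 is an assumption
# added here to cover IPv6 ESP as well.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write one "install <module> /bin/false" line per module. An "install"
# rule blocks both an explicit modprobe and alias-based on-demand loading
# (for example the load triggered by an unprivileged socket() call);
# a plain "blacklist" line only covers the alias case.
write_dirtyfrag_conf() {
    mkdir -p "$MODPROBE_DIR"
    conf="$MODPROBE_DIR/$CONF_NAME"
    : > "$conf"
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    echo "$conf"
}

# Return 0 if the config file carries an install-deny rule for module $1.
module_is_denied() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false" \
        "$MODPROBE_DIR/$CONF_NAME"
}

# Print any of the target modules that are already loaded. An install
# rule does not unload a module, so a loaded one still needs rmmod (or a
# reboot) before the mitigation is effective.
loaded_dirtyfrag_modules() {
    [ -r /proc/modules ] || return 0
    for m in $DIRTYFRAG_MODULES; do
        if awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' /proc/modules; then
            echo "$m"
        fi
    done
}

# Apply and report only when invoked with --apply, so sourcing the file
# for its functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    written="$(write_dirtyfrag_conf)"
    echo "wrote $written"
    for m in $DIRTYFRAG_MODULES; do
        module_is_denied "$m" && echo "denied: $m"
    done
    loaded="$(loaded_dirtyfrag_modules)"
    if [ -n "$loaded" ]; then
        echo "still loaded (rmmod or reboot needed): $loaded"
    fi
fi
```

Run it as root with --apply on a host that does not use IPsec or RxRPC; afterwards, `modprobe -n -v esp4` (a dry run) should show the install rule rather than a module path. The loaded-module check matters because the rule only prevents future loads, and the same caveat applies to step 1: a kernel package update protects the host only after it has been rebooted into the new kernel.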

The Sable Angle

Dirty Frag is a textbook example of why offensive security testing matters. The vulnerability sat undiscovered in the Linux kernel's networking stack for nearly a decade — the affected code paths date back to 2017. Chained LPE exploits like this are exactly what red teams look for during post-compromise assessments: the difference between a low-privilege foothold and full domain control.

At Sable, our offensive research team tracks kernel-level vulnerabilities as part of our vulnerability research program. We've covered similar kernel exploitation chains in our analyses of vLLM RCE and MoltBot. If your infrastructure runs multi-tenant Linux workloads — cloud instances, CI/CD pipelines, Kubernetes clusters — our penetration testing engagements include kernel exploitation testing to find these chains before attackers do. The window between public PoC and mass exploitation is shrinking. Patch now.