
CVE-2026-9082: Unauthenticated SQL Injection in Drupal Core Lets Attackers Execute Remote Code on PostgreSQL Sites

Drupal patched a maximum-severity SQL injection flaw (CVE-2026-9082) in SA-CORE-2026-004. Unauthenticated attackers can exploit PostgreSQL-backed sites for RCE. Here's what defenders need to do now.

Diego Diaz

What Happened

On May 21, 2026, the Drupal Security Advisory team released SA-CORE-2026-004, patching a highly critical unauthenticated SQL injection vulnerability tracked as CVE-2026-9082 in Drupal Core's database API layer. The flaw affects all Drupal installations using PostgreSQL as their backend database — and given PostgreSQL's advanced features, successful exploitation can escalate from SQL injection to full remote code execution (RCE) on the underlying server. Drupal.org issued the advisory with its highest severity rating, urging site administrators to patch immediately.

The vulnerability requires zero authentication. An attacker does not need a user account, a valid session, or any prior access to the Drupal site. A single crafted HTTP request to an affected endpoint is enough to trigger the injection. The Hacker News reported that the flaw was disclosed alongside a coordinated release of patches across multiple Drupal core branches, suggesting the vulnerability had been under responsible disclosure for weeks before public release.

Technical Analysis

CVE-2026-9082 lives in Drupal Core's database abstraction layer, specifically in how the PostgreSQL driver constructs certain query parameters. The flaw allows an attacker to inject arbitrary SQL into queries that were previously considered parameterized and safe. Researchers at byteiota confirmed that the injection point bypasses Drupal's built-in SQL sanitization because the vulnerable code path concatenates user-supplied input directly into a query string before the database driver processes it.

The RCE escalation is what makes this flaw especially dangerous. PostgreSQL supports powerful server-side features like COPY TO, COPY FROM PROGRAM, and large object manipulation — all of which can be abused through SQL injection to execute operating system commands. CSO Online noted that proof-of-concept exploits leveraging PostgreSQL's COPY FROM PROGRAM to achieve RCE were circulating within hours of the advisory's publication. This means a single unauthenticated HTTP request can go from SQL injection to a reverse shell on the web server. Strictly, COPY ... PROGRAM runs the command on the PostgreSQL host under the database server's OS account, so the foothold lands on the database server, which on a typical single-host deployment is the web server itself.

Affected versions include Drupal 10.4.x before 10.4.6, Drupal 10.3.x before 10.3.14, and Drupal 11.0.x before 11.0.6. The vulnerability is specific to the PostgreSQL database driver — sites running MySQL or SQLite are not affected by this particular flaw. Pantheon's release notes confirmed the patched versions and recommended immediate updates for all hosted Drupal sites on their platform.

Who's Affected

Drupal powers approximately 1.2 million websites globally, including government portals, universities, healthcare systems, and enterprise platforms. While exact numbers of PostgreSQL-backed Drupal installations are not publicly available, PostgreSQL is the second most popular database backend for Drupal after MySQL, meaning hundreds of thousands of sites are potentially vulnerable. Kudelskisecurity researchers estimated that the attack surface includes a significant portion of high-value Drupal deployments, as enterprise and government sites tend to favor PostgreSQL for its advanced features and compliance certifications.

The unauthenticated nature of the attack dramatically increases the risk. Unlike authenticated vulnerabilities that require credential theft or social engineering, CVE-2026-9082 can be exploited by any attacker who can reach the Drupal site's web server. Internet-facing Drupal installations with PostgreSQL backends are at immediate risk, especially those running outdated versions that haven't applied the latest security patches.

How to Protect Yourself

1. Patch immediately. Update to Drupal 10.4.6, 10.3.14, 11.0.6, or later depending on your branch. If you cannot patch immediately, restrict access to the site via IP allowlisting or a WAF.

2. Audit your database driver. Confirm whether your Drupal installation uses PostgreSQL. Sites running MySQL or SQLite are not affected by CVE-2026-9082, but should still apply the patch as a precaution.

3. Review PostgreSQL permissions. Ensure the database role Drupal connects as has the minimum required privileges. Revoke COPY FROM PROGRAM, CREATE FUNCTION, and large object permissions if your application does not explicitly need them. In PostgreSQL 11 and later these are gated by superuser status and the predefined roles: COPY ... PROGRAM requires superuser or membership in pg_execute_server_program, COPY to or from a server-side file requires pg_read_server_files or pg_write_server_files, and creating functions in untrusted languages and server-side lo_import/lo_export are superuser-only by default. The practical check is therefore that Drupal's role is NOSUPERUSER and not a member of those predefined roles. This limits the RCE escalation path even if the SQL injection is triggered.

4. Deploy a Web Application Firewall (WAF). Rules targeting SQL injection patterns in Drupal database queries can provide temporary protection while patching is in progress. Both ModSecurity and commercial WAF vendors released emergency rules for CVE-2026-9082 within hours of disclosure.

5. Monitor web server and database logs for exploitation attempts. Look for unusual database errors, unexpected COPY statements, or anomalous query patterns in your PostgreSQL logs. Early detection of exploitation attempts can prevent full compromise.
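Step 5 in practice, as an added example that is not from the advisory or Drupal: it scans PostgreSQL server log lines for the COPY ... PROGRAM and large-object calls the article names, plus a generic injection signature, and groups hits by backend pid so one hostile session stands out. The log excerpt is constructed, and log_statement = 'all' with the default log_line_prefix is assumed.

```python
import re
from collections import Counter

# Constructed PostgreSQL log excerpt (log_statement = 'all', default prefix '%m [%p] '); not real traffic.
SAMPLE_LOG = """\
2026-05-21 10:15:01.101 UTC [4321] LOG:  statement: SELECT nid, title FROM node_field_data WHERE nid = $1
2026-05-21 10:15:02.204 UTC [4322] ERROR:  syntax error at or near "'" at character 58
2026-05-21 10:15:02.204 UTC [4322] STATEMENT:  SELECT nid FROM node_field_data WHERE status = '1''
2026-05-21 10:15:03.310 UTC [4322] LOG:  statement: SELECT 1 UNION SELECT version()--
2026-05-21 10:15:04.412 UTC [4322] LOG:  statement: COPY cmd_output FROM PROGRAM '<command>'
2026-05-21 10:15:05.515 UTC [4322] LOG:  statement: SELECT lo_export(16400, '/tmp/x')
2026-05-21 10:15:06.616 UTC [4323] LOG:  statement: COPY node_export TO '/var/lib/postgresql/export.csv'
"""
# One log line: timestamp, backend pid, level, message (the "statement: " tag is stripped).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?:statement: )?(?P<msg>.*)$", re.M)

# (severity, rule, pattern): the first three are the escalation path the advisory describes,
# the last is a generic injection signature. Severity is a triage order, not a verdict.
RULES = [
    ("critical", "copy_program", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    ("high", "server_file_access",
     re.compile(r"\b(lo_import|lo_export|pg_read_file|pg_read_binary_file|pg_ls_dir)\s*\(", re.I)),
    ("high", "copy_file", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+'", re.I)),
    ("medium", "union_or_comment", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b|--\s*$", re.I)),
]
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}

def scan_log(text):
    # Returns (findings, syntax_errors_per_pid); a finding is (pid, severity, rule, sql).
    findings, errors = [], Counter()
    for m in LINE_RE.finditer(text):
        pid, level, msg = m["pid"], m["level"], m["msg"]
        if level == "ERROR" and msg.startswith("syntax error"):
            errors[pid] += 1  # a burst of these from one backend looks like injection probing
        elif level in ("LOG", "STATEMENT"):  # the lines that carry SQL text
            findings += [(pid, sev, name, msg) for sev, name, pat in RULES if pat.search(msg)]
    return findings, errors

def triage(text):
    # Group by backend pid so one hostile session stands out from normal traffic.
    findings, errors = scan_log(text)
    report = {}
    for pid, sev, name, _sql in findings:
        entry = report.setdefault(pid, {"max_severity": sev, "rules": [], "syntax_errors": 0})
        if name not in entry["rules"]:
            entry["rules"].append(name)
        entry["max_severity"] = max(entry["max_severity"], sev, key=SEVERITY_RANK.get)
    for pid, n in errors.items():  # errors with no recognised payload are still worth a look
        report.setdefault(pid, {"max_severity": "medium", "rules": [], "syntax_errors": 0})["syntax_errors"] = n
    return report
```

Running `triage(SAMPLE_LOG)` flags backend 4322 as critical (probe, UNION, COPY ... PROGRAM, lo_export) and 4323 as high (COPY to a server file), while the normal parameterized query on 4321 is not reported.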

The Sable Angle

SQL injection remains one of the oldest and most reliable attack vectors in web application security, yet it continues to appear in major CMS platforms — even those with mature security teams and dedicated bug bounty programs. At Sable, our offensive security researchers regularly identify injection flaws during penetration tests of enterprise web applications, including Drupal, WordPress, and custom-built platforms.

The CVE-2026-9082 case is a textbook example of why defense in depth matters. Patching the CMS is necessary but not sufficient. Hardening the database layer, enforcing least-privilege principles, and deploying runtime application self-protection (RASP) all reduce the blast radius when — not if — a zero-day drops. If your organization runs Drupal or any other CMS at scale, our team can help you build a layered security posture that survives the next critical advisory.