
Microsoft Exchange OWA Zero-Day CVE-2026-42897 Exploited via Crafted Emails

CVE-2026-42897 is a CVSS 8.1 reflected XSS zero-day in Exchange OWA actively exploited in the wild. On-prem Exchange 2016, 2019, and SE are affected. Here's what defenders need to do now.

Diego Diaz

What Happened

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a reflected cross-site scripting (XSS) vulnerability in the Outlook Web Access (OWA) component of on-premises Microsoft Exchange Server. The flaw is already being actively exploited in the wild — attackers are sending specially crafted emails that execute arbitrary JavaScript in the victim's browser context the moment the email is opened in OWA. No clicks on links or attachments required. BleepingComputer confirmed Microsoft explicitly warned customers that real-world attacks are underway.

Technical Analysis

CVE-2026-42897 carries a CVSS score of 8.1 (High) and is classified as a spoofing vulnerability. The root cause is improper neutralization of user-supplied input during web page generation in OWA. An unauthenticated attacker crafts a malicious email containing embedded script payloads. When the recipient opens that email through the OWA interface, the script executes within the security context of the user's Exchange session. According to CVE Reports, this allows the attacker to perform actions on behalf of the authenticated user — including reading emails, modifying mailbox rules, and potentially exfiltrating credentials or session tokens. The attack surface is strictly on-premises: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) are confirmed affected. Cloud-hosted Microsoft 365 / Exchange Online environments are not impacted.

Who's Affected

Every organization running on-premises Exchange Server 2016, 2019, or SE with OWA enabled is in scope. Despite years of Microsoft pushing customers toward Exchange Online, hundreds of thousands of organizations — including governments, hospitals, financial institutions, and mid-size enterprises — still rely on on-prem Exchange. The 2021 Hafnium attacks on ProxyLogon (CVE-2021-26855) proved that on-prem Exchange remains a high-value target. CVE-2026-42897 follows the same pattern: attackers know these servers sit inside corporate networks, often with delayed patching cycles and direct access to sensitive email data. If your organization runs on-prem Exchange and hasn't patched yet, assume you are a target.

How to Protect Yourself

1. Patch immediately. Microsoft released the fix in the May 2026 Patch Tuesday update. Apply the security update to all Exchange Server 2016, 2019, and SE instances without delay. This is the single most effective action.

2. Restrict OWA access. If patching cannot happen within 24 hours, restrict OWA access to known IP ranges via firewall rules or conditional access policies. Reducing the attack surface buys time.

3. Audit mailbox rules. Attackers who successfully exploit XSS in OWA often create forwarding rules to exfiltrate emails. Check for suspicious inbox rules on high-value accounts (executives, IT admins, finance).

4. Enable MFA on all Exchange accounts. While MFA doesn't prevent the XSS execution itself, it limits the attacker's ability to reuse stolen credentials from other vectors.

5. Monitor OWA logs for anomalies. Look for unusual script execution patterns, unexpected POST requests from OWA sessions, or logins from new geolocations following email opens.
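Step 3 above is the one most teams skip because it is tedious by hand. The following Exchange Management Shell script is an added example, not code from the Sable post or from Microsoft: it walks a list of high-value mailboxes and reports mailbox-level forwarding (set with Set-Mailbox, which never appears as an inbox rule) as well as inbox rules that forward, redirect or silently delete mail. The mailbox identities and the trusted-domain list are placeholders to replace with your own; the cmdlets (Get-Mailbox, Get-InboxRule) and the properties read are the standard ones.

```powershell
# Added example, not from the Sable post: audit high-value mailboxes for
# forwarding and suspicious inbox rules after a suspected OWA XSS compromise.
# Assumptions: run in an Exchange Management Shell session with a role that can
# read mailbox and inbox-rule settings; identities and domains are placeholders.

$HighValueMailboxes = @(            # placeholder identities, replace with your own
    'ceo@example.com',
    'cfo@example.com',
    'itadmin@example.com'
)
$TrustedDomains = @('example.com')  # forwarding to any other domain is flagged

function Test-ExternalAddress {
    # Inbox-rule recipients stringify as 'Display Name [SMTP:user@domain]';
    # plain SMTP strings are handled too.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    $smtp = if ($Address -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $Address }
    $domain = ($smtp -split '@')[-1].Trim().ToLowerInvariant()
    return -not ($TrustedDomains -contains $domain)
}

$Findings = @(foreach ($mbx in $HighValueMailboxes) {
    $m = Get-Mailbox -Identity $mbx -ErrorAction SilentlyContinue
    if ($null -eq $m) { Write-Warning "Mailbox not found: $mbx"; continue }

    # Mailbox-level forwarding is invisible in the OWA rules UI, so check it separately.
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx
            Type    = 'MailboxForwarding'
            Rule    = '(mailbox property)'
            Detail  = "ForwardingSmtpAddress=$($m.ForwardingSmtpAddress); " +
                      "ForwardingAddress=$($m.ForwardingAddress); " +
                      "DeliverToMailboxAndForward=$($m.DeliverToMailboxAndForward)"
        }
    }

    # Inbox rules that send mail elsewhere or silently delete it.
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx -ErrorAction SilentlyContinue)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $targets  = @($targets | Where-Object { $_ })
        $external = @($targets | Where-Object { Test-ExternalAddress ([string]$_) })
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox = $mbx
                Type    = 'InboxRule'
                Rule    = "$($rule.Name) (Enabled=$($rule.Enabled))"
                Detail  = "ExternalTargets=$($external -join ','); " +
                          "DeleteMessage=$($rule.DeleteMessage); MoveToFolder=$($rule.MoveToFolder)"
            }
        }
    }
})

if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No forwarding or suspicious inbox rules found on the listed mailboxes.' }
```

Run it once before patching to get a baseline and again after, and extend `$HighValueMailboxes` with `Get-Mailbox -ResultSize Unlimited` for a full sweep once the high-value accounts are clear. Disabled rules are reported too, because an attacker can re-enable one later.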
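For step 5 (and the IP allowlist from step 2), this added PowerShell example, likewise not from the post, parses the Exchange front end's IIS W3C logs, keeps only authenticated OWA requests, and flags two things a defender can act on: requests whose source IP is outside the allowed ranges, and users whose OWA traffic came from more than one source IP inside the examined window, which is worth correlating with the time a suspicious email was opened. The allowed CIDRs and the embedded log lines (including the `action=` query values) are constructed placeholders; the `#Fields:` header-driven parsing is what lets it run unchanged on a real log file read with Get-Content.

```powershell
# Added example, not from the Sable post: scan Exchange front-end IIS logs for
# OWA activity that warrants a closer look. Assumptions: default IIS W3C log
# format (a '#Fields:' header names the columns); the CIDR allowlist and the
# embedded log lines below are constructed placeholders, not real traffic.

$AllowedCidrs = @('10.0.0.0/8', '203.0.113.0/24')   # placeholder OWA allowlist

$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-15 08:01:10 10.0.0.5 GET /owa/ - 443 CORP\jdoe 10.0.4.22 Mozilla/5.0 200
2026-05-15 08:01:12 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CORP\jdoe 10.0.4.22 Mozilla/5.0 200
2026-05-15 08:03:40 10.0.0.5 POST /owa/service.svc action=UpdateInboxRule 443 CORP\jdoe 198.51.100.77 Mozilla/5.0 200
2026-05-15 08:04:01 10.0.0.5 GET /ecp/ - 443 CORP\admin 10.0.4.30 Mozilla/5.0 200
2026-05-15 08:05:30 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
'@

function ConvertFrom-IisLog {
    # Turn W3C log lines into objects whose property names match the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    $data = foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $line
    }
    $data | ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $all  = [int64]4294967295                      # 0xFFFFFFFF without int32 sign issues
    $mask = if ([int]$bits -eq 0) { [int64]0 } else { ($all -shl (32 - [int]$bits)) -band $all }
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

$entries = ConvertFrom-IisLog -Lines ($SampleLog -split "`r?`n")
# Authenticated OWA requests only; '-' is IIS's marker for an anonymous request.
$owa = @($entries | Where-Object { $_.'cs-uri-stem' -like '/owa*' -and $_.'cs-username' -ne '-' })

$Findings = @(foreach ($e in $owa) {
    $allowed = $false
    foreach ($cidr in $AllowedCidrs) {
        if (Test-IPInCidr -Ip $e.'c-ip' -Cidr $cidr) { $allowed = $true; break }
    }
    if (-not $allowed) {
        [pscustomobject]@{
            Time     = "$($e.date) $($e.time)"
            User     = $e.'cs-username'
            SourceIP = $e.'c-ip'
            Request  = "$($e.'cs-method') $($e.'cs-uri-stem') $($e.'cs-uri-query')"
            Reason   = 'Authenticated OWA request from outside the allowlist'
        }
    }
})

# Users whose OWA traffic came from more than one source IP in this window.
$Findings += @($owa | Group-Object 'cs-username' | ForEach-Object {
    $ips = @($_.Group.'c-ip' | Sort-Object -Unique)
    if ($ips.Count -gt 1) {
        [pscustomobject]@{
            Time     = '(window)'
            User     = $_.Name
            SourceIP = ($ips -join ',')
            Request  = "$($_.Count) requests"
            Reason   = 'OWA session activity from multiple source IPs'
        }
    }
})

$Findings | Format-Table -AutoSize -Wrap
```

On the constructed sample this reports the POST from 198.51.100.77 (outside both ranges) and flags CORP\jdoe for activity from two source IPs; the anonymous logon.aspx hit is ignored. To run it against production, replace `$SampleLog -split ...` with `Get-Content` over the files under the site's IIS log directory and tune the allowlist to your VPN and office ranges.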

The Sable Angle

On-prem Exchange servers are a recurring blind spot in enterprise security. They sit behind the perimeter, often excluded from cloud-first security tooling, and they process the most sensitive communication in any organization. At Sable, our offensive security team routinely finds Exchange OWA exposed during external assessments — sometimes with known CVEs unpatched for months. The pattern is always the same: the server was deployed years ago, the team assumes it's "internal and safe," and no one is actively monitoring it.

This is exactly the kind of vulnerability that our research team flags during red team engagements. A single crafted email to an executive's OWA mailbox can become the entry point for full domain compromise — mailbox exfiltration, lateral movement via stored credentials, and persistence through hidden forwarding rules. If you're running on-prem Exchange, now is the time to audit your exposure, not after the next breach report hits the news.