What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Exim CVE-2026-45185 — Unauthenticated RCE in the World's Most Deployed Mail Server

Key takeaway: CVE-2026-45185 — a use-after-free vulnerability in Exim's BDAT (binary data transmission) message body parsing — allows unauthenticated remote code execution on one of the world's most widely deployed mail transfer agents. Affects Exim versions 4.97 through 4.99.2 when built with GnuTLS. Patch to 4.99.3 immediately.

What Happened

On May 12, 2026, the Exim development team released version 4.99.3 to address CVE-2026-45185, a use-after-free vulnerability in the BDAT message body parsing path. The flaw, nicknamed "Dead.Letter," affects all Exim builds using the GnuTLS library for TLS connections — which is the default on most Linux distributions. The vulnerability can be triggered by a remote, unauthenticated attacker sending a specially crafted email.

Exim is the default MTA on Debian, Ubuntu, and numerous other Linux distributions. It's estimated to handle a significant portion of the world's email traffic. The vulnerability was discovered by the XBOW research team, who notably used AI assistance to help develop the working exploit — making this the second confirmed case of AI-assisted zero-day development in the same week.

Technical Analysis

The vulnerability is a use-after-free in Exim's BDAT handling code when TLS is managed by GnuTLS. The attack works when a client sends a TLS close_notify alert before the BDAT body transfer completes, then follows up with a final byte in cleartext on the same TCP connection. This sequence causes Exim to write into a memory buffer that has already been freed, resulting in heap corruption.

The affected versions are Exim 4.97 through 4.99.2 when compiled with GnuTLS support. Builds using OpenSSL are not affected. The vulnerability is remotely reachable — meaning any internet-facing Exim instance accepting SMTP connections is potentially exploitable without authentication.

The XBOW team demonstrated that the heap corruption is exploitable for arbitrary code execution. Combined with the unauthenticated nature of the attack, this makes CVE-2026-45185 a critical-severity vulnerability. While CVSS scoring was not yet published at the time of writing, the combination of remote, unauthenticated access and code execution potential places this firmly in the 9.0+ range.

Who's Affected

Exim is one of the most widely deployed mail transfer agents in the world. It ships as the default MTA on Debian, Ubuntu, CentOS, and numerous other Linux distributions. Any organization running Exim 4.97–4.99.2 with GnuTLS on an internet-facing mail server is at risk.

The attack surface is enormous: every SMTP relay, mail gateway, and email forwarding service running affected versions is a potential target. Unlike client-side vulnerabilities, mail servers are designed to accept connections from untrusted sources — there's no user interaction required, no phishing email to click. The attacker just needs to open an SMTP connection and send the malicious BDAT sequence.

The fact that AI was used to develop the exploit lowers the barrier for other threat actors to replicate the attack. Once the technique is public, expect scanning and exploitation attempts to begin within days.

How to Protect Yourself

Upgrade to Exim 4.99.3 immediately: This is the only complete fix. Run apt update && apt upgrade exim4 (Debian/Ubuntu) or your distribution's equivalent
Verify your Exim build: Run exim -bV | grep gnutls to confirm whether your build uses GnuTLS. If it uses OpenSSL, you're not affected by this specific vulnerability
Restrict SMTP access: As a temporary mitigation, limit which IPs can connect to your SMTP port (25/587) while you patch
Monitor for exploitation: Watch Exim logs for abnormal BDAT session terminations and unexpected process crashes — heap corruption may cause Exim child processes to segfault before code execution succeeds
Consider switching to OpenSSL builds: If your distribution offers an OpenSSL-built Exim package, it's not vulnerable to this specific flaw (though you should still patch for other reasons)

The Sable Angle

Mail servers are the crown jewels of infrastructure — they handle authentication emails, password resets, and internal communications. An unauthenticated RCE on an MTA isn't just a server compromise; it's a potential gateway to every account and service that depends on email.

At Sable, our infrastructure penetration testing includes MTA-specific attack simulations — BDAT fuzzing, SMTP command injection, and TLS downgrade attacks. We test whether your mail infrastructure can withstand the kind of protocol-level attacks that automated scanners miss entirely.

This is also the second AI-assisted zero-day disclosed this week. The threat model has changed: attackers don't need deep expertise in heap exploitation when AI can help them get there. Your defenses need to assume the adversary has machine-speed exploit development.