What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Microsoft Dismantles Fox Tempest: The $9K Malware-Signing Service Behind Ransomware's Trust Exploit

What Happened

On May 19, 2026, Microsoft announced the takedown of Fox Tempest, a malware-signing-as-a-service (MSaaS) operation that weaponized the company's own Artifact Signing system to give criminal malware the appearance of legitimate, trusted software. According to The Hacker News, the operation created over 1,000 fraudulent code-signing certificates and supported cybercriminal campaigns tied to ransomware, information stealers, and malware loaders. Microsoft seized websites and took down hundreds of virtual machines running the service, which had been operating as a commercial enterprise charging between $5,000 and $9,000 per signing.

Technical Analysis

Fox Tempest's business model was elegant in its abuse of trust. Microsoft's own security blog detailed how the operation exploited the Artifact Signing system — a legitimate Microsoft service designed to help developers prove the provenance and integrity of their software. By obtaining fraudulent certificates through this system, Fox Tempest gave ransomware and malware the digital equivalent of a government-issued ID: security tools, endpoint defenders, and operating systems would see a valid signature and treat the code as trusted.

The technical implications are significant. Code-signing certificates are one of the last lines of defense against malware execution. When a binary is signed with a trusted certificate, it bypasses SmartScreen warnings, application whitelisting policies, and many endpoint detection rules. CyberSecurityNews reported that cryptocurrency analysis links Fox Tempest to ransomware affiliates behind families including Qilin, Akira, and INC, with revenues reaching millions of dollars. The service didn't just sign one-off malware samples — it provided ongoing signing infrastructure that allowed ransomware gangs to continuously re-sign their tools as certificates rotated or were revoked.

Who's Affected

The scope of Fox Tempest's impact is global. The Register reported that the service compromised thousands of machines and networks worldwide, including at least 12 machines owned and operated by Microsoft itself — a detail that underscores how even the company providing the signing infrastructure was not immune to its abuse. Organizations in healthcare, critical infrastructure, and enterprise sectors were among the victims, though Microsoft has not released a full victim count.

The 1,000+ fraudulent certificates represent a systemic trust problem. Even with the takedown, certificates that were already issued and deployed in the wild may still be valid until their expiration dates or until explicit revocation. Organizations that relied on code-signing validation as a security control may have unknowingly trusted malware signed by Fox Tempest for weeks or months before the takedown.

How to Protect Your Organization

The Fox Tempest takedown is a reminder that code-signing trust is not absolute. Here's what security teams should do:

Audit your code-signing trust policies: Don't treat a valid signature as proof of safety. Implement additional controls — reputation scoring, behavioral analysis, and application allowlisting based on specific publisher identities rather than generic signature validation.
Monitor for revoked certificates: Check whether any software in your environment was signed by certificates associated with Fox Tempest. Microsoft is expected to publish a list of affected certificates — cross-reference it against your asset inventory.
Implement defense-in-depth for endpoint security: Code-signing bypass is a known attack technique. Layer your defenses with EDR behavioral detection, memory scanning, and network-level indicators of compromise rather than relying solely on signature-based trust.
Review your own signing infrastructure: If you operate a code-signing pipeline, audit it for abuse. Ensure that signing keys are stored in HSMs, that signing operations require multi-party authorization, and that all signing events are logged and monitored.
Threat-hunt for known IOCs: Microsoft and security vendors are publishing indicators of compromise related to Fox Tempest-signed binaries. Run these against your environment to identify any prior compromises.

The Sable Angle

Fox Tempest represents a trend we see constantly in offensive security: attackers don't break trust — they buy it. Rather than spending months developing a zero-day exploit, ransomware gangs paid $5,000-$9,000 for a legitimate code-signing certificate and bypassed millions of dollars in security infrastructure. This is the same pattern we've tracked in our research on startup security gaps and critical infrastructure vulnerabilities — the weakest link is rarely the cryptography; it's the trust model built on top of it.

At Sable, our red team engagements regularly test whether an organization's trust in signed code, verified vendors, or authenticated users can be exploited. The Fox Tempest takedown is a case study in why that testing matters. If your security model assumes that signed code is safe, our penetration testing and adversary simulation services can show you exactly how an attacker would exploit that assumption — before a ransomware gang does it for real.