What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

France's ID Agency Breach Exposes 19 Million Passport and National ID Records

On April 15, 2026, the French government agency responsible for issuing passports, national ID cards, and driver’s licenses detected a cyberattack on its online portal. By April 22, the agency — known as France Titres (formerly ANTS, Agence Nationale des Titres Sécurisés) — confirmed unauthorized access had occurred. A hacker operating under the aliases "breach3d" and "ExtaseHunters" claimed to have exfiltrated between 18 and 19 million records and began shopping the data on cybercriminal forums.

French prosecutors took an unusual step: on April 30, they publicly linked the intrusion to a 15-year-old individual, highlighting how low the barrier to entry has become for attacks against critical government infrastructure.

What Happened

France Titres is the centralized platform through which French citizens apply for and renew identity documents. It handles the country’s most sensitive personal data: passport details, national ID card numbers, driver’s license information, and biometric reference data. The agency processes millions of requests annually from all French territories.

According to the BleepingComputer report, the attacker exploited a vulnerability in the agency’s web-facing infrastructure to gain access to internal databases. The hacker then posted samples of the stolen data on a dark web forum, claiming the full dataset contained records for up to 19 million individuals — roughly a third of France’s population. TechCrunch confirmed that French authorities acknowledged the breach but noted the investigation was ongoing and the exact scope remained under assessment.

The Register reported on April 30 that French prosecutors had identified a 15-year-old suspect linked to the mega-breach — a detail that underscores both the accessibility of offensive tooling and the sophistication gap in government defenses.

What Data Was Exposed

The compromised dataset allegedly includes login identifiers, full names, email addresses, dates of birth, postal addresses, places of birth, phone numbers, and account-level metadata tied to identity document applications. Cybernews reported that passport and national ID card data were among the exposed records, making this one of the largest government identity breaches in European history.

SC Media’s analysis noted that the breach potentially affected both individual and professional accounts, meaning businesses and government employees who used France Titres for administrative procedures may also be impacted.

Who’s Affected

France Titres serves all French citizens and residents. If the upper bound of 19 million records is accurate, approximately 28% of France’s 68 million residents had personal data exposed. The breach spans multiple data categories:

Passport holders — biometric references, document numbers, issue/expiry dates
National ID card holders — card numbers, photo references, address history
Driver’s license holders — license numbers, issue jurisdictions
Professional accounts — business identifiers for entities using France Titres for employee documentation

Phishing risk is immediate. The exposed email addresses and personal details create highly convincing spear-phishing material. Fraudsters can craft messages impersonating French government services, reference real document numbers, and target millions of citizens simultaneously.

How to Protect Yourself

If you’ve used France Titres or hold French identity documents, take these steps now:

Monitor for phishing. Expect emails and SMS messages impersonating government services. Verify any communication through official channels — never click links in unsolicited messages referencing your identity documents.
Freeze or flag your identity. Contact France Titres or ANSSI (the French national cybersecurity agency) to request a fraud alert on your identity record. This won’t prevent new document fraud but adds a verification layer.
Rotate credentials. If you used the same password on France Titres as other services, change it immediately. Enable MFA on all accounts that support it.
Verify document authenticity. If you receive a new identity document in the mail you didn’t request, report it to local police and France Titres immediately — stolen personal data can be used to fraudulently order replacements.
Watch for identity loan fraud. Exposed names, dates of birth, and addresses are prime inputs for synthetic identity creation and loan fraud. Check your credit reports with French credit agencies for unauthorized activity.

Why This Matters Beyond France

Government identity systems are high-value targets. They contain verified, accurate, and comprehensive personal data — exactly what fraudsters need for large-scale identity theft campaigns. The France Titres breach joins a growing list of 2026 government and critical infrastructure compromises that includes the Medtronic medical device breach and the Itron utility breach.

The fact that a teenager has been linked to this attack is not a novelty — it’s a signal. Offensive tooling, exploit kits, and dark web marketplaces have lowered the skill floor to the point where the bottleneck is motivation, not capability. Defenders at the national level need to assume that their perimeter will be tested by actors of every age and skill level, and design accordingly.

The Sable Angle

At Sable, we see government agencies and critical infrastructure operators face the same attack surface problems the private sector does — legacy systems, underfunded security teams, and perimeter-first architectures that crumble once an attacker gets a foothold. Our medtech breach research showed how a single unpatched third-party entry point can cascade into thousands of patient records. France Titres is the same pattern at national scale.

Sable Offensive runs penetration tests and red team operations against exactly these kinds of high-value government and identity platforms. The engagements aren’t checkbox exercises — they simulate what a motivated 15-year-old with a Kali laptop and six hours of free time would actually find. If your agency manages identity documents, passports, or biometric data, your threat model needs to include the France Titres scenario as a baseline assumption, not a hypothetical.