What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Free Scan or Full Pentest? A Decision Guide for Founders Shipping a Vibe-Coded MVP

Every founder shipping an AI-built MVP hits the same fork in the road the week before launch. You ran a free security scanner, it gave you a grade, and now you're staring at a decision nobody prepared you for: is that scan enough, or do you actually need to pay someone to break into your app?

This guide answers that honestly. Not "you always need a $15,000 pentest" (you usually don't) and not "a free scan is fine, ship it" (it usually isn't). The right answer depends on three things: what you built, who your first users are, and what you're storing. Let's make the decision concrete.

The short version: a free scan tells you whether your front door is locked. A pentest tells you whether someone can walk through the walls. Most pre-launch founders need the first immediately and the second before they touch real customer data. If you're storing other people's data behind a login, you've already crossed the line where "free scan only" becomes negligent.

What a free scan actually checks (and what it can't)

A free security scan — including the free headers scan we run — is an unauthenticated, external look at your site. It hits your public URL the way an anonymous visitor (or a bot) would, and reports what it can see from the outside. That's genuinely useful, and it catches a surprising amount:

Missing security headers — no HSTS, no Content-Security-Policy, no X-Frame-Options. These are the difference between "clickjacking and XSS are hard" and "clickjacking and XSS are trivial." 89% of startup sites we scan fail this.
TLS / HTTPS misconfiguration — mixed content, weak redirects, missing HTTPS enforcement.
Information leakage in responses — verbose server headers, framework versions, stack traces leaking into production.
Obvious surface-level exposure — a public .env, an open /admin with no auth, a directory listing you forgot to disable.

Here's the hard limit: a free scan only sees what's reachable without logging in. It cannot test the logic behind your auth wall, because it doesn't have an account. And the most dangerous bugs in modern MVPs — the ones that actually leak your customers' data — live entirely behind the login.

What a free scan will never catch

If you built your MVP with Cursor, v0, Lovable, or Bolt, your most likely catastrophic bug is BOLA (Broken Object-Level Authorization, also called IDOR). It's when a logged-in user can read or modify another user's data by changing an ID in a request. We scanned 100 vibe-coded apps and 73 of them had a BOLA. A free external scan finds zero of them, because finding one requires logging in as User A and successfully fetching User B's records.

Here's the bug that ends startups, and why a scanner can't see it:

// app/api/invoices/[id]/route.ts — the auth check is there...
export async function GET(req, { params }) {
  const session = await getServerSession(authOptions)
  if (!session) return Response.json({ error: 'unauthorized' }, { status: 401 })

  // ...but the OWNERSHIP check is missing.
  const invoice = await db.invoice.findUnique({ where: { id: params.id } })
  return Response.json(invoice)
}

To a scanner, that endpoint returns 401 Unauthorized — it looks secure. To a logged-in attacker iterating /api/invoices/1 → /api/invoices/2, it returns every customer's billing data. The fix is one clause (where: { id: params.id, ownerId: session.user.id }), but no unauthenticated tool can tell you it's missing.

The same blind spot applies to the rest of the bugs that matter most after launch:

Supabase / Firebase tables without Row-Level Security — the public anon key in your client bundle can read tables you never meant to expose. 83% of exposed Supabase instances have this.
Privilege escalation — a normal user flipping a role field, or hitting an admin route that only checks "logged in," not "is admin."
Auth-flow flaws — password reset tokens that don't expire, session fixation, OAuth state that isn't validated.
Injection behind forms — SQL/NoSQL injection in a search box that the scanner never authenticated past.
Business-logic abuse — negative quantities, coupon stacking, race conditions on credit. No automated tool understands your business rules.

The decision framework

Run the free scan first, always. It's free, it takes three seconds, and if you fail the headers check you have homework before anything else is worth doing. Then use this to decide what comes next.

A free scan is enough (for now) if ALL of these are true:

Your app is a static or marketing site with no login and no user data.
You're pre-users — a waitlist or a landing page, nothing behind auth yet.
You store no personal data, no payments, no credentials belonging to anyone but you.

If that's you, fix your headers, enable HTTPS properly, and get back to building. Come back when you add a login.

You need a real test the moment ANY of these is true:

You have a login and a database — the instant users can create accounts, BOLA and broken access control become your #1 risk, and only an authenticated test finds them.
You store customer PII, health, financial, or messaging data — a single IDOR here is a disclosure email and possibly a regulatory event.
You're taking payments or handling money/credits — business-logic abuse is invisible to scanners and expensive when found in production.
A customer or investor is asking about security — "we ran a free scanner" is not an answer to a B2B procurement questionnaire.
You built it with an AI assistant and never wrote the auth middleware yourself — the failure modes are predictable and consistent, which is exactly why they need a human to chase the chains.

"Real test" doesn't have to mean a $15,000 enterprise pentest

This is where founders freeze. They assume the only options are "free scanner" and "hire a Big Four firm for the price of a developer." There's a middle that's built exactly for pre-launch startups: a focused, authenticated pentest scoped to your actual app — your auth flows, your API objects, your data isolation — not a 200-page compliance artifact you don't need yet.

That's the gap Sable fills. A real human runs an authenticated test against your stack, calibrated for indie and early-stage codebases, and you get back the findings that actually matter — with proof-of-concept repos so you can see and reproduce the bug, not just a CVSS number. A Pre-Launch Check starts at $29, which is roughly the cost of the lunch you'd buy the security consultant you can't afford.

The rule of thumb: match the test to the blast radius. No users, no data → free scan. Login plus data → authenticated pentest before you onboard customer #1. Payments, PII at scale, or an enterprise buyer → a recurring engagement with continuous monitoring, because the bugs come back every time your AI assistant generates a new route.

The launch-week sequence that actually works

Run the free scan today. It's the cheapest signal you'll ever get. Scan your site free →
Fix every red header. Copy-paste configs exist for Next.js, Vercel, Nginx, and Cloudflare; this is an afternoon, not a sprint.
Do the 5-minute self-audit on your own auth: log in as two users and try to read each other's data. If you can, you have a BOLA and you are not ready to launch.
Get an authenticated test before user #1 if you store anyone's data. This is the step that separates the founders who make the news from the ones who don't.
Re-test on every major release. AI assistants regenerate the same bug classes each time you add a feature — security isn't one-and-done.

FAQ

Can't I just run an open-source scanner like OWASP ZAP myself?

You can, and you should learn it. But automated scanners — free or open-source — share the same blind spot: they don't understand your business logic or your data-ownership model, which is where the dangerous bugs live. They find the easy 30%. The 70% that ends startups needs a human who can log in as two users and chain three small flaws into a full data breach.

How much does a startup pentest actually cost in 2026?

Enterprise engagements run $10k–$30k and are scoped for codebases you don't have yet. Startup-focused testing is dramatically cheaper because the scope is tight: Sable's Pre-Launch Check is $29, Founder Shield $79, and Scale Secure $199. The point isn't "cheap" — it's right-sized. You're paying for the auth-flow and access-control findings, not a compliance binder.

I passed the free scan with an A. Am I safe?

You have good headers. That's the front door. It says nothing about whether a logged-in user can read another user's records, which is the bug that actually breaches startups. An A on the free scan and a BOLA in your API can coexist happily — we see it constantly.

Do I need this if I'm using a no-code platform?

Yes, and arguably more. No-code and AI-code platforms ship the same default-insecure patterns (RLS disabled, missing ownership checks) at scale, and the CVE-2025-48757 Lovable disclosure exposed 170+ generated apps — one with 13,000 user records — through exactly this class of bug.

The bottom line

A free scan is necessary and almost never sufficient. Run it first — it's free and it's honest about your external surface. But the moment your app has a login and a database, the decision is already made for you: the bugs that matter are invisible from the outside, and you need someone to log in and try the doors.

Start where it costs nothing. Run the free scan now, fix what it flags, and if you're storing anyone's data behind a login, book the $29 Pre-Launch Check before you onboard your first real user. Your future self — the one not writing a breach-disclosure email during launch week — will thank you.