What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Grafana GitHub Token Theft: Codebase Downloaded, Ransom Rejected

What Happened

On May 17, 2026, Grafana Labs disclosed that an unauthorized party gained access to its internal GitHub environment using a compromised token and downloaded the company's full source code. The attacker then attempted to extort the company with a ransom demand. Grafana refused to pay. According to The Hacker News, the breach did not expose customer data or disrupt Grafana's operations, but the theft of a production codebase is a worst-case scenario for any software vendor.

The group behind the extortion attempt has been identified as CoinbaseCartel, a threat actor that has previously targeted development infrastructure. Hackread reported that Grafana's security team detected the intrusion, revoked the compromised token, and engaged law enforcement rather than negotiating with the attackers.

Technical Analysis

The attack vector was straightforward: a single GitHub token with sufficient permissions to clone repositories was leaked or stolen. No zero-day exploit, no malware, no phishing campaign. Just a credential that opened the door to the entire codebase.

This is consistent with a broader pattern in 2026. Netcrook's analysis notes that "not every breach starts with malware. Sometimes it starts with a token: a small piece of digital trust that behaves much like a password." The attacker used the token to authenticate against GitHub's API, enumerate repositories, and clone Grafana's source code — all without triggering standard access alerts because the requests appeared to come from a legitimate credential.

The key failure: the token likely had broader permissions than necessary and was not monitored for anomalous usage patterns such as bulk repository cloning from an unusual IP or at an unusual time.

Who's Affected

Grafana Labs is the company behind Grafana, the open-source analytics and monitoring platform used by over 1 million organizations worldwide. While Grafana confirmed that customer data was not compromised in this incident, the theft of the full source code creates downstream risk:

Security researchers and attackers can now audit the codebase for undisclosed vulnerabilities, potentially discovering zero-days before patches are available.
Supply chain risk increases if the attacker modifies and redistributes trojanized versions of Grafana components.
Competitive intelligence — proprietary features, architecture decisions, and unreleased roadmap items are now exposed.
Developer trust — Grafana's contributor community and enterprise customers rely on the company's ability to protect its development infrastructure.

This is the same playbook that hit Microsoft, Samsung, and Nvidia via the LAPSUS$ group: steal source code, demand ransom, and leak if unpaid. The difference this time is that Grafana said no.

How to Protect Yourself

If your organization uses GitHub (or any source control platform), these are the concrete steps to take today:

Audit all tokens and PATs — List every personal access token, OAuth token, and machine account credential in your GitHub organization. Revoke any that are unused or over-permissioned. Phemex's coverage recommends treating token rotation as a critical security control, not an afterthought.
Enforce least-privilege scopes — No token should have organization-wide read access unless absolutely necessary. Scope tokens to specific repositories and specific actions.
Enable IP allowlisting — Restrict token usage to known IP ranges. Bulk clone operations from unexpected geographies should be impossible.
Monitor for anomalous API usage — Set alerts for bulk repository access, unusual clone volumes, or access from new IP addresses. GitHub Enterprise supports audit log streaming to SIEM platforms.
Rotate tokens on a schedule — Treat tokens like passwords: rotate them regularly and immediately after any personnel change.

The Sable Angle

At Sable, we see this pattern constantly in our offensive assessments. Development infrastructure — GitHub, GitLab, CI/CD pipelines, artifact repositories — is consistently the least defended and most valuable attack surface in modern organizations. Attackers know that one token can unlock more than any phishing email.

Our research into AI agent vulnerabilities and startup security gaps has shown that the shift to cloud-native development has outpaced security tooling. If you're running Grafana, managing GitHub organizations, or building CI/CD pipelines, our offensive team can help you find the exposed tokens and misconfigurations before CoinbaseCartel does.