What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Two Critical CVEs Hit Hugging Face: TGI DoS (CVE-2026-0599) and LeRobot Unauthenticated RCE (CVE-2026-25874)

What Happened

Hugging Face — the world's largest AI model hosting platform — is dealing with two critical vulnerabilities in its core infrastructure projects. CVE-2026-0599 (CVSS 7.5) affects Text Generation Inference (TGI), the company's production serving engine, and allows unauthenticated remote attackers to crash host machines through unbounded external image fetching. CVE-2026-25874 (CVSS 9.8) affects LeRobot, Hugging Face's open-source robotics learning framework, and allows unauthenticated remote code execution via unsafe pickle deserialization over gRPC. Both vulnerabilities require zero credentials, zero user interaction, and minimal technical skill to exploit (SentinelOne, Cloud Security Alliance).

CVE-2026-0599 — TGI Unbounded Image Fetch (DoS)

Text Generation Inference is Hugging Face's production-grade serving engine used by thousands of organizations to deploy large language models and vision-language models (VLMs) at scale. The vulnerability exists in TGI version 3.3.6 and below, specifically when operating in VLM mode.

The attack vector is deceptively simple: when the TGI router processes user input containing Markdown image links (![](url)), it performs a blocking HTTP GET request to fetch the referenced image, reading the entire response body into memory and cloning it before any size validation or token limit check occurs. An attacker can supply URLs pointing to arbitrarily large resources — or simply flood the server with requests containing many image tags — to exhaust memory, saturate network bandwidth, and spike CPU utilization simultaneously (GitHub Advisory GHSA-j7x9-7j54-2v3h).

Key facts:

Affected: text-generation-inference < 3.3.7
Attack vector: Unauthenticated HTTP requests with crafted Markdown image links
Impact: Memory exhaustion, bandwidth saturation, CPU overutilization, host crash
Default config makes it worse: Default deployments lack both memory usage limits and authentication
The vulnerability triggers even if the request is later rejected for exceeding token limits — the damage happens during input validation, before rejection logic runs
Patched in: TGI 3.3.7, which adds proper bounds checking and resource controls for external image fetching

CVE-2026-25874 — LeRobot Unauthenticated RCE via Pickle

LeRobot is Hugging Face's framework for training and deploying machine learning policies on real robotic hardware. It is not a web application — it controls physical robots. The vulnerability resides in the async inference PolicyServer component, which listens on a network port and deserializes incoming data using Python's pickle.loads() — on unauthenticated, unencrypted gRPC channels (PurpleOps).

The attack requires nothing more than network access to the PolicyServer port. An attacker crafts a malicious serialized Python object; when pickle.loads() deserializes it, embedded system commands execute with the permissions of the running process. No credentials. No multi-step chain. No user interaction (Resecurity).

Key facts:

Affected: LeRobot all versions through 0.5.1
CVSS 3.1: 9.8 (Critical) — CWE-502: Deserialization of Untrusted Data
Attack vector: Crafted pickle payload over unauthenticated gRPC to PolicyServer
Impact: Full arbitrary OS command execution on the host
Physical safety risk: LeRobot controls real robotic hardware. RCE means an attacker could cause service disruption, sabotage, or physical safety incidents if robots are connected
Unpatched as of April 28, 2026 public disclosure: A fix is planned for v0.6.0 but has not yet shipped

Who's Affected

These vulnerabilities hit two distinct but overlapping audiences:

TGI (CVE-2026-0599): Any organization running Hugging Face's Text Generation Inference in production — particularly those using VLM mode with models like LLaVA, IDEFICS, or any vision-capable deployment. Given that TGI is the recommended serving backend for Hugging Face Inference Endpoints, the blast radius includes a significant portion of the AI production ecosystem.
LeRobot (CVE-2026-25874): Robotics labs, manufacturing environments, and research institutions running LeRobot's PolicyServer in any network-accessible configuration. The physical safety dimension makes this especially urgent for any deployment connected to real hardware.
Shared risk: Organizations using both TGI and LeRobot in their AI/ML pipeline face compounded exposure — a DoS vector on the inference side and an RCE vector on the robotics side.

How to Protect Yourself

For CVE-2026-0599 (TGI):

Upgrade to TGI 3.3.7 immediately. This is the patched version with proper bounds checking on external image fetching.
If you cannot upgrade: Disable VLM mode entirely if your deployment does not require vision-language model support. This eliminates the attack surface.
Enable authentication on all TGI endpoints. The default deployment lacks auth — adding it reduces the unauthenticated attack surface.
Set memory limits on TGI containers/processes to limit the impact of any successful memory exhaustion attempt.
Monitor for anomalous request patterns — inputs with excessive Markdown image tags or repeated large-payload requests.

For CVE-2026-25874 (LeRobot):

Isolate the PolicyServer immediately. Since no patch has shipped yet, network-level containment is the primary defense. Block all external access to the PolicyServer port.
Disable async inference if your workflow does not require it. This removes the vulnerable code path entirely.
Audit for prior compromise. Check logs for unexpected gRPC connections to the PolicyServer port. Look for anomalous process execution or unexpected network connections from the LeRobot host.
Plan for v0.6.0. Monitor the LeRobot repository for the patched release and upgrade as soon as it ships.
If connected to physical hardware: Consider disconnecting robots from the network until the PolicyServer is patched or isolated. The physical safety risk is real and unmitigated by software alone.

The Sable Angle

These two CVEs expose a pattern that offensive security teams have been flagging for years: the AI/ML supply chain is the new attack surface. TGI and LeRobot aren't traditional IT infrastructure — they're specialized AI tooling that most security teams haven't inventoried, let alone hardened. Yet they run production workloads, control physical hardware, and process untrusted user input.

The pickle deserialization in CVE-2026-25874 is a vulnerability class that's been known since 2011 — it's not novel, it's neglected. The unbounded fetch in CVE-2026-0599 is a resource exhaustion pattern that's been understood for decades. These aren't zero-days in the traditional sense; they're zero-days in the attention sense. The AI ecosystem is moving faster than the security practices around it.

At Sable, our offensive engineers include AI/ML infrastructure in every engagement scope — because attackers certainly are. If you're running TGI, LeRobot, or any AI serving stack in production, reach out before someone else finds these gaps for you. Check our research archive for more on AI supply chain threats.