
Ivanti EPMM CVE-2026-6973 RCE Is Under Active Exploit — Patch by Sunday

CISA added CVE-2026-6973 to KEV with a May 10 deadline. 850+ Ivanti EPMM instances are exposed online. Here's what defenders need to do now.

Diego Diaz

What Happened

Ivanti disclosed on May 7, 2026 that CVE-2026-6973 — a high-severity remote code execution flaw in Endpoint Manager Mobile — is being exploited in the wild as a zero-day. The vulnerability allows an authenticated attacker with admin privileges to execute arbitrary code on on-prem EPMM servers running version 12.8.0.0 and earlier. The flaw stems from Improper Input Validation and was patched in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, as first reported by BleepingComputer.

CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog the same day, giving all U.S. federal agencies until May 10, 2026 (Sunday) to patch. The KEV listing now includes 34 Ivanti product vulnerabilities total, 12 of which have been abused by ransomware operations, according to SecurityWeek.

Technical Analysis

CVE-2026-6973 is an Improper Input Validation weakness. Unlike the January 2026 Ivanti EPMM zero-days — CVE-2026-1281 and CVE-2026-1340, which allowed unauthenticated remote code execution — this flaw requires an attacker to already have admin-level credentials on the target EPMM server.

That makes it less dangerous in isolation, but isolation is likely not how it is being used. Ivanti itself noted that customers who rotated credentials after January's CVE-2026-1281 and CVE-2026-1340 incidents face "significantly reduced" risk from CVE-2026-6973. SOCRadar's analysis suggests CVE-2026-6973 may be chained with the earlier unauthenticated RCE flaws — an attacker exploits one of the January CVEs to gain admin access, then chains it to CVE-2026-6973 for full code execution. That would turn three separately serious bugs into a single unauthenticated-to-RCE pipeline.

The May 2026 EPMM update also patches four additional high-severity vulnerabilities that were not observed exploited: CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. These enable privilege escalation, certificate impersonation, arbitrary method invocation, and information disclosure. One of them — CVE-2026-7821 — can be exploited without admin privileges but only affects users with Apple Device Enrollment configured.

Note the scope limitation: only on-prem EPMM is affected. Ivanti Neurons for MDM (the cloud-based UEM platform), Ivanti EPM, Ivanti Sentry, and all other Ivanti products are not vulnerable to CVE-2026-6973.

Who's Affected

Shadowserver tracks over 850 Ivanti EPMM IP addresses exposed to the internet — 508 in Europe and 182 in North America. Ivanti serves more than 40,000 customers through over 7,000 partners worldwide, spanning government agencies, healthcare, financial services, and critical infrastructure.

EPMM is a mobile device management (MDM) platform. Compromise of an MDM server gives an attacker control over enrolled devices: pushing malicious configuration profiles, wiping devices, exfiltrating corporate data, and pivoting into the internal network. For organizations that rely on EPMM to manage executive phones, field-worker tablets, or point-of-sale terminals, ownership of the MDM plane effectively means ownership of the fleet.

Chinese threat actors have historically targeted Ivanti product flaws in zero-day campaigns. SecurityWeek reported that Chinese APT groups are "often believed" to be behind attacks on Ivanti vulnerabilities, including the January 2026 EPMM zero-days. The operational pattern is consistent: discover a perimeter-facing management appliance, chain to RCE, and establish persistent access to the internal network.

How to Protect Your Organization

  1. Patch EPMM to 12.8.0.1 immediately. If you cannot take down the EPMM server this weekend, apply the incremental patch for your branch (12.6.1.1 or 12.7.0.1). The May 2026 update addresses CVE-2026-6973 and four other high-severity flaws. This is the single most important action.
  2. Rotate all EPMM admin credentials today. CVE-2026-6973 requires admin access. If your EPMM admin passwords have not been rotated since January's CVE-2026-1281 and CVE-2026-1340 advisories, assume they are compromised. Rotate them now — before you patch, not after.
  3. Audit admin accounts on your EPMM server. Remove any accounts that do not need administrative access. Review login logs for suspicious admin activity, especially from unexpected source IPs or outside business hours. EPMM roles are granular — use the principle of least privilege.
  4. Restrict network access to the EPMM management interface. If your EPMM admin panel is reachable from the internet, move it behind a VPN or restrict access by source IP. Shadowserver's number (850 exposed instances) means many organizations are running EPMM with its admin interface directly internet-facing.
  5. Check whether you were already compromised in January. If you did not rotate credentials after the January 2026 zero-days (CVE-2026-1281 and CVE-2026-1340), run a forensic review of your EPMM logs. An attacker who gained admin access in January could still have valid credentials to exploit CVE-2026-6973.
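A small triage helper for step 1, added here as an example and not Ivanti's own tooling: it classifies an EPMM version string as patched or not using only the fixed builds named above (12.6.1.1, 12.7.0.1, 12.8.0.1, with everything up to 12.8.0.0 otherwise affected). The hostnames in the sample inventory are constructed, and the assumption that any branch newer than 12.8 ships with the fix is the example's, not the advisory's.

```python
"""Classify EPMM versions against the CVE-2026-6973 fixed builds.

Why a naive check fails: "version <= 12.8.0.0 is vulnerable" misclassifies
12.6.1.1 and 12.7.0.1 as vulnerable, because the fixed builds on the older
branches are numerically lower than 12.8.0.0. The fix must be judged per branch.
"""

# Fixed builds from the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# Highest affected version named in the advisory ("12.8.0.0 and earlier").
MAX_AFFECTED = (12, 8, 0, 0)


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"not an EPMM version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(version):
    """True if the build carries the CVE-2026-6973 fix for its branch."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v >= fixed  # 12.6.1.1+, 12.7.0.1+, 12.8.0.1+ on their branches
    # Branches without a named fix: at or below 12.8.0.0 is affected; anything
    # newer (a hypothetical 12.9) is assumed here to ship with the fix.
    return v > MAX_AFFECTED


def triage(inventory):
    """Return the (host, version) pairs that still need the May 2026 update."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("mdm-01.example.test", "12.8.0.0"),
              ("mdm-02.example.test", "12.6.1.1"),
              ("mdm-03.example.test", "12.7.0.0"),
              ("mdm-04.example.test", "12.5.2.0")]
    for host, ver in triage(sample):
        print(f"{host}: {ver} still needs patching")
```

Feed it the version column of your real EPMM inventory; anything it returns from triage() is still exposed to CVE-2026-6973 and should be patched before the May 10 deadline.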

The Sable Angle

MDM infrastructure is one of the most overlooked attack surfaces in enterprise security. A single management plane controls thousands of endpoints — phones, tablets, scanners — and it is almost always deployed with broad admin privileges and minimal network segmentation. That is exactly why Ivanti EPMM has been a recurring target: breach the MDM, and you own the device fleet without touching a single endpoint.

This is the kind of attack surface Sable's offensive testing routinely flags in penetration tests. Exposed management appliances, overprivileged service accounts, individual CVEs that chain into a complete attack path — these are not theoretical risks. Our red team engagements in the startup and enterprise space consistently find that the most damaging pivots start from perimeter-facing infrastructure management tools, not from end-user workstations. If your organization runs Ivanti EPMM or any on-prem MDM platform, a focused assessment of your device management plane is a high-value next step.