What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

June 2026 Patch Tuesday: An Actively-Exploited Chrome Zero-Day and a Wormable Windows RCE

Every month brings a Patch Tuesday, and most of them blur together. This one shouldn't. Two of the June 2026 fixes change the math on when you patch, not just whether you do.

The two that matter

CVE-2026-11645 is an out-of-bounds read and write in V8, the JavaScript and WebAssembly engine inside Google Chrome (CVSS 8.8). The detail that matters: it is already being exploited in the wild. Google shipped the fix on June 9. If your team or your users browse the web in Chrome — or any Chromium-based browser — this is a "today" problem, not a "this sprint" problem.

CVE-2026-45657 is a remote code execution flaw in the Windows Kernel, rated CVSS 9.8. It is unauthenticated and wormable: an attacker can run code at SYSTEM level with no user interaction, and a bug like that is the raw material for self-propagating malware. There is no confirmed exploitation yet — which is exactly the window you want to patch in.

What "actively exploited" actually changes

A normal CVSS-8 bug gives you a runway: triage, schedule, test, deploy over a couple of weeks. "Actively exploited" deletes that runway. It means a working exploit already exists, attackers are already using it, and every hour you wait is an hour you are knowingly exposed to a known technique. For CVE-2026-11645, the only correct patch timeline is "now."

The wormable kernel bug is the inverse risk: nobody is using it yet, but the moment a reliable exploit goes public, mass scanning starts within hours. The early-stage teams that get hit are the ones who told themselves "we'll get to it after the launch."

The patch-now checklist

Chrome / Chromium everywhere. Force-update Chrome on every machine, plus Edge, Brave, and anything Electron-based that bundles Chromium. Verify the version — don't assume auto-update ran.
Windows hosts, servers first. Apply the June cumulative update to internet-facing Windows servers before workstations. A wormable, unauthenticated kernel RCE is worst where it is reachable.
Inventory what you actually run. You can't patch the Chromium you forgot ships inside your desktop app or your CI runners.
Confirm, don't trust. "Patch deployed" and "patch applied and rebooted" are different states. Kernel patches usually need the reboot.

Where this fits

Patching your stack is step zero — the part you get no credit for until you skip it. What it does not cover is the code you shipped: the wildcard CORS, the secret in the repo, the auth check that isn't quite a check. That is the layer Sable scans for. But none of it matters if the box underneath is running a kernel an attacker can own for free. Patch first, then go find what your own app is leaking.