What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

North Korea's Lazarus Group Deploys RemotePE — A Memory-Only RAT That Leaves Zero Disk Traces

What Happened

The Lazarus Group — North Korea's most prolific state-sponsored hacking unit — has deployed a new remote access trojan called RemotePE against financial institutions and cryptocurrency firms. Unlike conventional RATs, RemotePE operates entirely in memory. It writes nothing to disk, leaving traditional file-based detection with nothing to find. Fox-IT's analysis confirms the malware injects into legitimate Windows processes and executes all payloads from memory-resident PE (Portable Executable) files — a technique designed to bypass signature-based AV and most EDR solutions.

Technical Analysis

RemotePE's core innovation is its loader. The initial stage — typically delivered through a spear-phishing document or a compromised software update — drops a small bootstrapper that never writes the full RAT to disk. Instead, it allocates executable memory in a legitimate process (commonly svchost.exe or explorer.exe), maps the PE payload into that space, and executes it via thread hijacking. NetCrook reports the loader uses API unhooking to evade user-mode EDR hooks, and direct syscalls to bypass monitoring at the kernel callback layer.

The RAT itself provides full remote desktop access, keylogging, credential harvesting from browser memory, and the ability to deploy additional modules — all without a single malicious file touching the filesystem. CyberSecurityNews has identified that Lazarus is deploying RemotePE alongside two other RAT variants in the same campaign, suggesting a multi-layered persistence strategy: if one RAT is discovered and killed, the others survive.

Who's Affected

The confirmed targets are financial services firms and cryptocurrency exchanges — sectors Lazarus has focused on for years to fund the North Korean regime. DarkDotWeb reports the campaign has active footholds in organizations across Southeast Asia and the Middle East, with initial access likely gained through targeted spear-phishing and supply chain compromises. The group's track record includes the $625M Ronin Bridge theft and the $100M Harmony Horizon attack — this is not an opportunistic threat actor.

Any organization holding significant crypto assets or processing high-volume financial transactions should consider itself a potential target. The memory-only nature of RemotePE means that even organizations with mature endpoint detection may have blind spots.

How to Protect Yourself

Defending against fileless malware requires shifting from file-based to behavior-based detection. Here is what security teams should do now:

Enable memory scanning in your EDR. Solutions like Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne all offer memory inspection capabilities — but they are not always enabled by default. Verify that in-memory threat detection is active on all endpoints.
Monitor for anomalous process injection. Alert on VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequences, especially when the target is a system process. This is the classic process injection triage that RemotePE relies on.
Restrict PowerShell and WMI. Many fileless attacks use PowerShell or WMI as the initial execution vector. Implement Constrained Language Mode and WMI logging to detect abuse.
Deploy application whitelisting. If only signed, approved executables can run, the bootstrapper stage of the attack chain breaks. Use Windows AppLocker or a third-party whitelisting solution.
Assume breach for high-value targets. If your organization holds crypto assets or processes large financial transactions, run a memory forensics sweep (using Volatility or a commercial equivalent) on critical endpoints. Look for PE headers in unexpected memory regions.

The Sable Angle

Fileless malware is the natural evolution of the attacker-defender arms race. When defenders got better at scanning files, attackers moved to memory. When defenders start scanning memory, attackers will move again. The point is not to chase the latest evasion technique — it is to assume the attacker is already inside and build detection around behavior, not artifacts.

At Sable Security, our red team engagements simulate exactly this class of threat: fileless initial access, in-memory execution, and lateral movement without touching disk. We test your detection stack against the techniques Lazarus actually uses — not the ones from three-year-old threat reports. If your EDR cannot detect a memory-resident RAT, you do not have endpoint detection. You have endpoint logging. Read our research on how modern APTs exploit the gap between detection theory and detection reality.