What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Iran's Nimbus Manticore Deploys AI-Assisted MiniFast Backdoor via Phishing and SEO Poisoning

An Iranian state-sponsored hacking group is using artificial intelligence to build backdoors, then delivering them through poisoned Google search results and phishing emails targeting the aviation and software sectors. The campaign, attributed to Nimbus Manticore (also tracked as Screening Serpens and UNC1549), represents a notable escalation in both tradecraft and toolchain: AI-assisted malware development combined with SEO poisoning at scale.

What Happened

Research published in May 2026 by The Hacker News and Aviatrix Threat Research linked Nimbus Manticore to a sustained espionage campaign targeting aviation and software organizations across the United States, Europe, and the Middle East. The group — widely assessed as affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) — deployed two malware families: MiniFast, a compact backdoor built with AI assistance, and MiniJunk V2, an updated variant of a previously documented loader.

The campaign follows the joint U.S.-Israeli military operation against Iran earlier in 2026, suggesting the espionage push is at least in part retaliatory intelligence gathering. As Enigma Global reported, the lures impersonate legitimate organizations in the aviation and software sectors, using fake job offers, security alerts, and software download pages as initial infection vectors.

The Dual-Channel Delivery Chain

What makes this campaign operationally significant is its dual delivery infrastructure: phishing and SEO poisoning working in parallel.

Phishing arm: Targets receive carefully crafted emails impersonating recruiters, security teams, or vendor contacts. Attachments or links lead to trojanized installers — including a fake Oracle SQL Developer package, as GBHackers documented. The SQL Developer lure is particularly clever: developers and DBAs routinely download tooling from web sources, making the trojanized package a high-confidence infection vector.

SEO poisoning arm: The group manipulates search engine results to rank malicious pages above legitimate ones. When targets search for common enterprise tools, vendor documentation, or aviation-sector resources, the poisoned results appear at the top. Users click what looks like a legitimate download page and receive the malware payload instead. As NetCrook noted, this technique "meets users where they already expect to download tools" — bypassing email security entirely.

The infection chain follows a staged approach documented by Check Point Research:

February 2026: AppDomain hijacking used to deliver MiniJunk loader
March 2026: MiniFast backdoor deployed as the primary persistence mechanism
Ongoing: SEO poisoning distributes trojanized Oracle SQL Developer and other fake tools

AI-Assisted Malware: The MiniFast Factor

The most technically notable aspect of this campaign is the use of AI-assisted development for the MiniFast backdoor. According to Aviatrix's analysis, MiniFast exhibits code patterns consistent with AI-generated output — including unusual variable naming conventions, redundant but functionally correct logic blocks, and boilerplate structures that differ from the group's historically hand-crafted tooling.

This does not mean the malware is AI-written from scratch. Rather, it suggests Nimbus Manticore is using large language models to accelerate development: generating boilerplate, suggesting evasion techniques, or translating proof-of-concept exploits into deployable backdoors faster than manual coding would allow. The operational impact is clear: faster iteration, more variants, and a shorter window between vulnerability disclosure and weaponized exploit.

Impact

Sectors at risk: Aviation, software development, and by extension any organization whose employees download development tools from the web
Geographic scope: United States, Europe, and the Middle East
Delivery channels: Phishing email + SEO poisoning (dual-channel, defense-in-depth bypass)
Attribution: Nimbus Manticore / Screening Serpens / UNC1549 (IRGC-affiliated)
Malware families: MiniFast (AI-assisted backdoor), MiniJunk V2 (loader)
Context: Escalation following joint U.S.-Israeli military operation against Iran

How to Protect Yourself

Verify software downloads. Always download development tools (SQL Developer, VS Code extensions, etc.) from official vendor sites or verified package managers. Check digital signatures on installers before execution.
Monitor search results for SEO poisoning. Train employees — especially developers and DBAs — to verify URLs before downloading. SEO poisoning is invisible to email security tools because the initial vector is a search engine, not an inbox.
Block AppDomain hijacking. Monitor for unusual .NET AppDomain activity, particularly when legitimate applications load unexpected assemblies. Endpoint detection rules for AppDomain manipulation can catch the MiniJunk delivery stage.
Deploy behavioral detection for MiniFast. Signature-based detection lags behind AI-assisted malware variants. Behavioral rules — detecting unusual process injection, credential access, or C2 beaconing patterns — are more effective against rapidly iterated backdoors.
Restrict outbound connections from developer workstations. MiniFast establishes command-and-control connections. Network-level egress filtering limits the attacker's ability to exfiltrate data even if the initial infection succeeds.
Monitor for IRGC-nexus threat actor IOCs. Check Point Research, Aviatrix, and Enigma Global have published indicators of compromise for this campaign. Ingest these IOCs into your threat intelligence platform and SIEM.

The Bigger Picture

The Nimbus Manticore campaign is a case study in how state-sponsored threat actors are adapting to the AI era. The dual-channel delivery (phishing + SEO poisoning) shows operational maturity. The use of AI-assisted malware development signals a shift in the speed and scale at which APTs can iterate on tooling.

For defenders, the takeaway is clear: the attack surface is no longer just the inbox. It is the search engine, the download page, the developer toolchain. As AI lowers the barrier to building capable malware, the advantage shifts further toward volume and speed — and the organizations that survive will be the ones that assume every download is hostile until proven otherwise.