It lived in NGINX's source code for 18 years before anyone noticed. Now it has a CVE, a codename, a public proof-of-concept, and active exploitation in the wild.
CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow vulnerability in ngx_http_rewrite_module — one of the most widely used modules in the NGINX web server ecosystem. With a CVSS score of 9.2, it allows unauthenticated attackers to crash NGINX worker processes via crafted HTTP requests, and may enable full remote code execution when ASLR (Address Space Layout Randomization) is disabled on the target system.
As of May 26, 2026, VulnCheck and multiple researchers have confirmed active exploitation in the wild — just days after public disclosure.
What Is NGINX Rift?
The vulnerability is a heap buffer overflow in the ngx_http_rewrite_module, the module responsible for NGINX's rewrite directive. This module is foundational — it handles URL rewriting, redirections, and conditional request routing for virtually every NGINX deployment.
According to the NVD entry, an unauthenticated attacker can exploit this flaw by sending crafted HTTP requests that trigger the overflow in the worker process heap. The immediate effect is a worker process crash (denial of service), but the underlying heap corruption opens the door to arbitrary code execution on systems where ASLR does not provide sufficient protection — such as older kernels, containers with ASLR disabled, or embedded deployments.
What makes this vulnerability architecturally alarming: the rewrite module is not optional. It is compiled into NGINX by default and is used in the vast majority of configurations. If you run NGINX and use rewrite directives (or any framework or framework plugin that generates them), your attack surface includes this code path.
18 Years in the Wild Before Disclosure
Researchers traced the vulnerable code back to 2008, making this an 18-year-old bug that survived every audit, fuzzing pass, and security review NGINX has undergone in nearly two decades. That timeline means the flaw was present through NGINX's explosive growth period, powering an estimated 30-40% of the world's web servers at peak adoption.
The Makko technical analysis confirms the vulnerability can be triggered under specific rewrite configurations by an unauthenticated remote attacker. A working proof-of-concept exploit is publicly available, lowering the barrier for opportunistic exploitation significantly.
Impact: DoS Today, RCE Tomorrow
The confirmed and theoretical impact breaks down as follows:
- Denial of Service (confirmed): Crafted requests crash NGINX worker processes. Repeated exploitation can exhaust the worker pool, taking down all services behind the NGINX instance.
- Remote Code Execution (conditional): On systems where ASLR is disabled — common in containers, IoT devices, older Linux kernels, or misconfigured cloud instances — heap corruption can be weaponized for code execution with the privileges of the NGINX worker (typically the www-data or nginx user).
- Affected products: NGINX Open Source and NGINX Plus. KnightLi's analysis documents specific version ranges and rewrite configurations that trigger the overflow.
- CVSS 9.2 — rated Critical. Unauthenticated, low complexity, no user interaction required.
The active exploitation confirmation from SecurityWeek and VulnCheck means this is not theoretical. Attackers are scanning for and hitting unpatched NGINX instances right now.
How to Protect Yourself
If you run NGINX — in production, staging, or even development — act on this today:
- Upgrade your NGINX packages immediately. Patches are available for both NGINX Open Source and NGINX Plus. Check your vendor's advisory for the correct patched version for your deployment. If you cannot upgrade immediately, see the mitigation in step 4.
- Audit your rewrite directives. Review every rewrite block in your NGINX configurations. The KnightLi analysis documents which specific rewrite patterns are most dangerous — audit those first.
- Enable and verify ASLR. Ensure ASLR is active on all systems running NGINX: cat /proc/sys/kernel/randomize_va_space should return 2. This does not prevent the DoS but blocks the code-execution path.
- Apply virtual patching if you cannot upgrade immediately. Use a WAF (ModSecurity, AWS WAF, Cloudflare) to block crafted HTTP requests that match the exploit signature. Akamai published pattern details you can use to craft WAF rules.
- Monitor worker process health. Set up alerting for NGINX worker restarts and crash spikes. A single crash may be noise; a pattern of crashes on a production instance is exploitation.
- Scan your exposure. Run VulnCheck, Qualys, or Nessus scans against your NGINX instances to confirm you are not running a vulnerable version. Do not assume your cloud provider has patched this for you unless they have explicitly confirmed it.
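
The worker-health monitoring step above, as an added example (not code from the original page or from NGINX): a Python script that scans error-log lines for workers killed by a fatal signal and flags a burst of them. It relies on NGINX's standard "worker process N exited on signal S" error-log message; the threshold, the window and the sample log are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# NGINX error-log line written by the master when a worker dies on a signal.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)
# Signals typical of memory corruption: SIGSEGV (11), SIGBUS (7), SIGABRT (6).
FATAL_SIGNALS = {11, 7, 6}


def crash_events(lines):
    """Yield (timestamp, pid, signal) for each fatal worker exit in the log."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m.group(3)) in FATAL_SIGNALS:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, int(m.group(2)), int(m.group(3))


def crash_spikes(lines, threshold=3, window=timedelta(minutes=5)):
    """Return timestamps at which `threshold` crashes fell inside `window`."""
    recent, alerts = deque(), []
    for ts, _pid, _sig in crash_events(lines):
        recent.append(ts)
        while ts - recent[0] > window:   # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()               # one burst raises one alert
    return alerts


# Constructed sample log (illustrative, not from a real incident).
SAMPLE_LOG = """\
2026/05/26 09:00:03 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)
2026/05/26 09:41:10 [notice] 1200#1200: worker process 1302 exited with code 0
2026/05/26 10:15:00 [alert] 1200#1200: worker process 1310 exited on signal 11
2026/05/26 10:15:42 [alert] 1200#1200: worker process 1311 exited on signal 11
2026/05/26 10:17:05 [alert] 1200#1200: worker process 1312 exited on signal 11
2026/05/26 10:30:00 [notice] 1200#1200: signal 17 (SIGCHLD) received from 1312
""".splitlines()

if __name__ == "__main__":
    for ts in crash_spikes(SAMPLE_LOG):
        print(f"ALERT: NGINX worker crash spike at {ts}")
```

The isolated crash at 09:00 stays below the threshold, while the three crashes between 10:15 and 10:17 produce a single alert.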
The Bigger Pattern
NGINX Rift is part of an uncomfortable trend in 2026: critical vulnerabilities discovered in foundational open-source code after more than a decade of undetected existence. The 18-year dormancy of this heap overwrite mirrors similar discoveries in cURL (CVE-2023-38545, 9 months preview), xz (CVE-2024-3094, 2 years planted), and now NGINX's rewrite core.
These are not bugs in obscure edge-case features. They are bugs in the infrastructure that the internet runs on — and attackers are getting faster at weaponizing disclosed vulnerabilities. The window between disclosure and active exploitation has collapsed from weeks to days.
If you run NGINX, patch today. Not tomorrow. Today.