What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

NGINX Rift: 18-Year-Old Heap Overflow Lets Attackers Hijack One-Third of the Web

What Happened

On May 13, 2026, security researcher depthfirst disclosed a heap-based buffer overflow in NGINX's ngx_http_rewrite_module — a vulnerability that has been sitting in the codebase, undetected, for 18 years. Tracked as CVE-2026-42945 and codenamed NGINX Rift, the flaw carries a CVSS v4.0 score of 9.2 (Critical) and enables unauthenticated remote code execution or denial-of-service via a single crafted HTTP request. A working proof-of-concept exploit was published on GitHub the same day. According to The Hacker News, the bug was introduced in NGINX version 0.6.27 back in 2008 and is present in every release through 1.30.0.

Technical Analysis

The vulnerability stems from an inconsistency in the two-pass script execution engine of ngx_http_rewrite_module. When a rewrite, if, or set directive is followed by an unnamed Perl-Compatible Regular Expression (PCRE) capture (such as $1, $2) with a replacement string containing a question mark (?), the resulting string length is miscalculated. This causes a heap buffer overflow in the NGINX worker process. Depthfirst's technical writeup confirms that on systems with Address Space Layout Randomization (ASLR) disabled, the overflow is exploitable for arbitrary code execution. Even with ASLR enabled, the overflow reliably crashes the worker process, enabling denial-of-service. SOC Radar reports that the attack requires no authentication, no prior access, and no existing session — a single HTTP request is sufficient.

The conditions for exploitation are specific but not rare: the server must use rewrite directives with unnamed PCRE captures and replacement strings containing ?. This pattern is common in URL rewriting rules, reverse proxy configurations, and many standard NGINX setups. NGINX Plus and NGINX Open Source are both affected.

Who's Affected

NGINX powers roughly one-third of all web servers worldwide — an estimated 300+ million sites. While not every NGINX deployment uses the specific rewrite pattern required for exploitation, the sheer scale makes this one of the most widely impactful vulnerabilities of 2026. CyberSecurityNews notes that the flaw has been present in every NGINX release for 18 years, meaning the vulnerable code has been compiled, deployed, and running in production environments across virtually every industry and geography. High-value targets include e-commerce platforms, API gateways, content delivery networks, and government portals — all common NGINX use cases. CyberPress confirms that the PoC exploit is publicly available on GitHub, lowering the barrier for mass exploitation.

How to Protect Yourself

1. Audit your NGINX configurations immediately. Search all nginx.conf and included config files for rewrite directives that use unnamed captures ($1, $2) with replacement strings containing ?. This is the specific pattern that triggers the overflow.

2. Update to the patched version. F5 (NGINX's parent company) has released patches. Upgrade to the latest stable release as soon as possible. If immediate patching isn't feasible, consider temporarily disabling affected rewrite rules.

3. Enable ASLR if not already active. While ASLR does not prevent exploitation entirely, it significantly raises the bar for remote code execution. Verify with cat /proc/sys/kernel/randomize_va_space (should return 2).

4. Restrict HTTP request patterns at the WAF layer. Deploy or update WAF rules to detect and block requests targeting the rewrite module's PCRE handling. Look for anomalous query strings with unmatched capture references.

5. Monitor worker process health. Unexpected NGINX worker restarts can indicate active exploitation attempts. Set up alerts for worker process crashes and review access logs for suspicious request patterns.

The Sable Angle

Vulnerabilities like NGINX Rift are exactly why offensive security research matters. An 18-year-old bug sitting in one of the internet's most critical infrastructure components — undetected until now — is a sobering reminder that the attack surface is always larger than you think. At Sable, we build offensive tooling that finds these gaps before adversaries do. Our research team actively tracks critical CVEs and publishes deep-dive analyses so defenders can act fast. See our recent research on Hugging Face double-CVE and Dirty Frag Linux kernel escalation for more examples of how we turn raw vulnerability data into actionable intelligence.

If your organization runs NGINX in production — and statistically, it almost certainly does — this is a patch-now situation. The PoC is public, the exploit conditions are well-documented, and the affected codebase is everywhere. Talk to our team about proactive infrastructure auditing before the next 18-year-old bug surfaces.