What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Nx Console 18.95.0: How a 2.2M-Install VS Code Extension Became a Credential Stealer

What Happened

On May 18, 2026, security researchers discovered that version 18.95.0 of the Nx Console extension for Visual Studio Code had been published with malicious code designed to steal developer credentials, cloud infrastructure tokens, and CI/CD secrets. The extension — installed by over 2.2 million developers worldwide — was quietly turned into a multi-stage credential harvester targeting anyone who opened a workspace in VS Code, Cursor, or JetBrains IDEs. According to The Hacker News, the malicious version was published outside the normal CI/CD pipeline, likely using stolen maintainer credentials, and remained live on the official Microsoft VS Code Marketplace before being flagged.

Technical Analysis

The attack was notably sophisticated. The injected payload was an obfuscated ~498 KB JavaScript file that executed on every workspace activation — meaning every time a developer opened a project, the malware ran. StepSecurity's analysis revealed the payload was a multi-stage credential stealer that specifically targeted environment variables, configuration files, and shell profiles where developers typically store AWS keys, Azure tokens, GitHub PATs, and npm credentials. The extension identifier — nrwl.angular-console — made it appear legitimate, and the version bump to 18.95.0 followed enough of a pattern that automated update systems pulled it without suspicion.

The attack vector bypassed standard code review because the malicious version was pushed directly to the marketplace rather than going through the project's open-source repository. This is a pattern increasingly seen in supply chain attacks: compromise the publishing pipeline, not the source code. CyberSecurityNews reported that the payload specifically searched for .env files, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and shell profile files like .bashrc and .zshrc, exfiltrating found secrets to an attacker-controlled endpoint.

Who's Affected

The scale is significant. With 2.2 million installations across VS Code, Cursor, and JetBrains, Nx Console is one of the most widely used developer tooling extensions in the ecosystem. It's particularly popular among teams using the Nx build system for monorepo management — a pattern common in enterprise environments where a single compromised developer machine can expose entire cloud infrastructures. SecurityOnline noted that the attack surface extends beyond individual developers: any CI/CD pipeline that relies on credentials stored in a developer's local environment could be downstream-compromised. This follows the same playbook as the 2025 s1ngularity attack on the Nx build system itself, suggesting the Nx ecosystem is being systematically targeted by threat actors.

How to Protect Yourself

If you have Nx Console installed, take these steps immediately:

Check your version: Open VS Code → Extensions → Nx Console. If you're on version 18.95.0, uninstall immediately and revert to the last known good version.
Rotate all credentials: Assume any secrets stored in environment variables, .env files, ~/.aws/credentials, ~/.npmrc, or shell profiles on machines where the extension was installed have been compromised. Rotate AWS keys, Azure tokens, GitHub PATs, npm tokens, and Docker registry credentials.
Audit recent activity: Check cloud provider logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for unauthorized access in the window between when you last updated the extension and now.
Pin extension versions: Use VS Code's extension auto-update pinning to prevent silent updates. Only update extensions after verifying the changelog and checking for security advisories.
Isolate secrets from dev machines: Use a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, 1Password) rather than storing credentials in local files. This limits the blast radius of any single compromised developer workstation.

The Sable Angle

Supply chain attacks on developer tooling are no longer theoretical — they're the fastest-growing attack vector in 2026. The Nx Console compromise follows the same pattern we've tracked in our research on open-source supply chain vulnerabilities and the security gaps in startup development workflows. The common thread: attackers know that developers are the soft underbelly of enterprise security, and a single compromised extension can bypass millions of dollars in perimeter defenses.

At Sable, our offensive security team regularly tests exactly these attack paths — from compromised IDE extensions to poisoned CI/CD pipelines. If your organization uses Nx, monorepos, or any developer tooling at scale, our penetration testing and red team engagements can identify where your supply chain is exposed before an attacker finds it. The cost of a proactive assessment is a fraction of what a single stolen cloud credential can cost in a breach.