What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Oracle E-Business Suite CVE‑2026‑46817: Critical Authentication Bypass in Oracle Payments

What Happened

On June 30, 2026, security outlets reported that CVE‑2026‑46817, a critical authentication‑bypass vulnerability affecting the Oracle Payments module of Oracle E‑Business Suite, is being actively exploited in the wild. The vulnerability carries a CVSS score of 9.8, indicating a severe impact. According to The Hacker News, attackers can reach the vulnerable component over the network without any valid credentials.

Technical Analysis

The flaw resides in the Oracle Payments component of Oracle E‑Business Suite. It is classified as an improper privilege management or authentication bypass issue. Unauthenticated attackers who can reach the affected HTTP endpoints can gain privileged access to the Oracle Payments system, potentially taking full control of the ERP module. The vulnerability affects versions 12.2.3 through 12.2.15 of the suite. No public proof‑of‑concept or detailed exploit mechanics have been disclosed; the specific technical details of the attack vector remain undisclosed, as highlighted by both Security Affairs.

Who’s Affected

Enterprises running the affected Oracle Payments module across a broad range of industries are at risk. While exact numbers of impacted installations are not publicly known, the vulnerability’s severity and the fact that it is being actively exploited suggest a wide exposure. The recent activity mirrors previous attacks on Oracle ERP products, such as the exploitation of CVE‑2026‑35273 in Oracle PeopleSoft PeopleTools by the ShinyHunters group earlier in 2026.

How to Protect Yourself

Apply the latest Oracle Critical Patch Update (CPU). Oracle released a patch for CVE‑2026‑46817 in its most recent Critical Patch Update of the previous month. Administrators should verify the patch is applied and restart the affected services.
Restrict network access. Limit exposure of the Oracle Payments web endpoints to trusted internal networks or VPNs. Use firewalls or Web Application Firewalls (WAF) to block unauthenticated traffic.
Monitor for suspicious activity. Review web server logs for unusual requests to Oracle Payments URLs and set up IDS/IPS signatures that can detect attempts to exploit authentication bypasses.
Conduct regular security assessments. Validate that all Oracle E‑Business Suite instances are patched and not exposed to the internet without proper controls.

The Sable Angle

Sable helps organizations identify exposed Oracle E‑Business Suite instances and verify that the required CPU patches are applied. Our assessments focus on discovering internet‑facing ERP deployments, testing for unauthenticated access, and providing remediation guidance. By partnering with Sable, you can gain confidence that your Oracle Payments environment is not susceptible to the current exploitation trend. Learn more about our services at Sable pricing.