
CVE-2026-45659: SharePoint RCE Flaw Lets Any Site Member Execute Code Remotely

Microsoft patched a CVSS 8.8 deserialization RCE in SharePoint Server. Any authenticated Site Member can trigger it — no admin rights needed. Patch immediately.

Ruby

A Site Member — not an admin, not a power user, just any authenticated member — can execute arbitrary code on your SharePoint Server. That is the reality of CVE-2026-45659, a deserialization remote code execution flaw Microsoft patched in its May 2026 Patch Tuesday release. With a CVSS score of 8.8, it is one of the most dangerous SharePoint vulnerabilities this year.

What Happened

On May 26, 2026, Microsoft released security updates addressing CVE-2026-45659, a remote code execution vulnerability affecting multiple versions of Microsoft SharePoint Server. The flaw stems from deserialization of untrusted data (CWE-502) — a class of vulnerability that has plagued enterprise applications for over a decade and continues to resurface in new forms.

According to InfoSec Bulletin, Microsoft's own advisory states: "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network." The CVSS 3.1 base score of 8.8 places it firmly in high-severity territory.

As TheCyberThrone confirmed, and as also reported by Help Net Security, the attack requires only Site Member permissions (PR:L in CVSS terms) — the minimum privilege level for any user who can contribute content to a SharePoint site. No administrator, no site owner, no elevated role. If your organization grants Site Member access to employees, contractors, or partners, the attack surface is enormous.

Technical Analysis: Why This Is Dangerous

Deserialization vulnerabilities (CWE-502) are not new, but they remain among the most impactful because they turn a data-handling feature into a code execution primitive. Here is why CVE-2026-45659 is particularly concerning:

  • Low privilege requirement. The attacker needs only Site Member access. In most enterprises, this is the default permission level for hundreds or thousands of users — including external collaborators and contractors who may not go through rigorous security vetting.
  • Network attack vector. The exploit works over the network. No physical access, no social engineering, no phishing email required beyond the initial credential. An attacker who has compromised any Site Member account — through credential stuffing, password reuse, or a leaked token — can trigger the RCE directly.
  • Deserialization of untrusted data. SharePoint accepts serialized data as part of its normal content management workflow. If an attacker can craft a malicious serialized payload and submit it through any feature that processes user-controlled data, the server will deserialize it — and execute embedded code in the process. This is the same vulnerability class that powered the Log4Shell (Log4j) catastrophe, albeit in a different context.
  • SharePoint's deep integration. SharePoint Server typically runs with high-privilege service accounts and has access to the underlying Windows Server, Active Directory, SQL Server backend, and often Exchange. A successful RCE on SharePoint frequently becomes a pivot point for full domain compromise.

CVEfeed.io rates the vulnerability as high-severity with low attack complexity, meaning exploitation does not require unusual conditions or sophisticated tooling. Once a proof-of-concept becomes available (and for CVSS 8.8 SharePoint flaws, that typically happens within days of Patch Tuesday), mass scanning and exploitation follow quickly.

Impact

SharePoint is one of the most widely deployed enterprise collaboration platforms in the world. Key impact factors:

  • Millions of servers run SharePoint Server globally, across government, healthcare, finance, education, and defense sectors
  • Any authenticated user with Site Member permissions can exploit it — no admin required
  • Full remote code execution on the server, typically under a high-privilege service account
  • Deep network integration means SharePoint compromise often leads to lateral movement into Active Directory, SQL Server, and Exchange
  • CVSS 8.8 — high severity with low attack complexity

While CISA has not yet added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog as of this writing, the combination of low privilege requirements, network attack vector, and high-severity impact makes rapid exploitation likely. Organizations should treat this as an urgent patching priority.

How to Protect Yourself

  1. Apply the May 2026 Patch Tuesday updates immediately. Microsoft has released patches for all supported SharePoint Server versions. If you run SharePoint Server 2016, 2019, or Subscription Edition, verify the patch is applied. This is the single most effective mitigation.
  2. Audit Site Member permissions. Review who has Site Member access across your SharePoint sites. Remove access for users and service accounts that do not need it. Pay special attention to external guest accounts and contractor access.
  3. Restrict or disable custom deserialization routines. As OpenCVE recommends, limit uploads of untrusted data to authorized workflows only. If your organization uses custom web parts or third-party SharePoint extensions that process serialized data, audit them for unsafe deserialization patterns.
  4. Monitor SharePoint logs aggressively. Watch for abnormal deserialization activity, unexpected code execution events, or unusual outbound network connections from SharePoint server processes. Enable Windows Event Logging and forward logs to your SIEM.
  5. Enforce MFA for all SharePoint access. Since the vulnerability requires authenticated access, strong multi-factor authentication raises the bar for attackers attempting to use compromised credentials.
  6. Segment SharePoint servers. Ensure SharePoint Server instances are network-segmented from critical infrastructure. If an RCE occurs, proper segmentation limits lateral movement into Active Directory, SQL Server, and other high-value targets.
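For step 3, one way to audit custom web parts and third-party extensions for unsafe deserialization patterns is a source scan like the following. This is an added example, not code from Microsoft or from the advisories cited here; the serializer list reflects .NET types documented as unsafe for untrusted input, and the sample source is constructed.

```python
import re
from pathlib import Path

# .NET serializers that Microsoft's guidance says must not process untrusted input.
UNSAFE_TYPES = ("BinaryFormatter", "SoapFormatter", "NetDataContractSerializer",
                "LosFormatter", "ObjectStateFormatter")
TYPE_RE = re.compile(r"\b(" + "|".join(UNSAFE_TYPES) + r")\b")
# Settings that let the payload choose which .NET types get instantiated.
RISKY_CONFIG = {
    "Json.NET TypeNameHandling enabled": re.compile(r"TypeNameHandling\.(?!None\b)\w+"),
    "JavaScriptSerializer with SimpleTypeResolver": re.compile(r"\bSimpleTypeResolver\b"),
}
COMMENT_RE = re.compile(r"^\s*(//|/\*|\*)")


def scan_source(text, name="<memory>"):
    """Return (file, line number, finding) for each risky pattern in C#/ASPX text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if COMMENT_RE.match(line):
            continue  # whole-line comments are noise, not code paths
        findings += [(name, lineno, f"unsafe serializer {m.group(1)}")
                     for m in TYPE_RE.finditer(line)]
        findings += [(name, lineno, label)
                     for label, rx in RISKY_CONFIG.items() if rx.search(line)]
    return findings


def scan_tree(root, exts=(".cs", ".aspx", ".ascx", ".ashx")):
    """Scan every source file with a matching extension under root."""
    out = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            out += scan_source(path.read_text(errors="replace"), str(path))
    return out


# Constructed sample of a custom web part (not taken from any real extension).
SAMPLE = """\
// Legacy note: BinaryFormatter was used before the rewrite
public object Load(Stream s) {
    return new BinaryFormatter().Deserialize(s);
}
var ok  = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
var bad = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "WebPart.cs"):
        print(*finding, sep=":")
```

A hit is a lead for manual review, not proof of exploitability: what matters is whether the flagged call can receive data a Site Member controls.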
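For step 4, the monitoring described (unexpected code execution and unusual outbound connections from SharePoint server processes) can be expressed as a triage rule over process-creation and network-connection events. This is an added example, not part of the original article; it assumes Sysmon events (ID 1 and ID 3) exported as JSON lines under Sysmon's field names, and the allow-listed destinations and sample events are constructed placeholders.

```python
import json

WORKERS = {"w3wp.exe", "owstimer.exe"}   # IIS worker process and SharePoint timer service
# Interpreters and LOLBins a web worker has no routine reason to launch.
# csc.exe is left out on purpose: ASP.NET starts it to compile pages.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
          "wscript.exe", "rundll32.exe", "certutil.exe"}
# Assumption: egress the farm legitimately needs (SQL Server, LDAP). Replace with your own.
ALLOWED_DEST = {("10.0.5.20", 1433), ("10.0.5.10", 389)}


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (kind, image, detail) alerts for suspicious worker-process activity."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines from the shipper
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1 and base(ev.get("ParentImage", "")) in WORKERS and base(image) in SHELLS:
            alerts.append(("child-process", image, ev.get("CommandLine", "")))
        elif eid == 3 and base(image) in WORKERS:
            dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if dest not in ALLOWED_DEST:
                alerts.append(("egress", image, f"{dest[0]}:{dest[1]}"))
    return alerts


# Constructed events; 203.0.113.0/24 is a documentation-only address range.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 1, "ParentImage": W3WP, "Image": CMD, "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": CMD, "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": W3WP, "DestinationIp": "10.0.5.20", "DestinationPort": 1433},
    {"EventID": 3, "Image": W3WP, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
)] + ["not json"]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```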

The Bigger Picture

CVE-2026-45659 is a reminder that deserialization vulnerabilities — a class many considered "well-understood" — continue to surface in major enterprise platforms. It follows a pattern: a widely deployed product accepts serialized data, a researcher finds an unsafe deserialization path, and suddenly millions of servers are one crafted payload away from full compromise.

Microsoft's Patch Tuesday this month also addressed other high-severity flaws, but CVE-2026-45659 stands out because of the low privilege bar and the sheer number of organizations running unpatched SharePoint instances. If you have not patched yet, assume the clock is ticking.