What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Turla Upgrades Kazuar Backdoor Into Modular P2P Botnet

What Happened

On May 14, 2026, Microsoft's Security Blog published a detailed analysis of Kazuar — a backdoor operated by Turla (also known as Secret Blizzard, Venomous Bear, and Waterbug), a Russian state-sponsored APT group linked to the FSB. The report revealed that Turla has transformed Kazuar from a traditional command-and-control (C2) backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistent access to government and diplomatic networks.

BleepingComputer reported that the upgraded Kazuar now uses a decentralized P2P communication architecture, making it significantly harder to disrupt through traditional C2 takedown operations. The campaign has primarily targeted government entities, diplomatic missions, and defense organizations across Europe and Central Asia.

Technical Analysis

Kazuar is not new — Turla has operated variants of this backdoor since at least 2017. What changed in 2026 is the architecture. Palo Alto Networks' Unit 42 tracked the upgraded variant (which they call "Pensive Ursa") and documented the following technical evolution:

P2P C2 replacement: Instead of hardcoded C2 servers that can be sinkholed or blocked, Kazuar now uses a peer-to-peer network where infected nodes relay commands to each other. There is no single point of failure.
Modular plugin system: The backdoor now supports dynamically loaded plugins for credential harvesting, lateral movement, screen capture, and data exfiltration. Operators deploy only the capabilities needed for each target.
Encrypted communication: All inter-node traffic is encrypted using custom protocols, making network-level detection significantly harder.
Living-off-the-land: Kazuar leverages legitimate system tools and Windows APIs to blend with normal administrative activity, reducing the forensic footprint.

SecurityAffairs noted that the P2P architecture means that even if defenders identify and remediate some infected hosts, the botnet continues to operate through remaining peers. This is a deliberate design choice for resilience against incident response.

Who's Affected

Turla is one of the oldest and most sophisticated APT groups in operation, active since at least 2004. Their targets are consistently:

Government ministries — particularly foreign affairs, defense, and intelligence agencies
Diplomatic missions — embassies and consulates in Europe, Central Asia, and the Middle East
Defense contractors — companies supporting NATO member state militaries
Research institutions — think tanks and policy organizations working on geopolitics

Microsoft's report indicates that the upgraded Kazuar has been deployed in targeted campaigns over the past several months, with the P2P infrastructure designed to maintain access for years rather than weeks. This is not a smash-and-grab operation — it's a long-term intelligence collection platform.

How to Protect Yourself

Defending against a nation-state P2P botnet requires a different playbook than standard malware defense. Here are concrete steps:

Monitor for anomalous P2P traffic — Kazuar's P2P communication generates unusual network patterns. Deploy network detection rules for encrypted peer-to-peer connections between internal hosts, especially on non-standard ports.
Harden endpoint detection — Ensure EDR solutions are configured to detect living-off-the-land techniques (PowerShell abuse, WMI persistence, scheduled task creation). Kazuar relies heavily on these.
Implement network segmentation — Government and diplomatic networks should be strictly segmented. Lateral movement between segments should require multi-factor authentication.
Audit persistence mechanisms — Regularly scan for unauthorized scheduled tasks, registry run keys, and service installations. Kazuar uses multiple persistence methods simultaneously.
Subscribe to threat intelligence feeds — Microsoft, Palo Alto Unit 42, and CISA publish IOCs for Turla campaigns. Integrate these into your SIEM and firewall blocklists immediately.

The Sable Angle

At Sable, we track APT infrastructure evolution as part of our offensive research. The shift from centralized C2 to P2P botnets is not unique to Turla — we've documented similar patterns in our startup vulnerability research where attackers increasingly design infrastructure to survive partial takedowns.

The Kazuar evolution is a reminder that threat actors continuously upgrade their tooling. If your organization operates in government, defense, or diplomatic sectors, our red team can simulate Turla-style P2P persistence to test whether your detection and response capabilities hold up against nation-state tradecraft.