What Happened
On April 27, 2026, Microsoft revised its advisory for CVE-2026-32202 — a Windows Shell spoofing vulnerability originally patched in April's Patch Tuesday — to confirm active exploitation in the wild. The initial patch had been incomplete, leaving a zero-click credential-theft vector wide open. Within 48 hours, CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered all federal agencies to patch by May 12, 2026 — just six days from now. The Hacker News first reported the advisory revision, and multiple security firms subsequently confirmed the exploitation chain.
Technical Analysis
CVE-2026-32202 carries a CVSS base score of 4.3 (Medium) — a number that dramatically understates the operational risk. The vulnerability is a protection mechanism failure in Windows Shell that allows an attacker to craft a malicious .LNK (shortcut) file that, when viewed in File Explorer or even previewed, forces Windows to automatically open a UNC path pointing to an attacker-controlled SMB server. This triggers an outbound SMB connection that leaks the victim's NTLMv2 hash — no clicks required beyond browsing to the folder. FullstackEvolved's analysis details how the coerced authentication flow works end-to-end.
The root cause traces back to an incomplete February 2026 patch for a related zero-day. That earlier fix blocked remote code execution but left the NTLM coercion path intact. SecurityWeek confirmed that the residual vector was exploitable as a zero-day, and that APT28 (Fancy Bear / Sednit) was actively leveraging it before the April correction. Help Net Security reported that Microsoft corrected its advisory metadata on April 27 to reflect the true exploitation status after initially publishing incorrect information on April 14.
Who's Affected
Every organization running unpatched Windows endpoints is at risk. The attack surface is massive: any Windows version that received the incomplete February patch without the April correction is vulnerable. The zero-click nature of the exploit means users don't need to open a file — merely browsing to a directory containing a crafted LNK (delivered via email attachment, USB drive, or network share) is enough to leak credentials. DecryptionDigest documented the full attack chain including IOCs and noted that APT28 has historically targeted government agencies, defense contractors, and critical infrastructure operators with exactly this class of NTLM coercion attack. The downstream risk is severe: captured NTLMv2 hashes can be cracked offline or used in NTLM relay attacks to authenticate to other services, potentially achieving lateral movement and domain escalation.
How to Protect Yourself
1. Apply the April 2026 Patch Tuesday update immediately. If your endpoints haven't received the corrected patch for CVE-2026-32202, prioritize this above all other updates. CISA's May 12 deadline applies to federal agencies, but every organization should treat this as critical.
2. Block outbound SMB (TCP 445) at the network perimeter. Since the attack relies on coerced SMB connections to an attacker-controlled server, blocking outbound SMB to the internet eliminates the exfiltration path. This is a well-known mitigation for NTLM coercion attacks.
3. Enforce SMB signing and disable NTLM where possible. While NTLMv2 hash leakage is the immediate threat, enabling SMB signing prevents relay attacks using captured hashes. Transitioning to Kerberos authentication reduces the NTLM attack surface entirely.
4. Audit LNK file handling in email gateways and endpoint protection. Configure email filters to strip or quarantine .lnk attachments. Ensure endpoint detection tools are configured to flag suspicious UNC path references in shortcut files.
5. Monitor for anomalous outbound SMB connections. Network monitoring for unexpected TCP 445 connections to external IPs is a high-fidelity detection signal for this exact attack pattern.
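One way to do the shortcut-file check from step 4, as an added example that is not code from the post or from Sable: a small Python parser for the MS-SHLLINK (.lnk) format that pulls out the path-bearing fields (LinkInfo NetName and the StringData strings, including IconLocation) and flags any UNC reference whose host is neither a trusted internal suffix nor a private IP address. The trusted-suffix set and the build_lnk fixture are assumptions made for the demo; the fixture is a constructed minimal shortcut, not a real sample.

```python
import ipaddress
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80        # LinkFlags bits at offset 0x14
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:\\|$)")

def lnk_strings(data):
    """Walk a .lnk and return every string field that can carry a path: LinkInfo NetName + StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, found = 0x4C, []
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x02:                      # CommonNetworkRelativeLinkAndPathSuffix present
            cnrl = pos + struct.unpack_from("<I", data, pos + 20)[0]
            name_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            found.append(data[cnrl + name_off:data.index(b"\x00", cnrl + name_off)].decode("latin-1"))
        pos += size
    for bit in STRING_FLAGS:                     # each present string: CountCharacters, then chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            found.append(data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "latin-1"))
            pos += n * width
    return found

def _trusted(host, trusted):
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in trusted):
        return True
    try:
        return ipaddress.ip_address(host).is_private   # RFC 1918, loopback, link-local, etc.
    except ValueError:
        return False                                   # a hostname, not an IP literal

def external_unc_refs(data, trusted):
    """Return (host, field) pairs for UNC references whose host is neither trusted nor a private IP."""
    return [(h, s) for s in lnk_strings(data) for h in UNC_RE.findall(s) if not _trusted(h, trusted)]

def build_lnk(icon_location):
    """Constructed test fixture (not a real sample): minimal shell link carrying only an IconLocation."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", IS_UNICODE | 0x40) + bytes(52)
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

ExtraData blocks (such as the EnvironmentVariableDataBlock) and the contents of the IDList are not inspected here, so treat this as a triage filter for mail-gateway or endpoint quarantine rather than a complete shell-link parser.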
The Sable Angle
NTLM coercion attacks are a staple of modern red team operations — and they're far more common in real-world breaches than most organizations realize. At Sable, our offensive security team regularly identifies NTLM relay and hash leakage paths during penetration tests, often finding that the same misconfigurations that enable CVE-2026-32202 exploitation are present in production environments for months or years before a threat actor leverages them.
The pattern here is familiar: an incomplete patch creates a residual attack surface, a nation-state group finds it first, and the window between disclosure and mass exploitation shrinks every year. If your organization is still relying on patch compliance alone without validating that patches actually close the full attack chain, you're operating on faith rather than evidence. Our research team publishes exactly these kinds of post-exploitation analyses to help defenders understand not just what was patched, but what residual risk remains.