What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Privacy Policy | SableOffensive

SableOffensive ("we," "us," or "our") operates the website sable.somoswilab.com and provides penetration testing services for startups and technology companies. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.

1. Information We Collect

When you engage our penetration testing services, we may collect the following information:

--Contact information: Name, email address, company name
--Application details: URLs, staging credentials, API documentation, repository access (provided by you)
--Scan data: Vulnerability findings, network configurations, application responses, and security assessment results gathered during testing
--Payment information: Processed securely through our payment provider; we do not store credit card details
--Communication records: Emails and messages exchanged during the engagement

2. How We Use Your Information

We use collected information exclusively for:

--Performing the penetration testing services you requested
--Generating your security assessment report
--Communicating findings and remediation recommendations
--Processing payments for our services
--Improving our testing methodologies (using anonymized, aggregated data only)

3. Non-Disclosure Agreement (NDA)

All engagements are covered by a Non-Disclosure Agreement. We are contractually bound to:

--Keep all findings, vulnerabilities, and client data strictly confidential
--Never share, sell, or disclose your information to third parties
--Never publish or reference your company or findings without explicit written consent
--Restrict access to your data to only the security researchers directly involved in your engagement

4. Data Retention and Deletion

We follow a strict data lifecycle policy:

--Scan data and vulnerability findings are permanently deleted within 30 days of report delivery
--Staging credentials and access tokens are revoked and deleted immediately after testing concludes
--Your final report is retained for 30 days to allow for follow-up questions, then deleted unless you request an extension
--Payment records are retained as required by applicable tax and accounting regulations
--You may request immediate deletion of all your data at any time by contacting us

5. GDPR and CCPA Compliance

We respect your privacy rights under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). You have the right to:

--Access: Request a copy of all personal data we hold about you
--Rectification: Request correction of inaccurate personal data
--Erasure: Request deletion of your personal data ("right to be forgotten")
--Portability: Receive your data in a structured, machine-readable format
--Object: Object to processing of your personal data
--Opt-out of sale: We never sell personal data, but you may formally request confirmation

6. Security of Your Data

We practice what we preach. Your data is protected by:

--End-to-end encryption for all communications and file transfers
--Encrypted storage for all engagement data at rest
--Access controls limiting data to authorized researchers only
--Secure deletion procedures that overwrite data, not just remove references
--Regular security audits of our own infrastructure

7. Cookies and Tracking

Our website uses minimal, essential cookies. We do not use third-party advertising trackers or sell browsing data. We may use anonymous analytics to understand page traffic and improve our services.

8. Third-Party Services

We use a limited number of third-party services to operate our business:

--Payment processors for secure transaction handling
--Email services for engagement communications

We do not share your vulnerability data or scan results with any third party.

9. Children's Privacy

Our services are intended for businesses and individuals aged 18 and older. We do not knowingly collect information from children under 18.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated revision date. For active engagements, we will notify you of any material changes via email.

11. Contact Us

For privacy-related inquiries, data access requests, or to exercise your rights under GDPR/CCPA, contact us at:

[email protected]

SableOffensive -- Based in LATAM, serving worldwide.