Critical Vulnerability Research

CVE-2026-20131: Cisco Firewall Zero-Day Exploited 45 Days Before Patch

Interlock Ransomware gained root on enterprise Cisco firewalls via a CVSS 10.0 Java deserialization vulnerability — no authentication, no user interaction, immediate root access. Amazon MadPot caught them. The rest of the world found out 45 days later.

Sable Security Research Team
March 20, 2026

TL;DR: A Perfect 10

CVSS Score: 10.0 (maximum severity)
Days of Zero-Day: 45 (before patch released)
Auth Required: 0 (fully unauthenticated)
Access Level: ROOT (on compromised device)

Impact: Interlock ransomware exploited CVE-2026-20131 for 45 days before Cisco patched it on March 4, 2026. A single unauthenticated HTTP request was enough to achieve root code execution on Cisco Secure Firewall Management Center.

What Happened: A Perfect CVSS 10.0

On March 4, 2026, Cisco released patches for a maximum-severity vulnerability in its Secure Firewall Management Center (FMC) — the centralized management platform used by enterprises worldwide to control Cisco firewall policies, configurations, and monitoring.

CVE-2026-20131 earned a CVSS score of 10.0 — the highest possible. The math is alarming:

Attack Vector: Network
Authentication: None
User Interaction: None
Impact: Root RCE

45-Day Head Start for Attackers

The real story isn't the vulnerability — it's that Interlock ransomware had been exploiting this zero-day since January 26, 2026, a full 37 days before Cisco released a patch, and 51 days before it became public knowledge. Enterprises believed their firewalls were protecting them. They were wrong.

Technical Analysis: Java Deserialization as a Skeleton Key

The vulnerability class — insecure deserialization — is well understood but notoriously difficult to eliminate from large Java codebases. In CVE-2026-20131, Cisco Secure FMC's web interface accepted attacker-controlled serialized Java objects without sufficient validation.

1. Craft Gadget Chain Payload

Attacker uses ysoserial or similar toolkit to generate a malicious serialized Java byte stream. The payload contains a gadget chain — a sequence of legitimate Java library method calls that, when chained during deserialization, execute arbitrary OS commands.

2. Send Unauthenticated HTTP POST

The attacker sends a single HTTP POST to the FMC web management interface. No authentication cookie, no session token, no credentials required. The vulnerability sits in a pre-auth code path that processes serialized Java objects.

3. Deserialization Triggers RCE

FMC deserializes the attacker-controlled byte stream. The gadget chain executes. Because the FMC web application runs with root privileges, the attacker immediately has a root OS shell on the management appliance.

4. Post-Exploitation: Network Takeover

With root on FMC, Interlock operators modify firewall rules, extract network topology and credentials, pivot to all managed Cisco Firepower appliances, deploy ransomware to connected systems, and establish persistent backdoors.

Amazon MadPot — Threat Intelligence Honeypot

Amazon's MadPot is a global threat intelligence honeypot network that mimics real-world services to attract and analyze attacker activity. MadPot sensors detected Interlock exploit traffic against FMC-like services in late January 2026.

By cross-referencing attack signatures with Cisco's advisory released weeks later, AWS threat intelligence confirmed the attacks predated the patch by over a month. AWS CISO CJ Moses disclosed the findings publicly on March 18, 2026.

Interlock Ransomware: Who They Are

First Observed: October 2024
Approach: Double Extortion
Targeting: Enterprise + Critical Infra
Sophistication: High — Zero-Day Capable

Why Firewalls Are a Strategic Target

- Sit at network perimeters with visibility into all traffic
- Hold network topology maps and configuration secrets
- Compromising them enables silent traffic manipulation without triggering endpoint alerts
- Trusted by downstream systems — enables lateral movement at scale
- Rarely scanned by internal vulnerability management tools (who scans the thing doing the scanning?)

The 45-Day Window: How Did They Get It?

Interlock's ability to weaponize this zero-day suggests three possibilities: independent discovery through FMC research, purchase from a private zero-day market, or a nation-state partner sharing the exploit. The Cloud Security Alliance's analysis suggests the latter two are more probable given the quality of the exploit and the speed of weaponization.

Impact: Who Was Affected

Affected Products

Cisco Secure Firewall Management Center (FMC) Software: all 7.x versions prior to the March 4, 2026 patch (AFFECTED)
Cisco Firepower Management Center (legacy FMC): all versions prior to patch (AFFECTED)

Exposed Instances by Region

🇺🇸 United States: 38%
🇩🇪 Germany: 12%
🇬🇧 United Kingdom: 9%
🇫🇷 France: 6%
🇯🇵 Japan: 5%
🇧🇷 Brazil: 4%
🇦🇺 Australia: 4%
🇮🇳 India: 4%
🌍 Others: 18%

Financial Impact

Average Ransom Demand (for enterprise targets): $2.3M
Range Observed (depending on org size): $500K–$8M
Victim Data Published (before public disclosure): Feb 2026

Interlock published stolen victim data on its dark web leak site in February 2026 — before Cisco announced the vulnerability. Victims had no idea how they were compromised.

How to Protect Your Organization

P0 (now): Patch FMC to Latest Version
  # Cisco released fixes on March 4, 2026
  # Upgrade all FMC instances to the patched version
  # Check: Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh

P0 (now): Remove FMC from the Internet
  # FMC web management should NEVER be internet-facing
  # If exposed: treat as FULLY COMPROMISED and isolate
  # Replace MGMT_NETWORK with your management CIDR; the ACCEPT rule must precede the DROP
  iptables -A INPUT -p tcp --dport 443 -s MGMT_NETWORK -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j DROP

P0 (24h): Audit Access Logs (Jan 26 – Mar 4)
  # Look for anomalous POST requests to the FMC web UI
  # Unexpected logins from unknown IPs
  # Config changes not made by your team
  # New admin accounts or modified credentials

P1 (1 week): Check for Persistence Mechanisms
  # If IoCs are found before the patch date:
  # Assume the environment is FULLY COMPROMISED — not just FMC
  # Interlock establishes persistent backdoors post-access
  # Engage the IR team for a full investigation

P2 (1 month): Out-of-Band Management Network
  # All FMC/ASDM/SSH access → isolated OOB network only
  # Accessible exclusively from a hardened jump server via MFA
  # Privileged Access Workstations (PAWs) for FMC access
  # Patch management program that includes security appliances
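
The log audit above (anomalous POST requests to the FMC web UI inside the Jan 26 – Mar 4 window, requests from outside the management network) as an added example, not code from the original post or from Cisco. It assumes an Apache/nginx combined-log layout and a hypothetical 10.0.0.0/24 management network; the sample log lines and paths are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Exploitation window reported for CVE-2026-20131: first observed Jan 26,
# 2026, patch released Mar 4, 2026.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

# Combined-log layout is an assumption; FMC's own web logs may differ,
# so adjust LOG_RE to match what your appliance actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the paths are placeholders, not real FMC routes.
SAMPLE_LOG = """\
203.0.113.45 - - [28/Jan/2026:03:14:07 +0000] "POST /example/endpoint HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.15 - admin [29/Jan/2026:09:02:11 +0000] "POST /example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.15 - admin [29/Jan/2026:09:05:40 +0000] "GET /example/dashboard HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2026:22:47:19 +0000] "POST /example/endpoint HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2026:12:00:00 +0000] "GET /example/dashboard HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""


def audit_fmc_access_log(lines, mgmt_network):
    """Return one finding per request that should never reach the FMC web UI:
    any request from outside the management network, and any POST with no
    authenticated user ("-" in the user field) inside the zero-day window,
    which is the shape of the single-request exploit described above."""
    mgmt = ipaddress.ip_network(mgmt_network)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; surface these separately in a real audit
        src = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reasons = []
        if src not in mgmt:
            reasons.append("source outside management network")
        if m["method"] == "POST" and m["user"] == "-" and WINDOW_START <= ts <= WINDOW_END:
            reasons.append("unauthenticated POST inside zero-day window")
        if reasons:
            findings.append({"ip": str(src), "time": ts.isoformat(),
                             "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_fmc_access_log(SAMPLE_LOG.splitlines(), "10.0.0.0/24"):
        print(f["time"], f["ip"], f["path"], "; ".join(f["reasons"]))
```

Any hit on the second reason before the patch date is a trigger for the P1 persistence check, not just for patching.
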

For Startups and SMBs

If you're using Cisco FMC as a smaller organization, consider whether you need the full FMC platform or whether a simpler firewall management approach — with a smaller attack surface — is appropriate for your scale. The FMC is an enterprise tool with an enterprise-grade attack surface.

Attack & Disclosure Timeline

Jan 26, 2026

Interlock begins exploiting CVE-2026-20131 as a zero-day — 37 days before patch

Late Jan – Feb 2026

Amazon MadPot honeypot sensors detect Interlock exploit traffic targeting Cisco FMC interfaces

Feb 2026

Interlock publishes stolen victim data on dark web leak site — victims had no idea how they were compromised

Mar 4, 2026

Cisco releases patch for CVE-2026-20131 alongside 47 other FMC vulnerabilities; CVSS 10.0 disclosed

Mar 5, 2026

Dark Reading, SecurityWeek report on the maximum-severity Cisco FMC patch batch

Mar 18, 2026

AWS CISO CJ Moses publicly discloses Interlock's pre-patch zero-day exploitation; Amazon MadPot data released

Mar 19–20, 2026

SecurityWeek, The Hacker News, SC Media, Help Net Security confirm 45-day exploitation window; emergency patching guidance issued

Running Cisco FMC in Your Environment?

If your FMC wasn't patched before March 4 — or was ever internet-exposed — you may have been compromised without knowing it. Get a professional security assessment.

This research was compiled for defensive purposes. Patch your systems.