Supply Chain Breach Analysis

Crunchyroll Breached via Telus Supply Chain Attack

A hacker compromised a BPO employee's Okta SSO credentials and walked off with 100GB — 6.8 million anime fans' data at risk. No Crunchyroll infrastructure was directly touched.

Sable Security Research Team
March 24, 2026
HIGH 8.6

TL;DR: What Happened

6.8M users exposed (unique email addresses)
100GB of data stolen (in under 24 hours)
8M support tickets (downloaded from Zendesk)
1 compromised employee (at Telus BPO in India)

Bottom line: On March 12, 2026, malware on a Telus International BPO employee's workstation gave attackers Okta SSO tokens for Crunchyroll's Zendesk. Over 24 hours, 8 million support tickets were downloaded before access was revoked. No direct Crunchyroll infrastructure compromise was needed.

What Happened

On March 12, 2026, a threat actor deployed malware on the workstation of a Telus International employee based in India. Telus International is a business process outsourcing (BPO) firm that handles customer support operations for Crunchyroll, the world's largest anime streaming platform owned by Sony.

The malware harvested the employee's Okta SSO session tokens, effectively granting the attacker seamless access to Crunchyroll's internal support infrastructure — no password required, no MFA challenge to beat.

Using those stolen credentials, the attacker accessed Crunchyroll's Zendesk platform and spent approximately 24 hours systematically downloading support ticket data before Crunchyroll detected the unauthorized access and revoked the session. By then, 100GB of data — including 8 million support tickets — had left the building.

Technical Analysis: The Attack Chain

This is a textbook supply chain credential compromise. The attacker didn't need to breach Crunchyroll's infrastructure directly — they found a softer target in a third-party vendor with privileged access.

1. Initial Access via Malware

Malware deployed on a Telus International BPO employee's workstation in India — likely via phishing or malicious download.

2. Okta SSO Token Theft

Session tokens harvested from browser/memory. MFA is irrelevant — auth already happened. The attacker becomes the employee.

3. Zendesk Access

Stolen tokens grant full access to Crunchyroll's Zendesk customer support platform — the same access a legitimate Telus agent has.

4. 24-Hour Exfiltration

8 million support tickets (100GB) downloaded before Crunchyroll detects the unauthorized session and revokes access.

why-okta-tokens-are-devastating.md
# Stolen session token != stolen password
MFA status: ✓ Enabled
MFA bypassed: ✓ Yes — auth already happened
System sees: Valid active session
Token theft = attacker IS the authenticated user

What Was Stolen

Email addresses: 6.8M unique. Risk: phishing.
IP addresses: all affected users. Risk: geolocation.
Partial card details: truncated numbers. Risk: social engineering.
Support ticket content: 8M tickets. Risk: rich context for attacks.
Behavioral data: viewing history, analytics. Risk: profiling.

Why Support Ticket Content Is Especially Dangerous

Support tickets contain what users told support agents in plain language — their address, their payment method, the last show they watched, the device they were using. Attackers now have rich context to craft hyper-personalized phishing emails that reference your actual account history. "We noticed an issue with your subscription to [exact show you asked about last month]" is far more convincing than generic spam.

Impact: Who Is at Risk

Crunchyroll reports over 15 million paying subscribers globally, with the largest user bases in the United States, Brazil, and Japan. This breach exposed approximately 45% of their subscriber base by unique email. If you've ever contacted Crunchyroll support, your data is likely in this set.

Targeted Phishing

Attackers know your shows, your issues, your support history. Expect convincing fake billing emails.

Credential Stuffing

Your email will be fed into credential stuffing tools against banking, gaming, and other platforms.

Identity Theft

IP + email + behavior + partial card = a surprisingly complete profile for social engineering.

Legal Exposure

Crunchyroll already faces a class-action lawsuit over data sharing. This breach significantly amplifies it.

How to Protect Yourself

If you're a Crunchyroll subscriber:

P0: Change your Crunchyroll password immediately. Use a strong, unique password you don't use anywhere else.
P0: Enable 2FA on your account. Two-factor authentication adds a layer attackers can't bypass with a stolen password alone.
P1: Check haveibeenpwned.com. See if your email has appeared in other breaches; this won't be the last use of these addresses.
P1: Watch for phishing emails. Attackers know your support history. Emails about billing issues, subscription problems, or your favorite shows are suspect.
P1: Change passwords on reused accounts. Gaming, banking, streaming: anywhere you reused the same password.
P2: Monitor your credit card. Look for small unauthorized charges, especially charges under $5, which may be testing whether a card is still valid.

For organizations using BPO or third-party vendors:

P0: Audit BPO vendor access. Do they really need full Zendesk access? The principle of least privilege applies to third parties too.
P0: Implement session token binding. Tie Okta sessions to device fingerprints and IP ranges. A token issued in India shouldn't work from a new IP without re-authentication.
P1: Deploy EDR on vendor workstations. Require BPO partners to meet your endpoint detection standards contractually.
P1: Set data egress limits in Zendesk. 8 million tickets shouldn't be downloadable in 24 hours. Volume-based anomaly detection would have caught this earlier.
P2: Add anomaly detection on SSO patterns. A BPO employee suddenly bulk-downloading millions of records is a detectable signal. Build the alert.
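The session-binding and egress-volume checks above, and the token-theft chain they are meant to catch, as an added example that is not part of the original analysis. It is Python over constructed log events; the field names, the thresholds and the session ids are assumptions, not the Okta or Zendesk log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Okta or Zendesk log records. Session "S1"
# is issued to agent01 at login, then reappears from a different IP and starts
# exporting tickets in bulk; agent02 is ordinary agent traffic. "n" = tickets.
EVENTS = [
    {"ts": "2026-03-12T08:00:00", "user": "agent01", "session": "S1", "ip": "203.0.113.10", "action": "login", "n": 0},
    {"ts": "2026-03-12T08:05:00", "user": "agent01", "session": "S1", "ip": "203.0.113.10", "action": "ticket_view", "n": 12},
    {"ts": "2026-03-12T09:00:00", "user": "agent01", "session": "S1", "ip": "198.51.100.7", "action": "ticket_export", "n": 6000},
    {"ts": "2026-03-12T09:30:00", "user": "agent01", "session": "S1", "ip": "198.51.100.7", "action": "ticket_export", "n": 6000},
    {"ts": "2026-03-12T11:00:00", "user": "agent01", "session": "S1", "ip": "198.51.100.7", "action": "ticket_export", "n": 6000},
    {"ts": "2026-03-12T10:00:00", "user": "agent02", "session": "S2", "ip": "203.0.113.11", "action": "login", "n": 0},
    {"ts": "2026-03-12T10:10:00", "user": "agent02", "session": "S2", "ip": "203.0.113.11", "action": "ticket_view", "n": 40},
]

def detect(events, window=timedelta(hours=1), export_limit=10000):
    """Return (alert_type, user, session, detail) tuples for two signals: a session
    id used from an IP other than the one it was issued to (binding check), and a
    user's exported-ticket total over export_limit in a rolling window (egress check)."""
    alerts = []
    bound_ip = {}                # session id -> IP seen at login
    flagged = set()              # sessions already reported for IP mismatch
    exports = defaultdict(list)  # user -> [(timestamp, tickets exported)]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, sid, ip = datetime.fromisoformat(e["ts"]), e["session"], e["ip"]
        if e["action"] == "login":
            bound_ip[sid] = ip   # bind the session to the IP that authenticated
            continue
        if sid in bound_ip and bound_ip[sid] != ip and sid not in flagged:
            flagged.add(sid)
            alerts.append(("session_ip_mismatch", e["user"], sid, f"{bound_ip[sid]} -> {ip}"))
        if e["action"] == "ticket_export":
            hist = exports[e["user"]]
            hist.append((ts, e["n"]))
            hist[:] = [(t, n) for t, n in hist if ts - t <= window]  # drop exports outside the window
            total = sum(n for _, n in hist)
            if total > export_limit:
                alerts.append(("export_volume", e["user"], sid, f"{total} tickets in {window}"))
    return alerts

def sessions_to_revoke(alerts):
    """Session ids that should be revoked and forced to re-authenticate."""
    return {a[2] for a in alerts}

if __name__ == "__main__":
    found = detect(EVENTS)
    print(found, "revoke:", sessions_to_revoke(found))
```

In the sample, the single export at 09:00 stays under the limit, the second one at 09:30 pushes the hourly total over it, and the export at 11:00 falls outside the window and is not alerted on its own; the IP mismatch is reported once per session.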

The Bigger Picture

The Crunchyroll breach is the latest in a growing pattern of supply chain attacks targeting BPO providers. Organizations increasingly outsource customer support and data processing to third parties — and attackers have learned that these vendors often have the same access as insiders but with weaker security controls.

2023: Okta Support Vendor Breach. Attackers compromised a customer support system at an Okta vendor, exposing session tokens for Cloudflare, BeyondTrust, and 1Password.
2024: Snowflake Campaign. Credential theft via contractor malware led to breaches at Ticketmaster, Santander Bank, and AT&T, all through the same third-party access pattern.
2026: Crunchyroll / Telus BPO. Malware on a BPO employee's workstation → stolen Okta tokens → 6.8M anime fans' data exfiltrated via Zendesk.

The Pattern Is Clear

Your security is only as strong as your weakest vendor's endpoint security. As SSO and cloud SaaS adoption accelerates, stolen session tokens, not stolen passwords, are becoming the primary attack vector. The industry needs to treat token theft with the same urgency as password breaches.

This analysis was produced for defensive and educational purposes only. All data sourced from public reporting.