Mobile Threat Research

DarkSword: The iOS Exploit That Hacks iPhones Just By Visiting a Website

Russian state hackers deployed a 6-vulnerability chain — 3 zero-days — that completely compromises iPhones running iOS 18 with zero clicks. Discovered by Google GTIG after 4 months of silent use. 270 million devices were in the crosshairs.

Sable Security Research Team
March 20, 2026

TL;DR: 270 Million Vulnerable iPhones

270M iPhones vulnerable (running iOS 18.x)
6 vulns chained (3 zero-days)
0 clicks required (drive-by via website)
4+ threat actors (state + commercial)

Impact: DarkSword has been active since November 2025 — 4+ months before disclosure. At least 4 threat actor groups (Russian SVR, commercial spyware vendors) deployed it against journalists, activists, executives, and government officials. Patch: iOS 18.7.5.

What Happened: A Zero-Click iPhone Hack in the Wild

On March 18, 2026, Google GTIG, iVerify, and Lookout jointly disclosed DarkSword — a sophisticated iOS exploit kit capable of completely compromising iPhones running iOS 18 with no user interaction beyond visiting a website.

The attack is devastatingly simple from the victim's perspective: visit a compromised website in Safari. Nothing looks wrong. No prompts. No downloads. Yet within seconds, DarkSword has chained six vulnerabilities, escaped the browser sandbox, escalated to kernel privileges, and deployed a full-featured infostealer.

iOS versions affected: 18.0 – 18.6.2
Active since: November 2025
Estimated compromised: Tens of thousands
Patch released: iOS 18.7.5 (Mar 18)

The US Government Connection

WIRED's investigation found DarkSword appears to be built on a toolkit originally developed by or for a US government intelligence contractor — a pattern echoing EternalBlue and NSO Group. The intelligence community is calling it a "major operational security failure."

The Six-Stage Exploit Chain

DarkSword's sophistication lies in the precise sequencing of six distinct exploits that together transform a website visit into complete device ownership.

1. WebKit Remote Code Execution (CVE-2025-31277)

Memory corruption in JavaScriptCore (Safari's JS runtime). Crafted JavaScript triggers the bug, giving attackers code execution inside the WebKit/Safari renderer process — no interaction needed.

2. First Sandbox Escape — GPU Subsystem (Zero-Day #1)

An unpatched zero-day in the iOS GPU driver escapes the App Sandbox. GPU drivers are a recurring weak point because they expose complex, low-level hardware interfaces to sandboxed processes, which undercuts the isolation boundary.

3. Second Sandbox Escape — dyld (Zero-Day #2)

Belt-and-suspenders: a second zero-day in the iOS dynamic linker (dyld) ensures sandbox escape even if the GPU path is blocked. Redundancy signals nation-state-grade engineering.

4. Kernel Privilege Escalation (Zero-Day #3)

A third zero-day in the iOS kernel itself escalates from user-space to kernel privileges. Code signing bypassed. MDM monitoring defeated. Every file, process, and memory location accessible.

5. Payload Deployment & Persistence (Known CVE, patched)

A previously known vulnerability, exploited in the wild before its patch was available and since fixed, is used to deploy the payload and to survive partial device restores.

6. Anti-Detection & Evasion (Known CVE, patched)

Final stage hardens the implant against detection tools and MDM compliance checks. Devices appear compliant to enterprise MDM while fully compromised.

Final Payload — Data Harvested

iMessages + Signal/WhatsApp databases [HIGH VALUE]
Photos and camera roll
Saved passwords (iCloud Keychain) [HIGH VALUE]
Crypto wallet data and seed phrases [HIGH VALUE]
Contact lists and call history
Location history
Corporate VPN certificates [HIGH VALUE]
MDM enrollment tokens [HIGH VALUE]
Email and calendar data

The Russian Connection & the Leaked Toolkit

SecurityWeek confirmed the Russian APT behind DarkSword is the same actor responsible for "Coruna" — a separate iOS exploit targeting Ukrainian officials in late 2025. This group is assessed to be SVR (Russia's Foreign Intelligence Service) or a closely affiliated contractor.

Primary state actor: SVR (Russia)
Commercial vendors: 2+ confirmed
Estimated devices hit: Tens of thousands
Toolkit origin: US Gov contractor (suspected)

Commercial Spyware Proliferation

Google GTIG confirmed at least two commercial surveillance vendors have integrated DarkSword capabilities into their products. These vendors sell to law enforcement and intelligence agencies worldwide — meaning the exploit has effectively proliferated to dozens of governments. iVerify estimates the campaign hit tens of thousands of devices, concentrated in Eastern Europe, the Middle East, and among journalists and executives in Western countries.

Why iOS Wasn't as Secure as Apple Claimed

The "iOS Is Secure" Myth

Apple markets iOS as the world's most secure mobile platform. For most users against commodity threats, this is practically true. But DarkSword illustrates the gap between "secure against most attackers" and "secure against nation-states with multi-million-dollar exploit budgets."

Why Drive-By Attacks Work on iOS

Apple's App Store model prevents unapproved app installations — but does nothing against browser exploits. Worse: Apple requires every iOS browser (Safari, Chrome, Firefox) to use WebKit as its engine. One WebKit zero-day = every browser on every iPhone simultaneously vulnerable.

MDM Bypass — The Enterprise Wake-Up Call

DarkSword's kernel-level access lets it bypass and manipulate MDM controls. Organizations using MDM to monitor employee iPhones may have received false "compliant" signals for fully compromised devices. This is a systemic assumption failure in enterprise mobile security.

The Patch Adoption Race

Apple released iOS 18.7.5 on disclosure day (March 18). But as of March 20, only ~15-20% of eligible devices have updated — leaving 200M+ iPhones still exposed to a publicly disclosed, actively exploited attack chain.

How to Protect Your iPhone and Your Organization

P0 / Now / Everyone: Update to iOS 18.7.5 or iOS 26.3
# Settings → General → Software Update
# This patches all 6 DarkSword vulnerabilities
# If on iOS 26 beta → update to 26.3
# Every minute unpatched = open attack surface

P0 / Now / High-Risk Targets: Enable Lockdown Mode
# Settings → Privacy & Security → Lockdown Mode
# Journalists, activists, executives, legal/finance teams
# Significantly limits WebKit attack surface
# Reduces some functionality — worth it for targeted individuals

P1 / 24h / Enterprise: Enforce MDM Update Policy
# Require iOS 18.7.5+ within 48-72h via MDM
# Devices on vulnerable iOS → revoke corp resource access
# Cross-reference MDM compliance with iVerify
# DarkSword can SPOOF MDM compliance status

P1 / 24h / Crypto Users: Rotate Crypto Wallets if Exposed
# DarkSword specifically targets seed phrases
# If iPhone accessed crypto apps Nov 2025 – Mar 18, 2026
# AND device was not on latest iOS throughout:
# → Assume seed phrases COMPROMISED → rotate to new wallet

P2 / 1 week / Enterprise: iOS Threat Hunt for High-Value Employees
# Deploy iVerify or similar for device integrity checks
# Apple default MDM tools DON'T detect kernel compromise
# Target: executives, legal, finance, comms, IT admins
# Look for DarkSword IoCs in Nov 2025 – Mar 18 window
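The enterprise steps above (enforce the update policy, revoke access for vulnerable builds, and cross-check MDM compliance against an independent integrity signal) as an added example that is not code from the original post or from any MDM vendor. It assumes a constructed device export; the `integrity_ok` field is a hypothetical stand-in for an iVerify-style verdict and no real MDM or iVerify API is called.

```python
# Added example (not from the original post): triage an MDM device export against the
# iOS ranges the write-up lists as vulnerable, and flag devices whose MDM "compliant"
# flag contradicts an independent integrity verdict, since the post notes DarkSword can
# spoof MDM compliance. `integrity_ok` is a hypothetical stand-in for such a verdict.
VULNERABLE = [((18, 0, 0), (18, 6, 2)), ((26, 0, 0), (26, 2, 0))]  # ranges from the post
FIXED = {18: (18, 7, 5), 26: (26, 3, 0)}                           # patched builds, per post


def parse_version(text):
    """'18.6.1' -> (18, 6, 1); missing components are zero ('26.2' -> (26, 2, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def patch_status(version):
    """'vulnerable' inside a listed range, 'patched' at/above the fixed build, else 'unknown'."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in VULNERABLE):
        return "vulnerable"
    fixed = FIXED.get(v[0])
    if fixed and v >= fixed:
        return "patched"
    return "unknown"  # e.g. iOS 17.x, or an intermediate build the advisory does not cover


def triage(devices):
    """Return {udid: [actions]} for every device that needs attention."""
    findings = {}
    for d in devices:
        actions = []
        status = patch_status(d["os"])
        if status == "vulnerable":
            actions.append("revoke corporate access until updated to iOS 18.7.5 / 26.3")
            if d["mdm_compliant"]:
                actions.append("MDM says compliant on a vulnerable build: policy gap or spoofed status")
        elif status == "unknown":
            actions.append("version not covered by advisory: verify manually")
        if d["mdm_compliant"] and not d["integrity_ok"]:
            actions.append("MDM compliance contradicts integrity check: isolate and image device")
        if d["high_value"] and status != "patched":
            actions.append("priority threat hunt over the Nov 2025 - Mar 18 2026 exposure window")
        if actions:
            findings[d["udid"]] = actions
    return findings


# Constructed sample inventory; UDIDs are placeholders, not real devices.
SAMPLE = [
    {"udid": "DEV-001", "os": "18.6.1", "mdm_compliant": True, "integrity_ok": True, "high_value": True},
    {"udid": "DEV-002", "os": "18.7.5", "mdm_compliant": True, "integrity_ok": True, "high_value": False},
    {"udid": "DEV-003", "os": "18.7.5", "mdm_compliant": True, "integrity_ok": False, "high_value": True},
    {"udid": "DEV-004", "os": "26.2", "mdm_compliant": False, "integrity_ok": True, "high_value": False},
]
```

Run `triage(SAMPLE)` to see which constructed devices get an access revocation, a spoofing flag, or a hunt priority; a real export would replace `SAMPLE`.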

Impact: Geographic & Product Scope

Known Victim Distribution

🇺🇦 Ukraine: 22%
🇺🇸 United States: 18%
🇩🇪 Germany: 9%
🇬🇧 United Kingdom: 7%
🇫🇷 France: 6%
🇵🇱 Poland: 5%
🇮🇱 Israel: 4%
🇧🇷 Brazil: 3%
🌍 Others: 26%

Affected Products

Apple iPhone — iOS 18.0 through 18.6.2: VULNERABLE, fixed in iOS 18.7.5
Apple iPhone — iOS 26.0 through 26.2 (beta/early): VULNERABLE, fixed in iOS 26.3

Patch Adoption (Mar 20): ~18%, with ~200M+ devices still exposed

Attack & Disclosure Timeline

Nov 2025

Google GTIG detects first DarkSword activity; targets concentrated in Ukraine and Eastern Europe

Dec 2025 – Feb 2026

DarkSword proliferates to commercial spyware vendors and additional state actors; attacks expand globally

Mar 3, 2026

WIRED reports "possible US government iPhone-hacking toolkit" is now in foreign hands — foreshadowing the disclosure

Mar 18, 2026

Joint disclosure by Google GTIG, iVerify, and Lookout; Apple releases iOS 18.7.5 patching all 6 vulnerabilities

Mar 18, 2026

Apple issues urgent advisory; NBC News reports mass hacking campaigns targeting journalists and executives

Mar 19–20, 2026

WIRED, SecurityWeek, Mashable, Time confirm 270M vulnerable iPhones; multiple CERTs issue emergency advisories

Concerned About Mobile Threats in Your Organization?

DarkSword targets executives, legal, finance, and communications teams — exactly the people with access to your most sensitive data. Get a mobile security assessment before the next zero-day campaign hits.

This research was compiled for defensive purposes. Update your iPhone.