Nation-State Attack Analysis

Iran Wiped 200,000 Devices Using Microsoft Intune

Iran-linked group Handala hijacked Stryker's own MDM platform and issued factory resets across 79 countries in a single night: no malware, no exploits, just legitimate tooling turned into a global kill switch. Within 48 hours, Intuitive Surgical (maker of the da Vinci surgical robot) fell to a credential phishing attack. Two giants. One week. The most destructive medtech attack campaign of 2026.

If your company uses Microsoft Intune, Jamf, or any MDM platform, this report is for you. The attack method requires no malware and is invisible to traditional endpoint detection tools.

Sable Security Research Team
March 18, 2026

TL;DR: The Scope of Destruction

200K+ devices wiped in a single night
79 countries hit by the simultaneous wipe
50TB of data stolen from Stryker, per Handala's claim
56K employees idled across 61+ countries

Two separate attacks in 48 hours: Stryker (world's largest medical device company) and Intuitive Surgical (da Vinci robots) were both compromised between March 11–13, 2026. Handala used Microsoft Intune as a global kill switch — no malware required.

Two Giants Brought Down in One Week

1. Mar 11: Stryker Corporation

At 3:30 AM EST, Handala triggered simultaneous factory resets on 200,000+ corporate devices across 79 countries. No malware deployed — they hijacked Stryker's own Microsoft Intune MDM platform and used it as a global kill switch.

2. Mar 12–13: Intuitive Surgical

The maker of da Vinci surgical robots disclosed that attackers used a phishing email to steal employee credentials, accessed internal admin systems, and exfiltrated customer contact data and employee corporate records.

Critical note: neither company's medical devices were operationally affected; da Vinci robots kept operating and Stryker implants were not affected. But the business damage was severe, and the attack methods exposed weaknesses that apply to virtually every enterprise running an MDM platform.

Stryker: How Handala Used Intune as a Weapon

This attack is technically unprecedented. The four-step chain used no malware and no CVE, and left nothing for traditional endpoint detection tools to see.

1. Credential Compromise

Handala obtained credentials for a Stryker Intune administrator account. How they got them has not been publicly confirmed; phishing, credential stuffing with a password from a leaked database, or compromise of a privileged Entra ID (formerly Azure AD) account are the likely routes.

2. Intune Enumeration

With admin access, the attackers had full visibility into Stryker's device fleet: 200,000+ endpoints across 79 countries, including laptops, workstations and mobile phones, each with its user, hardware details and location.

3. Data Exfiltration Before the Wipe

Before triggering the wipe, Handala claims to have exfiltrated 50TB of corporate data, taking the data first and only then destroying the devices it lived on.

4. Mass Wipe Command at 3:30 AM EST

Factory reset commands were issued through Intune to all enrolled devices at once. No malware. No exploits. Legitimate MDM functionality weaponized at global scale. Intune's built-in Wipe remote action does exactly this: it restores a device to factory defaults, and an administrator can send it to any selection of devices from the admin center or through the Graph API.

Real-World Impact

56,000+ employees across 61 countries lost access to all corporate devices simultaneously
Manufacturing operations, order processing, and global shipping disrupted
Maryland paramedics lost ECG transmission capability to hospitals — direct patient safety impact
Office shutdowns across 79 countries; full device fleet rebuild required
50TB of corporate data exfiltrated before the wipe completed

Who is Handala?

Handala (also known as Handala Hack Team or Void Manticore) is an Iran-linked hacktivist group that historically targets entities perceived as adversaries of Iran — particularly U.S. and Israeli companies. Security researchers at Securonix have tied the group to Iranian state interests. The Stryker attack is characterized as geopolitically motivated retaliation amid heightened Middle East tensions in early 2026.

Intuitive Surgical: The Classic Phishing Playbook

The Intuitive Surgical breach reads like a textbook credential phishing case — deceptively simple, devastatingly effective.

Attack vector: phishing email
Access point: internal administrative network
Devices affected: none (da Vinci platforms unaffected)

An Intuitive employee received a phishing email convincing enough to capture their corporate credentials. The attacker then accessed Intuitive's internal administrative network, exfiltrating:

Customer data: contact information, business records, and account details for healthcare providers
Employee data: corporate data belonging to Intuitive staff
Business information: internal records and communications

The Significance of Timing

Two major medtech companies breached within 48 hours raises serious questions. Were they coordinated? Were attackers probing the sector opportunistically after seeing Stryker's exposure? Cybersecurity researchers are actively investigating potential connections between the two incidents.

The MDM Attack Vector: A Wake-Up Call

If your company manages devices with Microsoft Intune, SCCM, Jamf, or any MDM platform, this section is your threat model. A compromised MDM admin account is effectively a god-mode key to your entire device fleet.

With it, an attacker can:

Wipe All Devices Simultaneously (CRITICAL)

A single admin command destroys your entire device fleet. No malware needed.

Push Malicious Apps to All Devices (CRITICAL)

Deploy ransomware, spyware, or keyloggers to every employee at once, signed off as a managed app.

Harvest Full Device Inventory (HIGH)

Complete map of your infrastructure: hardware, software, users, locations.

Remove Security Controls (HIGH)

Edit compliance policies so devices no longer need AV, EDR or disk encryption to count as compliant, or push configuration profiles that switch those protections off, at fleet scale.

Rotate Certs and Lock Out Admins (HIGH)

Revoke or rotate certificates so legitimate administrators cannot regain control.

Access Full M365 Ecosystem (CRITICAL)

An Intune admin role is often held by an account that also reaches email, SharePoint and Teams through Entra ID.

“A New Threat Category” — Security Affairs

The Stryker attack represents the first confirmed large-scale use of a legitimate MDM platform as a destructive weapon, without deploying a single line of malicious code. Traditional endpoint detection tools see Intune commands as legitimate management traffic. On the endpoint there is nothing to flag: no AV signature, no process behaviour to model. The activity is visible only in the control plane, in the Intune audit log and the Entra ID sign-in log, where one administrator wiping 200,000 devices in minutes is anything but routine. That is where detection has to live.

Attack Timeline

Mar 11 — 3:30 AM EST
Handala triggers mass Intune wipe: 200,000 Stryker devices factory-reset simultaneously
Mar 11, 2026
Stryker confirms cyberattack; 56,000 employees lose device access across 61+ countries
Mar 11, 2026
Handala claims responsibility via Telegram; releases sample of alleged 50TB stolen data
Mar 11, 2026
Maryland paramedics report loss of ECG transmission capability to hospitals — direct patient safety impact
Mar 12, 2026
Intuitive Surgical detects unauthorized access to internal admin network via phishing credentials
Mar 13, 2026
Intuitive Surgical publicly discloses breach; confirms da Vinci platforms unaffected
Mar 14–16, 2026
Security researchers link both attacks to broader Iran-linked threat campaign; Stryker device recovery begins
Mar 17–18, 2026
Cybersecurity Dive, Security Affairs, Krebs on Security publish analyses; Intune attack classified as new threat category

Geographic Scope: 79 Countries Hit

Affected operations by region:

🇺🇸 United States: 35% (HQ operations for both companies)
🇮🇪 Ireland: 12% (Stryker Cork headquarters)
🇩🇪 Germany: 8% (EU operations disrupted)
🇯🇵 Japan: 7% (Asia-Pacific medtech operations)
🌍 Other (75 countries): 38% (global simultaneous wipe)

Why Healthcare & Medtech Are Under Siege

These attacks don't exist in a vacuum. Healthcare and medtech have become priority targets for nation-states and cybercriminals for converging reasons:

700+ breaches in 2024–2025 (+63.5% vs 2023)
275M records exposed (largest in U.S. history)
$10.93M average breach cost (#1 across all industries, 14 consecutive years)
$408 per-record cost (10× the value of financial records)

Financial Motivation

Healthcare records sell for $408/record on black markets — 10× the value of financial records. Medtech companies hold both patient data and critical operational IP.

Geopolitical Motivation

Nation-states (Iran, China, Russia, North Korea) view medtech as high-impact targets: disrupting supply chains creates civilian pressure; stealing device IP enables strategic technology transfer.

Operational Security Lag

Medtech companies prioritized device safety certifications over IT security. Many run legacy OT systems alongside modern cloud infrastructure — complex, difficult-to-defend attack surfaces.

How to Protect Your Organization

Whether you're a medtech enterprise or any company running MDM platforms, these two attacks define your threat model for 2026. Immediate actions:

P0: Privileged Identity Management (PIM)

MDM admin roles must be assigned through just-in-time (JIT) activation: an administrator activates the role only when needed, with an approval workflow and automatic expiry, so there are no standing admin assignments. In Entra ID this means Privileged Identity Management with the Intune Administrator role made eligible rather than permanently active.

P0: Alert on Every Intune Admin Login

Flag every sign-in to an account holding an Intune admin role, and alert on bulk remote actions: more than about 10 wipe or retire commands from one actor in a short window should page someone immediately, and where your process allows it, bulk destructive actions should need a second person's approval before they run.
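The burst rule above, and the earlier point that Intune wipe commands leave nothing for endpoint tools to see, come down to one control: the Intune audit log is where the activity is visible, so the detection has to live there. The following is an added example written for this page, not code from Stryker, Microsoft or the original article. It runs a sliding-window count of successful destructive remote actions (wipe, retire, delete and similar) per actor over audit records constructed inline; their field names only loosely mirror the shape of Microsoft Graph deviceManagement/auditEvents, and those names, the UPNs, device IDs and IP address are assumptions to be mapped onto your own SIEM schema.

```python
"""Burst detection for destructive Intune remote actions.

Added example; not code from the page, from Stryker or from Microsoft.
The audit records are constructed here for illustration. Their field names
follow the shape of Microsoft Graph `deviceManagement/auditEvents` only
loosely and are an assumption: map them onto whatever your SIEM ingests.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Remote actions that destroy data or detach a device from management.
# Matched case-insensitively against the start of the audit displayName.
DESTRUCTIVE_PREFIXES = ("wipe", "retire", "delete", "freshstart", "autopilotreset")
THRESHOLD = 10                 # distinct devices hit by one actor ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def is_destructive(display_name: str) -> bool:
    """'Wipe ManagedDevice' -> True; 'Patch DeviceCompliancePolicy' -> False."""
    return display_name.replace(" ", "").lower().startswith(DESTRUCTIVE_PREFIXES)


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_remote_actions(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per burst in which a single actor successfully issued
    destructive remote actions against >= `threshold` distinct devices within
    `window`. Failed actions and non-destructive activity are ignored, and a
    continuing burst yields one alert rather than one per event."""
    alerts = []
    recent = defaultdict(deque)   # actor -> deque of (time, device_id)
    in_burst = set()              # actors whose current burst already alerted
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if ev.get("activityResult") != "Success" or not is_destructive(ev["displayName"]):
            continue
        actor = ev["actor"]["userPrincipalName"]
        now = parse_time(ev["activityDateTime"])
        q = recent[actor]
        q.append((now, ev["resources"][0]["resourceId"]))
        while now - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        devices = {device for _, device in q}
        if len(devices) < threshold:
            in_burst.discard(actor)     # burst is over; a later one alerts again
        elif actor not in in_burst:
            in_burst.add(actor)
            alerts.append({
                "actor": actor,
                "source_ip": ev["actor"].get("ipAddress", "unknown"),
                "window_start": q[0][0].isoformat(),
                "window_end": now.isoformat(),
                "devices": sorted(devices),
            })
    return alerts


def make_event(ts, actor, display_name, device_id, result="Success", ip="203.0.113.7"):
    """Build one constructed audit record (field names are an assumption)."""
    return {
        "activityDateTime": ts,
        "displayName": display_name,
        "activityResult": result,
        "actor": {"userPrincipalName": actor, "ipAddress": ip},
        "resources": [{"type": "ManagedDevice", "resourceId": device_id}],
    }


BASE = datetime(2026, 3, 11, 8, 30, tzinfo=timezone.utc)  # 03:30 EST from the timeline

SAMPLE_EVENTS = (
    # one admin issues 12 wipes 15 seconds apart: the page's scenario in miniature
    [make_event((BASE + timedelta(seconds=15 * i)).isoformat(), "intune-admin@corp.example",
                "Wipe ManagedDevice", f"dev-{i:04d}") for i in range(12)]
    # a failed wipe must not count
    + [make_event((BASE + timedelta(seconds=30)).isoformat(), "intune-admin@corp.example",
                  "Wipe ManagedDevice", "dev-9999", result="Failure")]
    # the help desk retiring three lost phones over an hour: normal operations
    + [make_event((BASE + timedelta(minutes=30 + 20 * i)).isoformat(), "helpdesk@corp.example",
                  "Retire ManagedDevice", f"phone-{i}") for i in range(3)]
    # a policy edit is not a remote action at all
    + [make_event((BASE + timedelta(minutes=1)).isoformat(), "intune-admin@corp.example",
                  "Patch DeviceCompliancePolicy", "cp-win-baseline")]
)


def run():
    return detect_mass_remote_actions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['actor']} from {alert['source_ip']} hit {len(alert['devices'])} devices "
              f"between {alert['window_start']} and {alert['window_end']}")
```

A real deployment would poll deviceManagement/auditEvents (or the Intune audit export into Log Analytics) and feed records to detect_mass_remote_actions in time order. The one-alert-per-burst logic keeps the 200,000-event case from paging 200,000 times, and the failed-action filter avoids waking anyone for a single mistyped command. Ten devices in five minutes is the page's own threshold; tune it against your help desk's real retire rate.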

P0: Break-Glass Accounts

Maintain two or three emergency admin accounts whose credentials are kept offline in physical secure storage, excluded from the conditional access policies that could lock them out, and monitored so that any sign-in to them raises an alert. They are your way back in if the normal admin path is compromised or cut off.

P1: Conditional Access Policies

Restrict access to the Intune admin center, and the Graph API behind it, to trusted IP ranges, compliant managed devices and MFA-backed sessions. Block sign-ins from geographies where your administrators never work.

P1: Hardware Security Keys (FIDO2)

Standard MFA (SMS, TOTP, push approvals) can be bypassed by adversary-in-the-middle phishing kits that relay the code in real time. FIDO2 hardware keys (YubiKey and similar) and passkeys bind the credential to the site's origin and are phishing-resistant by design; make them mandatory for all privileged accounts and enforce that with a Conditional Access authentication strength.

P1: Immutable Offline Backups

Maintain offline, immutable backups of critical configurations and systems. A wiper attack only achieves its goal if recovery is impossible. Know your RTO before you need it.

P1: Backup MDM Configurations

Export and version-control your Intune policies, configuration profiles and their assignments regularly, and diff each new export against the last committed baseline so tampering shows up before you need the backup. Recovery from a mass wipe requires clean baselines.
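Version control only pays off if each export is actually compared with the committed baseline, and the "Remove Security Controls" item in the threat model above is exactly what such a comparison catches: a compliance policy edited so that BitLocker or real-time protection is no longer required, or its assignment quietly emptied. The checker below is an added example for this page, not code from the article, Stryker or Microsoft. Both snapshots are constructed inline; the field names follow the Microsoft Graph windows10CompliancePolicy resource as best recalled and should be treated as assumptions, while the diff itself is schema-agnostic and works on any JSON export.

```python
"""Drift check between a version-controlled Intune baseline and a fresh export.

Added example; not code from the page, Stryker or Microsoft. Both snapshots are
constructed inline. Field names follow the Microsoft Graph
`windows10CompliancePolicy` resource as recalled and are assumptions; the
checker does not depend on them.
"""
import copy

# Boolean compliance settings whose True -> False flip weakens the posture.
SECURITY_FLAGS = {
    "bitLockerEnabled", "secureBootEnabled", "codeIntegrityEnabled",
    "storageRequireEncryption", "defenderEnabled", "rtpEnabled",
    "antivirusRequired", "antiSpywareRequired", "passwordRequired",
}


def _flatten(obj, prefix=""):
    """Turn nested dicts/lists into {dotted.path: leaf} so two exports diff cleanly."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(_flatten(value, f"{prefix}{index}."))
    else:
        out[prefix[:-1]] = obj
    return out


def diff_policies(baseline, current):
    """Compare two {policy_id: policy} exports and return (severity, policy_id,
    path, old, new) tuples, most serious first. A removed policy, a security
    flag flipped off, or an assignment that disappeared is 'critical'; any
    other change is 'info' for a human to review."""
    findings = []
    for pid, base in baseline.items():
        if pid not in current:
            findings.append(("critical", pid, "<policy>", "present", "REMOVED"))
            continue
        old_leaves, new_leaves = _flatten(base), _flatten(current[pid])
        for path in sorted(set(old_leaves) | set(new_leaves)):
            old = old_leaves.get(path, "<absent>")
            new = new_leaves.get(path, "<absent>")
            if old == new:
                continue
            leaf = path.rsplit(".", 1)[-1]
            weakened = leaf in SECURITY_FLAGS and old is True and new is not True
            unassigned = path.startswith("assignments") and new == "<absent>"
            findings.append(("critical" if weakened or unassigned else "info", pid, path, old, new))
    for pid in current.keys() - baseline.keys():
        findings.append(("info", pid, "<policy>", "<absent>", "NEW"))
    findings.sort(key=lambda f: (f[0] != "critical", f[1], f[2]))
    return findings


# Constructed baseline: what the repository says the tenant should look like.
BASELINE = {
    "cp-win-baseline": {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Windows - Corporate Baseline",
        "bitLockerEnabled": True,
        "secureBootEnabled": True,
        "defenderEnabled": True,
        "rtpEnabled": True,
        "passwordRequired": True,
        "passwordMinimumLength": 12,
        "assignments": [{"target": {"groupId": "grp-all-corp-windows"}}],
    },
    "cp-ios-baseline": {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS - Corporate Baseline",
        "passcodeRequired": True,
        "assignments": [{"target": {"groupId": "grp-all-corp-ios"}}],
    },
}

# Constructed "fresh export" after an attacker quietly loosened things.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["cp-win-baseline"]["bitLockerEnabled"] = False    # encryption no longer required
CURRENT["cp-win-baseline"]["rtpEnabled"] = False          # real-time protection no longer required
CURRENT["cp-win-baseline"]["passwordMinimumLength"] = 8   # weaker, but not a flag: info only
CURRENT["cp-win-baseline"]["assignments"] = []            # policy no longer applies to anyone
del CURRENT["cp-ios-baseline"]                            # policy deleted outright
CURRENT["cp-new"] = {"displayName": "Temporary", "assignments": []}


def run_check():
    return diff_policies(BASELINE, CURRENT)


if __name__ == "__main__":
    for severity, pid, path, old, new in run_check():
        print(f"[{severity.upper():8}] {pid} {path}: {old!r} -> {new!r}")
```

Run this in the pipeline that commits each export: a critical finding should block the commit and page the on-call, because every one of them is a change that makes the fleet easier to attack and none of them is something a routine policy tweak produces silently. Extend SECURITY_FLAGS with the settings that matter in your own tenant; the list here is an assumption, not an inventory.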

P2: Vendor & Third-Party MDM Access Audits

If third-party vendors have MDM access to your environment, you've extended your attack surface to their security posture. Audit and restrict it.

Incident Response Drill

Simulate a mass wipe event. Do you know how long it takes to restore 1,000 devices? 10,000? Know this number before you need it. Stryker was still rebuilding its fleet a week after the attack.


Does your company use Microsoft Intune, Jamf, or any other MDM?

The Stryker attack redefined enterprise risk. Sable can audit your MDM security posture and privileged access before Handala gets there first.

This analysis is published for awareness and defensive purposes. All information is based on public disclosures, reports from security organizations, and verified media sources.