Healthcare Data Breach Analysis

WoundTech Breach: 160,000 Patient Records Leaked

How an unknown attacker exfiltrated 3.8TB of sensitive medical data from WoundTech — including SSNs, wound progression photographs, and clinical notes — and what every healthtech founder needs to know before it happens to them.

Sable Security Research Team
March 18, 2026

TL;DR — The Damage

160K+ patients exposed (personal & medical data)
3.8TB data exfiltrated (including wound photos)
$10.93M avg breach cost (healthcare sector)
3,000 employees affected (internal data also leaked)

Summary: WoundTech, a U.S. wound care management platform, suffered a December 2025 breach where an unknown attacker exfiltrated 3.8TB of patient data. As of March 2026, the data is circulating on dark web forums and a class action lawsuit is underway.

What Happened

On or around December 6, 2025, Wound Technology Network, Inc. (WoundTech) — a U.S.-based provider of wound care management solutions — detected unusual activity in its network environment. The company immediately retained a third-party cybersecurity forensics firm to investigate the scope of the incident.

The investigation revealed an alarming reality: an unknown threat actor had gained unauthorized access to WoundTech's systems and exfiltrated approximately 3.8 terabytes of highly sensitive data. Breach notification letters were sent to affected individuals in early 2026, triggering legal scrutiny and a potential class action lawsuit.

WoundTech's business model — managing wound care data for hospitals, clinics, and home health agencies — means the company held some of the most sensitive medical data imaginable: active wound progression photographs, clinical treatment notes, insurance records, and patient identifiers including Social Security Numbers.

What Was Exposed

The breach is particularly severe due to the nature and sensitivity of the leaked data. The compromised dataset includes three distinct categories of information:

Patient Personal Information:
Full names and dates of birth
Home addresses and phone numbers
Emergency contact information
Social Security Numbers (SSNs)
Gender and demographic data

Medical & Clinical Data:
Clinical notes and treatment narratives
Medical diagnosis and treatment details
Wound progression photographs (graphic)
Health insurance information and policy details
Medical Record Numbers (MRNs)

Employee Data:
Personal and professional information
Approximately 3,000 WoundTech employees
Internal HR and payroll records

Wound Photographs — A Uniquely Disturbing Exposure

The inclusion of wound progression photographs makes this breach uniquely disturbing. These are intimate clinical images taken in the context of medical care, never intended for exposure. Combined with SSNs and insurance data, affected individuals face significant risks of identity theft, insurance fraud, and emotional harm.

Timeline

The WoundTech incident followed a pattern increasingly common in healthcare breaches: a significant gap between initial compromise and public notification — roughly 70 days between detection and the first breach notifications.

Dec 6, 2025: WoundTech detects unusual network activity
Dec 2025: Third-party forensics firm retained; investigation scope determined
Jan 2026: 3.8TB exfiltration confirmed; 160K+ affected records identified
Feb 2026: HIPAA breach notifications mailed to patients and employees
Feb–Mar 2026: Stolen data appears on dark web forums with partial previews
Mar 17, 2026: ClassAction.org announces class action lawsuit investigation

How Attackers Got In (What We Know)

WoundTech's public notification is sparse on technical details — a common pattern in breach disclosures designed to minimize legal exposure. Based on available evidence and similar healthcare breach profiles, the most likely attack vectors are:

1. Compromised Credentials / Phishing (likelihood: High)

Healthcare organizations are frequent targets of credential-harvesting phishing campaigns. A single compromised VPN or remote access credential can provide initial foothold access to internal network segments containing patient databases.

2. Unpatched External-Facing Systems (likelihood: High)

Medical technology vendors often run legacy systems with delayed patch cycles. Vulnerabilities in internet-exposed services (VPN appliances, RDP endpoints, web applications) are a leading entry point for healthcare attackers.

3. Third-Party Vendor Access (likelihood: Medium)

WoundTech's platform integrates with hospitals, clinics, and home health agencies. Compromised API credentials or vendor portal access could provide a path into the core data environment.

4. Insider Threat (likelihood: Low)

Less likely but not impossible — healthcare insider threats account for roughly 35% of incidents, often motivated by financial gain from selling medical records on dark web markets.

Key indicator: The 3.8TB exfiltration volume suggests the attacker had prolonged, persistent access — enough time to identify, package, and exfiltrate the most valuable data without triggering automated detection systems.

The Healthcare Breach Epidemic

The WoundTech incident is not an anomaly — it's part of a catastrophic trend in healthcare cybersecurity. The numbers tell the story:

700+ breaches in 2024–2025 (63.5% increase from 2023)
275M records exposed (largest in U.S. history)
$10.93M average breach cost (14th consecutive year #1)
69% caused by ransomware (of all compromised records in 2024)
$408 per-record cost (highest of any industry)

For LATAM healthtech startups that handle medical data — even indirectly, through integrations with U.S. providers or HIPAA-adjacent workflows — these statistics represent existential risk. A single breach of this nature can generate $10M+ in costs, legal fees, regulatory fines, and reputational damage that no early-stage company survives.

HIPAA Implications & Legal Exposure

WoundTech is now facing a multi-front legal battle with consequences spanning federal regulation, civil litigation, and state enforcement:

HIPAA Breach Notification Rule (45 CFR §164.400)

Organizations must notify affected individuals within 60 days of discovering a breach. Failures can result in fines up to $1.9 million per violation category per year.

OCR Investigation

The HHS Office for Civil Rights (OCR) will likely investigate WoundTech's security posture. Previous OCR settlements for similar breaches have ranged from $100,000 to over $16 million.

Class Action Lawsuit

Multiple law firms have announced investigations. U.S. courts have increasingly certified class actions for healthcare breaches where plaintiffs can demonstrate increased risk of identity theft.

State Attorney General Actions

Several states (California, New York, Texas) have active data privacy enforcement that can layer additional penalties on top of federal HIPAA fines.

The combination of a large breach (160K+ individuals), highly sensitive data (SSNs + medical records + wound photos), and the data appearing on dark web forums before notification letters arrived creates a textbook case for maximum regulatory and legal exposure.

How to Protect Your Healthcare Startup

If you're building or running a healthtech startup — in LATAM or with any U.S. healthcare integrations — the WoundTech breach is your roadmap of what not to do. Here's what to implement today:

P0: Zero-Trust Network Architecture

Segment your network so a compromised endpoint cannot access your entire patient database. Medical data should live in isolated network zones with strict access controls.

P0: MFA Everywhere

Every remote access point — VPN, admin panels, cloud consoles — must require multi-factor authentication. Most healthcare breaches begin with a single compromised password.

P1: Data Classification & Minimization

Don't store what you don't need. Audit your data inventory regularly. Retaining old wound photographs 'just in case' creates liability, not value.

P1: Anomaly Detection for Exfiltration

A 3.8TB exfiltration doesn't happen in minutes. Implement DLP and network monitoring that alerts on unusual outbound data transfer volumes.

P1: Vendor Security Assessments

If you integrate with third-party systems or give API access to partners, audit their security posture. A breach in your vendor's system is your breach legally and reputationally.

P2: HIPAA-Compliant Encryption

All PHI must be encrypted at rest and in transit. Unencrypted data is indefensible under HIPAA. This is table stakes.

Regular Penetration Testing

Healthcare systems are among the most targeted — and among the least tested. A professional pentest can identify the exact vulnerabilities an attacker would exploit before they do.
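
The outbound-volume alerting recommended under Anomaly Detection for Exfiltration, as an added example that is not from the original article or from WoundTech's environment. It flags both a single large transfer day and the sustained, moderately elevated volume that a prolonged exfiltration produces; host names, thresholds and traffic figures are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB = 10**9

def detect_exfil(records, learn_days=14, window=7, spike_x=5.0, drift_x=2.0):
    """Flag hosts whose outbound volume departs from their own baseline.

    records: (day, host, outbound_bytes) tuples in day order, one per host per day.
    Returns [(day, host, reason)], at most one alert per host and reason.
    """
    history = defaultdict(list)   # host -> daily outbound totals so far
    seen, alerts = set(), []
    for day, host, sent in records:
        past = history[host]
        past.append(sent)
        if len(past) <= learn_days:
            continue              # still learning this host's normal volume
        # Baseline is frozen to the learning period so that slow exfiltration
        # is not gradually absorbed into "normal" (assumes that period is clean).
        base = median(past[:learn_days])
        recent = sum(past[-window:])
        if sent > spike_x * base:
            reason = "spike"      # one very large day
        elif recent > drift_x * base * window:
            reason = "drift"      # sustained, moderately elevated volume
        else:
            continue
        if (host, reason) not in seen:
            seen.add((host, reason))
            alerts.append((day, host, reason))
    return alerts

def sample_records():
    """Constructed data: 24 days of per-host daily outbound totals."""
    rows = []
    for day in range(1, 25):
        # db-01: 20 GB/day, then 60 GB/day from day 15 (3x, below spike_x)
        rows.append((day, "db-01", (20 if day < 15 else 60) * GB))
        # ws-07: 2 GB/day, with a single 40 GB day at the end
        rows.append((day, "ws-07", (40 if day == 24 else 2) * GB))
        # app-02: steady 10 GB/day, should never alert
        rows.append((day, "app-02", 10 * GB))
    return rows

if __name__ == "__main__":
    for alert in detect_exfil(sample_records()):
        print(alert)
```

With the spike rule alone, db-01 never alerts: its daily volume stays under the per-day threshold, and only the rolling-window total exposes it.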

Would your healthtech startup withstand an attack like this?

Sable can audit you before an attacker does. Specialists in security for healthtech, LATAM, and any system that handles medical data.

This analysis is for awareness and defense purposes. All information is based on public breach notifications, reports from security organizations, and publicly available legal filings.