What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Sample Pentest Report | See What You Get | SableOffensive

Every Report Includes

Executive Summary

High-level overview for founders and stakeholders

Scope & Methodology

What was tested and how

Risk Summary

Finding count by severity with risk score

Detailed Findings

Each vulnerability with reproduction & fix

Remediation Roadmap

Prioritized fix order based on impact

Penetration Test Report

SABLE-RPT-2026-XXXX

CONFIDENTIAL

Executive Summary

SableOffensive conducted a penetration test of [REDACTED]'s web application during February 2026. The assessment identified 2 critical, 1 high, 1 medium, and 1 low severity findings. The most critical issues involve unauthorized data access (IDOR) and exposed service credentials that bypass database security policies.

Critical

High

Medium

Low

Info

Detailed Findings

SABLE-001

Broken Object Level Authorization (IDOR) on User Profile API

CRITICALCVSS 9.1

Category: A01:2021 - Broken Access Control

Endpoint: GET /api/users/[REDACTED]

Description

The user profile API endpoint allows any authenticated user to access other users' profile data by modifying the user ID parameter. No server-side authorization check validates that the requesting user owns the requested resource.

Impact

An attacker can enumerate and access all user profiles including email addresses, billing information, and connected accounts. With approximately 2,400 users in the database, this exposes the complete user dataset.

Steps to Reproduce

1.Authenticate as User A (test account)
2.Send GET /api/users/{USER_A_ID} -- returns own profile (expected)
3.Change ID to User B: GET /api/users/{USER_B_ID}
4.Full profile data for User B is returned (unauthorized)
5.Increment IDs to enumerate all users

Remediation

Add server-side authorization middleware that validates the requesting user's session matches the requested resource. Example for Next.js API route:

// Before (vulnerable)
export async function GET(req, { params }) {
  const user = await db.users.findById(params.id);
  return Response.json(user);
}

// After (fixed)
export async function GET(req, { params }) {
  const session = await getSession(req);
  if (session.userId !== params.id) {
    return new Response('Forbidden', { status: 403 });
  }
  const user = await db.users.findById(params.id);
  return Response.json(user);
}

SABLE-002

Exposed Supabase Service Role Key in Client Bundle

CRITICALCVSS 9.8

Category: A02:2021 - Cryptographic Failures

Endpoint: JavaScript bundle: /_next/static/chunks/[REDACTED].js

Description

The Supabase service_role key is hardcoded in the client-side JavaScript bundle. This key bypasses all Row Level Security (RLS) policies and provides full database access.

Impact

An attacker with this key can read, modify, and delete any data in the Supabase database, bypassing all security policies. This is equivalent to direct database admin access.

Steps to Reproduce

1.View page source or open DevTools > Sources
2.Search for "supabase" in JavaScript bundles
3.Find service_role key: eyJhbGci...[REDACTED]
4.Use key with Supabase client to bypass RLS
5.Full CRUD access to all tables confirmed

Remediation

Move the service_role key to server-side only. Use the anon key for client-side operations and ensure RLS policies are properly configured.

// .env.local (never expose to client)
SUPABASE_SERVICE_ROLE_KEY=eyJhbGci...

// next.config.js - ensure server-only
// DO NOT prefix with NEXT_PUBLIC_

// Server-side usage only:
import { createClient } from '@supabase/supabase-js'
const supabaseAdmin = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY! // server only
)

SABLE-003

Cross-Site Scripting (XSS) via User Display Name

HIGHCVSS 7.5

Category: A03:2021 - Injection

Endpoint: POST /api/settings/profile

Description

The user display name field does not sanitize HTML/JavaScript input. When displayed in the team dashboard, the unsanitized name executes in other users' browsers.

Impact

An attacker can inject JavaScript that executes in other team members' browsers, enabling session hijacking, data exfiltration, and account takeover of admin users.

Steps to Reproduce

1.Navigate to Profile Settings
2.Set display name to: <img src=x onerror=alert(document.cookie)>
3.Save profile
4.Open team dashboard as another user
5.XSS payload executes in victim's browser

Remediation

Sanitize all user input before rendering. Use React's built-in XSS protection (avoid dangerouslySetInnerHTML) and add server-side input validation.

// Server-side validation
import { z } from 'zod';

const profileSchema = z.object({
  displayName: z.string()
    .min(1)
    .max(50)
    .regex(/^[a-zA-Z0-9 _-]+$/,
      'Only letters, numbers, spaces, hyphens')
});

// Validate before saving
const validated = profileSchema.parse(req.body);

SABLE-004

Missing Rate Limiting on Authentication Endpoints

MEDIUMCVSS 5.3

Category: A07:2021 - Identification and Authentication Failures

Endpoint: POST /api/auth/login

Description

The login endpoint has no rate limiting. An attacker can make unlimited authentication attempts, enabling brute force and credential stuffing attacks.

Impact

Attackers can perform credential stuffing using leaked password databases, or brute force weak passwords without any throttling or account lockout.

Steps to Reproduce

1.Send 100+ login requests in rapid succession
2.No rate limiting or CAPTCHA triggered
3.All requests processed normally
4.No account lockout after failed attempts

Remediation

Implement rate limiting with progressive delays and account lockout after failed attempts.

// Using upstash/ratelimit for Next.js
import { Ratelimit } from '@upstash/ratelimit';

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '60 s'),
});

// In auth handler:
const { success } = await ratelimit.limit(ip);
if (!success) {
  return new Response('Too many attempts',
    { status: 429 });
}

SABLE-005

Security Headers Not Configured

LOWCVSS 3.7

Category: A05:2021 - Security Misconfiguration

Endpoint: All responses

Description

The application does not set critical security headers including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.

Impact

Missing headers increase the attack surface for clickjacking, MIME-type sniffing attacks, and reduce the effectiveness of browser security features.

Steps to Reproduce

1.curl -I https://[REDACTED].app
2.Missing: Content-Security-Policy
3.Missing: X-Frame-Options
4.Missing: Strict-Transport-Security
5.Missing: X-Content-Type-Options

Remediation

Add security headers in next.config.js or middleware.

// next.config.js
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains' },
  { key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self'" },
];

Full Reports Also Include

Remediation Timeline

Prioritized fix order -- which vulnerabilities to fix first based on exploitability and business impact.

Security Posture Score

Overall security rating from A to F, with specific areas of strength and weakness identified.

Code-Level Fixes

Copy-pasteable code snippets specific to your stack. Not generic advice -- real implementations.

Get Your Own Security Report

Same depth, same quality. Reports delivered within 24-48 hours. Starting at just $29 for MVPs.

Start Security Scan -- $29 Our Methodology