What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Free Scan for Exposed API Keys — Find & Fix It | SableOffensive

What Is Exposed API Keys?

Exposed secrets are one of the most common — and most damaging — vulnerabilities in modern web apps. An API key, database URL, or service token that ships to the browser, gets committed to a public repo, or sits in a readable config file can be extracted in seconds. With it, an attacker can run up your cloud bill, read your database, send mail as you, or pivot deeper. Minification and obfuscation do not protect secrets; only keeping them server-side does.

How Exposed API Keys Shows Up

Secrets in the client bundle

Keys compiled into frontend JavaScript (e.g. NEXT_PUBLIC_/build-time vars) are visible to anyone who opens DevTools.

Committed to version control

.env files, master.key, and hardcoded tokens pushed to git remain in history even after deletion, and public repos are scraped automatically.

Service keys that bypass everything

A leaked Supabase service_role key or cloud root credential grants full access regardless of your app-level rules.

Third-party token abuse

Leaked Stripe, OpenAI, Twilio, or webhook tokens let attackers spend your money or impersonate your services.

How the Sable Scan Detects It

Live bundle scanning

We scan your served JavaScript and API responses against 100+ secret patterns and flag the exact key and location.

Exposed config detection

We test for publicly reachable .env, config, and credential files.

Validated, not guessed

Findings are confirmed by an agent so you get real leaks with remediation, not regex false positives.

Check Your App for Exposed API Keys

Create a free account and let the agents test your app. Every finding is validated with a proof-of-concept and remediation. 150 founder credits, no credit card.

Get 150 Free Credits

Frequently Asked Questions

Are minified API keys safe in frontend code?

No. Minification only compresses code; the values are still readable in the browser. Any key in a client bundle can be extracted in seconds. Keep secrets on a backend the client calls. Sable scans your live bundle and reports exactly which key is exposed.

I deleted a key from git — am I safe?

Not until you rotate it. Git history retains deleted secrets, and public repos are scraped within minutes of a push. Always rotate any key that was ever committed. Sable helps confirm whether exposed keys are still live.

Is the security scan really free?

Yes. The Headers Scan runs instantly with no signup. For the full agent scan you create a free account and get 150 founder credits with no credit card required — enough to run real scans against your app on demand. Paid credit packs and monthly tiers exist for continuous testing, but you can start for free.

How does Sable scan my app?

Sable runs autonomous pentesting agents (pen-scout, pen-recon, pen-triage, pen-fixer, pen-compliance) that map your attack surface, test against the OWASP Top 10, validate every finding with a proof-of-concept, and re-test after you ship a fix. You chat with the agents on demand instead of waiting weeks for a manual engagement.

Will the scan break or slow down my production app?

No. Scans are designed to be safe and non-destructive. We demonstrate impact with proof-of-concept evidence rather than causing damage, and we never exfiltrate or alter your data.

Scan for Other Vulnerabilities

Wildcard CORS Missing CSP SQL Injection Exposed OpenAPI Weak TLS