Features

Powerful Features for Modern Security Teams

Everything you need for comprehensive reconnaissance and attack surface management, in detail. Every integration, every export format, every workflow.

MSSP & Multi-Tenant

Running ASM across a client portfolio? Several features below are built for managed security providers and multi-tenant teams — Multi-Project Management and Project Quotas (hard per-client isolation and resource governance), Scheduled PDF Reports (white-label, direct-to-client delivery), SCIM 2.0 Provisioning, and Ticketing & On-Call Dispatch. See the MSSP workflow, per-client cost attribution, and resale economics →

[Video: HailBytes ASM full feature walkthrough, the full 11-minute product run-through, before the feature breakdown below.]

Every HailBytes ASM Capability

Automated Discovery

Comprehensive subdomain enumeration using Subfinder, Amass, Alterx, BBOT, puredns (DNS brute-force against the top-1M wordlist), uncover (multi-source passive recon via Shodan, Fofa, Censys, Hunter), and theHarvester (OSINT email, subdomain, and LinkedIn org recon). All tools run in the same pipeline; results are deduped before persistence.

Port & Service Scanning

Nmap and Naabu integration for fast port scanning and service detection with banner grabbing. Naabu sweeps for open ports and Nmap confirms the services behind them, feeding the results into the same enumeration phase as HTTP probing so discovered services flow straight into vulnerability scanning.

Endpoint Enumeration

Gospider, Hakrawler, and Katana crawling for comprehensive URL discovery and attack vectors, complemented by Waybackurls and GAU for historical URLs from public archives. Together they surface live and forgotten endpoints that feed the rest of the scan pipeline.

Vulnerability Scanning

9,000+ Nuclei templates (CVEs, misconfigurations, exposed panels, default credentials, and technology fingerprinting), Dalfox for XSS, CRLF injection via crlfuzz, S3Scanner for exposed buckets, Corsy for CORS misconfiguration (14 probe types), Arjun for hidden HTTP parameter discovery, automatic second-order subdomain takeover detection, and a Shodan CVE-correlated pre-scan against known-vulnerable device classes (HP iLO, Intel AMT, Cisco Smart Install) — all individually toggleable per scan engine. Every CVE-tagged finding is enriched into a single deterministic risk score — here’s how that score works.

AI-Powered Analysis

OpenAI, Anthropic (Claude), Gemini, or local Ollama models (with NVIDIA CUDA and AMD ROCm GPU acceleration) for air-gappable vulnerability assessment, exploitation guidance, and automated reporting. Each completed scan generates an AI executive summary — severity counts, top findings, and subdomain delta vs. the prior scan — cached in the scan record and rendered as a dedicated section in PDF reports and the scan detail view.

LLM Vulnerability Reports

Auto-generate structured triage for every finding — description, business impact, remediation steps, references, and attack suggestions with exploitation steps — produced by OpenAI GPT models or a local Ollama instance (air-gappable, NVIDIA CUDA / AMD ROCm GPU acceleration). Reports are stored per-vulnerability and served from a dedicated REST endpoint, so analysts get a starting draft on every new finding without re-running the model.

Continuous Monitoring

Hatchet-scheduled scans with diffed findings and webhook alerts to Slack, Microsoft Teams, Discord, Telegram, Lark, and Twilio SMS — plus real-time GitHub commit-stream monitoring for exposed secrets: keyword-filtered polling of the public events API every 5 minutes, trufflehog confirmation, and Critical-severity findings with commit evidence, gated per-Organization and off by default.

Multi-Project Management

Per-client workspaces with role-based access control across multiple engagements. Isolation is enforced at the application layer: every query is Project-scoped through API and middleware filters, so analysts assigned to Client A cannot see Client B’s scans, findings, or targets — even on a shared instance.

Project Quotas & Cost Governance

ProjectQuota sets per-client scan-rate, target, and asset ceilings plus a monthly budget cap and alert threshold — the resource-governance mechanism for multi-tenant deployments. The /billing/projects/ rollup attributes the deployment’s cloud spend across Projects by scan-time, so MSSP operators see exactly which client is consuming compute and get alerted before a runaway scan blows a budget.

Visual Reconnaissance

gowitness screenshot capture with visual comparison across scan history. Discovered subdomains carry inline screenshots, so analysts can eyeball login portals, admin panels, and default pages and spot visual changes from one scan to the next without opening each host by hand.

REST API, MCP & WebSockets

40+ REST endpoints with OpenAPI docs, SHA-256-hashed API keys, a built-in MCP server for AI agents, and live WebSocket scan updates.

SARIF Export for GitHub Code Scanning

Vulnerability findings export as SARIF 2.1.0 on a single endpoint. Upload from any GitHub Action and findings show up in the Security tab next to CodeQL output, with dedup, dismissal, and PR-comment behaviour handled by GitHub.
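The export described above, as an added example that is not HailBytes ASM's own code: it builds a minimal SARIF 2.1.0 log from findings in an assumed shape (constructed sample data), folding scanner severities onto SARIF's four levels and attaching a stable fingerprint per finding so GitHub's dedup has something to key on. The rule property names and the tool name are the example's own choices.

```python
import hashlib
import json

# Constructed sample findings in an assumed shape; not records from HailBytes ASM.
SAMPLE_FINDINGS = [
    {"id": "exposed-admin-panel", "name": "Exposed admin panel", "severity": "high",
     "target": "https://app.example.com/admin",
     "description": "Administrative login reachable from the internet."},
    {"id": "cors-wildcard", "name": "CORS wildcard origin", "severity": "medium",
     "target": "https://api.example.com/",
     "description": "Access-Control-Allow-Origin reflects any origin."},
    {"id": "exposed-admin-panel", "name": "Exposed admin panel", "severity": "high",
     "target": "https://staging.example.com/admin",
     "description": "Administrative login reachable from the internet."},
]

# SARIF 'level' only has four values, so scanner severities are folded onto it.
# 'security-severity' (0-10) is the rule property GitHub reads for its severity label.
LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "none"}
SCORE = {"critical": "9.5", "high": "8.0", "medium": "5.5", "low": "3.0", "info": "0.0"}


def finding_fingerprint(finding):
    """Stable key for one finding, so repeated uploads dedup instead of duplicating."""
    raw = f"{finding['id']}|{finding['target']}".encode()
    return hashlib.sha256(raw).hexdigest()


def to_sarif(findings, tool_name="asm-sarif-example", tool_version="0.0"):
    """Build a SARIF 2.1.0 log: one run, one rule per distinct check id, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        sev = f["severity"].lower()
        if f["id"] not in rule_index:
            rule_index[f["id"]] = len(rules)
            rules.append({
                "id": f["id"],
                "shortDescription": {"text": f["name"]},
                "fullDescription": {"text": f["description"]},
                "properties": {"security-severity": SCORE.get(sev, "5.5")},
            })
        results.append({
            "ruleId": f["id"],
            "ruleIndex": rule_index[f["id"]],
            "level": LEVEL.get(sev, "warning"),
            "message": {"text": f"{f['name']} at {f['target']}"},
            # ASM findings have no source file; the URL stands in as the physical location.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["target"]}}}],
            "partialFingerprints": {"asmFinding/v1": finding_fingerprint(f)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def sarif_json(findings):
    """Serialised form, ready to write to disk for an upload step in a workflow."""
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
```

Two findings from the same check share one rule entry but carry different fingerprints, which is what lets the Security tab show them as separate alerts while still recognising each one on the next upload.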

Industrial Control System (ICS/OT) Scanning

Active scanning of industrial protocols (Modbus, S7, DNP3, BACnet, EtherNet/IP, IEC-104, OPC UA, CODESYS) with a per-scan authorization gate, Modbus rate limiting, and read-only safe mode on by default. Every active OT scan is audit-logged and produces a customer-ready PDF assessment report. How safe ICS/OT scanning works →

Scheduled PDF Reports

Per-Project recurring delivery of the WeasyPrint-rendered scan report (daily, weekly, or monthly), emailed directly to a client contact list under your white-label branding — no analyst in the loop. Reports pull from BrandingSettings: your logo on the cover, your product name in the footer, and your primary color as the report theme, with per-project color overrides when you need them. Includes the Asset Change Summary, the AI-Generated Scan Summary section, screenshot gallery, and per-framework compliance evidence in one PDF.

Ticketing & On-Call Dispatch

Severity-floor + deduped routing of triaged findings to Jira (Cloud or Data Center), ServiceNow (SIR + ITSM), and PagerDuty Events v2, with the same fingerprinting engine so a flapping finding doesn’t wake the same engineer twice.

SIEM & Event Forwarding

Per-Project dispatchers stream findings and scan / audit events into the SIEM your SOC already runs — Splunk (HEC or syslog), Microsoft Sentinel, Elastic / ELK, Google Chronicle, IBM QRadar (CEF / LEEF), and Palo Alto Cortex XSIAM — with a generic syslog (RFC 5424) and HMAC-signed webhook adapter for anything else. A per-integration severity floor gates which findings reach each destination, and event categories (vulnerability, scan, audit, change, brand-risk) toggle independently. See all SIEM integrations →

SIEM & Log Forwarding

Route AuditLog, Vulnerability, and scan events to your existing SIEM stack — Splunk HEC, Microsoft Sentinel (HMAC-signed), Syslog (CEF), or any generic JSON webhook endpoint. A severity floor and per-category toggles let you send Critical/High findings to Sentinel while keeping informational noise in Syslog, without a separate routing layer. The same dispatch engine feeds Jira, ServiceNow, GitHub Issues, and GitLab Issues so tickets and SIEM alerts share one configuration surface.
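The severity floor, per-category toggles, and fingerprint dedup described in this section and in the Ticketing & On-Call Dispatch section above, as one added example. This is not HailBytes ASM's dispatch engine; the destination and event shapes are assumptions, the sample configuration and events are constructed, and the fingerprint is simply a hash of category, check, and target.

```python
import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Destination:
    """One configured SIEM or ticketing integration (assumed shape)."""
    name: str
    severity_floor: str                          # lowest vulnerability severity accepted
    categories: frozenset                        # event categories switched on for it
    delivered: set = field(default_factory=set)  # fingerprints already sent here


def fingerprint(event):
    """Same check on the same target yields the same fingerprint across scans."""
    key = "|".join((event["category"], event.get("check", ""), event.get("target", "")))
    return hashlib.sha256(key.encode()).hexdigest()


def accepts(dest, event):
    if event["category"] not in dest.categories:
        return False
    if event["category"] != "vulnerability":
        return True                # scan/audit/change events carry no severity floor
    return SEVERITY_RANK[event["severity"]] >= SEVERITY_RANK[dest.severity_floor]


def route(event, destinations):
    """Return the destinations that receive this event, suppressing repeats per destination."""
    fp = fingerprint(event)
    targets = []
    for dest in destinations:
        if not accepts(dest, event):
            continue
        if event["category"] == "vulnerability" and fp in dest.delivered:
            continue               # flapping finding: this destination already has it
        dest.delivered.add(fp)
        targets.append(dest.name)
    return targets


def build_destinations():
    """Constructed configuration: Critical/High to Sentinel, everything to syslog, Critical pages."""
    return [
        Destination("sentinel", "high", frozenset({"vulnerability"})),
        Destination("syslog", "info", frozenset({"vulnerability", "scan", "audit"})),
        Destination("pagerduty", "critical", frozenset({"vulnerability"})),
    ]


# Constructed events; the last one is the first finding observed again by a later scan.
SAMPLE_EVENTS = [
    {"category": "vulnerability", "severity": "critical", "check": "example-check-0001", "target": "vpn.example.com"},
    {"category": "vulnerability", "severity": "info", "check": "tech-detect", "target": "www.example.com"},
    {"category": "scan", "target": "example.com"},
    {"category": "vulnerability", "severity": "critical", "check": "example-check-0001", "target": "vpn.example.com"},
]


def run_sample():
    dests = build_destinations()
    return [route(e, dests) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, where in zip(SAMPLE_EVENTS, run_sample()):
        print(event["category"], event.get("severity", "-"), "->", where or "suppressed")
```

The dedup set lives on each destination rather than globally, so a finding that was already paged can still be forwarded to a newly added SIEM, while the re-observed Critical at the end reaches nobody a second time.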

Cloud-Native Asset Discovery

First-party connectors for AWS, Azure, GCP, and Cloudflare pull DNS, load balancers, object stores, and edge endpoints directly from the source. Discovered assets back-link to existing scan targets so the recon pipeline picks them up without reconfiguration. An inbound HMAC-signed webhook covers everything else.
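How an inbound HMAC-signed webhook of this kind is verified on the receiving side, as an added example and not HailBytes ASM's own code. The header names, the timestamp-plus-body signing input, the 300-second replay window, and the sample assets and shared secret are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Header names and the "<timestamp>.<body>" signing input are assumptions for this example.
SIG_HEADER = "X-Asm-Signature"
TS_HEADER = "X-Asm-Timestamp"
MAX_SKEW_SECONDS = 300


def sign(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over the timestamp and the raw body bytes."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def build_request(secret, assets, timestamp):
    """Sender side: serialise the asset list and attach timestamp and signature headers."""
    body = json.dumps(assets, separators=(",", ":")).encode()
    headers = {TS_HEADER: str(timestamp), SIG_HEADER: sign(secret, timestamp, body)}
    return headers, body


def verify(secret, headers, body, now=None):
    """Receiver side: reject stale timestamps, then compare signatures in constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False          # replayed or badly skewed request
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected, headers.get(SIG_HEADER, ""))


def receive(secret, headers, body, now=None):
    """Parse the body only after the signature checks out; None means rejected."""
    if not verify(secret, headers, body, now):
        return None
    return json.loads(body)


# Constructed sample: a connector posting two discovered assets.
SECRET = b"example-shared-secret-not-for-production"
ASSETS = [{"type": "dns", "value": "app.example.com"}, {"type": "ip", "value": "203.0.113.10"}]
NOW = 1_700_000_000


def demo():
    """Run the happy path and three rejection cases against a fixed clock."""
    headers, body = build_request(SECRET, ASSETS, NOW)
    tampered = body.replace(b"203.0.113.10", b"198.51.100.7")
    return {
        "valid": receive(SECRET, headers, body, now=NOW),
        "tampered": receive(SECRET, headers, tampered, now=NOW),
        "replayed": receive(SECRET, headers, body, now=NOW + 3600),
        "wrong_key": receive(b"other-secret", headers, body, now=NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s}: {'accepted' if result is not None else 'rejected'}")
```

Signing the raw bytes rather than a re-serialised object matters: the receiver must verify exactly what arrived before it parses anything, and `hmac.compare_digest` keeps the comparison from leaking how many leading bytes matched.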

Exposure Clustering & Graph

Pure-Python union-find over the asset graph (no graph database to operate) clusters related domains, subdomains, IPs, and findings into named exposures. The force-directed cytoscape.js view at /exposure/<slug> answers “what else is on this same surface?” without an analyst joining tables.
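A union-find clustering of the kind this section describes, written as an added example rather than taken from HailBytes ASM. The asset inventory is constructed and its shape is an assumption; the naming rule (each exposure takes the first domain it contains) is the example's own.

```python
class UnionFind:
    """Disjoint-set forest with path halving; nodes are (kind, value) tuples."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


# Constructed asset inventory (assumed shape). example.com and example.org share an
# origin IP, so they land in one exposure; example.net stands alone.
SAMPLE_ASSETS = {
    "domains": ["example.com", "example.org", "example.net"],
    "subdomains": {
        "app.example.com": "example.com", "api.example.com": "example.com",
        "cdn.example.org": "example.org", "mail.example.net": "example.net",
    },
    "resolutions": {
        "app.example.com": ["203.0.113.10"], "api.example.com": ["203.0.113.11"],
        "cdn.example.org": ["203.0.113.10"], "mail.example.net": ["192.0.2.5"],
    },
    "findings": [{"id": "f1", "host": "api.example.com"}, {"id": "f2", "host": "cdn.example.org"}],
}


def cluster(assets):
    """Group domains, subdomains, IPs, and findings into named exposures."""
    uf = UnionFind()
    for d in assets["domains"]:
        uf.find(("domain", d))                      # register even if isolated
    for sub, root in assets["subdomains"].items():
        uf.union(("subdomain", sub), ("domain", root))
    for sub, ips in assets["resolutions"].items():
        for ip in ips:
            uf.union(("ip", ip), ("subdomain", sub))
    for f in assets["findings"]:
        uf.union(("finding", f["id"]), ("subdomain", f["host"]))

    groups = {}
    for node in list(uf.parent):
        groups.setdefault(uf.find(node), []).append(node)

    exposures = {}
    for members in groups.values():
        domains = sorted(v for k, v in members if k == "domain")
        name = domains[0] if domains else sorted(v for k, v in members)[0]
        exposures[name] = sorted(members)
    return exposures


def same_surface(exposures, node):
    """Everything clustered with `node`: the 'what else is on this same surface?' answer."""
    for members in exposures.values():
        if node in members:
            return [m for m in members if m != node]
    return []


if __name__ == "__main__":
    for name, members in cluster(SAMPLE_ASSETS).items():
        print(name, "->", ", ".join(f"{k}:{v}" for k, v in members))
```

The shared IP is what pulls example.org into the example.com exposure, so a finding on cdn.example.org shows up next to the example.com assets without any join; only the edge kinds the inventory records (parent domain, DNS resolution, finding host) are used, and adding another kind is one more `union` loop.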

SCIM 2.0 Provisioning

Auto-create, update, and deactivate users from Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any RFC 7644-compliant IdP. Group push maps onto the existing three rolepermissions roles, with no parallel role taxonomy to maintain.

Enterprise & Security

Single sign-on via your IdP, with SCIM 2.0 auto-provisioning from Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any RFC 7644-compliant provider — plus LDAP / Active Directory direct-bind for orgs that haven’t moved to SAML. Role-based access control spans three roles (SysAdmin, Pen Tester, Auditor) and eight granular permissions, with TOTP two-factor authentication and audit logging across the platform. Under the BYOC model the full stack runs inside your own AWS or Azure account, so you control data residency, retention, encryption keys, and access policies — HailBytes never sees your scan data.

Threat Intelligence (BYO)

Enrich findings against 15 providers — Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, Have I Been Pwned, MISP, OpenCTI, AlienVault OTX, SecurityTrails, BinaryEdge, DeHashed, LeakIX, GitHub (secret-leak discovery), and DestroyList — whichever you already pay for. Each provider has its own TTL, daily quota, and stale-fallback, so a flaky upstream doesn’t stall the pipeline.

DevSecOps Pipeline Integration

Published GitHub Action plus drop-in templates for GitLab CI, Jenkins, CircleCI, and Azure Pipelines. All five share one hailbytes-scan.sh + the public POST /api/v1/action/initiate-scan/ endpoint, so a future API change is one search-and-replace, not five divergent updates. Zapier listing covers the long-tail destinations (Slack, Asana, Linear, Notion).

CI/CD Attack-Surface Scanning

Gato detects malicious-workflow and OIDC token-abuse paths in GitHub Actions; zizmor statically analyses .github/workflows/ for misconfigurations and secret-exposure risks. Findings land in the same vulnerability pipeline as every other ASM phase — exposure graph, SIEM forwarding, ticketing dispatchers. Opt-in via the cicd_scan engine YAML block; bring your own GitHub Personal Access Token.

Cloudflare Origin IP Bypass Discovery

Cloudflare-fronted hosts only expose Cloudflare’s edge IPs to scanners — the origin server stays invisible. HailBytes ASM uses Censys certificate matching (CloudFlair) and response-body fingerprinting (hakoriginfinder) to find the real origin IP, surfacing the attack surface your WAF was hiding (open ports, admin panels, unproxied services) as exposed-origin-ip findings. Requires a Censys key.

Bug-Bounty Ingestion

Pull HackerOne and Bugcrowd reports into HailBytes ASM. Triaged / accepted / resolved reports promote to Vulnerability rows automatically, so they enter SIEM forwarding, ticketing, exposure graph, and compliance reports alongside scanner findings. Informative / duplicate / N/A submissions stay informational.

Enterprise & Federal Surface

STIX 2.1 / TAXII 2.1 server (one collection per Project), OpenVEX 0.2.0 export, LDAP / Active Directory direct-bind for orgs that haven’t moved to SAML, and PAM-backed secrets via vault://, azure-kv://, and aws-sm:// references. Thirteen compliance frameworks ordered for US Enterprise procurement: SOC 2 Type II, NIST CSF 2.0, HIPAA, GLBA (North American) lead, followed by LGPD (Latin American), ISO 27001 (global), and IEC 62443 (industrial / OT).

Multi-Language UI

The full ASM interface — login, dashboard, scan results, and compliance reports — renders in seven locales: English, Brazilian Portuguese, Spanish, Canadian French, German, Japanese, and Korean. The locale is set at the tenant level, so the entire session is consistent from the first login with no mid-session switching.

ICS / OT Attack Surface Coverage

scada-scanner extends ASM into industrial control systems and operational technology networks with active protocol enumeration for Modbus, S7, DNP3, BACnet, EtherNet/IP, and IEC-104. Opt-in per scan engine, with safe mode on by default and a required per-scan authorization acknowledgement before any active probing starts. OT exposures enter the same exposure graph, compliance reports (IEC 62443), and ticketing dispatchers as IT findings. Every ICS/OT assessment includes an Assessment Scope table — showing every check evaluated and its result, so auditors see what was tested, not just what was found — plus a branded customer-facing PDF report.