
HailBytes ASM June 2026 Release: MSSP Portfolio Metrics, Complete pt-BR Localization & Security Hardening

June 5, 2026 • 8 min read

The June 2026 release of HailBytes ASM focuses on completeness and operational quality rather than new surface area. The headline change is a long-requested MSSP portfolio dashboard that surfaces per-client security state without drilling into every project. Alongside it: full Portuguese (Brazil) interface localization, a correctness fix for enterprise SCIM 2.0 provisioning, Eyeballer ML classification on scan detail pages, deployable ICS/OT scan targets, several scan-view refinements, and a round of dependency and supply-chain hardening. This post covers each change and why it matters.

What's New in June 2026

  • MSSP portfolio metrics — last scan status, open critical/high counts, asset totals, and budget utilisation visible from the All Projects view without drilling into each client
  • SCIM 2.0 409 uniqueness fix — RFC 7644-compliant conflict responses restore Okta and Azure AD provisioning reliability
  • Complete pt-BR frontend localization — 97 TypeScript UI strings (toasts, confirmations, form validation, tooltips) now translated; catalog grows from 459 to 556 entries
  • Eyeballer ML badges on scan detail pages — screenshot classification label and confidence percentage shown inline with subdomain results
  • Live ICS/OT scan targets — deployable DVWA + Conpot stack exposing Modbus, S7, SNMP, and BACnet for hands-on industrial protocol scanning
  • Scan-view polish — humanized one-off schedule display, DataTable pagination fix, and a styled in-browser PDF report preview
  • Security hardening — bleach → nh3 sanitiser migration, CVE dependency floor bumps, and a vendored DNS resolver wordlist for reproducible builds

MSSP Portfolio View: Security Metrics at a Glance

Before this release, the All Projects page showed only project name, description, slug, and an actions menu. An operator managing five client projects might find it manageable to click into each one. An MSSP managing fifty found it untenable: there was no way to triage — to look at a list and immediately know which clients had open criticals, which scans had failed overnight, or which projects were approaching their asset budget. At scale, that turns a two-minute morning triage into a twenty-minute manual sweep, exactly the kind of round-trip where a critical finding slips through on a busy day.

The June release adds a full set of inline security metrics to the All Projects portfolio table:

  • Last scan — date of the most recent scan plus a status badge (Success, Running, Failed, Aborted, or Queued). A Failed badge at a glance tells you a client's scan pipeline needs attention.
  • Open findings — separate counts for open critical and open high severity findings. Rows with any unacknowledged critical are highlighted red, so the projects that need immediate attention surface to the top without sorting or filtering.
  • Assets — subdomain count per project, giving a quick read on scope and growth trends across clients.
  • Budget — utilisation percentage against the project's ProjectQuota. Rows approaching the alert threshold turn amber; rows over budget turn red.

The colour-coding follows a consistent logic: red rows mean something demands attention now (open criticals or a failed last scan); amber means something should be reviewed soon (approaching budget limit). For an MSSP analyst doing their morning triage pass, the portfolio view now functions as a genuine priority queue rather than a flat list.

All metrics are computed with a bounded set of grouped database queries plus the shared billing rollup that already resolves project budgets — there is no per-row query regardless of how many projects are in the portfolio, so the table stays N+1-free as portfolios grow. Both the web view and the list_projects API endpoint serve the same data contract, so integrations that consume the project list get the metrics too.
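As an added illustration, not the platform's own code, the following Python sketch reproduces the row-colour rules and the grouped, single-pass aggregation described above over constructed sample rows; the ALERT_THRESHOLD value and the input shapes are assumptions.

```python
from collections import defaultdict
from datetime import date

ALERT_THRESHOLD = 0.8  # hypothetical amber threshold; the product reads it from ProjectQuota

# Constructed sample rows standing in for the grouped query results.
SCANS = [  # (project, scan date, status)
    ("acme", date(2026, 6, 4), "Success"), ("acme", date(2026, 6, 5), "Failed"),
    ("globex", date(2026, 6, 5), "Success"), ("initech", date(2026, 6, 3), "Success"),
    ("hooli", date(2026, 6, 5), "Success"), ("umbrella", date(2026, 6, 2), "Success"),
]
FINDINGS = [  # (project, severity, is_open); closed findings must not count
    ("acme", "high", True), ("acme", "high", True), ("acme", "critical", False),
    ("globex", "critical", True), ("globex", "critical", False), ("globex", "high", True),
]
ASSETS = {"acme": 120, "globex": 200, "initech": 40, "hooli": 85, "umbrella": 10}
QUOTAS = {"acme": 500, "globex": 500, "initech": 30, "hooli": 100, "umbrella": 100}

def row_state(last_status, critical, utilisation, threshold=ALERT_THRESHOLD):
    """red: act now (open critical, failed scan, over budget); amber: review soon."""
    if critical > 0 or last_status == "Failed" or utilisation > 1.0:
        return "red"
    return "amber" if utilisation >= threshold else "green"

def build_portfolio(scans, findings, assets, quotas):
    # One grouped pass over each input and no per-project lookups, the same
    # shape as the bounded GROUP BY queries, so cost does not grow per row.
    last_scan = {}
    for project, day, status in scans:
        if project not in last_scan or day >= last_scan[project][0]:
            last_scan[project] = (day, status)
    counts = defaultdict(lambda: {"critical": 0, "high": 0})
    for project, severity, is_open in findings:
        if is_open and severity in ("critical", "high"):
            counts[project][severity] += 1
    rows = []
    for project, quota in quotas.items():
        day, status = last_scan.get(project, (None, "Queued"))
        util = assets.get(project, 0) / quota if quota else 0.0
        crit = counts[project]["critical"]
        rows.append({"project": project, "last_scan": day, "status": status,
                     "critical": crit, "high": counts[project]["high"],
                     "assets": assets.get(project, 0), "utilisation": round(util, 2),
                     "state": row_state(status, crit, util)})
    # Sort into a priority queue: red first, then amber, then everything else.
    rank = {"red": 0, "amber": 1, "green": 2}
    rows.sort(key=lambda r: (rank[r["state"]], r["project"]))
    return rows
```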

Why this matters for MSSPs

Client triage time is the hidden cost of MSSP operations. When every client check requires a context switch and a page load, analysts don't check — they batch. Security gaps accumulate between batches. A portfolio view that surfaces critical signals at the list level converts passive monitoring into active triage at scale.

SCIM 2.0: RFC 7644-Compliant Conflict Handling

Enterprise customers using Okta, Azure AD, or another SCIM-compatible identity provider to provision HailBytes ASM users were encountering a silent provisioning failure. When an IdP attempted to create a user with a userName that already existed in the platform — a common scenario when re-running provisioning after a partial sync, or when a user was created manually before IdP management was enabled — the platform returned HTTP 400 with a raw database error string in the response body.

This matters because of how enterprise IdPs interpret SCIM error codes. RFC 7644 §3.3 specifies that a uniqueness conflict on create must return HTTP 409 with a scimType of "uniqueness". Okta and Azure AD key on exactly this response to recognise an already-provisioned user and fall back from create to update — the correct recovery path. When they receive a 400 instead, they treat it as an unrecoverable error and abort the entire provisioning run, leaving the rest of the directory unsynchronised with no clear error surfaced in the IdP console.

The fix makes the SCIM /Users endpoint fully RFC 7644 compliant for uniqueness conflicts:

  • A pre-check on POST detects an existing userName and returns 409 / uniqueness before touching the database.
  • PUT (user rename) maps a collision to the same 409 / uniqueness response rather than leaking database error details.
  • An IntegrityError catch closes the create-vs-create race window for concurrent provisioning requests.

No changes to SCIM behaviour for non-conflict operations; the fix is scoped entirely to the conflict path and is transparent on upgrade. If your IdP provisioning was silently failing or reporting unexplained 400 errors on user creation, re-running the provisioning sync from your IdP after the update is sufficient to recover.
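The conflict path described above, as an added illustration rather than the platform's own code: a framework-free sketch of the POST pre-check, the IntegrityError catch for the create-vs-create race, and the PUT rename mapping, using an in-memory SQLite table with a hypothetical users schema.

```python
import sqlite3

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def scim_error(status, detail, scim_type=None):
    # RFC 7644 §3.12 error body; the IdP keys on status and scimType, not on detail
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body

class UserStore:
    """Hypothetical users table; the UNIQUE constraint is the last line of defence."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE NOT NULL)")

    def exists(self, user_name):
        return self.db.execute("SELECT 1 FROM users WHERE user_name = ?",
                               (user_name,)).fetchone() is not None

def create_user(store, body, precheck=True):
    """POST /Users. precheck=False simulates a concurrent create landing after the
    pre-check, leaving only the IntegrityError catch to produce the 409."""
    user_name = body.get("userName")
    if not user_name:
        return scim_error(400, "userName is required", "invalidValue")
    if precheck and store.exists(user_name):
        return scim_error(409, f"userName {user_name!r} already exists", "uniqueness")
    try:
        cur = store.db.execute("INSERT INTO users (user_name) VALUES (?)", (user_name,))
        store.db.commit()
    except sqlite3.IntegrityError:  # create-vs-create race: same 409, no DB message leaked
        store.db.rollback()
        return scim_error(409, f"userName {user_name!r} already exists", "uniqueness")
    return 201, {"schemas": [USER_SCHEMA], "id": str(cur.lastrowid), "userName": user_name}

def rename_user(store, user_id, new_name):
    """PUT /Users/{id} changing userName; a collision gets the same 409/uniqueness."""
    try:
        cur = store.db.execute("UPDATE users SET user_name = ? WHERE id = ?", (new_name, user_id))
        store.db.commit()
    except sqlite3.IntegrityError:
        store.db.rollback()
        return scim_error(409, f"userName {new_name!r} already exists", "uniqueness")
    if cur.rowcount == 0:
        return scim_error(404, f"user {user_id} not found")
    return 200, {"schemas": [USER_SCHEMA], "id": str(user_id), "userName": new_name}
```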

Complete Portuguese (pt-BR) Frontend Localization

The May 2026 release shipped multi-language interface support including Portuguese (Brazil), with the platform's Django template layer fully translated. However, a meaningful category of strings was not covered: UI text rendered dynamically by the TypeScript frontend — toast notifications, empty-state messages, form validation errors, bulk-action delete confirmations, and tooltip titles. Because these strings originated in TypeScript rather than Django templates, they were not captured in the initial translation pass. Users with pt-BR selected would see the platform in Portuguese throughout most of the application, then encounter English strings when form validation fired or a deletion was confirmed.

The June release wraps all 97 of these strings in gettext() calls across 11 TypeScript source files and adds matching pt-BR translations to the JavaScript catalog, increasing it from 459 to 556 message IDs. Fragment-concatenation patterns — where a sentence was assembled from separately translated pieces — were refactored into placeholder-based message IDs, which produces grammatically correct translations in languages where word order differs from English. The translation is compiled at build time via GNU msgfmt --check-format rather than runtime substitution, so a malformed translation fails the build rather than rendering garbled text in a customer session.

For MSSP operators with Brazilian clients, this closes the last visible gap between the English and Portuguese interfaces. Client-facing sessions, shared dashboards, and guided walkthroughs now display uniformly in Portuguese — from logging in through triaging findings to exporting a compliance report — without language-switching artifacts mid-workflow.

Eyeballer ML Badges on the Scan Detail Page

Eyeballer is HailBytes ASM's built-in ML model for screenshot classification: it analyzes captured screenshots of discovered web interfaces and labels them by type — login pages, admin panels, default configurations, error pages, parked domains, and similar — with a confidence percentage. The classification helps analysts quickly identify which discovered assets are worth investigating first.

Prior to this release, those classifications were only visible on the standalone subdomains page. When analysts drilled into a specific scan's detail view — where they typically perform per-scan review and triage — the subdomain table showed discovery data but not the Eyeballer labels, forcing a context switch to correlate the screenshot classification with the rest of the scan findings.

The detail-scan page now renders the Eyeballer label and confidence percentage as an inline badge in the subdomain results table, using the same badge styling as the subdomains page (e.g., Login Page 94%). The confidence score matters for triage: a 94%-confident "Login Page" classification warrants different handling than a 51%-confident one. No configuration is required — the badge renders automatically whenever Eyeballer classification data is present for a subdomain in the scan results.

Live ICS/OT Scan Targets: Modbus, S7, SNMP, BACnet

Following the IEC 62443 compliance framework and industrial protocol fingerprinting added in May, this release ships deployable live targets to demonstrate and validate ASM's industrial protocol scanning against real services rather than synthetic data. The demo stack includes two components:

  • DVWA (Damn Vulnerable Web Application) — a web target with known vulnerabilities covering OWASP Top 10 categories, serving as the IT-side counterpart for combined IT/OT assessment scenarios.
  • Conpot — an open-source ICS honeypot that emulates a Siemens S7-300 PLC and exposes Modbus TCP (port 502), S7comm (port 102), SNMP (port 161/UDP), and BACnet (port 47808/UDP) on the network.

When the Conpot target is registered with ASM and scanned, the platform's industrial protocol fingerprinting detects the exposed services, maps them to IEC 62443 control gaps (externally reachable control-system interfaces), and generates findings with industrial-context severity scoring. Terraform modules for both AWS and Azure deploy the targets into the same VPC or VNet as an ASM instance, with ingress locked to the scanner's CIDR range and egress blocked; a local Docker Compose variant is also available for single-host demos. A register_demo_target management command registers the deployed host as a scan target and optionally initiates the first scan, including the ICS/OT acknowledgement gate that governs industrial protocol scanning.

For organizations evaluating HailBytes ASM for OT security, this provides a verifiable proof-of-concept: the same scan engine, protocol detection, and IEC 62443 framework mapping that would run against production infrastructure — against an isolated, intentionally vulnerable target. The targets are intended for lab and demonstration use, not production deployment.

Scan-View Quality-of-Life Improvements

Three smaller but analyst-facing refinements ship alongside the headline changes:

Humanized one-off scheduled-scan display. The scheduled scans list shows task cadence for each scan — "Daily", "Weekly on Monday", "Monthly", and similar. One-off (clocked) tasks previously displayed a raw Python datetime representation like 2026-06-15 09:00:00+00:00. They now render as "Once on Jun 15, 2026 at 09:00 UTC", matching the readable format used throughout the platform. Status badges also adopt the platform's soft-badge variants, and the cadence configuration form wraps cleanly on narrower viewports instead of overflowing.

DataTable pagination fix. The vulnerability and subdomain tables use DataTables' Scroller extension to virtualize row rendering for large result sets. Without explicit handling, the Scroller pagination path could leak the literal placeholder tokens _PAGE_ and _PAGES_ instead of the actual page numbers. A buildPageInfoCallback() now computes current and total pages at draw time and injects them into the display, with wording matching the non-Scroller pagination used elsewhere. The fix applies to the vulnerability, subdomain, and endpoint tables on the detail-scan page.

Styled PDF report HTML preview. HailBytes ASM generates PDF reports using WeasyPrint, which can take 30–90 seconds for large scan datasets. Appending ?format=html to a report URL now renders a fully styled in-browser preview — cover page, section sheets, severity-badged tables, asset change summary, screenshot gallery, and footer branding — rather than triggering a PDF download. A @media screen block and HTTP-accessible asset URLs (versus WeasyPrint's file:// URIs) make the preview visually match the final document, so teams can spot-check layout and branding before generating the PDF.

Security & Supply-Chain Hardening

This release also ships security improvements that don't surface in the UI but matter for organizations evaluating HailBytes ASM's security posture during procurement.

bleach → nh3. Mozilla's bleach library was archived in January 2024 and receives no further security patches. HailBytes ASM used it to sanitise user-supplied content in PDF report fields and the administrator-configurable login banner. It has been replaced with nh3 (version 0.3.5), a Rust-backed sanitiser under active maintenance. The migration is a drop-in replacement with one improvement: nh3 manages anchor rel attributes itself via link_rel="noopener noreferrer", which is stricter than the previous behaviour. The same HTML tags remain permitted and rendered output is visually identical.

CVE dependency floor bumps. Three pip-audit findings are cleared by raising minimum version floors:

  • cryptography ≥ 46.0.7 — addresses a buffer overflow (CVE-2026-39892). Applied to both the web and hatchet images.
  • urllib3 ≥ 2.7.0 — addresses resource exhaustion and a header leak (CVE-2026-44431, CVE-2026-44432).
  • pygments ≥ 2.20.0 — addresses a ReDoS in the AdlLexer (CVE-2026-4539).

The resolved lock files were already at safe versions; the floor changes close the latent gap where a dependency resolver could otherwise select a vulnerable release. SCA tooling (AWS Inspector, Azure Defender) will see these findings clear after the update.

Reproducible hatchet image builds. The resolvers.txt DNS wordlist used by subdomain discovery was previously fetched at build time from a pinned commit in the trickest/resolvers repository. That repository force-pushes its auto-updated history, so any pinned SHA eventually becomes an orphaned ref that returns a 404 — breaking the entire hatchet image build, a failure mode that had already caused one outage. The wordlist is now vendored directly in the repository and COPYed into the image, making builds fully reproducible with no build-time network dependency on a mutable upstream. A README documents the refresh process.

Upgrading

This release is available on the AWS Marketplace and Azure Marketplace. Existing deployments update by pulling the latest Docker image. No data migration or reconfiguration is required for any of the changes in this release.

The MSSP portfolio metrics appear immediately on the All Projects page after upgrading. The SCIM fix takes effect automatically — if your IdP had marked provisioning as errored for existing users, trigger a manual sync after the update to recover. The pt-BR translations, Eyeballer badges, scheduled-scan display, pagination fix, and report preview are all active immediately. The ICS/OT demo targets are opt-in and require manual deployment via the Terraform modules; they are not started by default in production deployments.

Deploy HailBytes ASM

Attack surface management with data sovereignty: your infrastructure, your data, MSSP portfolio visibility across all client projects, full multi-language support, native ICS/OT protocol coverage, and enterprise-grade IdP provisioning via SCIM 2.0.