HailBytes SAT: Exemption Management and Cortex XSIAM Integration
May 26, 2026 • 6 min read
The latest HailBytes SAT release ships two features that admins running real programs — especially across regulated populations and multiple clients — have asked for repeatedly: a formal exemption management workflow with full audit logging, and native event forwarding to Palo Alto Cortex XSIAM, bringing it to parity with the existing Splunk and Microsoft Sentinel connectors.
Why Exemption Management Matters
Every awareness program eventually hits the same question: how do you legitimately exclude someone from a campaign or a training assignment without quietly editing recipient lists and losing the paper trail? An employee on parental or medical leave shouldn’t be auto-enrolled in mandatory training. An executive’s assistant may need to be scoped out of a specific simulation. A department mid-reorg may need a time-bounded pause. Handling these ad hoc — by removing people from lists or skipping them manually — works until an auditor asks why a given user has no completion record for a required module.
Exemption management turns that from an undocumented workaround into a governed, evidence-producing process. Instead of silently dropping users, an admin records a formal exemption with a reason, a scope, and an approval — and the system keeps the record.
How Exemptions Work
Exemptions are created through a request-and-approve workflow rather than a single toggle: one admin requests the exemption with a justification, and a second approves or denies it, so no individual can unilaterally exclude a user from a required program. Every state transition is written to the audit log with the actor, timestamp, and reason.
Each exemption is bound to one of three scope types, so exclusions stay as narrow as the situation requires:
- Campaign — exclude a user from a specific phishing simulation.
- Training module — exclude a user from a specific assigned training module.
- Time-bounded period — exclude a user for a defined window (for example, the duration of a leave), after which they re-enter the normal program automatically.
Because exemptions carry their own reason and lifecycle, a missing completion record is no longer an anomaly to explain — it’s an approved, dated exception with a justification attached.
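To make the workflow above concrete, here is a small Python model of the control it describes: two-person approval (the requester cannot approve their own request), the three scope types, automatic expiry of a time-bounded exemption, and an audit entry for every state transition. This is an added illustration written for this post, not HailBytes SAT code; the class names, field names and sample users are assumptions chosen for the example.

```python
"""Toy request-and-approve exemption registry with an audit log.

Added example, not HailBytes SAT code. All names (Scope, State, Exemption,
ExemptionRegistry, the sample admins and users) are assumptions made for
this illustration of the workflow described in the post.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Scope(Enum):
    CAMPAIGN = "campaign"        # exclude from one phishing simulation
    MODULE = "training_module"   # exclude from one assigned training module
    PERIOD = "time_bounded"      # exclude for a date window, e.g. a leave


class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class Exemption:
    user: str
    scope: Scope
    target: Optional[str]        # campaign or module id; None for PERIOD
    reason: str
    requested_by: str
    start: Optional[date] = None  # PERIOD only
    end: Optional[date] = None    # PERIOD only
    state: State = State.REQUESTED
    approved_by: Optional[str] = None


@dataclass
class AuditEntry:
    when: date
    actor: str
    exemption_id: int
    transition: str
    reason: str


class ExemptionRegistry:
    def __init__(self) -> None:
        self.exemptions: list[Exemption] = []
        self.audit: list[AuditEntry] = []

    def _log(self, when: date, actor: str, idx: int, transition: str, reason: str) -> None:
        # Every state change is recorded with actor, timestamp and reason.
        self.audit.append(AuditEntry(when, actor, idx, transition, reason))

    def request(self, when: date, actor: str, user: str, scope: Scope, reason: str,
                target: Optional[str] = None, start: Optional[date] = None,
                end: Optional[date] = None) -> int:
        """First admin requests an exemption with a justification; returns its id."""
        if scope is Scope.PERIOD:
            if start is None or end is None or end < start:
                raise ValueError("time-bounded exemption needs a valid start/end window")
        elif target is None:
            raise ValueError(f"{scope.value} exemption needs a target id")
        self.exemptions.append(Exemption(user, scope, target, reason, actor, start, end))
        idx = len(self.exemptions) - 1
        self._log(when, actor, idx, State.REQUESTED.value, reason)
        return idx

    def decide(self, when: date, actor: str, idx: int, approve: bool, reason: str) -> None:
        """Second admin approves or denies; the requester may not decide their own request."""
        ex = self.exemptions[idx]
        if ex.state is not State.REQUESTED:
            raise ValueError("exemption has already been decided")
        if actor == ex.requested_by:
            raise PermissionError("requester cannot approve or deny their own exemption")
        ex.state = State.APPROVED if approve else State.DENIED
        ex.approved_by = actor if approve else None
        self._log(when, actor, idx, ex.state.value, reason)

    def find_exemption(self, user: str, on: date, campaign: Optional[str] = None,
                       module: Optional[str] = None) -> Optional[Exemption]:
        """Return the approved exemption that covers this user for this
        campaign/module on this date, or None. Expired periods do not match,
        so the user re-enters the normal program automatically."""
        for ex in self.exemptions:
            if ex.user != user or ex.state is not State.APPROVED:
                continue
            if ex.scope is Scope.CAMPAIGN and campaign is not None and ex.target == campaign:
                return ex
            if ex.scope is Scope.MODULE and module is not None and ex.target == module:
                return ex
            if ex.scope is Scope.PERIOD and ex.start <= on <= ex.end:
                return ex
        return None

    def is_exempt(self, user: str, on: date, campaign: Optional[str] = None,
                  module: Optional[str] = None) -> bool:
        return self.find_exemption(user, on, campaign, module) is not None
```

When an auditor asks why a user has no completion record, `find_exemption` returns the approved, dated record with its justification, and the registry's `audit` list shows who requested and who approved it.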
Cortex XSIAM Event Forwarding
HailBytes SAT already forwards campaign and training events to Splunk and Microsoft Sentinel. This release adds a native dispatcher for Palo Alto Cortex XSIAM, posting events to the XSIAM HTTP Log Collector so simulation outcomes — clicks, submissions, reports, training completions — land in the same analytics platform as the rest of your security telemetry.
Setup follows the same pattern as the other SIEM connectors: enable the XSIAM dispatcher, supply your tenant’s HTTP Log Collector endpoint and API key, and SAT begins forwarding events as they occur. It runs alongside Splunk and Sentinel rather than replacing them, so a team mid-migration can forward to more than one destination at once. See the integrations page for the full connector list.
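As an added example of what "forwarding events as they occur" involves on the wire, the Python below batches SAT-style events into newline-delimited JSON and posts them to an XSIAM HTTP Log Collector endpoint. It is not HailBytes SAT's dispatcher. It assumes the collector accepts NDJSON at `/logs/v1/event` with the API key in the `Authorization` header (check the XSIAM documentation for your tenant), reads the key from an `XSIAM_API_KEY` environment variable, and uses made-up event field names; the HTTP transport is injected so the example runs offline and can be tested without a tenant.

```python
"""Forward SAT-style events to a Cortex XSIAM HTTP Log Collector.

Added example, not HailBytes SAT code. Assumptions: the collector accepts
newline-delimited JSON at <base_url>/logs/v1/event with the API key in the
Authorization header; the event field names and the sample events are
constructed for illustration.
"""
import json
import os
import urllib.request
from typing import Callable, Iterable

# Constructed sample events. The submit event records that a submission
# happened; it deliberately does not carry whatever the user typed.
SAMPLE_EVENTS = [
    {"ts": "2026-05-26T09:14:02Z", "event_type": "phish.click",
     "user": "bob@example.com", "campaign": "q2-invoice-lure"},
    {"ts": "2026-05-26T09:14:40Z", "event_type": "phish.submit",
     "user": "bob@example.com", "campaign": "q2-invoice-lure"},
    {"ts": "2026-05-26T09:15:10Z", "event_type": "phish.report",
     "user": "carol@example.com", "campaign": "q2-invoice-lure"},
    {"ts": "2026-05-26T10:02:00Z", "event_type": "training.complete",
     "user": "bob@example.com", "module": "phishing-basics"},
]

# A transport takes (url, headers, body) and returns the HTTP status code.
Transport = Callable[[str, dict, bytes], int]


def xsiam_request(base_url: str, api_key: str, events: Iterable[dict]) -> tuple[str, dict, bytes]:
    """Build (url, headers, body) for one batch: one JSON object per line."""
    if not base_url.startswith("https://"):
        raise ValueError("collector endpoint must be HTTPS: the API key travels in a header")
    lines = [json.dumps(e, separators=(",", ":"), sort_keys=True) for e in events]
    body = ("\n".join(lines) + "\n").encode("utf-8")
    headers = {"Authorization": api_key, "Content-Type": "text/plain"}
    return base_url.rstrip("/") + "/logs/v1/event", headers, body


class XsiamDispatcher:
    def __init__(self, base_url: str, api_key: str, post: Transport, batch_size: int = 500) -> None:
        if not api_key:
            raise ValueError("missing XSIAM API key")
        self.base_url = base_url
        self.api_key = api_key
        self.post = post
        self.batch_size = batch_size

    def forward(self, events: Iterable[dict]) -> int:
        """Send events in batches; returns how many were accepted.
        Stops at the first non-2xx response so the caller can retry from there."""
        events = list(events)
        sent = 0
        for start in range(0, len(events), self.batch_size):
            batch = events[start:start + self.batch_size]
            url, headers, body = xsiam_request(self.base_url, self.api_key, batch)
            status = self.post(url, headers, body)
            if not 200 <= status < 300:
                raise RuntimeError(
                    f"collector returned HTTP {status} for batch at offset {start}; "
                    f"{sent} events forwarded before the failure")
            sent += len(batch)
        return sent


def urllib_post(url: str, headers: dict, body: bytes) -> int:
    """Real transport for production use (urllib, 10 s timeout)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder tenant URL; replace with your tenant's collector endpoint.
    dispatcher = XsiamDispatcher("https://api-TENANT-PLACEHOLDER.example",
                                 os.environ.get("XSIAM_API_KEY", ""), urllib_post)
    print(dispatcher.forward(SAMPLE_EVENTS), "events forwarded")
```

Because the dispatcher only depends on a `post` callable, the same fan-out pattern extends to running Splunk and Sentinel transports side by side during a migration, which is the multi-destination setup the post describes.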
Compliance Implications
Both features are really about audit readiness. For SOC 2 and ISO 27001, security-awareness training is a recurring control, and the evidence auditors want is not just “we ran training” but “here is who was in scope, who completed it, and why anyone wasn’t.” A governed exemption with an approval trail answers that last question directly, and forwarding events to your SIEM/XSIAM gives you a durable, queryable record of program activity outside the SAT instance itself.
A Note for MSSPs
For MSSPs running HailBytes SAT as one VM per client, both features respect that isolation boundary: exemptions and their audit trails are per-tenant, and each client’s instance forwards to its own SIEM/XSIAM destination. There is no shared exemption pool and no cross-client event leakage — the same clean separation that makes per-tenant deployment attractive for compliance bundles in the first place.
Run a Phishing Program You Can Defend in an Audit
HailBytes SAT deploys in your own AWS or Azure account with governed exemptions, full audit logging, and event forwarding to Sentinel, Splunk, and Cortex XSIAM.