What's New in HailBytes SAT: Exemption Management & Cortex XSIAM Integration
June 18, 2026
Two enterprise features just landed in HailBytes SAT: a built-in exemption management system for governing who is in and out of a campaign, and a native Palo Alto Cortex XSIAM integration for routing campaign telemetry into your SOC. Here's what each one does and why it matters.
Exemption management with a real approval workflow
Every security-awareness program eventually hits the same question: who legitimately should not receive a given simulation? Employees on medical leave, a team in the middle of a production incident, an executive's assistant during a board week, a contractor outside the training mandate. Handling these ad hoc — by editing target lists or quietly skipping people — destroys the auditability that makes the program defensible to an auditor in the first place.
HailBytes SAT now models exemptions as first-class, governed objects. An exemption has a scope — a specific campaign, a specific training_module, or a time-bound period — and a mandatory reason. It moves through an explicit five-state machine with a two-step approval:
- requested → approved or rejected
- approved → revoked or expired
Rejected, revoked, and expired are terminal. Because a request and its approval are separate steps by separate people, no single user can quietly exempt themselves or a colleague — and every transition is written to the audit log with who, when, and why. The result is that “this person didn't get the phish” is always answerable with a documented, approved, time-bounded exemption rather than a gap in the data. Exemptions are tenant-scoped, so in a multi-client MSSP deployment one client's exemptions are never visible to another.
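A minimal model of the exemption lifecycle described above, as an added example rather than HailBytes SAT's own code. The class, field and scope names are hypothetical, and blocking the exempted user from deciding their own request is an assumption beyond what the post states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Transition table from the list above; states with no entry are terminal.
TRANSITIONS = {
    "requested": {"approved", "rejected"},
    "approved": {"revoked", "expired"},
}
SCOPES = {"campaign", "training_module", "period"}  # "period" is an assumed label


class ExemptionError(Exception):
    pass


@dataclass
class Exemption:
    tenant: str
    subject: str      # user being exempted
    requester: str
    scope: str
    reason: str
    state: str = "requested"
    audit: list = field(default_factory=list)

    def __post_init__(self):
        if self.scope not in SCOPES:
            raise ExemptionError(f"unknown scope {self.scope!r}")
        if not self.reason.strip():
            raise ExemptionError("a reason is mandatory")
        self._log(self.requester, None, "requested", self.reason)

    def _log(self, actor, old, new, why):
        # Audit record carries who, when and why for every transition.
        when = datetime.now(timezone.utc).isoformat()
        self.audit.append({"who": actor, "when": when, "from": old, "to": new, "why": why})

    def transition(self, actor, actor_tenant, new_state, why):
        if actor_tenant != self.tenant:
            raise ExemptionError("exemption belongs to another tenant")
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ExemptionError(f"{self.state} -> {new_state} is not allowed")
        # Separation of duties: the requester (and, by assumption, the subject) cannot decide.
        if self.state == "requested" and actor in (self.requester, self.subject):
            raise ExemptionError("requester or subject cannot decide the request")
        if not why.strip():
            raise ExemptionError("every transition needs a reason")
        self._log(actor, self.state, new_state, why)
        self.state = new_state
```

The checks are ordered so that a rejected attempt leaves both the state and the audit list unchanged; a production system would likely also record denied attempts.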
This matters most for the compliance programs SAT already supports — SOC 2, HIPAA, PCI-DSS 12.6 — where an auditor wants to see not just completion rates but a clean account of every documented exception.
Native Cortex XSIAM integration
SAT already forwards campaign and interaction events to Splunk, Microsoft Sentinel, and other destinations. This release adds Palo Alto Cortex XSIAM as a first-class target: campaign and risk events forward directly to a Cortex XSIAM HTTP Log Collector, so phishing-simulation signal — who clicked, who submitted credentials, who reported — lands in the same platform your SOC already uses to correlate endpoint, network, and identity telemetry.
Like every HailBytes integration, it's bring-your-own-tenant: you point SAT at your own XSIAM HTTP Log Collector endpoint with your own credentials, and the events flow from your instance to your SIEM with no third-party hop in between. For a SOC running detections on user behavior, a repeat credential-submitter in a simulation is exactly the kind of signal worth correlating against real authentication events.
Run a defensible awareness program
Governed exemptions and SIEM-native event routing are built into every HailBytes SAT instance — deployed in your own AWS or Azure account.