Changelog
Material platform updates for HailBytes SAT and HailBytes ASM. Minor security patches and incremental improvements ship continuously to marketplace deployments and aren’t individually called out here.
Six New Scan Phases: CI/CD, Second-Order Takeover, Parameter Discovery, Shodan CVE Correlation, Cloudflare Origin Bypass & AI Scan Summary
A May 25–26 feature wave expanded the scan pipeline across CI/CD, web, network, and code-leak attack surface, and added an AI-written executive summary to every scan.
- CI/CD attack-surface scanning (Gato + zizmor). A new cicd_scan phase enumerates GitHub Actions workflows for exposed secrets, OIDC misconfigurations, and poisoned-workflow patterns (Gato) and statically analyses workflow YAML for injection and privilege escalation (zizmor). Per-Organization opt-in with a customer-provided GitHub PAT; findings surface as Critical/High Vulnerabilities. Discovery coverage →
- Second-order subdomain takeover detection. Crawls alive endpoints for external host references (scripts, iframes, objects) and flags any resolving to NXDOMAIN as High-severity — catching dangling CDN, SaaS, and API references that CNAME-only checks miss.
- HTTP parameter discovery (arjun). A new parameter_discovery phase surfaces hidden parameters on alive endpoints and feeds them into the nuclei, dalfox, and crlfuzz fuzz passes. Off by default.
- Shodan CVE-correlated scanning. A pre-vulnerability-scan step runs a registry of Shodan version-exclusion queries (HP iLO 4, Intel AMT, Cisco Smart Install, exposed ADB) against target IPs, persisting matches as Vulnerabilities before nuclei runs. Requires a Shodan API key; off by default.
- Cloudflare origin IP bypass (CloudFlair + hakoriginfinder). A new origin_bypass phase classifies A records against Cloudflare CIDRs, queries Censys for TLS-certificate matches, and confirms candidates by response-body hashing — surfacing the real origin as exposed-origin-ip findings. Requires Censys credentials; off by default.
- CORS misconfiguration scanning (corsy). 14 CORS probes (origin reflection, prefix/suffix bypass, null-origin trust, wildcard-with-credentials, and more) added as an opt-in sub-task within vulnerability_scan.
- AI-powered scan summary. Each completed scan now generates an LLM executive narrative (OpenAI / Anthropic / Gemini / Ollama) — severity distribution, top findings, and surface drift vs. the prior scan — cached per scan and rendered both as a collapsible card in the scan detail view and as a dedicated section in the PDF report. Skips silently when no provider is configured.
- Real-time public commit monitoring. A 5-minute cron polls the GitHub public events API for commits matching per-Organization keyword filters (apex domain, brand name, service IDs) and pipes matches through trufflehog. Confirmed secrets surface as Critical Vulnerabilities; the raw secret value is never stored. Per-Organization opt-in.
- puredns DNS brute-force. puredns v2.1.1 added as an opt-in step in subdomain_discovery using the SHA-pinned SecLists top-1M wordlist, flowing into the same dedup pipeline as passive sources.
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement. New scan phases are off by default and opt-in per scan engine.
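The second-order takeover check above is worth seeing in code from the defender's side: the risk is an in-scope page that still loads a script, frame or object from a host nobody owns any more, and the detection is simply to collect those external hosts and resolve them. The following is an added example, not HailBytes code; it assumes a crawled page's HTML is already in hand, takes a resolve(host) callback (so the sample runs offline against a constructed answer table; a real run would pass a function backed by socket.getaddrinfo or dns.resolver), and treats scope as a list of apex domains.

```python
"""Second-order dangling-reference check (added example, not HailBytes code).

Collects hostnames referenced by <script src>, <iframe src> and <object data>
on an in-scope page, drops hosts inside the organization's own scope, resolves
the remainder, and reports any that return NXDOMAIN as High-severity findings.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


@dataclass(frozen=True)
class Finding:
    page: str
    tag: str
    host: str
    severity: str = "High"


class ExternalRefParser(HTMLParser):
    # tag -> attribute that carries the external reference
    REF_ATTRS = {"script": "src", "iframe": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, raw url)

    def handle_starttag(self, tag, attrs):
        wanted = self.REF_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def extract_hosts(page_url, html):
    """Return (tag, hostname) pairs for every referenced URL with a host."""
    parser = ExternalRefParser()
    parser.feed(html)
    hosts = []
    for tag, raw in parser.refs:
        # urljoin turns relative and protocol-relative (//cdn...) URLs into
        # absolute ones, so same-origin references resolve to the page host
        host = urlparse(urljoin(page_url, raw)).hostname
        if host:
            hosts.append((tag, host.lower()))
    return hosts


def in_scope(host, scope_domains):
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def find_dangling(page_url, html, scope_domains, resolve):
    """resolve(host) -> True if the name resolves, False on NXDOMAIN."""
    findings, seen = [], set()
    for tag, host in extract_hosts(page_url, html):
        if host in seen or in_scope(host, scope_domains):
            continue
        seen.add(host)
        if not resolve(host):
            findings.append(Finding(page=page_url, tag=tag, host=host))
    return findings


# Constructed sample: one crawled page and a fake DNS answer table
SAMPLE_PAGE = "https://www.example.test/"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.assets-example.test/lib.js"></script>
</head><body>
<iframe src="//widget.old-vendor-example.test/embed"></iframe>
<object data="https://api.example.test/v1/doc.svg"></object>
<script src="https://cdn.assets-example.test/other.js"></script>
</body></html>
"""
FAKE_DNS = {"cdn.assets-example.test": True, "widget.old-vendor-example.test": False}


def fake_resolve(host):
    # Constructed resolver: anything not in the table is treated as NXDOMAIN
    return FAKE_DNS.get(host, False)


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_PAGE, SAMPLE_HTML, ["example.test"], fake_resolve):
        print(f)
```

Only the iframe pointing at widget.old-vendor-example.test is reported: the same-origin script and the api.example.test object are in scope, and the CDN host resolves. A CNAME-only check on example.test's own zone would never see that iframe, which is the gap the release note describes; the remediation is to remove or re-point the reference before the name is registered by someone else.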
Cortex XSIAM Dispatcher, ICS/OT Coverage & Multi-Year Pricing
New SIEM dispatcher, industrial protocol scanning, a dashboard rendering fix, and multi-year reservation tiers.
- Palo Alto Cortex XSIAM dispatcher. Route ASM findings directly into Cortex XSIAM via the HTTP Log Collector. Structured JSON maps to XSIAM’s dataset schema for immediate correlation with endpoint, network, and identity telemetry — no custom parsing required. Bring your own XSIAM tenant. SIEM integrations →
- ICS/OT coverage via scada-scanner. Passive protocol fingerprinting for Modbus, DNP3, EtherNet/IP, BACnet, and S7. Discovered OT assets promote to Asset rows with asset_type=ot and enter the existing findings pipeline (exposure graph, ticketing dispatchers, compliance reports) alongside IT findings. ICS/OT integrations →
- Attack-path chart rendering fix. Resolved a JavaScript rendering regression that prevented attack-path and directed-attack-path visualizations from loading in the dashboard. No data was affected; the fix is display-layer only.
- Multi-year reservation pricing. Year 2 reservations carry a 10% discount; Year 3 carries 15%. Requires a signed order form. Pricing →
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement.
Cortex XSIAM Dispatcher & Exemption Management
SAT gains the same Cortex XSIAM SIEM path that shipped for ASM, plus an audit-grade exemption workflow for regulated and MSSP deployments.
- Palo Alto Cortex XSIAM dispatcher. SAT campaign events (phishing clicks, credential submissions, training completions, reported phish) now POST as JSON batches to Palo Alto’s HTTP Log Collector, mirroring the existing Splunk and Sentinel dispatchers, with a SIEM entry in the Integrations settings tab. Bring your own XSIAM tenant. SIEM integrations →
- Exemption management. Admins can record excusals for individual users from a campaign, training module, or quiet-period window through a requester → approver workflow with enforced separation of duty (requester ≠ approver). Every state transition (request, approve, reject, revoke, expire) is logged for SOC 2, HIPAA, and ISO 27001 evidence, and overdue exemptions expire automatically. HailBytes SAT →
Customer-Facing Release Highlights for Security Teams and MSSPs
This combined release note rolls up the SAT improvements from April 2026 to mid-May 2026 into a customer-facing summary for product buyers, managed security teams, and MSP operators.
- More visibility into risk, reporting, and campaign performance. Historical risk snapshots, trend reporting, billing and alerting controls, and better insight into template-library activity and phishing risk trends help teams understand what changed and why.
- Stronger support for multi-tenant operations. Cloned templates, system-level library flags, forwarded-report handling, follow-up review persistence, and AutoPhish template/page/group pools make managed content easier to govern across tenants.
- More integrations and workflow handoff options. Expanded forwarding and export support now aligns with common security-tool and cloud destinations, including Microsoft Sentinel, S3, Azure Blob, SFTP, ServiceNow, Jira, PagerDuty, Proofpoint TAP, Mimecast, Slack, Teams, and Twilio channels.
- Broader simulation and training coverage. QR code lure coverage, Twilio SMS and voice channels, and expanded training content make simulation programs more realistic and more complete.
- Cleaner enterprise and MSSP administration. Improved multi-tenant rollups, demo/showcase workflows, integrations discovery, SCIM / SAML / OIDC / MFA support, and better onboarding and empty-state handling simplify day-to-day administration.
- Better release quality and deployment confidence. Strengthened test coverage, streamlined release workflows, improved migration support, and schema/CI hardening reduce production risk for marketplace deployments.
This release is the customer-facing consolidation of the April 1 onward commit stream. See the product page for the updated positioning and feature summary.
Enterprise Capabilities & Long-Tail Standards
The biggest HailBytes ASM release since launch. Enterprise identity, cloud-native asset discovery, threat intelligence, an exposure graph, CI/CD integrations, alerting and ticketing dispatchers, secrets backends, standards-body export formats, and seven additional compliance framework reports.
- SCIM 2.0 provisioning. Auto-create and deactivate users from Okta, Microsoft Entra ID, Google Workspace, and OneLogin. Identity providers →
- LDAP / Active Directory direct-bind. For organizations not yet on SAML or OIDC; first successful auth assigns the configured role, with attributes refreshed on each login.
- Cloud asset discovery. First-party connectors for AWS (Route 53, EC2, ELBv2, CloudFront, S3, RDS, API Gateway, Lambda), Azure (DNS Zones, App Service, Public IP, Storage, Front Door, including Azure Government), GCP (Cloud DNS, Compute, Cloud Run, Cloud Storage), and Cloudflare (DNS, Workers routes, R2). Inbound asset webhook for everything else. Cloud Security integrations →
- Threat-intelligence enrichment. Bring-your-own credentials for nine providers: Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, Have I Been Pwned, MISP, OpenCTI, and AlienVault OTX. Threat-intel providers →
- Exposure graph. Force-directed visualization that clusters related domains, subdomains, IPs, and findings into named exposures, so an analyst can see what else lives on the same surface without joining tables manually.
- Ticketing & alerting dispatchers. Jira (Cloud + Data Center), ServiceNow (SIR + ITSM), PagerDuty Events v2, Opsgenie Events v2 (EU/US regions), GitHub Issues, and GitLab Issues, all with severity-floor filtering and deterministic dedup keys so a finding lands in exactly one alert per upstream tool. Ticketing setup →
- CI/CD integrations. GitHub Action published to the GitHub Marketplace, plus templates for GitLab CI, Jenkins, CircleCI, and Azure Pipelines. Public scan-initiation API and a Zapier app for everything else. CI/CD integrations →
- Bug-bounty ingestion. Pull HackerOne and Bugcrowd reports into the same triage, ticketing, exposure-graph, and compliance-reporting flow as scan findings. Bug-bounty →
- Standards-body export formats. SARIF 2.1.0 for GitHub Code Scanning and any SARIF-aware tool, STIX 2.1 / TAXII 2.1 server for OpenCTI / MISP / Anomali clients, and OpenVEX 0.2.0 for Sigstore / Cosign attestation chains.
- Enterprise secrets backends. Reference credentials stored in HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager rather than holding them in HailBytes. Secrets & PAM →
- Scheduled PDF reports. Recurring per-Project report delivery on a daily, weekly, or monthly cadence, with the existing report template (asset change summary, screenshots, compliance evidence). Reporting details →
- Additional compliance framework reports. Added (North American): HIPAA Security Rule, CIS Controls v8 IG1 + IG2, FedRAMP Moderate, and NYDFS 23 NYCRR Part 500. Added (global): ISO/IEC 27001:2022 and GDPR Article 32. HailBytes ASM ships eleven compliance framework reports total, ordered North American → Latin American → global for US Enterprise procurement. Compliance coverage →
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement.
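The ticketing and alerting dispatchers above rely on two small pieces of logic, a severity floor and a deterministic dedup key, to guarantee that a finding lands in exactly one alert per upstream tool. Here is an added example of how such a key can be built, not HailBytes code; it assumes findings are dicts carrying asset, template_id and severity, and that each dispatcher keeps the set of keys it has already sent (a set in memory here, a table column in practice). Template ids other than exposed-origin-ip are constructed for the sample.

```python
"""Severity-floor filter and deterministic dedup key for a ticketing dispatcher
(added example, not HailBytes code)."""
import hashlib
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def dedup_key(org_id: str, tool: str, finding: dict) -> str:
    """Same org, upstream tool, asset and detection template -> same key.

    Severity, timestamps and free-text evidence are deliberately left out so a
    finding re-observed by a later scan maps onto the alert already opened.
    """
    ident = {
        "org": org_id,
        "tool": tool,
        "asset": finding["asset"].strip().lower(),
        "template": finding["template_id"],
    }
    canon = json.dumps(ident, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:32]


def select_for_dispatch(org_id, tool, floor, findings, already_sent):
    """Return (key, finding) pairs to send to `tool`; records keys in already_sent."""
    floor_rank = SEVERITY_RANK[floor]
    queued = []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < floor_rank:
            continue  # below the configured floor for this tool
        key = dedup_key(org_id, tool, f)
        if key in already_sent:
            continue  # an alert for this finding already exists upstream
        already_sent.add(key)
        queued.append((key, f))
    return queued


# Constructed sample: two consecutive scans of the same organization
SCAN_1 = [
    {"asset": "api.example.test", "template_id": "exposed-origin-ip", "severity": "high"},
    {"asset": "www.example.test", "template_id": "missing-csp", "severity": "low"},
]
SCAN_2 = [
    # same finding as scan 1, differing only in case and whitespace
    {"asset": "API.example.test ", "template_id": "exposed-origin-ip", "severity": "high"},
    {"asset": "git.example.test", "template_id": "cicd-secret", "severity": "critical"},
]


def demo():
    sent_jira = set()
    first = select_for_dispatch("org-1", "jira", "medium", SCAN_1, sent_jira)
    second = select_for_dispatch("org-1", "jira", "medium", SCAN_2, sent_jira)
    # a different upstream tool keeps its own key space and its own floor
    sent_pd = set()
    paged = select_for_dispatch("org-1", "pagerduty", "critical", SCAN_2, sent_pd)
    return first, second, paged


if __name__ == "__main__":
    for batch in demo():
        print([(k[:8], f["template_id"]) for k, f in batch])
```

On the sample the first Jira batch holds only the exposed-origin-ip finding (missing-csp is below the medium floor), the second batch holds only cicd-secret because the re-observed origin finding hashes to the key already sent, and the PagerDuty batch gets cicd-secret under a different key, so each tool sees each finding once.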
Programmatic Deployment & MCP Reference
Operator-facing documentation expanded for teams deploying via infrastructure-as-code or driving HailBytes from AI agents.
- One-shot AWS and Azure CLI deployment guides. Step-by-step AWS CLI and Azure CLI walkthroughs, with CloudFormation and ARM/Bicep alternatives and AWS GovCloud / Azure Government variants.
- MCP server reference. Documentation for the 16 MCP tools, with ready-to-paste configs for Claude Desktop, Claude Code, Cursor, Windsurf, and the Anthropic Python SDK.
- API reference rewritten. Accurate endpoint paths, authentication, rate limits, and the full audit-log taxonomy for both products.
Enterprise & Agent Release
The biggest HailBytes SAT release since launch. New enterprise identity surface, an MCP server for AI agents, deeper training and risk features, and a hardened image pipeline across AWS Marketplace and Azure Marketplace.
- MCP server with 14 tools. Drive HailBytes SAT from Claude Desktop, Claude Code, Cursor, Windsurf, or any Anthropic SDK with MCP support. Reference →
- SAML 2.0 SSO from the dashboard. Configurable in the UI alongside OIDC; supports Microsoft Entra ID, Okta, OneLogin, and PingIdentity. Tutorial →
- SCIM 2.0 provisioning. Auto-create and deactivate users from any compliant identity provider. Tutorial →
- MSSP white-label & seat caps. Per-tenant branding flows through UI, reports, certificates, and outbound emails; configurable seat caps per organization. Tutorial →
- Phish triage queue with reporter accuracy. User-reported emails feed into a triage queue with reporter scoring and SOAR forwarding. Tutorial →
- Risk-based auto-enroll & just-in-time training. Click an event, get a coaching moment; repeat clickers auto-enrolled into remediation tracks. Tutorial →
- Training tracks & dashboard redesign. Multi-module curricula, branded certificates, KPI sparklines, repeat-clicker watchlist, and threat-trend toggle. Tutorial →
- Executive reports. Branded board-ready PDF or JSON, with optional AI-generated narrative summary. Tutorial →
- AES-256-GCM encryption at rest. All PII (names, emails, captured credentials) encrypted in the database.
- Comprehensive audit logging. Admin actions captured with IP, user agent, and affected resource; CSV / JSON export and configurable retention.
- AI-generated phishing templates. OpenAI or self-hosted Ollama produce campaign templates from a brief.
- Send-rate limiting per campaign. Stagger delivery to avoid spam-filter rate triggers and overwhelmed mail relays.
- Microsoft Entra ID group import. Pull a target list straight from your directory.
- Hardened image pipeline. Ubuntu 24.04 base; AWS AMI and Azure Compute Gallery image published per build; air-gap-friendly self-hosted fonts.
Enterprise Hardening & Performance
The marketplace baseline image picked up a stack of hardening and performance changes that ship continuously to deployed instances.
- Pooled database connections. Eliminates connection-storm failures on busy multi-tenant deployments.
- Faster first-scan readiness. Pre-built tooling cuts time-to-first-scan from over 20 minutes to under 5.
- Strict Content Security Policy. Defense-in-depth XSS mitigation in the web UI, on top of existing input sanitization.
- Hardened Ubuntu 24.04 baseline. Trimmed kernel parameters, package set, and SSH daemon configuration; ciphers restricted to current best-practice values.
- Expanded audit taxonomy. Twenty-one categories of state change now recorded with actor, IP, user agent, and resource.
- Application-layer rate limits. Anonymous 20/min, authenticated 200/min, scan initiations 10/min.
- Native ARM64 + AMD64 container images. Graviton and Ampere instances run without emulation.
HailBytes Attack Surface Management Platform Launch
Continuous external reconnaissance and vulnerability-assessment platform, deployable in five minutes through AWS Marketplace and Azure Marketplace.
- Modernized container infrastructure. Updated base images, improved health checks, and faster scan engine initialization.
- AI-powered finding analysis. OpenAI and self-hosted Ollama (NVIDIA / AMD GPU) for triage and contextual summarization.
- Coordinated scan pipeline. Subdomain enumeration, port and service scanning, vulnerability detection, and change tracking on a single pipeline.
- Structured reporting. Deep-link routing into Jira, Slack, and any SIEM that accepts webhook or syslog input.
- MCP server with 16 tools. Native Model Context Protocol support for AI-agent orchestration via Claude, Cursor, and Windsurf.
- Government cloud support. AWS GovCloud and Azure Government deployments at launch.
HailBytes Security Awareness Training Platform Launch
Self-hosted phishing-simulation and security-awareness training platform built from the ground up for enterprise deployments. Deployable through AWS Marketplace and Azure Marketplace at $0.24/vCPU/hour, with no per-seat pricing.
- Recurring training campaigns. Schedule sends across segments with frequency, difficulty, and audience controls.
- Interactive post-click quizzes. Built-in training modules shown to employees the moment they click a simulated phishing link.
- Branded certificates of completion. PDF certificates produced per-employee for compliance evidence.
- Per-tenant branding and OIDC SSO. Logo, favicon, colors, support URL, email-from name, and identity-provider configuration all per-tenant for MSSP multi-client deployments.
- AI-generated phishing templates. OpenAI and Ollama options for generating campaign templates without vendor template lock-in.
- Audit-log surface. JSON and CSV export plus REST API and webhooks for direct SIEM ingestion.
How Updates Reach Your Instance
HailBytes is a marketplace-managed deployment. Minor updates (security patches, dependency upgrades, scan-rule refreshes, template-library additions) ship continuously to running instances without administrator action.
Versions follow v1.<build-number>, where the build number increments with each release pushed to the AWS Marketplace and Azure Marketplace galleries. HailBytes SAT and HailBytes ASM track their own build counters independently. Material updates that change behavior, add a top-level capability, or affect compliance evidence are announced here, in the blog, and via the monthly newsletter.
Stay Current
Subscribe to the monthly newsletter for material platform updates, security advisories, and new tutorials.