Changelog
Material platform updates for HailBytes SAT and HailBytes ASM. Minor security patches and incremental improvements ship continuously to marketplace deployments and aren’t individually called out here.
Safe Active ICS/OT Scanning: Authorization Gate, Rate Limiting & PDF Assessment Reports
Active industrial-protocol scanning is now gated behind explicit per-scan authorization, rate-limited at the Modbus layer, and produces a customer-facing PDF assessment report. These changes build on the passive ICS/OT fingerprinting shipped in May.
- Explicit authorization gate for active ICS/OT scans. Active probes to industrial protocols (Modbus, S7, DNP3, BACnet, EtherNet/IP, IEC-104) can disrupt fragile OT equipment. ASM now requires a per-scan acknowledgement (`ics_ot_acknowledged`) before any active ICS/OT engine launches. The gate is enforced server-side in both the UI and the REST API; it cannot be pre-accepted in a saved configuration or bypassed client-side. Discovery coverage →
- Modbus scanner rate limiting and safe-mode default. The Modbus scanner accepts a `rate_limit` (probes/second) and throttles via a monotonic clock so time-sensitive PLC/HMI devices are not overwhelmed. Safe mode is ON by default and issues the minimum probe per device; the three checks are OT-001 (unauthenticated register read), OT-002 (cleartext Modbus TCP), and OT-003 (default HMI credentials).
- Assessment scope table in ICS/OT reports. Reports now list every evaluated check alongside its severity, CVSS score, and result (Confirmed / No exposure detected), so “no findings” reads as a positive assertion rather than an absence of information. Summary statistics lead with “checks evaluated.”
- Customer-facing ICS/OT PDF report. A branded assessment report with severity badges, CVSS metadata, CWE reference links, and an optional Markdown summary for CI artifact publishing — mapping onto IEC 62443 and NERC CIP documentation needs.
Active ICS/OT engines remain off by default and opt-in per scan engine. Full release notes →
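A sketch of the two controls described above, added here as an illustration and not HailBytes code: a server-side check that accepts the acknowledgement only from the per-scan request, and a pacer driven by a monotonic clock. The engine identifiers, the request and saved-configuration shapes, and the names `authorize_scan` and `ProbePacer` are assumptions; only `ics_ot_acknowledged` and `rate_limit` come from the changelog.

```python
import time

# Hypothetical engine identifiers for the active industrial-protocol scanners.
ACTIVE_ICS_ENGINES = {"modbus", "s7", "dnp3", "bacnet", "enip", "iec104"}


class AuthorizationRequired(Exception):
    """Raised when an active ICS/OT scan is requested without acknowledgement."""


def authorize_scan(request_body, saved_config):
    """Return the active ICS/OT engines this launch may run, or raise.

    The acknowledgement is read only from the per-scan request. A value stored
    in the saved configuration is ignored, so it cannot be pre-accepted there.
    """
    engines = set(saved_config.get("engines", ())) | set(request_body.get("engines", ()))
    active = sorted(engines & ACTIVE_ICS_ENGINES)
    # Require the JSON boolean true; values such as "true" or 1 do not count.
    if active and request_body.get("ics_ot_acknowledged") is not True:
        raise AuthorizationRequired("acknowledgement required for: " + ", ".join(active))
    return active


class ProbePacer:
    """Space probes at most rate_limit per second using a monotonic clock.

    A monotonic clock never jumps when wall time is adjusted (NTP step, DST),
    so a clock correction cannot shorten the gap between two probes.
    """

    def __init__(self, rate_limit, clock=time.monotonic, sleep=time.sleep):
        if rate_limit <= 0:
            raise ValueError("rate_limit must be positive (probes/second)")
        self._interval = 1.0 / rate_limit
        self._clock, self._sleep = clock, sleep
        self._next_at = float("-inf")

    def wait(self):
        """Block until the next probe is allowed; return the time it was released."""
        now = self._clock()
        if now < self._next_at:
            self._sleep(self._next_at - now)
            now = self._clock()
        # Schedule from the release time, not from the old slot: after an idle
        # period the pacer does not send a catch-up burst.
        self._next_at = max(now, self._next_at) + self._interval
        return now
```

The `clock` and `sleep` parameters exist so the pacing can be tested deterministically with a fake clock.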
Medium Findings Surfaced in MSSP Portfolio & CEF Syslog Severity Fix
Two targeted fixes improve portfolio fidelity for MSSP operators and restore correct priority ordering in Syslog/CEF SIEM dispatches.
- Medium findings now visible in the Projects portfolio. The Open Findings column on the All Projects view previously rendered badges only for Critical and High severity. A project with open Medium findings but zero Critical or High showed “None” — masking aging Mediums that commonly breach 30-day remediation SLAs before they surface in client QBRs. Medium findings are now shown alongside Critical and High; “None” is reserved for projects clean across all three tiers. HailBytes ASM →
- CEF syslog severity mapping corrected. The Syslog (CEF) SIEM dispatcher was writing the raw ASM severity integer directly into the RFC 5424 PRI byte. Because ASM and syslog severity run in opposite directions (ASM Critical = 1; syslog Critical = 2 / highest priority), Critical findings were arriving at your SIEM as low-priority events. The mapping is now correctly inverted: ASM Critical → syslog 2, High → 3, Medium → 4, Low → 6. No configuration change is required; all active Syslog/CEF integrations pick up the fix automatically. SIEM integrations →
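One way to confirm the corrected mapping on the receiving side, as an added example that is not HailBytes code: decode the PRI of each received line and compare its severity with the mapping listed above. The sample lines are constructed, and the CEF header values, the local0 facility and the `cs1`/`cs1Label` field carrying the ASM severity name are assumptions; the dispatcher's real field layout is not shown on this page.

```python
import re

# Mapping stated in the changelog entry: ASM severity -> syslog severity.
ASM_TO_SYSLOG = {"Critical": 2, "High": 3, "Medium": 4, "Low": 6}
SYSLOG_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

PRI_RE = re.compile(r"^<(\d{1,3})>")
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

# Constructed sample lines (RFC 5424 header + CEF payload); not real product output.
SAMPLES = [
    r"<130>1 2026-06-12T10:00:00Z asm01 asm - - - CEF:0|ExampleVendor|ASM|1.0|100|Exposed admin panel|10|cs1Label=asmSeverity cs1=Critical dhost=app.example.com",
    r"<134>1 2026-06-12T10:00:05Z asm01 asm - - - CEF:0|ExampleVendor|ASM|1.0|101|Open redirect \| login|10|cs1Label=asmSeverity cs1=Critical msg=seen on two hosts",
    r"<132>1 2026-06-12T10:00:09Z asm01 asm - - - CEF:0|ExampleVendor|ASM|1.0|102|Weak TLS cipher|5|cs1Label=asmSeverity cs1=Medium msg=cipher offered on port 8443",
]


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>; PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    return divmod(int(m.group(1)), 8)


def cef_extension(line):
    """Parse the key=value extension of the CEF payload embedded in a syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    # Seven pipe-delimited header fields precede the extension; \| is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    ext = parts[7]
    keys = list(EXT_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        # A value runs until the whitespace that precedes the next key.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def audit(line, severity_key="cs1"):
    """Compare the severity encoded in PRI with the one the ASM severity maps to."""
    facility, got = decode_pri(line)
    asm = cef_extension(line).get(severity_key)
    if asm not in ASM_TO_SYSLOG:
        return {"status": "unknown-asm-severity", "asm": asm}
    want = ASM_TO_SYSLOG[asm]
    return {
        "status": "ok" if got == want else "mismatch",
        "asm": asm,
        "facility": facility,
        "pri_severity": SYSLOG_NAMES[got],
        "expected": SYSLOG_NAMES[want],
    }


def mismatches(lines):
    """Return the indexes of lines whose PRI disagrees with their ASM severity."""
    return [i for i, line in enumerate(lines) if audit(line)["status"] == "mismatch"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```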
Stability Update: PDF Downloads, Workflow Dispatch, Tool Arsenal & Form Submission Fix
A post-release patch wave resolves five user-facing bugs surfaced by automated testing after the June 5 release. All fixes ship in marketplace images published from June 9 onward; no configuration change is required.
- PDF report download. Reports now trigger a browser download (`Content-Disposition: attachment`) instead of rendering inline. The `?format=html` preview path is unchanged.
- Superuser control visibility. Django superuser accounts now see all permission-gated UI controls (delete buttons, admin menus) without requiring an explicit SysAdmin role assignment. Non-superuser role boundaries are unaffected.
- Background workflow dispatch. Scans, drift checks, cloud-discovery jobs, exploitDB refreshes, and snapshot workflows now run asynchronously via Hatchet as intended. Following the hatchet-sdk v1 upgrade, all seven dispatch call sites were silently falling back to in-process execution; the v0 `hatchet.admin.run_workflow()` API they used was removed in v1. Migrated to `runs.create()`.
- Tool Arsenal seeded on fresh installs. A data migration (`scanEngine.0031`) loads the 16-tool catalog (nuclei, subfinder, httpx, ffuf, and others) when the table is empty, so new deployments no longer show a blank Tool Arsenal.
- Add Target form submission. The double-click guard disabled submit buttons synchronously, stripping the submitter’s `name=value` from the POST before the browser serialized the form. The bulk-add, CSV-import, and IP-target paths all branch on that field; without it they silently added zero targets. Fixed by deferring the disable one event-loop tick.
The `scanEngine.0031` migration runs automatically on startup and is safe on existing deployments (no-op if tools are already loaded). Full release notes →
MSSP Portfolio Metrics, SCIM IdP Compatibility Fix & Security Supply-Chain Hardening
A June 5 update delivers a long-requested MSSP portfolio dashboard, a critical SCIM 2.0 fix for enterprise IdP provisioning, and a round of CVE-resolved dependency floors.
- Per-client security metrics in the Portfolio view. The All Projects table now shows, for every client workspace: last scan date and status badge (Success / Running / Failed / Aborted / Queued), open critical and high finding counts (rows with unacknowledged criticals flagged red), subdomain asset count, and budget utilisation against each project’s configured quota (amber at the alert threshold, red over budget). Operators no longer need to open each project to see which clients need attention — the full portfolio state is visible at a glance. Computed with bounded grouped aggregates, so the table stays N+1-free regardless of portfolio size. HailBytes ASM →
- SCIM 2.0 IdP provisioning fix (Okta, Azure AD). A duplicate `userName` on user create or rename now returns HTTP 409 with `scimType: "uniqueness"`, as required by RFC 7644 §3.3. Okta and Azure AD key on exactly this response to recognise an already-provisioned user and fall back from create to update; previously a conflicting username returned a raw 400 that aborted the entire provisioning run. The fix is server-side; no configuration change required. SSO & SCIM integrations →
- Security & supply-chain hardening. The archived `bleach` HTML sanitiser (Mozilla end-of-lifed it January 2024) was replaced with `nh3`, which strips disallowed tags by default and ships stricter XSS defaults under active maintenance. Dependency floors were tightened to close latent exposure to CVE-2026-39892 (`cryptography` buffer overflow), CVE-2026-44431/44432 (`urllib3` resource exhaustion and header leak), and CVE-2026-4539 (`pygments` ReDoS). Security →
- Reproducible hatchet image builds. The DNS resolver wordlist used by the subdomain-discovery worker (16,808 entries) is now vendored in the repository instead of fetched from a force-pushed upstream at build time, eliminating a mutable reference that caused intermittent image-build failures.
The SCIM fix and dependency floor bumps are included in all marketplace images published after June 5, 2026; no configuration change is required.
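The exchange described in the SCIM entry above, modelled as an added example (not HailBytes code): a service provider that answers a duplicate `userName` with the RFC 7644 error body, and a simplified IdP-side routine that falls back from create to update on that response. `UserStore`, `provision` and the in-memory storage are hypothetical; the real Okta and Azure AD logic is more involved.

```python
import uuid

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_error(status, detail, scim_type=None):
    """Build an RFC 7644 error body; 'status' is a string inside the JSON."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class UserStore:
    """Hypothetical in-memory stand-in for the service provider's /Users endpoint."""

    def __init__(self):
        self._users = {}

    def _owner_of(self, user_name):
        # userName is compared case-insensitively (caseExact is false in RFC 7643).
        wanted = user_name.casefold()
        for uid, user in self._users.items():
            if user["userName"].casefold() == wanted:
                return uid
        return None

    def _check(self, payload, own_id=None):
        name = payload.get("userName")
        if not isinstance(name, str) or not name.strip():
            return scim_error(400, "userName is required", "invalidValue")
        owner = self._owner_of(name)
        if owner is not None and owner != own_id:
            # Duplicate on create or rename: 409 + uniqueness, never a bare 400.
            return scim_error(409, "userName already in use", "uniqueness")
        return None

    def create(self, payload):  # POST /Users
        err = self._check(payload)
        if err:
            return err
        uid = uuid.uuid4().hex
        self._users[uid] = {"schemas": [USER_SCHEMA], "id": uid,
                            "userName": payload["userName"],
                            "active": payload.get("active", True)}
        return 201, dict(self._users[uid])

    def replace(self, uid, payload):  # PUT /Users/{id}, which covers a rename
        if uid not in self._users:
            return scim_error(404, "user not found")
        err = self._check(payload, own_id=uid)
        if err:
            return err
        self._users[uid].update(userName=payload["userName"],
                                active=payload.get("active", True))
        return 200, dict(self._users[uid])

    def find(self, user_name):  # GET /Users?filter=userName eq "..."
        uid = self._owner_of(user_name)
        return dict(self._users[uid]) if uid else None


def provision(store, payload):
    """Simplified IdP-side logic: create, and on 409/uniqueness fall back to update."""
    status, body = store.create(payload)
    if status == 201:
        return "created", body
    if status == 409 and body.get("scimType") == "uniqueness":
        existing = store.find(payload["userName"])
        status, body = store.replace(existing["id"], payload)
        if status == 200:
            return "updated", body
    # Any other error ends the run, which is what a raw 400 on a duplicate caused.
    raise RuntimeError(f"provisioning aborted: HTTP {status} {body.get('detail')}")
```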
Complete Portuguese (pt-BR) UI Localization & Table Pagination Fix
Brazilian Portuguese is now fully localized across the entire interface, and a table pagination display bug in the vulnerability and subdomain drill-down views is resolved.
- Complete Portuguese (pt-BR) UI localization. 97 previously untranslated strings in the TypeScript UI layer (toast notifications, empty-state messages, form-validation errors, delete confirmations, tooltip titles) are now translated for Brazilian Portuguese users. The translation catalog grew from 459 to 556 entries across 11 source files. HailBytes ASM is now 100% localized for pt-BR in both the Django template layer and the TypeScript frontend bundle. HailBytes ASM →
- Vulnerability and subdomain table pagination display fix. The DataTables Scroller extension was rendering `_PAGE_/_PAGES_` as literal text rather than computed page numbers in the vulnerability and subdomain drill-down tables. Page numbers now display correctly; no data was affected.
Go 1.25 Security Update & Build Pipeline Hardening
A security-focused maintenance release resolving eleven-plus Go standard-library CVEs including a HIGH-severity finding, fixing a race condition in concurrent database-migration tests, and hardening the CI/CD build pipeline.
- Go 1.25 toolchain security update. The Go toolchain was upgraded from 1.24 to 1.25.10, resolving eleven-plus stdlib CVEs, including at least one HIGH-severity finding, present in the prior runtime. The `go.mod` and Docker build image were updated in tandem so all release artifacts (the admin server binary, phish server, and background worker) are compiled with the patched runtime. No functional or behavioral changes for end users. SCA tooling (AWS Inspector, Azure Defender for Cloud) will see these findings clear after the update. Security posture →
- Concurrent migration test isolation fix. A race condition that caused intermittent failures when database migration tests ran in parallel is resolved, restoring deterministic CI results. No runtime schema is affected.
- CI build caching. Compiled Go tool binaries and stylelint dependencies are now cached across CI runs, reducing build times and improving the reliability of marketplace image publishes.
This security update is included in all HailBytes SAT marketplace images published after June 2, 2026. No configuration change or administrator action is required; the updated runtime is applied on next image pull.
Deployment Reliability Hardening & Localized Demos
A maintenance cluster focused on marketplace bring-up reliability, plus localized product demos and a credential-handling hardening fix. No configuration change is required; the fixes ship in marketplace images published from May 28 onward.
- More reliable stack bring-up. Resolved nginx TLS certificate permission errors under `cap_drop: ALL`, replaced the Hatchet engine healthcheck with an external TCP probe, and corrected the Hatchet engine startup configuration, eliminating intermittent first-boot failures on fresh marketplace deployments.
- Credential-handling hardening. Removed a default empty-password fallback on the credential model so blank passwords can no longer be silently accepted.
- Localized product demos. Demo recording and narration now support seven locales, matching the multi-language UI already shipped on the platform.
Six New Scan Phases: CI/CD, Second-Order Takeover, Parameter Discovery, Shodan CVE Correlation, Cloudflare Origin Bypass & AI Scan Summary
A May 25–26 feature wave expanded the scan pipeline across CI/CD, web, network, and code-leak attack surface, and added an AI-written executive summary to every scan.
- CI/CD attack-surface scanning (Gato + zizmor). A new `cicd_scan` phase enumerates GitHub Actions workflows for exposed secrets, OIDC misconfigurations, and poisoned-workflow patterns (Gato) and statically analyses workflow YAML for injection and privilege escalation (zizmor). Per-Organization opt-in with a customer-provided GitHub PAT; findings surface as Critical/High Vulnerabilities. Discovery coverage →
- Second-order subdomain takeover detection. Crawls alive endpoints for external host references (scripts, iframes, objects) and flags any resolving to NXDOMAIN as High-severity, catching dangling CDN, SaaS, and API references that CNAME-only checks miss.
- HTTP parameter discovery (arjun). A new `parameter_discovery` phase surfaces hidden parameters on alive endpoints and feeds them into the nuclei, dalfox, and crlfuzz fuzz passes. Off by default.
- Shodan CVE-correlated scanning. A pre-vulnerability-scan step runs a registry of Shodan version-exclusion queries (HP iLO 4, Intel AMT, Cisco Smart Install, exposed ADB) against target IPs, persisting matches as Vulnerabilities before nuclei runs. Requires a Shodan API key; off by default.
- Cloudflare origin IP bypass (CloudFlair + hakoriginfinder). A new `origin_bypass` phase classifies A records against Cloudflare CIDRs, queries Censys for TLS-certificate matches, and confirms candidates by response-body hashing, surfacing the real origin as `exposed-origin-ip` findings. Requires Censys credentials; off by default.
- CORS misconfiguration scanning (corsy). 14 CORS probes (origin reflection, prefix/suffix bypass, null-origin trust, wildcard-with-credentials, and more) added as an opt-in sub-task within `vulnerability_scan`.
- AI-powered scan summary. Each completed scan now generates an LLM executive narrative (OpenAI / Anthropic / Gemini / Ollama) covering severity distribution, top findings, and surface drift vs. the prior scan, cached per scan and rendered both as a collapsible card in the scan detail view and as a dedicated section in the PDF report. Skips silently when no provider is configured.
- Real-time public commit monitoring. A 5-minute cron polls the GitHub public events API for commits matching per-Organization keyword filters (apex domain, brand name, service IDs) and pipes matches through trufflehog. Confirmed secrets surface as Critical Vulnerabilities; the raw secret value is never stored. Per-Organization opt-in.
- puredns DNS brute-force. puredns v2.1.1 added as an opt-in step in `subdomain_discovery` using the SHA-pinned SecLists top-1M wordlist, flowing into the same dedup pipeline as passive sources.
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement. New scan phases are off by default and opt-in per scan engine.
Cortex XSIAM Dispatcher, ICS/OT Coverage & Multi-Year Pricing
New SIEM dispatcher, industrial protocol scanning, a dashboard rendering fix, and multi-year reservation tiers.
- Palo Alto Cortex XSIAM dispatcher. Route ASM findings directly into Cortex XSIAM via the HTTP Log Collector. Structured JSON maps to XSIAM’s dataset schema for immediate correlation with endpoint, network, and identity telemetry — no custom parsing required. Bring your own XSIAM tenant. SIEM integrations →
- ICS/OT coverage via scada-scanner. Passive protocol fingerprinting for Modbus, DNP3, EtherNet/IP, BACnet, and S7. Discovered OT assets promote to `Asset` rows with `asset_type=ot` and enter the existing findings pipeline (exposure graph, ticketing dispatchers, compliance reports) alongside IT findings. ICS/OT integrations →
- Attack-path chart rendering fix. Resolved a JavaScript rendering regression that prevented attack-path and directed-attack-path visualizations from loading in the dashboard. No data was affected; the fix is display-layer only.
- Multi-year reservation pricing. Year 2 reservations carry a 10% discount; Year 3 carries 15%. Requires a signed order form. Pricing →
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement.
Cortex XSIAM Dispatcher & Exemption Management
SAT gains the same Cortex XSIAM SIEM path that shipped for ASM, plus an audit-grade exemption workflow for regulated and MSSP deployments.
- Palo Alto Cortex XSIAM dispatcher. SAT campaign events (phishing clicks, credential submissions, training completions, reported phish) now POST as JSON batches to Palo Alto’s HTTP Log Collector, mirroring the existing Splunk and Sentinel dispatchers, with a SIEM entry in the Integrations settings tab. Bring your own XSIAM tenant. SIEM integrations →
- Exemption management. Admins can record excusals for individual users from a campaign, training module, or quiet-period window through a requester → approver workflow with enforced separation of duty (requester ≠ approver). Every state transition (request, approve, reject, revoke, expire) is logged for SOC 2, HIPAA, and ISO 27001 evidence, and overdue exemptions expire automatically. HailBytes SAT →
Both features are included in all HailBytes SAT marketplace images published after May 22, 2026. The Cortex XSIAM dispatcher requires your XSIAM tenant credentials configured in Settings → Integrations; exemption management is available immediately with no configuration required.
Customer-Facing Release Highlights for Security Teams and MSSPs
This combined release note rolls up the April 2026-to-mid-May 2026 SAT improvements into a customer-facing summary for product buyers, managed security teams, and MSP operators.
- More visibility into risk, reporting, and campaign performance. Historical risk snapshots, trend reporting, billing and alerting controls, and better insight into template-library activity and phishing risk trends help teams understand what changed and why.
- Stronger support for multi-tenant operations. Cloned templates, system-level library flags, forwarded-report handling, follow-up review persistence, and AutoPhish template/page/group pools make managed content easier to govern across tenants.
- More integrations and workflow handoff options. Expanded forwarding and export support now aligns with common security-tool and cloud destinations, including Microsoft Sentinel, S3, Azure Blob, SFTP, ServiceNow, Jira, PagerDuty, Proofpoint TAP, Mimecast, Slack, Teams, and Twilio channels.
- Broader simulation and training coverage. QR code lure coverage, Twilio SMS and voice channels, and expanded training content make simulation programs more realistic and more complete.
- Cleaner enterprise and MSSP administration. Improved multi-tenant rollups, demo/showcase workflows, integrations discovery, SCIM / SAML / OIDC / MFA support, and better onboarding and empty-state handling simplify day-to-day administration.
- Better release quality and deployment confidence. Strengthened test coverage, streamlined release workflows, improved migration support, and schema/CI hardening reduce production risk for marketplace deployments.
This release is the customer-facing consolidation of the April 1 onward commit stream. See the product page for the updated positioning and feature summary.
Enterprise Capabilities & Long-Tail Standards
The biggest HailBytes ASM release since launch. Enterprise identity, cloud-native asset discovery, threat intelligence, an exposure graph, CI/CD integrations, alerting and ticketing dispatchers, secrets backends, standards-body export formats, and seven additional compliance framework reports.
- SCIM 2.0 provisioning. Auto-create and deactivate users from Okta, Microsoft Entra ID, Google Workspace, and OneLogin. Identity providers →
- LDAP / Active Directory direct-bind. For organizations not yet on SAML or OIDC; first successful auth assigns the configured role, with attributes refreshed on each login.
- Cloud asset discovery. First-party connectors for AWS (Route 53, EC2, ELBv2, CloudFront, S3, RDS, API Gateway, Lambda), Azure (DNS Zones, App Service, Public IP, Storage, Front Door, including Azure Government), GCP (Cloud DNS, Compute, Cloud Run, Cloud Storage), and Cloudflare (DNS, Workers routes, R2). Inbound asset webhook for everything else. Cloud Security integrations →
- Threat-intelligence enrichment. Bring-your-own credentials for nine providers: Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, Have I Been Pwned, MISP, OpenCTI, and AlienVault OTX. Threat-intel providers →
- Exposure graph. Force-directed visualization that clusters related domains, subdomains, IPs, and findings into named exposures, so an analyst can see what else lives on the same surface without joining tables manually.
- Ticketing & alerting dispatchers. Jira (Cloud + Data Center), ServiceNow (SIR + ITSM), PagerDuty Events v2, Opsgenie Events v2 (EU/US regions), GitHub Issues, and GitLab Issues, all with severity-floor filtering and deterministic dedup keys so a finding lands in exactly one alert per upstream tool. Ticketing setup →
- CI/CD integrations. GitHub Action published to the GitHub Marketplace, plus templates for GitLab CI, Jenkins, CircleCI, and Azure Pipelines. Public scan-initiation API and a Zapier app for everything else. CI/CD integrations →
- Bug-bounty ingestion. Pull HackerOne and Bugcrowd reports into the same triage, ticketing, exposure-graph, and compliance-reporting flow as scan findings. Bug-bounty →
- Standards-body export formats. SARIF 2.1.0 for GitHub Code Scanning and any SARIF-aware tool, STIX 2.1 / TAXII 2.1 server for OpenCTI / MISP / Anomali clients, and OpenVEX 0.2.0 for Sigstore / Cosign attestation chains.
- Enterprise secrets backends. Reference credentials stored in HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager rather than holding them in HailBytes. Secrets & PAM →
- Scheduled PDF reports. Recurring per-Project report delivery on a daily, weekly, or monthly cadence, with the existing report template (asset change summary, screenshots, compliance evidence). Reporting details →
- Additional compliance framework reports. Added (North American): HIPAA Security Rule, CIS Controls v8 IG1 + IG2, FedRAMP Moderate, and NYDFS 23 NYCRR Part 500. Added (global): ISO/IEC 27001:2022 and GDPR Article 32. HailBytes ASM ships eleven compliance framework reports total, ordered North American → Latin American → global for US Enterprise procurement. Compliance coverage →
All third-party integrations use bring-your-own credentials; usage is billed by the upstream vendor per your existing engagement.
Programmatic Deployment & MCP Reference
Operator-facing documentation expanded for teams deploying via infrastructure-as-code or driving HailBytes from AI agents.
- One-shot AWS and Azure CLI deployment guides. Step-by-step AWS CLI and Azure CLI walkthroughs, with CloudFormation and ARM/Bicep alternatives and AWS GovCloud / Azure Government variants.
- MCP server reference. Documentation for the 16 MCP tools, with ready-to-paste configs for Claude Desktop, Claude Code, Cursor, Windsurf, and the Anthropic Python SDK.
- API reference rewritten. Accurate endpoint paths, authentication, rate limits, and the full audit-log taxonomy for both products.
Enterprise & Agent Release
The biggest HailBytes SAT release since launch. New enterprise identity surface, an MCP server for AI agents, deeper training and risk features, and a hardened image pipeline across AWS Marketplace and Azure Marketplace.
- MCP server with 14 tools. Drive HailBytes SAT from Claude Desktop, Claude Code, Cursor, Windsurf, or any Anthropic SDK with MCP support. Reference →
- SAML 2.0 SSO from the dashboard. Configurable in the UI alongside OIDC; supports Microsoft Entra ID, Okta, OneLogin, and PingIdentity. Tutorial →
- SCIM 2.0 provisioning. Auto-create and deactivate users from any compliant identity provider. Tutorial →
- MSSP white-label & seat caps. Per-tenant branding flows through UI, reports, certificates, and outbound emails; configurable seat caps per organization. Tutorial →
- Phish triage queue with reporter accuracy. User-reported emails feed into a triage queue with reporter scoring and SOAR forwarding. Tutorial →
- Risk-based auto-enroll & just-in-time training. Click an event, get a coaching moment; repeat clickers auto-enrolled into remediation tracks. Tutorial →
- Training tracks & dashboard redesign. Multi-module curricula, branded certificates, KPI sparklines, repeat-clicker watchlist, and threat-trend toggle. Tutorial →
- Executive reports. Branded board-ready PDF or JSON, with optional AI-generated narrative summary. Tutorial →
- AES-256-GCM encryption at rest. All PII (names, emails, captured credentials) encrypted in the database.
- Comprehensive audit logging. Admin actions captured with IP, user agent, and affected resource; CSV / JSON export and configurable retention.
- AI-generated phishing templates. OpenAI or self-hosted Ollama produce campaign templates from a brief.
- Send-rate limiting per campaign. Stagger delivery to avoid spam-filter rate triggers and overwhelmed mail relays.
- Microsoft Entra ID group import. Pull a target list straight from your directory.
- Hardened image pipeline. Ubuntu 24.04 base; AWS AMI and Azure Compute Gallery image published per build; air-gap-friendly self-hosted fonts.
Enterprise Hardening & Performance
The marketplace baseline image picked up a stack of hardening and performance changes that ship continuously to deployed instances.
- Pooled database connections. Eliminates connection-storm failures on busy multi-tenant deployments.
- Faster first-scan readiness. Pre-built tooling cuts time-to-first-scan from over 20 minutes to under 5.
- Strict Content Security Policy. Defense-in-depth XSS mitigation in the web UI, on top of existing input sanitization.
- Hardened Ubuntu 24.04 baseline. Trimmed kernel parameters, package set, and SSH daemon configuration; ciphers restricted to current best-practice values.
- Expanded audit taxonomy. Twenty-one categories of state change now recorded with actor, IP, user agent, and resource.
- Application-layer rate limits. Anonymous 20/min, authenticated 200/min, scan initiations 10/min.
- Native ARM64 + AMD64 container images. Graviton and Ampere instances run without emulation.
HailBytes Attack Surface Management Platform Launch
Continuous external reconnaissance and vulnerability-assessment platform, deployable in five minutes through AWS Marketplace and Azure Marketplace.
- Modernized container infrastructure. Updated base images, improved health checks, and faster scan engine initialization.
- AI-powered finding analysis. OpenAI and self-hosted Ollama (NVIDIA / AMD GPU) for triage and contextual summarization.
- Coordinated scan pipeline. Subdomain enumeration, port and service scanning, vulnerability detection, and change tracking on a single pipeline.
- Structured reporting. Deep-link routing into Jira, Slack, and any SIEM that accepts webhook or syslog input.
- MCP server with 16 tools. Native Model Context Protocol support for AI-agent orchestration via Claude, Cursor, and Windsurf.
- Government cloud support. AWS GovCloud and Azure Government deployments at launch.
HailBytes Security Awareness Training Platform Launch
Self-hosted phishing-simulation and security-awareness training platform built from the ground up for enterprise deployments. Deployable through AWS Marketplace and Azure Marketplace at $0.24/vCPU/hour, with no per-seat pricing.
- Recurring training campaigns. Schedule sends across segments with frequency, difficulty, and audience controls.
- Interactive post-click quizzes. Built-in training modules shown to employees the moment they click a simulated phishing link.
- Branded certificates of completion. PDF certificates produced per-employee for compliance evidence.
- Per-tenant branding and OIDC SSO. Logo, favicon, colors, support URL, email-from name, and identity-provider configuration all per-tenant for MSSP multi-client deployments.
- AI-generated phishing templates. OpenAI and Ollama options for generating campaign templates without vendor template lock-in.
- Audit-log surface. JSON and CSV export plus REST API and webhooks for direct SIEM ingestion.
How Updates Reach Your Instance
HailBytes is a marketplace-managed deployment. Minor updates (security patches, dependency upgrades, scan-rule refreshes, template-library additions) ship continuously to running instances without administrator action.
Versions follow v1.<build-number>, where the build number increments with each release pushed to the AWS Marketplace and Azure Marketplace galleries. HailBytes SAT and HailBytes ASM track their own build counters independently. Material updates that change behavior, add a top-level capability, or affect compliance evidence are announced here, in the blog, and via the monthly newsletter.