Integrations

HailBytes SAT and HailBytes ASM plug into the SIEM, ticketing, identity, and chat tools your team already runs. Findings, alerts, and audit logs route to the systems where the rest of security work happens.

SAT: Security Awareness Training / ASM: Attack Surface Management

SIEM & Logging

Stream ASM findings and SAT campaign events into your detection pipeline. Webhook and syslog adapters work with any SIEM that accepts structured input.

SAT / ASM

Splunk

Send ASM findings (subdomain discoveries, port openings, CVE matches, certificate changes) and SAT campaign events into Splunk via HEC or syslog. Pre-built field mappings keep correlation rules clean.

Setup Guide
SAT / ASM

Microsoft Sentinel

Native log ingestion via Azure Log Analytics workspace. Ship findings with their full context for KQL queries and Sentinel detection rules.

Setup Guide
SAT / ASM

Elastic / ELK

Direct webhook delivery to Logstash or Elastic Cloud, with structured JSON that maps cleanly to ECS fields for cross-source correlation.

Setup Guide
SAT / ASM

Google Chronicle

Webhook ingestion into Chronicle’s ingestion API with the standard ASM finding schema. Compatible with YARA-L detection authoring.

Setup Guide
SAT / ASM

Sumo Logic

HTTP source endpoint configuration for both ASM scan output and SAT campaign telemetry. Keep all security event data in one analytics platform.

Setup Guide
SAT / ASM

IBM QRadar

Send ASM findings and SAT campaign events to QRadar via syslog (RFC 5424) or the QRadar Log Source Extension API. Pre-formatted CEF and LEEF field mappings keep correlation rules and DSM parsing clean out of the box.

Setup Guide
SAT / ASM

Palo Alto Cortex XSIAM

Route ASM findings and SAT campaign events (phish clicks, credential captures, training completions) into Cortex XSIAM via the Cortex XSIAM HTTP Log Collector. Structured JSON payloads map directly to XSIAM’s dataset schema for instant correlation with endpoint, network, and identity telemetry — no custom parsing required.

Bring your own Cortex XSIAM tenant. Usage stays on your existing Palo Alto Networks subscription.

Talk to Sales
SAT / ASM

Generic Syslog / Webhooks

Any SIEM, log aggregator, or SOAR that accepts syslog (RFC 5424) or HTTPS webhooks works out of the box. Schema is documented in the API reference.

API Reference

Ticketing & Incident Response

Route triaged ASM findings and high-risk SAT events into the ticketing systems your security and ops teams work in daily. Severity-floor + dedup behaviour is shared across every dispatcher, so the same finding doesn’t land twice.

ASM

Jira

Auto-create issues in Jira Cloud or Data Center for new ASM findings above a severity threshold. Project routing, custom field mapping, and idempotent updates so re-discoveries append to the existing issue.

Bring your own Jira API token; usage billed by Atlassian under your existing subscription.

Routing Deep Dive
ASM

ServiceNow

Incident creation against ServiceNow Security Incident Response (SIR) and ITSM. Severity threshold + dedup keyed on finding fingerprint; status changes pulled back into HailBytes on the next scan cycle.

Bring your own ServiceNow instance. Usage stays on your existing ServiceNow subscription.

Talk to Sales
ASM

PagerDuty

PagerDuty Events v2 channel for critical ASM findings (newly exposed admin panels, high-CVSS CVE matches, expired certs on production hosts). Deterministic dedup_key so flapping findings don’t wake the same engineer twice; severity threshold configurable per service.

Bring your own PagerDuty integration key (usage stays on your existing PagerDuty subscription).

Talk to Sales
ASM

GitHub Issues

Triaged ASM findings open issues against any GitHub repository, including private and Enterprise Server. severity:critical through severity:info labels are appended automatically so existing repo automations sort findings without extra config.

Bring your own GitHub PAT or App credentials. Usage runs through your existing GitHub plan.

API Reference
ASM

GitLab Issues

Same dispatcher pattern against GitLab.com or self-hosted GitLab. Project-level routing, severity labels, and idempotent updates so re-discoveries land on the existing issue.

Bring your own GitLab token; usage stays on your existing GitLab plan or self-hosted instance.

API Reference

Cloud Security

Discover assets directly from your cloud accounts and let HailBytes ASM’s scan pipeline pick them up. One CloudCredential per account, encrypted at rest. Discovered assets back-link to the existing scan-target model so the rest of the pipeline runs unchanged.

ASM

AWS

Route 53, EC2 + security-group ingress, ELBv2, CloudFront, S3, RDS public endpoints, API Gateway custom domains, and Lambda function URLs. Read-only IAM policy supplied; optional STS role assumption for cross-account discovery.

Bring your own AWS account. AWS API usage is billed against that account.

API Reference
ASM

Azure

DNS Zones, App Service, Public IP, Storage, and Front Door via the official azure-mgmt-* SDKs. Service principal auth; Azure Government tenants supported on the same connector.

Bring your own Azure subscription; API usage stays on that subscription.

API Reference
ASM

Google Cloud

Cloud DNS, Compute (NAT IPs), Cloud Run, Google Cloud Storage, and global forwarding rules. Service-account JSON or workload-identity federation for keyless auth from supported environments.

Bring your own GCP project (Google Cloud API usage stays on that project).

API Reference
ASM

Cloudflare

DNS records, Workers routes, and R2 buckets via the Cloudflare REST API v4. Useful for shops with edge-resident apps that don’t resolve on the public internet without a Cloudflare hostname. HailBytes ASM also includes an origin-bypass phase: CloudFlair (Censys certificate search) combined with hakoriginfinder to confirm non-Cloudflare IPs serving the same content, surfaced as exposed-origin-ip vulnerabilities.

Bring your own Cloudflare API token. Usage stays on your existing Cloudflare plan.

API Reference
ASM

Inbound asset webhook

For everything else: POST /api/v1/webhooks/assets/ accepts the same shape the cloud connectors emit. HMAC-SHA256 signing, 24-hour replay-dedup keyed on event id. Useful for Terraform pipelines, internal CMDBs, or any provider HailBytes doesn’t ship a connector for yet.

Webhook Reference
ASM

New connector? One file.

Adding a tenth provider is one file under cloudConnectors/connectors/ plus one tuple entry in CloudCredential.PROVIDER_CHOICES. Open an issue or a PR, or use the inbound webhook in the meantime.

Open on GitHub

Threat Intelligence

HailBytes ASM enriches discovered assets, IPs, domains, and hashes against any threat-intel provider you have an account with. One ThreatIntelProvider row per upstream credential; per-provider TTL + daily quota + stale-fallback semantics in the orchestrator so a flaky upstream doesn’t stall the scan pipeline.

ASM

Shodan

Internet-scan enrichment for IPs and hosts. Annotate ASM findings with banner data, port history, and Shodan tags — plus pre-scan CVE correlation: a registry of Shodan version-exclusion queries (HP iLO 4, Intel AMT, Cisco Smart Install, exposed ADB) flags known-vulnerable products on scan target IPs before nuclei runs. Opt in via run_shodan_cve_correlation in the engine YAML.

Bring your own Shodan API key (usage stays on your existing Shodan plan).

ASM

Censys

Host + certificate enrichment from the Censys universal search index. Useful when Shodan’s coverage misses a particular ASN.

Bring your own Censys API ID + secret. Usage runs through your existing Censys plan.

ASM

GreyNoise

Background-noise classification for IPs that helps suppress findings tied to internet-wide scanners and known benign infrastructure.

Bring your own GreyNoise API key; usage stays on your existing GreyNoise plan.

ASM

VirusTotal

File hash + URL + domain reputation. Annotate findings with VT detections, related campaigns, and submission history.

Bring your own VirusTotal API key. Usage runs through your existing Google / VirusTotal plan.

ASM

AbuseIPDB

IP reputation scoring sourced from AbuseIPDB’s community-reported abuse confidence index.

Bring your own AbuseIPDB API key (usage stays on your existing AbuseIPDB plan).

ASM

Have I Been Pwned

Breach-history checks for emails surfaced during recon (OSINT findings, exposed contact addresses).

Bring your own HIBP API key. Usage runs through your existing Have I Been Pwned plan.

ASM

MISP

Self-hosted MISP instances. Pull IoCs from your private feeds; works alongside the SaaS providers without preference.

Bring your own MISP instance. No upstream billing; you operate the server.

ASM

OpenCTI

STIX-native threat-intel platform integration. Match ASM findings against your OpenCTI graph of campaigns, intrusion sets, and indicators.

Bring your own OpenCTI instance (no upstream billing; you operate the server).

ASM

AlienVault OTX

Open Threat Exchange pulses for IoC enrichment. Free tier covers most enrichment volumes; subscriptions available for higher quotas.

Bring your own OTX API key (free tier or AT&T subscription as applicable).

ASM

SecurityTrails

Passive DNS history and subdomain enumeration. Enriches discovered assets with historical DNS records, infrastructure pivots, and WHOIS chain data to surface shadow IT and forgotten subdomains.

Bring your own SecurityTrails API key (usage stays on your existing SecurityTrails plan).

ASM

STIX 2.1 / TAXII 2.1 server

Each Project becomes one TAXII collection on /api/v1/taxii/2.1/. Object ids are deterministic UUIDv5 so re-published bundles update objects in place. Useful when downstream platforms (OpenCTI, MISP, Anomali) expect to pull rather than be pushed.

API Reference
ASM

OpenVEX 0.2.0 export

Vulnerability export endpoint accepts ?format=openvex per the OpenVEX 0.2.0 spec. Drop-in for Sigstore / Cosign attestation chains and any toolchain that consumes VEX statements alongside SBOMs.

API Reference

CI/CD & DevSecOps

Wire ASM findings into your existing build pipeline. SARIF export drops findings into GitHub Code Scanning; any SARIF-aware tool consumes the same file. Five turn-key CI integrations share a single hailbytes-scan.sh so a future API change is one search-and-replace, not five divergent updates.

ASM

GitHub Action

Two-mode action published to the GitHub Marketplace: trigger a scan and fetch SARIF, or POST an asset list to the inbound webhook. Dockerised on a ~50 MB Alpine image so cold starts stay fast on hosted runners.

Bring your own GitHub repository; Action minutes stay on your existing GitHub plan.

View on Marketplace
ASM

GitLab CI

Drop-in GitLab CI template that calls the shared hailbytes-scan.sh. Self-hosted or GitLab.com runners; SAST-style report import in MR widgets via the SARIF artifact.

Bring your own GitLab project. Runner minutes stay on your existing GitLab plan.

API Reference
ASM

Jenkinsfile

Declarative-pipeline snippet with credentials binding and SARIF archival. Works on Jenkins LTS 2.426+ on Linux and Windows agents.

Bring your own Jenkins controller (you operate the server).

API Reference
ASM

CircleCI

Reusable orb-style job template that wraps hailbytes-scan.sh and uploads SARIF as a build artifact for downstream gating.

Bring your own CircleCI org; credit usage stays on your existing CircleCI plan.

API Reference
ASM

Azure Pipelines

YAML template for Azure DevOps pipelines, including service-connection setup for the API key and a step that fails the build on critical findings via the SARIF result count.

Bring your own Azure DevOps org. Pipeline minutes run through your existing Microsoft plan.

API Reference
ASM

Generic SARIF 2.1.0

The same SARIF file works in any SARIF-aware tool: Sonatype, Snyk dashboards, VS Code extensions, custom build agents. Schema is the standard upstream SARIF spec, with no HailBytes-specific extensions and no vendor lock.

API Reference

Chat & Notifications

SAT / ASM

Slack

Native Block Kit notifier with per-channel routing for SAT campaign events (launched, completed, reported, training failed) and ASM findings. Signed retries, exponential back-off, audit-logged.

Routing Deep Dive
SAT / ASM

Microsoft Teams

Native Adaptive Card notifier riding the same event bus as Slack. Per-channel routing, per-event toggles, signed delivery, with deep-links back into the SAT or ASM UI.

Routing Deep Dive
SAT / ASM

PagerDuty

Page on-call for high-severity ASM findings or critical SAT events (e.g. compromised admin credential simulation). Standard Events API v2 webhook.

API Reference
SAT / ASM

Opsgenie

Opsgenie Events v2 alert channel with EU/US region selection and severity-floor filtering. Same dedup-key contract as PagerDuty so a HailBytes finding lands in exactly one alert per upstream tool, regardless of which paging vendor your team uses.

Bring your own Opsgenie API key (usage stays on your existing Atlassian subscription).

API Reference
SAT / ASM

Discord

Webhook alerts for ASM new findings and SAT campaign events. Per-channel routing lets you separate critical-severity ASM alerts from informational scan-complete notifications in dedicated channels.

API Reference
SAT / ASM

Lark (Feishu)

Webhook-based alert delivery for ASM findings and SAT events via the Lark Incoming Webhook API. Supports both Lark International and Feishu, making it the right choice for teams with APAC operations.

API Reference
SAT / ASM

Email Digest

Daily or weekly digest emails summarizing SAT campaign progress and ASM surface drift, sized for executive stakeholders who don’t live in the security tools.

SAT Details

Identity, SSO & Provisioning

SCIM 2.0 auto-provisioning, OIDC and SAML 2.0 SSO, on both HailBytes SAT and HailBytes ASM. ASM’s SCIM endpoint lives at /api/v1/scim/v2/ and reuses the API-key auth layer; group push maps onto the existing rolepermissions roles. Per-tenant identity boundary on multi-client MSP deployments.

SAT / ASM

Okta

SCIM 2.0 provisioning + SAML 2.0 / OIDC SSO. Auto-create, update, and deactivate users from the Okta directory; group provisioning via the REST API today.

SCIM Recipe
SAT / ASM

Microsoft Entra ID (Azure AD)

Enterprise SSO via OIDC or SAML, plus SCIM 2.0 auto-provisioning. Supported on both AWS and Azure marketplace deployments.

SCIM Recipe
SAT / ASM

Google Workspace

OIDC SSO via the Google identity provider. Supported on both SAT and ASM for employee SSO and admin console access.

SSO Recipe
SAT / ASM

JumpCloud / OneLogin / Auth0

Any standards-compliant SCIM 2.0 + OIDC / SAML 2.0 IdP. Per-tenant configuration so each MSP client can bring its own IdP.

SCIM Recipe
SAT / ASM

Keycloak / PingFederate

Self-hosted IdPs work the same way as the SaaS providers. Use the OIDC recipe for SSO and the REST API for user management until SCIM is wired into the IdP side.

SSO Recipe
SAT / ASM

Generic OIDC / SAML 2.0

Drop-in support for any OIDC-compliant or SAML 2.0 IdP. The recipes cover endpoint URLs, claim mapping, and signing-cert rotation.

What is OIDC?
SAT / ASM

LDAP / Active Directory

Direct-bind backend with two-step bind (service-account search + user re-bind) for organizations that haven’t moved to SAML/OIDC yet. First successful auth assigns the configured rolepermissions role; subsequent logins refresh first / last / email from LDAP attributes. Self-hosted only, with no upstream billing.

Secrets & PAM

Store API keys, SMTP passwords, and tool credentials in the secrets manager you already operate. Pluggable resolver in core/secrets/ rewrites vault://, azure-kv://, and aws-sm:// references at read time; plaintext values pass through unchanged so existing models work without rewrites.

SAT / ASM

HashiCorp Vault

Reference secrets as vault://path/to/secret#field. Supports KV v2; AppRole, token, and Kubernetes auth. Backends import their SDK lazily so installs without Vault don’t need hvac.

Bring your own Vault cluster (you operate the server).

SAT / ASM

Azure Key Vault

Reference secrets as azure-kv://<vault>.vault.azure.net/secret-name. Workload-identity or client-credentials auth via the official azure-keyvault-secrets SDK.

Bring your own Azure subscription; Key Vault operations stay on that subscription.

SAT / ASM

AWS Secrets Manager

Reference secrets as aws-sm://region/secret-name#json-key. IAM-based auth using the same provider chain as the AWS cloud connector.

Bring your own AWS account. Secrets Manager API usage stays on that account.

ICS / OT & Industrial Security

Extend attack surface coverage into industrial control systems and operational technology networks. scada-scanner runs active protocol enumeration — with --safe-mode on by default and a required per-scan authorization acknowledgement before any active probing starts — behind the same HailBytes scan-job and findings pipeline, so OT exposures enter the same exposure graph, compliance reports, and ticketing dispatchers as IT findings.

⚠️ Active ICS/OT scanning can disrupt fragile PLCs

The ICS/OT engine sends live protocol queries (including Redpoint NSE scripts) to industrial devices. It is opt-in per scan engine, requires an explicit per-scan authorization acknowledgement at both the UI and API layers, and every run is audit-logged. Run it only against equipment you own or have explicit written authorization to test — the customer owns that authorization.

ASM

scada-scanner

Active protocol enumeration for ICS/OT protocols: Modbus, S7, DNP3, BACnet, EtherNet/IP, and IEC-104. Opt-in per scan engine and gated behind a per-scan authorization acknowledgement — active probing only starts once the operator confirms they are authorized to scan the target. Safe mode is on by default and limits probe width to read-only, single-register checks; active-probe rate limiting is configurable per scan; all OT scan activity is audit-logged. Findings persist as Vulnerability rows tagged source=scada_scanner and flow into the standard pipeline — exposure graph, SIEM forwarding, ticketing dispatchers, and compliance reports (including the IEC 62443 evidence template) treat OT findings the same as IT findings.

Every ICS/OT assessment generates a branded customer-facing PDF report with an Assessment Scope section (scan mode, protocols, and target list), protocol-by-protocol findings, severity breakdowns, and an executive summary — delivered as a scheduled email or uploaded as a build artifact from the assessment workflow.

Deploy alongside your existing HailBytes ASM instance; scans stay inside your network perimeter. The customer is responsible for ensuring authorization before running active OT probes.

Talk to Sales

Bug Bounty

Pull reports from your existing bug-bounty program into HailBytes ASM. Triaged / accepted / resolved reports against a known target are promoted to Vulnerability rows so they enter the existing pipeline alongside scanner findings (SIEM forwarding, ticketing, exposure graph, compliance reports). Informative / duplicate / N-A reports stay informational.

ASM

HackerOne

One BugBountyProgram row per HackerOne handle. Pulls reports on a schedule, normalises severity onto the HailBytes 0–4 scale, and back-links each promoted report to the matching ASM target.

Bring your own HackerOne API token; program fees stay on your existing HackerOne engagement.

ASM

Bugcrowd

Same model for Bugcrowd-run programs: pulls submissions, promotes triaged findings, and keeps informative submissions out of the vuln queue. Useful when a program runs on Bugcrowd but the rest of vuln management lives in HailBytes ASM.

Bring your own Bugcrowd API key (program fees stay on your existing Bugcrowd engagement).

User Phish Reporting

Get employees reporting suspicious mail in one click instead of a forwarding-rule scavenger hunt.

SAT

Outlook Phish Reporter add-in

Ribbon button on Microsoft 365, Outlook desktop, web, and mobile. Posts the raw .eml to the SAT Reported Inbox; idempotent on duplicate clicks.

Add-in Details
SAT

IMAP shared mailbox

Point SAT at any IMAP mailbox (phish@, security@) and it polls, parses, and triages reports without an add-in. Useful for shops that can't push add-ins through their tenant.

SAT Details
SAT

REST API ingest

Custom report buttons (Gmail, Slack, internal portals) post directly to /api/v1/reports/phish with the original message as multipart/form-data.

API Reference

Email Delivery (SAT)

SAT works with any SMTP-capable provider. The trick on phishing simulation is allowlisting, which the tutorials cover step-by-step.

SAT

Microsoft 365

Direct send + tenant allowlist configuration so simulated phishes reach inboxes instead of Defender quarantine. Covers Advanced Delivery Policy setup.

SMTP Setup Guide
SAT

Google Workspace

SMTP relay configuration plus admin console allowlist rules so Gmail’s spam filtering doesn’t silently drop simulation emails.

SMTP Setup Guide
SAT

SendGrid / Mailgun / SES

Any transactional SMTP provider works for outbound delivery. DMARC / SPF / DKIM alignment is documented in the deliverability tutorial.

Deliverability Deep Dive

Cloud & Marketplace

SAT / ASM

AWS Marketplace

One-click deploy with charges flowing through your existing AWS bill and counting toward AWS EDP commits. SAT and ASM each ship as a separate marketplace listing with a 30-day free trial.

Deploy from AWS
SAT / ASM

Azure Marketplace

Same one-click deployment story on Azure, with charges counting toward Azure MACC commits. Supports private offers for annual and multi-year terms.

Deploy from Azure

Custom Integrations

When the prebuilt connectors don’t cover it, the REST API, webhooks, and Zapier reach the rest.

SAT / ASM

REST API

Full programmatic access to SAT campaigns, ASM scans, findings, user records, and the new POST /api/v1/action/initiate-scan/ endpoint shared by the GitHub Action, all four CI templates, and the Zapier app. Use it to build internal dashboards, custom integrations, or compliance evidence pipelines.

API Reference
SAT / ASM

Webhooks

Subscribe to SAT and ASM events in real time. Standard JSON payloads with HMAC signing so your integration code can verify authenticity. Inbound asset webhook also documented for cloud-asset push.

API Reference
ASM

Zapier

Single Zapier listing wired into a HailBytes ASM REST-hook subscribe / unsubscribe flow plus a Start-scan action. One Zap covers every Zapier destination (Slack, Asana, Linear, Notion, Google Sheets, and the rest) without HailBytes shipping a connector for each.

Bring your own Zapier account. Task usage stays on your existing Zapier plan.

API Reference

Don’t see your tool?

If we don’t list a specific integration, the REST API and generic webhook surface usually cover it in a few hours. Reach out and we’ll point you at the right starting place.

Contact Us
