Procurement FAQ
A self-serve umbrella for the standard ASM and SAT vendor-evaluation questions enterprise procurement reviewers ask, organized in nine sections. Each answer is a short orientation; the authoritative deep-dive sits one click away on the relevant trust-package document.
How to use this page: If you are scoring HailBytes against a vendor questionnaire (ASM, SAT, third-party risk, or general procurement diligence), start here. Each section mirrors one questionnaire chapter, states HailBytes' position on it, and links to the authoritative document with full detail. Where an answer is "not yet," we say so — gaps are named so reviewers can measure us against the published roadmap. Reviewers who prefer a guided walkthrough can email [email protected] for a live diligence call.
Last reviewed: 2026-05-24 · Review cadence: quarterly
Nine sections at a glance
Jump to the section that matches the questionnaire chapter you are scoring.
§1 Commercial & business
Licensing, MSSP white-label, PoC, support tiers, time-to-value, FX, local-entity questions.
§2 Discovery & asset enumeration
Automated discovery, cloud connectors, attribution, refresh cadence, manual asset management.
§3 Vulnerability assessment
Scanning coverage across network, web, TLS, misconfigurations; vuln feeds (CVE, KEV, EPSS).
§4 Findings & remediation
Remediation guidance, re-scan validation, status tracking, exception management, SLA tracking.
§5 Risk scoring & prioritization
Composite risk scoring, business-context calibration, attack-path analysis, embedded threat intel.
§6 Integrations & APIs
REST API, SIEM/SOAR/ITSM connectors, webhooks, SSO (SAML/OIDC/SCIM/LDAP).
§7 Reporting & dashboards
Compliance report templates, executive dashboards, scheduled/branded delivery, multi-tenant MSSP reporting.
§8 Platform, security & compliance
Deployment model, data residency, LGPD/GDPR/SOC 2, encryption, RBAC, availability and incident SLA.
§9 AI, automation & CTEM
AI use disclosure, false-positive reduction, prioritization ML, Gartner CTEM phase alignment.
Commercial & business requirements
Procurement asks: What are your licensing models? Do you support MSSP / OEM white-labeling? Is there a free PoC? What is your standard support and SLA? What is time-to-value? How do you handle FX and local-entity invoicing?
HailBytes uses a per-deployment software license, not per-asset or per-IP metering, with subscription tiers by deployment size and consumption-based marketplace pricing on AWS and Azure. Inside a single deployment, per-project quotas cap targets, concurrent scans, seats, and monthly budget — the documented MSSP pattern is one shared instance with one Project per customer. MSSP and OEM white-labeling is first-class: per-tenant brand, logo, colors, "Powered by" toggle, custom CSS, and login banner are all configurable. Annual contracts are the default with multi-year discounts available via marketplace private offer.
A free PoC is always available: self-serve marketplace VM in ~10–15 minutes with example data pre-loaded, or a dedicated PoC into the customer's tenant with a 30-day default scope and a kickoff plus closeout report. Standard support is business-hours US/Mountain via [email protected] and GitHub Issues for the source-available tier; 24x7 is a contracted premium tier with a defined response matrix. International invoicing primarily routes through AWS Marketplace and Azure Marketplace, where the hyperscaler is the reseller of record — this is what eliminates most FX and local-entity friction for non-US customers.
Deep-dive links: how to buy → · PoC process → · MSSP & partner resell → · DPA →
Discovery & asset enumeration
Procurement asks: Do you automate discovery of domains, subdomains, ASNs, and IP ranges? What coverage do you have beyond network — cloud, SaaS, APIs, code repos, leaked credentials, deep/dark web? How do you handle asset attribution and false positives? Active, passive, or hybrid? Refresh cadence?
ASM runs hybrid passive and active discovery by design. Multiple tools execute in parallel per phase (subfinder, amass, assetfinder, oneforall, ctfr, tlsx for subdomain and certificate-based discovery; naabu and nmap for ports; Netlas for ASN, IP-range, and organization-level discovery). Native cloud connectors cover AWS, Azure, GCP, and Cloudflare with confidence-scored ingest. Code-repository scanning via TruffleHog and GitLeaks promotes verified secrets to findings, and leaked-credential coverage flows through HIBP, Dehashed, and LeakIX. SaaS exposure is inferred via DNS/CNAME plus certificate transparency.
Attribution is project-scoped: every discovered asset belongs to a specific Target in a specific Project, with uniqueness constraints preventing cross-project bleed. Discovery results are deduplicated on write so re-runs don't multiply findings. Refresh runs on a continuous scheduled cadence — interval, crontab, or one-off — with cloud connectors hourly by default. Near-real-time CMDB updates are supported via an HMAC-signed inbound webhook with 24h replay dedup. Honest gaps: mobile-app SAST/DAST and a dedicated dark-web crawler beyond HIBP/Dehashed/LeakIX are not in product today; partner integrations cover these signals.
Deep-dive links: ASM platform → · ASM feature index → · security architecture →
Vulnerability assessment & scanning
Procurement asks: What is your vulnerability scanning coverage across network, web app, TLS, misconfiguration, and exposed services? Do you support scheduled scans with maintenance windows? Which vuln databases and feeds do you use, and how fresh are they?
ASM scans every layer the question asks about. Network discovery runs through nmap NSE scripts and naabu; web-application coverage uses nuclei (auto-updating community plus custom templates), dalfox for XSS, and crlfuzz for CRLF injection. SSL/TLS posture per open TLS port comes from testssl and tlsx. Misconfigurations are covered by s3scanner for buckets, nuclei misconfig templates, and wafw00f. Findings are linked relationally to subdomain → IP → port → endpoint so every vuln carries full context.
Scheduling supports interval, crontab, and one-off triggers. The maintenance-window pattern is a crontab whose start times all fall inside the window, for example 0 2-4 * * 0, which fires at 02:00, 03:00, and 04:00 UTC on Sundays. Crontab governs only when a scan starts, so size each scan so it finishes before the window closes (or use 0 2-3 * * 0 to keep the last start an hour from the boundary). Vulnerability feeds: CVE/NVD hydrated from three mirror sources with retry handling, CISA KEV as a first-class indexed boolean driving prioritization, EPSS per CVE, and vendor advisories inherited via daily-updated nuclei templates. Eleven threat-intel providers layer per-finding enrichment.
Deep-dive links: ASM feature index → · compliance framework mappings → · per-release security evidence →
Findings, remediation & validation
Procurement asks: Do findings include actionable remediation guidance and evidence? Can analysts trigger re-scans to validate fixes? Is there assignment and status tracking? Do you support exception management with risk acceptance and expiration? Is there SLA tracking for remediation?
Every finding ships with description and remediation guidance (markdown), severity, CVSS vector and score, CVE and CWE references, source template URL, an evidence JSON blob (raw request/response from the scanner), and a screenshot path. LLM-generated impact and remediation narratives are cached with full model and version provenance, and customers who cannot send data to a hosted LLM can run Ollama locally for air-gapped operation. Re-scan validation uses a per-finding rescan_verified boolean; compliance reports key off it to differentiate fixed-and-verified from user-marked-fixed.
Status tracking covers Open / Confirmed / In Progress / Resolved / False Positive / Accepted Risk with full audit trail (status_changed_by, status_changed_at) on every transition. SLA tracking is first-class: severity-based due dates auto-compute, with started and completed timestamps and dashboards that surface SLA breach.
Honest partial: exception management exists today as Accepted-Risk status with RBAC gating, but expiration dates on risk acceptance and multi-step approval chains are not yet first-class fields — they are a 2026 Q4 roadmap item.
Deep-dive links: security AI disclosure → · ASM feature index → · evidence package →
Risk scoring & prioritization
Procurement asks: Do you produce per-asset and per-finding risk scores? Can scores be calibrated to business context and compensating controls? Do you support attack-path or chained-risk analysis? Is threat intelligence embedded in prioritization?
ASM computes a composite 0–100 risk score per finding, with the score indexed for fast filtering. Inputs include severity, CVSS base score, EPSS score, CISA KEV status (boolean plus date added), asset criticality propagated from Domain to Subdomain, and per-provider threat-intel enrichment from eleven providers (Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, HIBP, MISP, OpenCTI, OTX, Dehashed, LeakIX). Asset-level rollup is surfaced on the exposure graph and the dashboard. Business calibration uses a per-domain criticality enum plus asset tags (production, regulated, customer-facing).
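As an added illustration of how the inputs listed above compose into a single 0–100 number, the block below is example code written for this page, not HailBytes' scoring formula (the page does not publish the product's weights). The weights, the KEV floor of 70, the criticality multipliers, the severity fallback table and the three sample findings are all assumptions.

```python
"""Added example: rule-based composite 0-100 risk score.
Not HailBytes' formula; the weights, KEV floor, criticality multipliers
and sample findings below are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed fallback base when a finding carries no CVSS vector (e.g. a nuclei
# misconfig template that only reports a severity).
SEVERITY_BASE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5, "info": 0.5}
# Assumed business-context multipliers keyed on the per-domain criticality enum.
CRITICALITY_MULT = {"critical": 1.25, "high": 1.10, "medium": 1.00, "low": 0.85}
KEV_FLOOR = 70.0  # assumption: a known-exploited CVE never scores below 70


@dataclass
class Domain:
    name: str
    criticality: str  # set by the customer: critical / high / medium / low


@dataclass
class Subdomain:
    name: str
    domain: Domain
    criticality: Optional[str] = None  # None => propagated from the Domain

    def effective_criticality(self) -> str:
        return self.criticality or self.domain.criticality


@dataclass
class Finding:
    title: str
    asset: Subdomain
    severity: str
    cvss: Optional[float]   # CVSS base score 0-10, if the finding carries one
    epss: float             # EPSS probability 0-1
    kev: bool               # listed in CISA KEV
    intel_hits: int         # providers corroborating exploitation / IOC activity


def risk_score(f: Finding) -> int:
    base = f.cvss if f.cvss is not None else SEVERITY_BASE[f.severity]
    score = base * 5.0                    # 0-50: technical severity
    score += f.epss * 30.0                # 0-30: exploitation likelihood
    score += min(f.intel_hits, 4) * 2.5   # 0-10: threat-intel corroboration
    if f.kev:
        score = max(score, KEV_FLOOR) + 10.0
    score *= CRITICALITY_MULT[f.asset.effective_criticality()]
    return int(round(min(100.0, max(0.0, score))))


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest composite score first; ties broken by KEV, then EPSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.kev, f.epss), reverse=True)


# Constructed sample: a critical domain, an inheriting subdomain, an overridden one.
PROD = Domain("example.com", "critical")
WWW = Subdomain("www.example.com", PROD)                       # inherits critical
DEV = Subdomain("dev.example.com", PROD, criticality="low")    # explicit override
SAMPLE = [
    Finding("known-exploited RCE", WWW, "high", 8.8, 0.92, True, 3),
    Finding("high-CVSS bug, no exploitation signal", DEV, "high", 8.8, 0.02, False, 0),
    Finding("misconfig, no CVSS", Subdomain("api.example.com", Domain("example.org", "medium")),
            "medium", None, 0.01, False, 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(risk_score(f), f.asset.name, f.title)
```

The two 8.8-CVSS findings land 62 points apart: KEV and EPSS push the first to the ceiling while the low-criticality override on the dev host pulls the second down, which is the behaviour a reviewer should expect from any composite that claims to embed threat intel and business context.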
Attack-path analysis ships in two views: an exposure graph with union-find clustering (subdomains, IPs, vulnerabilities as nodes; resolves-to, shares-CDN, CNAME, has-vulnerability as edges), and a directed attack-path graph with temptation ranking that orders paths by attacker desirability (high-criticality target reachable via low-friction chain). Active exploitation is signalled by CISA KEV plus GreyNoise classification plus MISP IOC matching. Honest gaps: formal compensating-control entities and per-finding MITRE ATT&CK technique mapping are on the roadmap but not in product today.
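An added example, not the product's exposure-graph code, of the two views just described: union-find clustering over the node and edge types the paragraph lists, then a directed walk from each entry subdomain to every reachable vulnerability, ranked by a temptation score. The sample graph, the criticality labels, the per-vulnerability friction values and the temptation formula (target criticality weight divided by hops times friction) are constructed assumptions.

```python
"""Added example: exposure-graph clustering with union-find, then a directed
attack-path walk ranked by "temptation". Not HailBytes code; the sample graph,
criticality labels, friction values and formula are constructed assumptions."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source node, relation, destination node)

# Constructed sample graph; node prefixes mirror the paragraph's node types.
EDGES: List[Edge] = [
    ("sub:www.example.com",    "resolves-to",       "ip:203.0.113.10"),
    ("sub:api.example.com",    "resolves-to",       "ip:203.0.113.10"),
    ("sub:shop.example.com",   "CNAME",             "sub:www.example.com"),
    ("sub:www.example.com",    "has-vulnerability", "vuln:weak-tls-config"),
    ("sub:legacy.example.com", "resolves-to",       "ip:198.51.100.7"),
    ("sub:legacy.example.com", "has-vulnerability", "vuln:exposed-admin-login"),
]
# Assumed per-asset criticality (propagated from the Domain in the product).
CRITICALITY: Dict[str, str] = {
    "sub:www.example.com": "critical",
    "sub:api.example.com": "critical",
    "sub:shop.example.com": "high",
    "sub:legacy.example.com": "low",
}
CRIT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed attacker friction per vulnerability: 1 = trivial, higher = harder.
VULN_FRICTION = {"vuln:weak-tls-config": 3, "vuln:exposed-admin-login": 1}


class UnionFind:
    """Disjoint-set forest with path halving; nodes are created on first use."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def clusters(edges: List[Edge]) -> List[List[str]]:
    """Connected components of the exposure graph, largest first."""
    uf = UnionFind()
    for src, _, dst in edges:
        uf.union(src, dst)
    groups: Dict[str, set] = defaultdict(set)
    for node in list(uf.parent):
        groups[uf.find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def attack_paths(edges: List[Edge]) -> List[dict]:
    """BFS along directed edges from each entry subdomain to each reachable
    vulnerability; temptation = target criticality / (hops * friction)."""
    adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    paths = []
    for entry in CRITICALITY:                       # internet-facing entry points
        queue = deque([(entry, [entry])])
        seen = {entry}
        while queue:
            node, chain = queue.popleft()
            for _rel, nxt in adj[node]:
                if nxt in seen:
                    continue
                seen.add(nxt)
                if nxt.startswith("vuln:"):
                    target = node                   # asset the vulnerability sits on
                    hops = len(chain)               # entry ... target -> vuln
                    weight = CRIT_WEIGHT[CRITICALITY.get(target, "medium")]
                    paths.append({
                        "entry": entry, "target": target, "vuln": nxt,
                        "chain": chain + [nxt], "hops": hops,
                        "temptation": round(weight / (hops * VULN_FRICTION[nxt]), 2),
                    })
                else:
                    queue.append((nxt, chain + [nxt]))
    return sorted(paths, key=lambda p: p["temptation"], reverse=True)


if __name__ == "__main__":
    for c in clusters(EDGES):
        print("cluster:", c)
    for p in attack_paths(EDGES):
        print(p["temptation"], " -> ".join(p["chain"]))
```

Clustering is undirected (a shared IP or CNAME links assets regardless of edge direction), whereas the path walk follows edge direction, so shop reaches the TLS weakness only through its CNAME onto www and is ranked below the direct path; the trivially exploitable login on the low-criticality legacy host sits between them, which is the trade-off a temptation ranking is meant to expose.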
Deep-dive links: ASM feature index → · security architecture → · AI/ML use disclosure →
Integrations & APIs
Procurement asks: Is the REST API documented? What authentication is supported? Which SIEM, SOAR, and ITSM systems integrate natively? Are there webhook and event-stream paths? Do you support SAML, OIDC, and SCIM for SSO?
The REST API is documented via OpenAPI/Swagger at /swagger/ with a ReDoc UI at /redoc/ — 100+ endpoints across nine ModelViewSets. API clients authenticate with an API key presented in the X-API-Key header and stored server-side only as a SHA-256 hash, with expiry and last-used tracking; browser sessions use SAML 2.0 and OIDC. Rate limits are 60 req/min authenticated, 20 req/min anonymous, and 10 req/min for scan initiation. OAuth 2.0 and mTLS are not implemented today; if a procurement floor requires either, the use case can be scoped under PS.
Native dispatchers include Splunk HEC, Microsoft Sentinel, ServiceNow, Jira, Microsoft Teams, Slack, CrowdStrike Falcon LogScale, Wiz GraphQL, GitHub Issues, GitLab Issues, PagerDuty, Opsgenie, Discord, Telegram, and Lark. QRadar and Cortex XSIAM are covered via Syslog (CEF) and Webhook (JSON) — the industry-standard ingest paths these platforms accept. SSO supports SAML 2.0, OIDC, LDAP/AD, and SCIM 2.0 (tested against Okta, Entra ID, JumpCloud). Outbound webhooks are JSON; inbound CMDB-push uses an HMAC-signed webhook with 24h replay dedup. Kafka/Pulsar streaming is not native — the webhook bridges to the event broker.
Deep-dive links: integrations index → · API documentation → · product documentation →
Reporting & dashboards
Procurement asks: Are reports customizable beyond pre-configured templates? Are there management and executive dashboards with drill-down and role-based views? Can reports be scheduled, branded, exported, and delivered? Do you support multi-tenant reporting for MSSP / consulting use?
ASM ships pre-configured Executive Summary, full Vulnerability, and Reconnaissance reports, plus auditor-ready compliance reports for SOC 2 CC7.x, NIST CSF 2.0, ISO/IEC 27001:2022, HIPAA Security Rule, GLBA, PCI DSS 4.0, CIS Controls v8 IG1+IG2, GDPR Article 32, FedRAMP Moderate, NYDFS 23 NYCRR 500, and LGPD. Adding a framework is a YAML block plus a template stub. Per-project dashboards include severity tiles, scan-history timelines, exposure-graph entry, and billing-insights tiles, with drill-down to per-finding evidence and screenshots. RBAC is enforced at the ORM layer so Auditors see read-only filtered views while SysAdmins see everything.
Scheduled delivery supports daily, weekly, and monthly cron with per-report recipient lists, severity floors, and criticality filters. Branding is first-class: logo, colors, fonts, custom CSS, login banner, and "Powered by" toggle — the documented MSSP pattern. Export formats are PDF (WeasyPrint default), HTML preview, CSV, and JSON; XLSX export is an honest gap (CSV imports cleanly into Excel). Delivery channels: email recipient list, Slack incoming webhook, generic JSON POST webhook, or on-demand via API. Multi-tenant reporting uses one Project per customer, with per-project branding, SIEM destinations, scheduled reports, and cost rollup.
Deep-dive links: compliance framework mappings → · MSSP & partner resell → · ASM feature index →
Platform architecture, security & compliance
Procurement asks: What is your deployment model and data residency? What is your posture on LGPD, GDPR, ISO 27001, and SOC 2 Type II? How is data segregated, encrypted, retained, and deleted? How granular is RBAC for multi-business-unit deployment? What is your availability SLA and incident communication?
The deployment model is Bring-Your-Own-Cloud (BYOC): every customer is a single-tenant instance running in their own AWS or Azure account. HailBytes operates no multi-tenant SaaS data plane. Data residency is whichever region the customer picks — including AWS GovCloud (US), Azure Government, and Brazilian regions sa-east-1 and brazilsouth. On-prem via Docker Compose is supported. SOC 2 Type 2 direct with Jack Moore Group is in late-stage contracting, target attestation 2026-H2 to 2027-Q1, contingent on observation-window completion. LGPD and GDPR are addressed in the published DPA with David McHale designated as encarregado and DPO. ISO 27001 is deferred and re-evaluated post SOC 2 Type 2.
Segregation is structural — the customer cloud account is the isolation boundary. Sensitive fields (API keys, OAuth tokens, LDAP bind passwords, SIEM credentials) are encrypted at the ORM layer; everything else uses cloud-provider disk encryption. TLS protects every external endpoint, with TLS-verify toggles on Sentinel, Splunk HEC, Wiz, ServiceNow, and Jira. Retention is configurable per deployment. Deletion at contract termination is a customer operation — they destroy the VM/AMI, since the data was never in HailBytes' infrastructure to begin with. RBAC supports three roles (SysAdmin, PenetrationTester, Auditor) across eight permission categories, scoped to Project and Organization, with SSO/SCIM/LDAP group mapping. Vendor-side SLA is 99.5% availability of update servers and the advisory pipeline; critical advisories ship within 72 hours of a confirmed exploitable CVE.
Deep-dive links: trust center hub → · BYOC architecture → · BYOC deep-dive → · SOC 2 roadmap → · CAIQ-Lite → · LGPD & GDPR posture → · LGPD residency → · subprocessors → · BCP/DR → · insurance → · DPA →
AI, automation & CTEM alignment
Procurement asks: Where is AI/ML used in attribution, false-positive reduction, prioritization, and remediation guidance? Where is the human in the loop? How does the platform align with Gartner's Continuous Threat Exposure Management (CTEM) phases?
AI is used today primarily for remediation-guidance generation — the LLM writes description, impact, and remediation narratives per finding, cached with full model and version provenance. Provider choice is OpenAI, Anthropic, Gemini, or Ollama running locally for air-gapped operation with NVIDIA CUDA and AMD ROCm GPU support. Attribution is deterministic today (hostname matching, certificate SAN, BGP/ASN ownership), not ML-driven. Prioritization is rule-based composite scoring (CVSS + EPSS + KEV + business criticality + threat intel), not ML. Honest framing: ML-based false-positive reduction is not in production yet; today FPs are handled deterministically via dedup, exclude lists, and manual mark-as-FP with audit trail.
On CTEM alignment, the five phases map directly: Scoping via Targets, Domains, Organizations, and Projects with per-project quotas; Discovery across 30+ tools, four cloud connectors, eleven threat-intel providers, and code-leak scanning; Prioritization via the composite risk score, exposure graph, and attack-path temptation ranking; Validation via the rescan_verified workflow and per-finding evidence + screenshot; Mobilization via 17+ SIEM, ticketing, and notification destinations with remediation SLA tracking.
Deep-dive links: security AI disclosure → · ASM feature index → · ASM platform →
Where to take this next
Three procurement-grade next steps when this page has answered the surface question and you need the underlying artifact in hand.
Pull the artifact
Every section above links to the authoritative document. CAIQ-Lite, BYOC architecture, BCP/DR plan, subprocessor list, insurance coverage, and the 18-month compliance roadmap are all published.
Run a PoC
Self-serve marketplace VM in ~10–15 minutes with example data pre-loaded, or a dedicated 30-day PoC into your tenant with kickoff, mid-PoC review, and closeout report.
Book a diligence call
Live walkthrough with David McHale (LGPD encarregado / GDPR DPO) covering any artifact above. Standard NDA available; corporate-domain email required.
Page maintenance: this procurement FAQ is reviewed quarterly against the live questionnaire-answer source-of-truth, the published trust package, and the compliance roadmap. Last reviewed: 2026-05-24. Discrepancies between this umbrella page and a linked deep-dive should be reported to [email protected]; the deep-dive is always authoritative.