API Reference

Drive HailBytes SAT and HailBytes ASM from your own code, your CI/CD pipeline, or an AI agent. Both products expose a REST API and a Model Context Protocol (MCP) server on the same instance.

Choose Your Interface

REST API

For traditional automation: scripts, CI/CD jobs, dashboards, and webhook receivers.

JSON over HTTPS
Pagination via DRF page parameters
Server-side filters per resource
Same auth model as the web UI

MCP Server

For AI agents (Claude, Cursor, Windsurf, the Anthropic SDK). Streamable HTTP transport, 16 tools, no glue code.

Native tool-use without writing wrappers
Targets, scans, recon data, vulns, OSINT
Cross-tool chaining with the SAT phishing engine
See the full MCP reference →

Authentication

HailBytes ASM

Generate API keys from Administration › API Keys › Add Key. Keys are SHA-256 hashed at rest and shown only once at creation.

curl https://your-asm-host/api/listTargets/ \
  -H "X-API-Key: $HAILBYTES_ASM_KEY"

Keys can have expiration dates. Expired or deactivated keys are rejected automatically. Browser sessions also work for endpoints called from the UI; CSRF token required when not using X-API-Key.

HailBytes SAT

Generate API keys from Account Settings › API Key. SAT preserves the upstream phishing-engine REST contract for backward compatibility.

curl https://your-sat-host/api/campaigns/ \
  -H "Authorization: Bearer $HAILBYTES_SAT_KEY"

The header Authorization: Bearer <key> is the documented form. The legacy ?api_key= query parameter still works but is discouraged because it leaks into request logs.

HailBytes ASM: Core Endpoints

Paths shown without the host. All paths return JSON unless noted.

Method	Path	Purpose
`POST`	`/api/add/target/`	Add a target domain to a project.
`GET`	`/api/listTargets/`	Paginated list of targets, with vuln counts and last-scan timestamps.
`GET`	`/api/listSubdomains/`	Discovered subdomains with status, screenshots, IP, ports, tech.
`GET`	`/api/listEndpoints/`	Crawled URLs with response codes, content type, GF tags.
`GET`	`/api/listVulnerability/`	Findings filterable by severity (0–4), CVE, target, scan.
`POST`	`/api/v1/action/initiate-scan/`	Public scan-init endpoint shared by the GitHub Action, all four CI templates (GitLab CI / Jenkins / CircleCI / Azure Pipelines), and the Zapier Start-scan action. One canonical entry point so quota / engine / Celery-dispatch logic lives in `initiate_scan_for()` only.
`GET`	`/api/v1/vulnerability/export/`	Vulnerability export. `?format=sarif` returns SARIF 2.1.0 for GitHub Code Scanning; `?format=openvex` returns OpenVEX 0.2.0 for Sigstore / Cosign attestation chains.
`GET`	`/api/v1/taxii/2.1/`	TAXII 2.1 server root. One TAXII collection per Project; STIX 2.1 bundle ids are deterministic UUIDv5 so re-publishes update objects in place. Useful for OpenCTI, MISP, and Anomali clients that prefer to pull.
`GET`	`/api/v1/scim/v2/`	SCIM 2.0 provisioning root (Users, Groups, ServiceProviderConfig, ResourceTypes, Schemas). Bearer auth uses the existing `X-API-Key` credential.
`POST`	`/api/action/initiate/subtask/`	Run a targeted subscan (port scan, vuln scan, screenshot, etc.).
`POST`	`/api/action/stop/scan/`	Abort a scan or subscan; revokes its Celery tasks.
`GET`	`/api/scan_status/`	Pending, running, completed, and aborted scans for a project.
`GET`	`/api/listScanHistory/`	Historical scan records with finding-count rollups.

Severity codes

0 Info · 1 Low · 2 Medium · 3 High · 4 Critical

Scan status codes

-1 Pending · 0 Initiated · 1 Scanning · 2 Completed · 3 Failed · 4 Aborted

HailBytes ASM: Worked Examples

Add a target and start a scan

# Add the target to a project
curl -X POST https://your-asm-host/api/add/target/ \
  -H "X-API-Key: $ASM_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "domain_name": "example.com",
        "slug": "client-pentest",
        "organization": "Example Corp"
      }'

# domain_id comes back in the response. Start a scan from
# the UI, or initiate a subscan via the API.

Pull only Critical vulns from the latest scan

curl "https://your-asm-host/api/listVulnerability/?\
project=client-pentest&severity=4" \
  -H "X-API-Key: $ASM_KEY" \
  | jq '.results[] | {name, http_url, cvss_score}'

Re-screenshot a set of subdomains

curl -X POST https://your-asm-host/api/action/initiate/subtask/ \
  -H "X-API-Key: $ASM_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "subdomain_ids": [1523, 1524, 1525],
        "tasks": ["screenshot", "fetch_url"]
      }'

Wait for a scan to finish in CI

SCAN_ID=156
until curl -s "https://your-asm-host/api/scan_status/?\
project=client-pentest" \
  -H "X-API-Key: $ASM_KEY" \
  | jq -e ".scans.completed[] | select(.id==$SCAN_ID)" \
  > /dev/null
do sleep 30; done

HailBytes SAT: Core Endpoints

SAT preserves the upstream phishing-engine REST contract for backward compatibility, with additional endpoints for the post-click training quiz, certificates, and audit-log export.

Method	Path	Purpose
`GET, POST`	`/api/campaigns/`	List or create campaigns.
`GET`	`/api/campaigns/{id}/results`	Per-recipient send / open / click / submit / report events.
`GET, POST`	`/api/templates/`	Email templates (HTML, text, attachments).
`GET, POST`	`/api/pages/`	Landing pages (with optional credential capture).
`GET, POST`	`/api/groups/`	Target groups and recipient lists.
`GET, POST`	`/api/smtp/`	Sending profiles (SES, SendGrid, custom relay).
`GET`	`/api/quiz-results/`	Post-click training quiz attempts and pass/fail status.
`GET`	`/api/certificates/`	Per-recipient PDF training-completion certificates.
`GET`	`/api/audit/`	Audit-log export (JSON or CSV) for SIEM ingestion.

HailBytes SAT: Worked Examples

Schedule a campaign

curl -X POST https://your-sat-host/api/campaigns/ \
  -H "Authorization: Bearer $SAT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "Q2 Baseline",
        "template": {"name": "Office365 MFA Reset"},
        "page":     {"name": "Office365 Login"},
        "smtp":     {"name": "SES Production"},
        "groups":   [{"name": "Engineering"}],
        "launch_date":  "2026-06-01T13:00:00Z",
        "send_by_date": "2026-06-08T17:00:00Z"
      }'

Pull users who clicked but didn’t pass the quiz

curl "https://your-sat-host/api/quiz-results/?\
campaign_id=42&passed=false" \
  -H "Authorization: Bearer $SAT_KEY" \
  | jq '.results[] | {email, score, attempted_at}'

Stream audit log to a SIEM

# Pull only events newer than the last cursor
curl "https://your-sat-host/api/audit/?since=$LAST_TS&format=json" \
  -H "Authorization: Bearer $SAT_KEY" \
  | curl -X POST https://siem.example.com/_bulk \
      -H "Content-Type: application/x-ndjson" \
      --data-binary @-

Generate a certificate PDF

curl -L "https://your-sat-host/api/certificates/?\
recipient=user@example.com&campaign_id=42" \
  -H "Authorization: Bearer $SAT_KEY" \
  -o certificate.pdf

Rate Limits

HailBytes ASM enforces rate limits at the application layer. Limits are per IP for unauthenticated traffic and per API key (or session) for authenticated traffic.

Anonymous: 20 requests / minute
Authenticated (REST or MCP): 200 requests / minute
Scan initiations: 10 / minute
Webhook deliveries: retried with exponential backoff on 5xx

On limit, the API returns 429 Too Many Requests with a Retry-After header. Build a backoff into clients; do not poll tighter than the limit.

Self-hosted operators can adjust limits in the Django settings; they live in DEFAULT_THROTTLE_RATES and SCAN_THROTTLE_RATE. Marketplace deployments inherit the defaults.

Inbound asset webhook

POST /api/v1/webhooks/assets/ accepts the same shape that the first-party cloud connectors emit. Useful when you want to push assets discovered by Terraform, an internal CMDB, or a cloud provider HailBytes doesn’t ship a connector for yet.

Authentication: HMAC-SHA256 over the raw request body, sent in X-HailBytes-Signature. Shared secret per webhook config.
Replay protection: 24-hour replay-dedup keyed on the event_id field; duplicate posts are accepted with a 200 but ignored.
Persistence: rows land in CloudAsset and back-link to targetApp.Domain / startScan.Subdomain so the existing scan pipeline picks them up.
Schema: documented in the API reference above (asset type, identifier, address, tags, source).

Outbound webhooks

HailBytes ASM events

scan.started
scan.completed
scan.failed
vulnerability.discovered (filtered by min severity)
subdomain.new (delta vs previous scan)

Configure under Notifications. Slack, Discord, Telegram, Lark, and generic JSON-POST destinations supported.

HailBytes SAT events

campaign.launched
campaign.completed
email.sent / email.opened
link.clicked
credentials.submitted
email.reported (user reported phishing)
training.completed

Audit Trail

Every action taken through the REST API, MCP server, or web UI is recorded with the actor, IP, user agent, and target resource. The action taxonomy is normalized across products so a single SIEM rule covers both.

Tracked actions include: target add / remove, scan start / stop, engine create / edit / delete, API-key create / revoke, login success / failure, password change, role change, project add / remove, organization add / remove, vulnerability state change, campaign create / launch / cancel, template add / edit, group add / edit, SMTP profile add / edit, settings change, and report generation. Pull the log via /api/audit/ or stream it to a SIEM webhook in real time.

Driving HailBytes from an AI Agent?

The MCP server is the fastest path. Connect once, the agent has tools for the entire reconnaissance and phishing workflow.

View MCP Reference →