Powerful Features for Modern Security Teams
Everything you need for comprehensive reconnaissance and attack surface management, in detail. Every integration, every export format, every workflow.
Running ASM across a client portfolio? Several features below are built for managed security providers and multi-tenant teams — Multi-Project Management and Project Quotas (hard per-client isolation and resource governance), Scheduled PDF Reports (white-label, direct-to-client delivery), SCIM 2.0 Provisioning, and Ticketing & On-Call Dispatch. See the MSSP workflow, per-client cost attribution, and resale economics →
The full 11-minute product run-through, before the feature breakdown below.
Every HailBytes ASM Capability
Automated Discovery
Comprehensive subdomain enumeration using Subfinder, Amass, Alterx, BBOT, puredns (DNS brute-force against the top-1M wordlist), uncover (multi-source passive recon via Shodan, Fofa, Censys, Hunter), and theHarvester (OSINT email, subdomain, and LinkedIn org recon). All tools run in the same pipeline; results are deduped before persistence.
Port & Service Scanning
Nmap and Naabu integration for fast port scanning and service detection with banner grabbing.
Endpoint Enumeration
Gospider, Hakrawler, and Katana crawling for comprehensive URL discovery and attack vectors.
Vulnerability Scanning
Nuclei templates (3,000+ CVEs), Dalfox for XSS, CRLF injection via crlfuzz, S3Scanner for exposed buckets, Corsy for CORS misconfiguration (14 probe types), Arjun for hidden HTTP parameter discovery, automatic second-order subdomain takeover detection, and a Shodan CVE-correlated pre-scan against known-vulnerable device classes (HP iLO, Intel AMT, Cisco Smart Install) — all individually toggleable per scan engine.
AI-Powered Analysis
OpenAI, Anthropic (Claude), Gemini, or local Ollama models (with NVIDIA CUDA and AMD ROCm GPU acceleration) for air-gappable vulnerability assessment, exploitation guidance, and automated reporting. Each completed scan generates an AI executive summary — severity counts, top findings, and subdomain delta vs. the prior scan — cached in the scan record and rendered as a dedicated section in PDF reports and the scan detail view.
LLM Vulnerability Reports
Auto-generate structured triage for every finding — description, business impact, remediation steps, references, and attack suggestions with exploitation steps — produced by OpenAI GPT models or a local Ollama instance (air-gappable, NVIDIA CUDA / AMD ROCm GPU acceleration). Reports are stored per-vulnerability and served from a dedicated REST endpoint, so analysts get a starting draft on every new finding without re-running the model.
Continuous Monitoring
Hatchet-scheduled scans with diffed findings and webhook alerts to Slack, Microsoft Teams, Discord, Telegram, Lark, and Twilio SMS — plus real-time GitHub commit-stream monitoring for exposed secrets: keyword-filtered polling of the public events API every 5 minutes, trufflehog confirmation, and Critical-severity findings with commit evidence, gated per-Organization and off by default.
Multi-Project Management
Per-client workspaces with role-based access control across multiple engagements. Isolation is enforced at the application layer: every query is Project-scoped through API and middleware filters, so analysts assigned to Client A cannot see Client B’s scans, findings, or targets — even on a shared instance.
Project Quotas & Cost Governance
ProjectQuota sets per-client scan-rate, target, and asset ceilings plus a monthly budget cap and alert threshold — the resource-governance mechanism for multi-tenant deployments. The /billing/projects/ rollup attributes the deployment’s cloud spend across Projects by scan-time, so MSSP operators see exactly which client is consuming compute and get alerted before a runaway scan blows a budget.
Visual Reconnaissance
gowitness screenshot capture with visual comparison across scan history.
REST API, MCP & WebSockets
40+ REST endpoints with OpenAPI docs, SHA-256-hashed API keys, a built-in MCP server for AI agents, and live WebSocket scan updates.
SARIF Export for GitHub Code Scanning
Vulnerability findings export as SARIF 2.1.0 on a single endpoint. Upload from any GitHub Action and findings show up in the Security tab next to CodeQL output, with dedup, dismissal, and PR-comment behaviour handled by GitHub.
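To make the export format concrete, here is an added example (written for this page, not HailBytes ASM's own exporter) that serialises a few constructed findings as a SARIF 2.1.0 document of the shape GitHub Code Scanning accepts: one rule per template, one result per finding, and a stable partial fingerprint so GitHub can match results across uploads. The severity-to-level mapping, the finding dict layout and the fingerprint key name are assumptions.

```python
"""Added example, not HailBytes ASM code: serialising findings as SARIF 2.1.0
for upload to GitHub Code Scanning.

The finding dicts are constructed sample data and the severity-to-level
mapping is an assumption for this example.
"""
import hashlib
import json

# SARIF result levels are limited to none / note / warning / error.
LEVEL = {"info": "note", "low": "note", "medium": "warning",
         "high": "error", "critical": "error"}

SAMPLE_FINDINGS = [  # constructed sample data
    {"template": "exposed-admin-panel", "title": "Admin panel reachable without auth",
     "severity": "high", "target": "https://api.example.com/admin"},
    {"template": "cors-wildcard-origin", "title": "CORS reflects arbitrary Origin",
     "severity": "medium", "target": "https://www.example.com/"},
    {"template": "exposed-admin-panel", "title": "Admin panel reachable without auth",
     "severity": "high", "target": "https://legacy.example.org/admin"},
]


def finding_fingerprint(f):
    """Stable id (template + target) GitHub can use to match results across uploads."""
    key = f'{f["template"]}|{f["target"]}'.encode()
    return hashlib.sha256(key).hexdigest()


def findings_to_sarif(findings, tool_name="hailbytes-asm", tool_version="example"):
    """Build one SARIF run: one rule per template, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["template"]
        # First finding for a template defines the rule; later ones reuse it.
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f["title"]},
            "defaultConfiguration": {"level": LEVEL[f["severity"]]},
        })
        results.append({
            "ruleId": rule_id,
            "level": LEVEL[f["severity"]],
            "message": {"text": f'{f["title"]} at {f["target"]}'},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["target"]}}}],
            # Key name "asmFinding/v1" is an assumption; any string key is valid.
            "partialFingerprints": {"asmFinding/v1": finding_fingerprint(f)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def to_json(findings):
    """The document body a GitHub Action would upload."""
    return json.dumps(findings_to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_FINDINGS))
```

The fingerprint hashes only template and target, never scan id or timestamp, which is what lets GitHub treat a re-observed finding as the same result rather than a new one.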
Scheduled PDF Reports
Per-Project recurring delivery of the WeasyPrint-rendered scan report (daily, weekly, or monthly), emailed directly to a client contact list under your white-label branding — no analyst in the loop. Includes the Asset Change Summary, the AI-Generated Scan Summary section, screenshot gallery, and per-framework compliance evidence in one PDF.
Ticketing & On-Call Dispatch
Severity-floor + deduped routing of triaged findings to Jira (Cloud or Data Center), ServiceNow (SIR + ITSM), and PagerDuty Events v2, with the same fingerprinting engine so a flapping finding doesn’t wake the same engineer twice.
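The routing rule described above, as an added example (written for this page, not HailBytes ASM's fingerprinting engine): a finding is dispatched only if it meets the severity floor and its fingerprint has no open ticket, so a finding that disappears and reappears between scans attaches to the existing ticket instead of paging again. The finding dict layout and the fields chosen for the fingerprint are assumptions.

```python
"""Added example, not HailBytes ASM code: severity-floor + fingerprint dedup
before a finding is routed to a ticketing or on-call system.

The finding dicts and the identity fields chosen for the fingerprint are
assumptions made for this example.
"""
import hashlib
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity of a finding: hash only the fields that define
    what was found and where, never the scan id or timestamp, so the same
    exposure seen on a later scan hashes to the same value."""
    identity = {
        "target": finding["target"].strip().lower().rstrip("."),
        "template": finding["template"],
        "location": finding.get("location", ""),
    }
    blob = json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class Dispatcher:
    """Routes findings at or above a severity floor, once per fingerprint."""

    def __init__(self, severity_floor="high"):
        self.floor = SEVERITY_RANK[severity_floor]
        self.open = {}     # fingerprint -> ticket id, until an operator closes it
        self.tickets = []  # what would be sent to Jira / ServiceNow / PagerDuty

    def dispatch(self, finding):
        """Return (action, ticket_id): 'suppressed', 'created' or 'deduped'."""
        if SEVERITY_RANK[finding["severity"]] < self.floor:
            return ("suppressed", None)
        fp = fingerprint(finding)
        if fp in self.open:
            # Flapping or re-observed finding: attach to the open ticket,
            # do not page the same engineer a second time.
            return ("deduped", self.open[fp])
        ticket_id = f"TICKET-{len(self.tickets) + 1}"
        self.tickets.append({
            "id": ticket_id,
            "fingerprint": fp,
            "severity": finding["severity"],
            "summary": f'{finding["template"]} on {finding["target"]}',
        })
        self.open[fp] = ticket_id
        return ("created", ticket_id)

    def close(self, ticket_id):
        """Operator closed the ticket; a future re-observation pages again."""
        self.open = {fp: t for fp, t in self.open.items() if t != ticket_id}


if __name__ == "__main__":
    d = Dispatcher("high")
    f = {"target": "API.example.com.", "template": "exposed-admin-panel",
         "location": "/admin", "severity": "high", "scan_id": 1}
    print(d.dispatch(f))
    print(d.dispatch(dict(f, target="api.example.com", scan_id=3)))
```

Dedup state is keyed on the fingerprint until the ticket is closed, not on whether the finding was present in the last scan; clearing it on every disappearance is exactly what makes a flapping finding page twice.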
Cloud-Native Asset Discovery
First-party connectors for AWS, Azure, GCP, and Cloudflare pull DNS, load balancers, object stores, and edge endpoints directly from the source. Discovered assets back-link to existing scan targets so the recon pipeline picks them up without reconfiguration. An inbound HMAC-signed webhook covers everything else.
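The check a receiver of that inbound webhook needs, as an added example (written for this page, not HailBytes ASM's own endpoint): the payload is parsed only after a constant-time HMAC-SHA256 comparison and a timestamp window that limits replay. The signing scheme (digest over "timestamp.body"), the header names, the tolerance and the shared secret are all assumptions.

```python
"""Added example, not HailBytes ASM code: verifying an HMAC-signed inbound
asset webhook before its payload is trusted.

The signature scheme (SHA-256 over "<timestamp>.<body>", hex-encoded), the
header names and the shared secret are assumptions for this example.
"""
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-shared-secret"  # constructed; load from config in practice
TOLERANCE_SECONDS = 300                       # reject signatures older than this


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """What the sender computes: HMAC-SHA256 over the timestamp and raw body."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(body: bytes, timestamp_header, signature_header,
           secret: bytes = SHARED_SECRET, now=None) -> bool:
    """Constant-time signature check plus a replay window on the timestamp."""
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(body, ts, secret)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, str(signature_header or ""))


def ingest_assets(body: bytes, timestamp_header, signature_header, now=None):
    """Parse the payload only after the signature checks out."""
    if not verify(body, timestamp_header, signature_header, now=now):
        raise PermissionError("webhook signature invalid or stale")
    payload = json.loads(body)
    return [(a["type"], a["value"]) for a in payload["assets"]]


# Constructed sample payload, as a connector might post it.
SAMPLE_BODY = json.dumps({
    "source": "example-cmdb",
    "assets": [
        {"type": "subdomain", "value": "api.example.com"},
        {"type": "ip", "value": "192.0.2.10"},
    ],
}).encode()


if __name__ == "__main__":
    ts = int(time.time())
    sig = sign(SAMPLE_BODY, ts)
    print(ingest_assets(SAMPLE_BODY, ts, sig))
```

Signing the raw bytes rather than a re-serialised JSON object matters: any whitespace or key-order difference between what was signed and what was verified would otherwise reject a legitimate delivery.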
Exposure Clustering & Graph
Pure-Python union-find over the asset graph (no graph database to operate) clusters related domains, subdomains, IPs, and findings into named exposures. The force-directed cytoscape.js view at /exposure/<slug> answers “what else is on this same surface?” without an analyst joining tables.
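As an added illustration of the union-find approach described above (example code written for this page, not HailBytes ASM's implementation): a disjoint-set forest is built from observed edges between assets, each connected component becomes one exposure named after its apex domain, and a lookup answers the "what else is on this surface?" question. The asset kinds, the constructed edge list and the naming rule are assumptions.

```python
"""Added example, not HailBytes ASM code: clustering an asset graph with union-find.

Assets are (kind, value) tuples; an edge records that two assets were observed
on the same surface. The edge list below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample edges: apex -> subdomain -> IP -> finding. The
# legacy host was never linked to its apex domain by any observation.
SAMPLE_EDGES = [
    (("domain", "example.com"), ("subdomain", "www.example.com")),
    (("domain", "example.com"), ("subdomain", "api.example.com")),
    (("subdomain", "www.example.com"), ("ip", "192.0.2.10")),
    (("subdomain", "api.example.com"), ("ip", "192.0.2.10")),
    (("ip", "192.0.2.10"), ("finding", "admin-panel-exposed")),
    (("domain", "example.org"), ("subdomain", "mail.example.org")),
    (("subdomain", "mail.example.org"), ("ip", "198.51.100.7")),
    (("subdomain", "legacy.example.org"), ("ip", "203.0.113.5")),
]

# Which asset kind should give a cluster its name (lower is preferred).
KIND_PRIORITY = {"domain": 0, "subdomain": 1, "ip": 2, "finding": 3}


class UnionFind:
    """Disjoint-set forest with path compression and union by size."""

    def __init__(self):
        self.parent = {}
        self.size = {}

    def add(self, x):
        if x not in self.parent:
            self.parent[x] = x
            self.size[x] = 1

    def find(self, x):
        self.add(x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # compress the path we just walked
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if self.size[ra] < self.size[rb]:
            ra, rb = rb, ra
        self.parent[rb] = ra
        self.size[ra] += self.size[rb]


def exposure_name(members):
    """Name a cluster after its apex domain, else its highest-priority asset."""
    _, value = min(members, key=lambda m: (KIND_PRIORITY.get(m[0], 9), m[1]))
    return value


def cluster_assets(edges):
    """Return {exposure_name: sorted members} for every connected component."""
    uf = UnionFind()
    for a, b in edges:
        uf.union(a, b)
    components = defaultdict(list)
    for asset in uf.parent:
        components[uf.find(asset)].append(asset)
    return {exposure_name(m): sorted(m) for m in components.values()}


def same_surface(clusters, asset):
    """Answer 'what else is on this surface?' for one asset."""
    for members in clusters.values():
        if asset in members:
            return [m for m in members if m != asset]
    return []


if __name__ == "__main__":
    for name, members in cluster_assets(SAMPLE_EDGES).items():
        print(name, "->", members)
```

Note that clustering follows observed edges, not name similarity: legacy.example.org shares a suffix with example.org but, with no edge linking the two, it forms its own exposure. That is the behaviour you want, since a name match alone is no evidence that two hosts share a surface.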
SCIM 2.0 Provisioning
Auto-create, update, and deactivate users from Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any RFC 7644-compliant IdP. Group push maps onto the existing three rolepermissions roles, with no parallel role taxonomy to maintain.
Threat Intelligence (BYO)
Enrich findings against Shodan, Censys, GreyNoise, VirusTotal, AbuseIPDB, Have I Been Pwned, MISP, OpenCTI, and AlienVault OTX, whichever you already pay for. Per-provider TTL + daily quota + stale-fallback so a flaky upstream doesn’t stall the pipeline.
DevSecOps Pipeline Integration
Published GitHub Action plus drop-in templates for GitLab CI, Jenkins, CircleCI, and Azure Pipelines. All five share one hailbytes-scan.sh + the public POST /api/v1/action/initiate-scan/ endpoint, so a future API change is one search-and-replace, not five divergent updates. Zapier listing covers the long-tail destinations (Slack, Asana, Linear, Notion).
CI/CD Attack-Surface Scanning
Gato detects malicious-workflow and OIDC token-abuse paths in GitHub Actions; zizmor statically analyses .github/workflows/ for misconfigurations and secret-exposure risks. Findings land in the same vulnerability pipeline as every other ASM phase — exposure graph, SIEM forwarding, ticketing dispatchers. Opt-in via the cicd_scan engine YAML block; bring your own GitHub Personal Access Token.
Cloudflare Origin IP Bypass Discovery
Cloudflare-fronted hosts only expose Cloudflare’s edge IPs to scanners — the origin server stays invisible. HailBytes ASM uses Censys certificate matching (CloudFlair) and response-body fingerprinting (hakoriginfinder) to find the real origin IP, surfacing the attack surface your WAF was hiding (open ports, admin panels, unproxied services) as exposed-origin-ip findings. Requires a Censys key.
Bug-Bounty Ingestion
Pull HackerOne and Bugcrowd reports into HailBytes ASM. Triaged / accepted / resolved reports promote to Vulnerability rows automatically, so they enter SIEM forwarding, ticketing, exposure graph, and compliance reports alongside scanner findings. Informative / duplicate / N-A submissions stay informational.
Enterprise & Federal Surface
STIX 2.1 / TAXII 2.1 server (one collection per Project), OpenVEX 0.2.0 export, LDAP / Active Directory direct-bind for orgs that haven’t moved to SAML, and PAM-backed secrets via vault://, azure-kv://, and aws-sm:// references. Twelve compliance frameworks ordered for US Enterprise procurement: SOC 2 Type II, NIST CSF 2.0, HIPAA, GLBA (North American) lead, followed by LGPD (Latin American), ISO 27001 (global), and IEC 62443 (industrial / OT).
Multi-Language UI
The full ASM interface — login, dashboard, scan results, and compliance reports — renders in seven locales: English, Brazilian Portuguese, Spanish, Canadian French, German, Japanese, and Korean. The locale is set at the tenant level, so the entire session is consistent from the first login with no mid-session switching.
ICS / OT Attack Surface Coverage
scada-scanner extends ASM into industrial control systems and operational technology networks with active protocol enumeration for Modbus, S7, DNP3, BACnet, EtherNet/IP, and IEC-104. Opt-in per scan engine, with safe mode on by default and a required per-scan authorization acknowledgement before any active probing starts. OT exposures enter the same exposure graph, compliance reports (IEC 62443), and ticketing dispatchers as IT findings. Every ICS/OT assessment includes an Assessment Scope table — showing every check evaluated and its result, so auditors see what was tested, not just what was found — plus a branded customer-facing PDF report.