Discovery and Vulnerability Coverage

The tools, providers, and asset classes HailBytes ASM covers in product. Procurement-shaped detail, not marketing.

Most ASM vendors describe coverage at the marketing layer ("comprehensive", "best-in-class"). Enterprise procurement teams need the tool list, the provider list, and the honest gaps. This page is the second-half companion to the ASM features overview for evaluators who need to verify what specifically runs inside the deployment.

Discovery Techniques

Hybrid by design. Each phase is individually toggleable per engine, so a pure-passive engine is one valid configuration.

Passive Sources

  • Certificate transparency logs (crt.sh, tlsx, CertStream live feed)
  • Passive DNS feeds
  • WHOIS
  • SecurityTrails (passive DNS history, subdomain enumeration)
  • Netlas (ASN, IP-range, and organization-level queries)
  • OSINT dorks via uncover (Shodan, Censys, Fofa, Hunter, Netlas, ZoomEye)
  • theHarvester (email, subdomain, and virtual-host OSINT across Google, Bing, DuckDuckGo, Netcraft, SecurityTrails, Hunter.io, IntelX, and more)
  • Threat-intel provider lookups (listed below)

Active Sources

  • subfinder, amass, assetfinder, alterx (subdomain + permutation)
  • bbot (multi-phase asset discovery)
  • dnsx (-axfr zone-transfer detection)
  • dnsReaper (subdomain takeover — CNAME to S3, GitHub Pages, Heroku)
  • nmap, naabu (port and service); RustScan optional (65,535 ports in ~3 s)
  • httpx, katana (HTTP probing and crawl)
  • nuclei (vulnerability templates, auto-updated daily)
  • puredns (DNS brute-force — SecLists top-1M wordlist + trickest resolvers; opt-in via run_puredns)
  • Second-order subdomain takeover (crawls alive endpoints for external host references; NXDOMAIN targets flagged High-severity)
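The second-order takeover check above works by crawling a live page, collecting every external hostname the page loads or submits to, and flagging those that no longer resolve. The following is an added illustration, not HailBytes' crawler: the HTML and the DNS answers are constructed so it runs offline, and the vendor hostnames in it are hypothetical. Severity follows the page (NXDOMAIN references are High).

```python
"""Second-order dangling-reference check (added example, not HailBytes code).

The page content below is constructed sample input and DNS resolution is
injected, so the script runs offline. An external hostname that one of our
live pages loads a script, stylesheet, iframe or form target from, and that
no longer resolves (NXDOMAIN), is a takeover risk: whoever registers that
name controls content our page executes or receives.
"""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser fetch from, or submit to, a host.
_LOAD_ATTRS = {"src", "href", "action", "data", "poster"}


class _RefExtractor(HTMLParser):
    """Collects hostnames from load/submit attributes on every start tag."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in _LOAD_ATTRS and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())


def external_hosts(html, own_suffixes):
    """Hostnames referenced by the page that are outside our own zones."""
    parser = _RefExtractor()
    parser.feed(html)
    return {h for h in parser.hosts
            if not any(h == s or h.endswith("." + s) for s in own_suffixes)}


def resolves(host):
    """Live resolver: True if the name has any address answer."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(pages, own_suffixes, resolve=resolves):
    """pages: {source_url: html}. Returns (source_url, host, severity) for
    each referenced external host that fails to resolve."""
    findings = []
    for url, html in pages.items():
        for host in sorted(external_hosts(html, own_suffixes)):
            if not resolve(host):
                findings.append((url, host, "High"))
    return findings


# ---- constructed sample input (hypothetical hostnames) -----------------
SAMPLE_PAGES = {
    "https://app.example.com/login": """
      <html><head>
        <script src="https://cdn.example.com/app.js"></script>
        <script src="https://widgets.old-vendor-example.net/chat.js"></script>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css">
      </head><body>
        <form action="https://forms.retired-saas-example.org/submit"></form>
      </body></html>"""
}
OWN = ["example.com"]


def fake_resolver(host):
    """Stands in for DNS: the two hypothetical vendor hosts return NXDOMAIN."""
    return host not in {"widgets.old-vendor-example.net",
                        "forms.retired-saas-example.org"}


if __name__ == "__main__":
    for src, host, sev in find_dangling(SAMPLE_PAGES, OWN, fake_resolver):
        print(f"[{sev}] {src} references unresolvable host {host}")
```

Own-zone references are excluded because a dangling internal name is a first-order finding (the dnsReaper / dangling-CNAME case) rather than a second-order one; in production the `resolve` argument is left at its default so real DNS is consulted.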

Asset Classes Covered

Network and Edge

  • Domains, subdomains, IPs, ASNs, IP ranges
  • Open ports and exposed services
  • TLS posture (cipher, protocol, certificate, JA4 fingerprint via tlsx)
  • DNS zone-transfer exposure (dnsx -axfr)
  • Subdomain takeover (dnsReaper — dangling CNAME detection)
  • Typosquat and phishing domain detection (dnstwist opt-in)
  • CDN and WAF detection
  • Cloudflare origin IP bypass (CloudFlair + hakoriginfinder — uncovers origin servers behind the Cloudflare edge; requires Censys key)

Cloud (Native Connectors)

  • AWS (Route 53, EC2, ELB, RDS, S3, API Gateway, Lambda URLs)
  • Azure (Azure DNS, public compute, load balancers, storage)
  • Google Cloud (Cloud DNS, public compute, GCS)
  • Cloudflare (DNS, public-facing services)
  • Read-only IAM; cloud connectors run hourly by default

Web and APIs

  • Web application endpoints (httpx, katana crawl)
  • Per-endpoint technology fingerprinting (httpx -tech-detect)
  • Misconfiguration detection (nuclei templates incl. LLM/AI tags)
  • XSS (dalfox), CRLF injection (crlfuzz)
  • CORS misconfiguration (corsy — 14 probes: origin reflection, bypass patterns, wildcard-with-credentials)
  • HTTP parameter discovery (arjun — surfaces hidden params for downstream dalfox/nuclei fuzzing)
  • S3 bucket misconfig (s3scanner)
  • GraphQL: fingerprinting (graphw00f), security audit (graphql-cop), schema recovery (clairvoyance)
  • Supply-chain dependency confusion (confused — npm, PyPI, Composer, RubyGems)

Code Repositories

  • GitHub, GitLab, and Bitbucket organization scanning
  • TruffleHog and GitLeaks secret detection
  • Verified secrets promote to findings
  • Real-time public commit monitoring (polls the GitHub events API every 5 min; keyword-matched commits piped through TruffleHog — per-org opt-in)

Credential Exposure

  • Have I Been Pwned (HIBP)
  • Dehashed
  • LeakIX
  • Per-domain and per-email-pattern surfacing

SaaS Exposure (Inferred)

  • CNAME analysis to known SaaS providers
  • Certificate transparency cross-reference
  • No dedicated SaaS broker integration today

CI/CD Pipelines

  • GitHub Actions enumeration (Gato — exposed secrets, OIDC misconfig, poisoned workflows)
  • Workflow static analysis (zizmor v1.25.2 — injection, privilege escalation)
  • Requires customer-provided GitHub PAT (GitHubAPIKey); off by default
  • Findings persist as Critical / High Vulnerability rows

Threat Intelligence Providers

Twelve providers feed per-finding enrichment via the threatIntel.services.enrich pipeline. API keys are BYO; customers bring their existing provider contracts into the deployment.

Active Exposure

  • Shodan (passive enrichment plus active CVE-correlation queries run before the vulnerability scan; requires ShodanAPIKey)
  • Censys
  • GreyNoise (active classification, scanner traffic)
  • SecurityTrails (passive DNS history, subdomain enumeration)

Reputation and IOC

  • VirusTotal
  • AbuseIPDB
  • MISP (customer-side instance, IOC matching)
  • OpenCTI
  • OTX (AlienVault)

Credential and Leak Data

  • Have I Been Pwned (HIBP)
  • Dehashed
  • LeakIX

Vulnerability Database Feeds

CVE / NVD

Hydrated from three NVD-mirror sources with retry handling on HTTP 429 and 503. Per-CVE EPSS score fetched and cached for exploit-likelihood weighting in the composite risk score.

CISA KEV

First-class field on every Vulnerability: kev_date_added plus an indexed is_known_exploited boolean. Drives prioritization and the in-product KEV-only filter.

Vendor Advisories

Inherited via nuclei templates, which are auto-updated daily and pull vendor proof-of-concepts.

Proprietary Research

Customer-side enrichment via the twelve threat-intel providers listed above; per-finding risk_score is enriched on every lookup result.

CTEM Framework Alignment

Direct mapping to Gartner's five Continuous Threat Exposure Management phases.

Scoping

Targets, Domains, Organizations, and Projects with per-Project quotas. RBAC and SSO group-to-role mapping confine scope per team.

Discovery

40+ tools in a multi-phase Hatchet pipeline, four cloud connectors, CI/CD pipeline scanning (Gato + zizmor), twelve threat-intel providers, code-leak scanning.

Prioritization

Composite 0-to-100 risk score per Vulnerability. Inputs: CVSS, EPSS, KEV, business criticality, threat-intel enrichment. Exposure graph and directed attack-path with temptation ranking for chained risks.
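To make the prioritization inputs concrete, here is an added worked example of a composite 0-to-100 score built from the five inputs the page names (CVSS, EPSS, KEV, business criticality, threat-intel enrichment) and the per-CVE EPSS weighting described under CVE / NVD. The weights, the KEV floor and the criticality scale are assumptions chosen for illustration; they are not HailBytes' scoring formula.

```python
"""Composite exposure risk score (added example, not HailBytes' formula).

Inputs follow the page's Prioritization section. The weights, the 1-5
criticality scale and the KEV floor are assumptions; a deployment would
tune them. The output is clamped to 0-100 so findings are comparable.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    cvss: float               # 0.0-10.0 CVSS base score
    epss: float               # 0.0-1.0 EPSS exploitation probability
    is_known_exploited: bool  # CISA KEV membership
    criticality: int          # asset business criticality, 1 (low) .. 5 (crown jewel)
    intel_hits: int           # threat-intel providers flagging related IOCs


# Assumed weights; they sum to 1.0 so the weighted sum lands on 0-100.
W_CVSS, W_EPSS, W_CRIT, W_INTEL = 0.40, 0.30, 0.20, 0.10
KEV_FLOOR = 70.0  # assumed: a KEV-listed finding never scores below this


def composite_score(f):
    """Weighted sum of normalised inputs, then the KEV floor, then clamp."""
    cvss_part = (f.cvss / 10.0) * 100 * W_CVSS
    epss_part = f.epss * 100 * W_EPSS
    crit_part = ((f.criticality - 1) / 4) * 100 * W_CRIT
    intel_part = (min(f.intel_hits, 3) / 3) * 100 * W_INTEL  # saturates at 3 hits
    score = cvss_part + epss_part + crit_part + intel_part
    if f.is_known_exploited:
        score = max(score, KEV_FLOOR)
    return round(min(max(score, 0.0), 100.0), 1)


def prioritize(findings):
    """Highest composite score first."""
    return sorted(findings, key=composite_score, reverse=True)


# Constructed sample findings (ids and values are illustrative).
SAMPLE = [
    Finding("A", cvss=9.8, epss=0.02, is_known_exploited=False, criticality=2, intel_hits=0),
    Finding("B", cvss=7.5, epss=0.90, is_known_exploited=True, criticality=5, intel_hits=2),
    Finding("C", cvss=5.3, epss=0.01, is_known_exploited=True, criticality=1, intel_hits=0),
    Finding("D", cvss=4.0, epss=0.00, is_known_exploited=False, criticality=3, intel_hits=1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.id, composite_score(f))
```

The sample is chosen to show why CVSS alone misorders work: finding C has a medium CVSS but is KEV-listed, so the floor lifts it above finding A, whose critical CVSS is paired with a low EPSS and no active-exploitation signal.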

Validation

rescan_verified workflow on each finding. Manual and scheduled re-scans. Per-finding evidence and screenshot for re-confirmation. Compliance reports differentiate "fixed and verified" from "marked-fixed by user".

Mobilization

17+ SIEM, ticket, and notification destinations. Scheduled PDF reports per Project. SLA tracking against Vulnerability.remediation_due_date with breach surfacing on the dashboard.

Honest Coverage Gaps

Areas where HailBytes ASM does not provide first-class coverage today, with the path partners and customers use as a workaround.

Mobile Application Coverage

No mobile SAST or DAST in product today. Partner integration via the webhook dispatcher is the documented path; partner mobile-scan findings can be ingested as Vulnerability rows through the HMAC-signed inbound webhook.
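The page states only that the inbound webhook is HMAC-signed. The following is an added example of what a receiver for that path looks like, not HailBytes' webhook code: the header names, the signature construction (hex HMAC-SHA256 over `<timestamp>.<body>`), the replay window and the partner payload shape are all assumptions, and the secret and findings are constructed.

```python
"""Inbound partner webhook: HMAC verification, then mapping to Vulnerability
rows (added example, not HailBytes' implementation).

Assumptions: header names, the signature format (hex HMAC-SHA256 over
"<timestamp>.<body>"), the 5-minute replay window and the partner payload
shape. Verification runs before the body is parsed, so unsigned input never
reaches the JSON decoder.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Partner-Signature"  # assumed
TIMESTAMP_HEADER = "X-Partner-Timestamp"  # assumed
MAX_SKEW_SECONDS = 300                    # assumed replay window


def sign(secret, timestamp, body):
    """Sender side. The timestamp is inside the MAC, so a captured request
    cannot be replayed once the window has closed."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now=None):
    """True only for a fresh, correctly signed request."""
    now = time.time() if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected, provided)  # constant-time compare


SEVERITIES = {"critical", "high", "medium", "low", "info"}


def to_vulnerability_rows(body):
    """Map an accepted partner payload to rows shaped like the product's
    Vulnerability table. Field names are assumptions; unknown severities
    are downgraded to info rather than trusted."""
    payload = json.loads(body)
    rows = []
    for f in payload["findings"]:
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITIES:
            sev = "info"
        rows.append({
            "source": "partner:" + payload["partner"],
            "asset": f["app"],
            "title": f["title"],
            "severity": sev,
            "external_id": f["id"],
        })
    return rows


def ingest(secret, headers, body, now=None):
    """Reject before parse: a bad signature raises, a good one yields rows."""
    if not verify(secret, headers, body, now):
        raise PermissionError("webhook signature rejected")
    return to_vulnerability_rows(body)


# ---- constructed sample request ---------------------------------------
SECRET = b"shared-secret-placeholder"
SAMPLE_BODY = json.dumps({
    "partner": "mobile-scan-example",
    "findings": [
        {"id": "MS-101", "app": "com.example.bankapp",
         "title": "Cleartext traffic permitted by network security config",
         "severity": "High"},
        {"id": "MS-102", "app": "com.example.bankapp",
         "title": "Verbose debug logging enabled in release build",
         "severity": "Unknown"},
    ],
}).encode()


def sample_headers(ts, secret=SECRET, body=SAMPLE_BODY):
    """What the partner would send alongside SAMPLE_BODY at time ts."""
    return {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign(secret, ts, body)}


if __name__ == "__main__":
    now = int(time.time())
    for row in ingest(SECRET, sample_headers(now), SAMPLE_BODY, now=now):
        print(row["severity"], row["asset"], row["title"])
```

The raw bytes are signed and verified before any JSON parsing; re-serialising the body on the receiver and signing that would break verification whenever the two sides' serialisers differ, and would also mean untrusted input is parsed before it is authenticated.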

Dark and Deep Web Crawling

HIBP, Dehashed, and LeakIX surface the credential and exposure signals most procurement teams need from dark-web sources. A dedicated dark-web crawler is on the 2026 H2 evaluation list but is not in product today.

ICS / OT Scanning (Partial)

The opt-in, authorization-gated scada-scanner phase (scada-scanner + Redpoint NSE) actively detects and fingerprints Modbus, S7, DNP3, BACnet, EtherNet/IP, and IEC-104 services. Modbus deep-assessment (unauthenticated register reads, cleartext TCP, default HMI credentials via pymodbus) shipped in May 2026; deep vulnerability assessment for DNP3 and S7 beyond detection remains on the roadmap. The full IT-side surface of OT environments (corporate DNS, jump hosts, vendor-portal exposure) is already covered.

MITRE ATT&CK Mapping

Active-exploitation signals come from CISA KEV, GreyNoise active classification, and MISP IOC matching. Formal per-finding ATT&CK technique mapping is not implemented today. Roadmap item.