CRIT CVE-2025-31324 · SAP NetWeaver RCE · observed in wild
HIGH CVE-2025-29824 · Windows CLFS privilege escalation
CRIT Citrix NetScaler — auth bypass · 11k exposed
MED Cisco ASA · memory disclosure
HIGH Ivanti CSA · path traversal
CRIT FortiGate · stack overflow in sslvpnd

The HAX Platform v 4.2 · in production

Recon. Analyse. Act.

HAX is the AI-assisted offensive security reconnaissance platform XContent RED uses on real engagements — now available to your team. Continuous attack-surface discovery, dark-web intelligence, and AI-prioritised remediation in a single operator console.

  • Tiers: 3
  • Scans: 44 types
  • Sources: 120+ feeds
  • Uptime: 99.97%

hax.xcontent.red / tenant: acme-financial / surface · live
surface › acme-financial › overview

  • Critical: 7 (+2 · 24h)
  • High: 12 (+1 · 24h)
  • Assets: 1,842 (+14 discovered)
  • MTTR: 6.2d (–1.4d · 30d)

activity feed ● live

  • 14m · ! CVE-2023-3519 on admin.acme — Citrix unauth RCE · auto-paged on-call
  • 2h · ! RDP newly exposed on 203.0.113.44:3389 · delta vs 24h baseline
  • 6h · 14 credential pairs matching corporate domain on leakbase.cx
  • 9h · O365 OAuth grant — unusual mailbox scope · tenant:acme
  • 11h · Finding #41 verified remediated — jenkins anonymous · closed

ai prioritisation · claude-haiku

  • P1 · Citrix RCE · patch
  • P1 · RDP exposed · isolate
  • P1 · 14 leaked creds · rotate
  • P2 · Cert expiry · rotate

discovery · last sweep · 04:18

  • subdomains: +12
  • services: +3
  • cert changes: 2

§ 01 · How it works

Three phases. Continuous loop.

HAX doesn't stop at scanning. It runs a continuous loop: discover what's exposed, contextualise the threat, and provide the fix. Built by operators, for operators.

01 RECON

See what attackers see.

Continuous attack-surface enumeration across DNS, certificates, ASN ranges, public code, leaked configs, and thousands of dark-web sources — not a one-shot scan.

  • Subdomain & service discovery
  • Dark web & ransomware leak feeds
  • Brand impersonation findings

02 ANALYSE

Cut through the noise.

Findings are identified by CVE and CVSS, with an indication of whether the exploit is active in the wild (CISA KEV). AI prioritisation surfaces the things that matter most.

  • AI-driven exploit-path scoring
  • Findings mapped straight to controls

03 ACT

Reports tailored to audience.

Critical alerts directed to WhatsApp, SMS or webhook. Red Team Engineers and Customers can route findings to either XContent or your own support desk. HAX closes the loop — you can verify remediation once it's marked as done.

  • WhatsApp / Service Desk / Teams alert
  • Auto-generated executive PDFs
  • Re-test & verify on remediation

§ 02 · Capabilities

Built like an operator console.

Every surface in HAX was designed by people who run real engagements. No marketing dashboards. No vanity charts. Just the views that move incidents to closed.

CAPABILITY · 01

Continuous attack-surface map

Every external asset your organisation accidentally publishes — across subsidiaries, M&A debt, shadow IT, and forgotten cloud accounts — discovered, fingerprinted, and tracked over time.

  • Passive & active enumeration
  • Asset diff alerts on every sweep

[Figure: attack surface · acme-financial · scanning. Legend: asset, warning, critical]

CAPABILITY · 02

Dark-web & brand intelligence

We watch the places your security team can't — initial access broker forums, ransomware leak blogs, credential dumps, Telegram channels — and surface only what matches your domains, executives, and code repositories.

  • Flare ingestion + custom collectors
  • Executive impersonation tracking
  • Leaked credentials & session cookies
  • Ransomware leak-blog monitoring
  • Your data in other ransom data leaks

darkweb · acme-financial · live

  • j.vermeer@acme-financial.co.za · CFO · Finance · Executive · leakbase.cx · 2h ago · Q3-leak.zip
  • s.patel@acme-financial.co.za · SecOps · forum.zk19h ago · combo
  • r.molefe@acme-financial.co.za · Engineering · ransomh.onion · 1d ago · session cookie

CAPABILITY · 03

AI-prioritised remediation

Not another red-amber-green dashboard. HAX routes the right finding to the right engineer with reproduction steps, suggested patch, and verification logic — and pages on-call when the issue is hostile enough to warrant it.

  • WhatsApp / Service Desk / Teams alert
  • Verification on remediation

# sec-oncall · 14:32
hax-bot
P1 · CRIT CVE-2023-3519 on admin.acme-financial.co.za. Citrix NetScaler unauth RCE. Active exploitation in wild.
→ paged: ciso, secops-lead, ir-retainer
jira · ACME-SEC · 14:33
hax-bot opened ACME-SEC-1294
Patch Citrix NetScaler appliance — repro & verification steps attached. Owner: infra-platform. SLA: 4h.
→ verified on remediation · auto-close
CAPABILITY · 04

Compliance evidence, automatic

Every HAX finding maps to controls in ISO 27001, NIST CSF, PCI DSS, and POPIA. Auditors get evidence. CISOs get coverage gaps. Engineering gets back to work.

  • Control-framework mapping
  • POPIA / GDPR breach playbooks

[Figure: control coverage · ISO 27001 Annex A. Tabs: ISO, NIST, PCI, POPIA. Rows: A.5 Org, A.8 Asset, A.9 Access, A.12 Ops, A.16 Incident]

CAPABILITY · 05

Two reports. One engagement.

Engineers get a technical artifact with reproduction and remediation steps. Boards get a narrative with risk-adjusted insights. Both written from the same evidence — no translation loss.

  • Auto-generated technical PDF
  • Board-grade executive summary
  • Quarterly cadence summaries
▌ TECHNICAL · 84pp

Finding #07 — Citrix NetScaler RCE

7 crit · 12 high · 31 med

▌ EXECUTIVE · 12pp
One unpatched perimeter appliance undoes twelve months of controls investment.
R 38–64m breach cost · R 340k remediation

§ 03 · The differentiator

What makes HAX different.

Most attack-surface tools stop at the perimeter. HAX was built by red teamers, so it goes where adversaries go — and watches the places they trade access.

dark-web matches · acme-financial · 30d · live

  • cfo@acme-financial.co.za · VIP · Executive · Finance · stealc/log · 14m ago · stealer log
  • vpn-user-pool · 14 pairs · VPN credential combo · leakbase.cx · 2h ago · Q3-leak.zip
  • "Acme treasury" mention · Ransomware leak blog · akira-h.onion · 9h ago · index page
  • session cookie · admin.acme · Initial access broker · forum.zk11d ago · USD 4,200
  • aws-keys · acme-internal · Public GitHub gist · gist.github.com · 2d ago · key revoked

01

We watch where access is sold.

If your environment is being shopped, HAX will alert you.

02

VIP & executive monitoring.

Stealer-log ingestion matched against your executive roster. We alert when a board member's credentials surface — usually within hours of the dump.

03

Code & secret leak detection.

Public GitHub gists, paste sites, Discord dumps. HAX matches domain mentions against your organisation faster than anyone else.

§ 04 · Get access

Get your first recon report in 48 hours.

Tell us your domain. We'll scope a no-obligation assessment and surface what's exposed — attack surface, dark-web exposure, and AI-prioritised remediation. If it's useful, we'll talk pricing.

▌ Request access
We work directly with your team — no resellers, no partner programme intermediaries.