Roadmap

From visibility to verified impact.

Hax was born to answer the question "are we exposed?" in real time. The next chapter answers "and what does that exposure actually let an attacker do?"

Flagship — In progress

Platform-initiated penetration testing.

Today Hax tells you where you are exposed. The next major release moves the platform from passive reconnaissance and vulnerability identification into authenticated, safe exploitation — confirming impact instead of just exposure.

Automated, scope-bound exploitation playbooks for the highest-impact classes: exposed credentials, misconfigured cloud storage, leaked API keys, and authenticated RCE chains. Findings move from "potential" to "confirmed" with reproducible evidence.

  • Scope-bound, customer-approved playbooks only
  • Evidence package per confirmed finding
  • Auditable execution trail
  • Fully reversible safe-mode exploitation

Shipped

Available today

Shipped

Continuous reconnaissance

Subdomain enumeration, service fingerprinting, certificate transparency monitoring, port discovery, and asset attribution running on a configurable cadence.

Shipped

Vulnerability scanning

Active and passive scanning across discovered hosts with severity scoring, exploit mapping, and historical drift tracking.

Shipped

Dark web sweeps

Direct integration with Flare for stealer log forensics, paste site monitoring, breach datasets, and underground forum chatter.

Shipped

Multi-channel alerting

WhatsApp, Slack, Teams, email, and webhook delivery with severity routing and acknowledgement.

Shipped

Compliance mapping

Automatic mapping of findings to POPIA, GDPR, ISO 27001, and NIST CSF controls.

In progress

Next 90 days

In progress Flagship

Platform-initiated penetration testing

Move from passive reconnaissance and vulnerability identification to authenticated, safe exploitation — confirming impact rather than just exposure.

Automated, scope-bound exploitation playbooks for the most common high-impact classes: exposed credentials, misconfigured cloud storage, leaked API keys, and authenticated RCE chains. Findings move from "potential" to "confirmed" with reproducible evidence.

In progress

Asset attribution v2

Smarter ownership inference for shared infrastructure, third-party SaaS, and shadow IT. Fewer false attributions, fewer ignored alerts.

In progress

Custom intelligence sources

Pluggable enrichment pipelines for organisations with their own threat intelligence feeds or sector-specific sources.

Next up

Next 6 months

Next

Supply-chain risk graph

Map the third-party SaaS, open-source, and infrastructure dependencies surfaced during reconnaissance — and continuously monitor each for breach indicators.

Next

Executive briefing builder

On-demand exec-ready PDF briefings synthesised from the past month of findings, scoped to a specific entity or threat class.

Next

Tenant SSO + SCIM

Enterprise identity for multi-tenant deployments. Microsoft Entra, Okta, and SCIM provisioning.

Research track

Exploring

Research

AI-assisted exploit chain inference

Use the platform's historical exploitation data to predict likely attack paths through newly discovered infrastructure.

Research

Red team co-pilot

Surface platform findings directly into the workflows of human red teamers and pen testers — the platform does the recon, the operator picks targets.

Influence the roadmap

Building this with our customers.

Half the items above started life as a customer request. If a piece of intelligence is missing from your security stack, tell us.