Asset Intelligence is available to customers with CTEM platform entitlement.
H1 Asset Intelligence brings together Asset Inventory, Asset Discovery, and Attack Exposure Signal capabilities into a unified view called Assets. Use Assets to manage your asset inventory, monitor exposure signals, and review Hai-driven scoping recommendations.
Asset Discovery
Asset discovery identifies externally accessible assets and enriches them with metadata. You can use Asset Discovery to maintain a more complete and up-to-date inventory without relying on manual tracking.
It discovers:
Subdomains, including multi-level subdomains
Open ports and associated protocols
Detected technologies such as servers, frameworks, and cloud providers
HTTP and HTTPS service details, including SSL/TLS metadata
Scans run on a fixed weekly schedule. After each scan, results are validated, deduplicated, and used to create or update assets in your inventory.
Asset Exposure Signal
Exposure Signal is a deterministic, evidence-based score that estimates how exposed an internet-facing asset is. It combines technology, network exposure, and configuration data into a single rating.
The score is based on observable facts such as open ports, detected technologies, DNS characteristics, lifecycle data, and known vulnerability lookups. A lower score indicates fewer or lower-severity exposure indicators; a higher score indicates broader or more concerning exposure patterns.
Hai-Driven Scoping Recommendations
Using data from asset classification, exposure signal, and change velocity, Hai recommends a scope class, security testing actions, and priority for newly discovered or changed assets.
This shifts the workflow from manually evaluating, classifying, and scoping each asset into a review-and-approve model where security teams act on prioritized Hai recommendations.
Permissions
Action | Permission |
View Discovery | Any organization member |
Enable or disable scanners | Assets Manager (organization-level) |
To check permissions, go to Organization settings → Members → Your account.
Get Started
Add a Root Domain or Asset to your Asset Exposure View
For Asset Discovery, we use only root domains (e.g., ‘example.com’).
Use root domains only.
Do not enter subdomains such as api.example.com.
Complete the required fields, then click Save.
Learn more about asset details and scoping here.
Using Asset Exposure
Enable or Disable Asset Discovery Scanning:
To enable scanning:
Select the domain(s) that you want to include in continuous scanning from the table.
Click Asset scanning.
Select Asset discovery.
To disable scanning:
Select the domain(s) in the table that you want to remove from continuous scanning.
Click Asset scanning.
Select Asset discovery.
When scanning is disabled, no new data is collected. Existing assets remain in your inventory.
Note: Initial Asset Discovery runs typically conclude within minutes or hours, though extensive, large-scale domain scans may require several days. Following the completion of this baseline run, discovered assets are assigned an Exposure Signal rating from minimal to severe.
Interpreting Exposure Signal:
Exposure Signal is a deterministic, evidence-based score that estimates the degree of externally observable exposure for an internet-facing asset. It is not an indicator of exploitation, but rather a measurement of the likelihood of exploitable exposure. It is calculated using a rule-based model across three signal categories:
50% of score - Technology signal
Evaluates detected technologies, software components, lifecycle status, and known vulnerability information.
Technologies may increase the signal when they are associated with end-of-life software, known CVEs, or other recognized exposure indicators.
35% of score - Network exposure signal
Evaluates the asset’s externally reachable services, including open ports and service types. Ports commonly associated with administrative interfaces, alternate web services, databases, remote access, or other sensitive services may increase the signal.
A larger number of exposed ports may also increase the signal because it broadens the externally reachable attack surface.
15% of score - Configuration signal
Evaluates externally observable configuration attributes such as DNS details, DNSSEC presence, IP footprint, nameserver information, and related asset metadata.
Configuration issues may increase the signal when they indicate weaker posture, unnecessary exposure, or missing defensive controls.
Note: Over time, the system will account for business impact multipliers, which adjust the raw scores as follows:
Asset Stability (long-lived=1.0, ephemeral=0.6) and exposure level (public=1.0, internal=0.7, private=0.5), averaged together.
Change velocity adjustment — An additive 0-20 points based on how frequently the asset changes (volatile=+15, moderate=+5, stable=0, plus a +5 bonus if changed in the last 30 days).
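The arithmetic described above, worked through as an added example (not HackerOne's code or the platform's implementation). It assumes each category sub-score is on a 0-100 scale, that the multiplier is applied before the additive adjustment, and that the result is capped at 100; the page states none of these, and the asset names and sub-scores are constructed.

```python
from dataclasses import dataclass

# Category weights stated on this page.
WEIGHTS = {"technology": 0.50, "network": 0.35, "configuration": 0.15}
# Multiplier and adjustment values stated in the note above.
STABILITY = {"long-lived": 1.0, "ephemeral": 0.6}
EXPOSURE_LEVEL = {"public": 1.0, "internal": 0.7, "private": 0.5}
VELOCITY = {"volatile": 15, "moderate": 5, "stable": 0}
RECENT_CHANGE_BONUS = 5  # changed in the last 30 days


@dataclass
class Asset:
    name: str
    technology: float      # assumed 0-100 category sub-score
    network: float         # assumed 0-100 category sub-score
    configuration: float   # assumed 0-100 category sub-score
    stability: str = "long-lived"
    exposure_level: str = "public"
    velocity: str = "stable"
    changed_last_30_days: bool = False


def raw_score(a: Asset) -> float:
    """Weighted sum of the three signal categories."""
    return sum(WEIGHTS[k] * getattr(a, k) for k in WEIGHTS)


def impact_multiplier(a: Asset) -> float:
    """Stability and exposure-level factors, averaged together."""
    return (STABILITY[a.stability] + EXPOSURE_LEVEL[a.exposure_level]) / 2


def velocity_adjustment(a: Asset) -> int:
    """Additive 0-20 points: change frequency plus the recency bonus."""
    bonus = RECENT_CHANGE_BONUS if a.changed_last_30_days else 0
    return VELOCITY[a.velocity] + bonus


def adjusted_score(a: Asset) -> float:
    # Assumption: multiplier first, then the additive adjustment, capped at 100.
    score = raw_score(a) * impact_multiplier(a) + velocity_adjustment(a)
    return round(min(100.0, score), 2)


# Constructed sample assets: identical sub-scores, different business context.
prod = Asset("www.example.com", 80, 60, 40)
lab = Asset("lab.example.com", 80, 60, 40, "ephemeral", "internal", "volatile", True)
```

With identical sub-scores, the constructed long-lived public asset stays at 67.0 while the ephemeral, internal, volatile one comes out at 63.55: the averaged multiplier lowers it and the velocity adjustment adds most of that back.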
Using Hai Suggested Scoping
Hai-Driven Scoping Recommendations evaluate assets for risk and automatically recommend the appropriate HackerOne program scope. This reduces manual scoping work and helps improve program coverage.
Combined with Asset Discovery and Exposure Signal, these recommendations help you maintain an up-to-date view of your external attack surface. The system continuously reviews newly discovered assets and metadata changes identified during weekly scans, helping keep your program scope current without manual tracking.
How Scoping is Determined
Kick off a Hai Suggested Scoping run:
On the Attack surface page, select the assets you want included in the scoping run
Select Add selection to scope and follow prompts to assess scoping suggestions and add assets to those programs, or decline the recommendations.
CTEM Platform customers receive 10,000 scoping runs per year. Each scoping run evaluates one asset for program scope recommendations. Contact your CSM for pricing above the included annual limit.
Troubleshooting
Common Issues
No root domains found
Add a domain as a Domain-type asset in Assets → Inventory.
Scanner toggle unavailable
Verify that you have Assets Manager permissions.
Scanner not running
Confirm that scanning is enabled and wait for the next weekly run. Check the status page if needed.
No assets discovered
Verify that the domain is publicly accessible and not blocked by DNS or firewall restrictions.
If issues persist, submit a ticket at support.hackerone.com.
FAQs
Is the scanning intrusive?
No. Asset Discovery uses passive techniques and light port scanning. It does not attempt exploitation.
Where is the data stored?
Data is stored within HackerOne infrastructure and is visible only to your organization.
Can I export discovered assets?
Yes. You can export data from Asset Inventory as CSV or via the HackerOne API.
Can I delete assets?
Assets cannot be deleted, but you can archive them.
What happens if I approach the limit of 10,000 asset Scoping Suggestion runs?
You will not be able to exceed the threshold without assigning utilization credits. Reach out to your CSM for more information.
