Hai: Agentic Validation, Prioritization, Exploitation + Linear Integration
Today, we shipped four new capabilities within Hai that help enterprise security teams move from exposure to remediation faster! This addresses the full workflow gap we keep hearing about: teams know what to find, but struggle to prove what's real, prioritize what matters, and get fixes to engineering without friction.
What's shipping:
Prove What Matters
Agentic Validation (enhanced): Now includes similar vulnerability analysis, attack path diagrams, priority determination, and exploitability signals on top of the existing coordinated checks. One trusted recommendation per finding, backed by more context and program history.
Agentic Prioritization: Validated findings ranked by business impact, not just severity. Teams can configure their own business logic to surface what matters first and prioritize with more context than just CVSS, cutting through reviewer variance at scale.
Move to Fix Faster
Agentic Exploitation: Automated exploitation for credentials exposure, XSS, and other injection vulnerabilities, with screenshot-driven proof embedded in every report. Developers get evidence, not just findings.
Linear Integration: Engineering context from Linear feeds back into validation to improve accuracy. Validated findings are pushed directly into Linear, keeping security and engineering in sync without manual handoffs.
Why it matters
Without proof of exploitability, prioritization slows down. Developers re-investigate before acting. Findings lose momentum. These capabilities cut that friction by giving teams a clear recommendation, business-tied prioritization, and evidence that moves work forward.
How this differentiates us
Most platforms stop at finding vulnerabilities. Hai goes further with agentic workflows that are explainable, consistent, and built on real program history. Combined with trusted researchers and expert-led triage, that's what makes our validation reliable at enterprise scale. This deepens our position as a continuous threat exposure management platform, not just a testing marketplace.
Who has access
Agentic Validation + Prioritization: All Hai Triage customers; Platform SKU customers on new pricing
Agentic Exploitation + Linear Integration: All Hai Triage customers; Platform SKU customers on new pricing
Unified Tagging with Scope & Rewards Groups
Unified Scope & Rewards Groups is now GA, bringing grouped scope and rewards powered by asset tags. Customers can opt in via migration from the legacy setup; no forced migration yet, but the old flow will be retired in the future with advance notice.
What we did:
Reward category support in Asset Inventory tag categories
New Scope & Rewards Groups setup flow with flexible asset grouping
Opt-in migration path from legacy flow (with ability to revert if needed)
Hai migration assistant for customers on the old flow
Updated Bounty table benchmarking logic to support multi-reward tables
Why we did it:
The problem: Customers with large inventories (50+ assets) or complex structures have been managing scope manually: editing assets one by one, unable to communicate different testing requirements across asset types, and keeping separate views in sync.
The solution: Asset groups powered by tags. Tag your assets once (by business unit, environment, criticality, tech stack, etc.), and organize scope and rewards automatically as you add new assets.
What grouping enables:
Different reward amounts per group (e.g., $10K for production systems, $5K for staging)
Different scope descriptions per group (e.g., "Gateway required for Group A, optional for Group B")
Asset categorization for prioritization (e.g., "High Priority" vs "Low Priority" groups visible to hackers)
Clearer communication about what's in scope and how to test different asset types, all in one unified view for both customers and hackers.
Who it helps:
Customers: flexibility to communicate nuanced scope requirements
Enterprise customers with large inventories and complex structures (rewards, scope requirements, or asset priorities)
Multi-program teams with shared infrastructure that need different testing approaches per asset type
Hackers: Single source of truth - clear understanding of what's in scope, how to test it, and what bounties apply
Sales & CS: Scalable model for enterprise customers with complex environments
How to use it:
In Asset Inventory, create or select an asset tag category for grouped rewards
Mark that category as a reward category to auto-enforce uniqueness
Apply tags to relevant assets in that category
In the program, open Rewards > Scope & Rewards Groups
Select Enable new setup. Complete setup manually or use the Hai migration assistant to complete the setup
If setting up manually:
Select the asset tag category and map one or more tags to each reward group
Add the reward values, scope descriptions, and group names visible to hackers
Apply changes after review is complete by pressing Publish
Review the Scope and Rewards page to view what the researchers will see.
Need to revert? Click Revert to old flow at the top of the setup page (available during the transition period)
What's next:
We will monitor migration to the new flow to determine a path to decommission the old flow. Learn more in our Scope and Rewards doc.
Report Assistant V2 is Live!
Report Assistant V2 is now available. This release introduces a more controlled and transparent way to write and refine reports.
You can paste a draft or write directly in the form. The assistant reviews your content and highlights missing information, but it does not make changes unless you explicitly request them.
Severity, asset, and weakness fields remain fully editable throughout the process.
Read the guide to learn more.
What we did:
We rebuilt Report Assistant into an agentic experience that combines chat and structured form inputs.
In V1, the assistant actively modified reports based on prompts. In V2, you stay in control of all changes, with the assistant acting as a reviewer rather than an editor.
Why we did it:
V1 introduced friction for many users. Hackers reported frustration with strict guardrails and limited control over report content. In some cases, automatic rewrites reduced accuracy and trust in the output.
V2 addresses these issues by prioritizing user control and transparency.
Who it helps:
Primary audience:
Hackers who want to write reports faster while maintaining full control over content
Secondary benefits:
Customers and triage teams benefit from clearer, more accurate reports
Unified Tagging with Scope & Rewards Groups (Beta)
This beta introduces grouped BBP and Challenge program scope and rewards powered by asset tags, with an opt-in migration path from the legacy setup.
What we did
Added reward category support to Asset inventory tag categories
Launched a new Scope & rewards groups setup flow
Added an opt-in migration path from the legacy flow, with the ability to switch back to the old flow if needed
Created a Hai migration assistant for customers with the old flow already in place
Why we did it:
Customers with large or complex inventories and reward table structures need a more scalable way to manage scope and rewards. Additionally, Hackers want a clear view of the scope, reward group scope descriptions and rewards. This new view helps them see all they need to see in one place. This beta provides customers with a consistent grouping model tied to asset tagging, keeping program policy aligned across teams.
Who it helps:
Enterprise customers with large inventories and complex reward tiering
Teams running multiple programs with shared infrastructure
Hackers, through a clearer view of the scope and available rewards
How to use it:
This is a closed beta. Contact your Customer Success Manager to opt in.
In Asset inventory, create or select an asset tag category for grouped rewards.
Mark that category as a reward category to auto-enforce uniqueness.
Apply tags to relevant assets in that category.
In the program, open Rewards -> Scope & rewards groups.
Select Enable new setup. There is also a Hai migration assistant that can be used to complete the setup.
Select the relevant asset tag category and map one or more tags to each reward group, adding additional reward groups as needed.
Review reward values, with the ability to choose fixed or range per reward group, scope descriptions, and group names visible to hackers.
Apply changes after review is complete by pressing Save.
Review the Scope and rewards page to view what the researchers will see.
If needed, revert to the old flow by pressing the Revert to old flow button at the top of the setup page. (This may not be available after the beta.)
Learn more about unified scope and rewards groups.
