Hai Plays

Create simple, personalized plays to help you solve specific, repetitive tasks faster and more efficiently.

Updated this week

Hai Plays offers practical solutions to streamline critical tasks. These range from generating a clear, concise vulnerability brief tailored for C-suite executives to assessing the likelihood of uncovering specific vulnerabilities during a pentest, allowing teams to focus their efforts where it matters most.

Why You'll Love Hai Plays:

  • Custom Instructions: Tailor plays with precise instructions to fit your unique needs and workflow.

  • Domain Knowledge: Teach Hai your organization's specific domain knowledge to ensure interactions are fully personalized and customized.

  • Efficiency: Say goodbye to repeatedly providing additional information about your tech stack, tone of voice, and business-critical information. Hai Plays remember this data and seamlessly integrate it into each prompt.

Setting up a Hai Play

Hai plays are configured on a per-user level. To set up a Hai play:

  • Navigate to https://hackerone.com/settings/hai_plays. Alternatively, you can click on Manage Plays from the Hai chat modal.

  • Click on Create new

  • Please provide the name, description, and custom instructions for this play. These instructions will help formulate responses when you ask Hai a question in the play. Check out our examples for inspiration on what you can do with Hai Plays.

  • When you’re done, click Create

Using Hai Plays

After you’ve created your Hai play, you can start using the play within the Hai chat interface.

  • Open the side menu by clicking on the top left icon

  • Select the play you want to use

  • Start typing your prompt or question

  • Hai will respond using the custom instructions given to the Hai play

Hai Play Example: Executive Vulnerability Briefing

Description: This custom prompt is designed to provide a structured, leadership-friendly overview of security vulnerabilities tailored for executive audiences like CISOs, Execs, and Board members.

Its purpose is to effectively communicate the key details and implications of identified vulnerabilities in a concise yet impactful manner.

Hai Play Instructions:

Import relevant report data based on the provided Report ID

Vulnerability Summary:

[Brief non-technical description of the vulnerability]

Technical Details:

• Vulnerability Type: [Type e.g. XSS, CSRF, etc.]

• Severity: [Severity rating]

• Affected Components: [Affected areas of application/system]

Exploitation Steps:

• [Step 1]

• [Step 2]

• ...

Impact Assessment:

[Details on the potential security, compliance, and business impact]

Relevant Categories & Compliance Implications:

• [Category/Compliance Standard 1]

• [Category/Compliance Standard 2]

• ...

Mitigation Status:

[Summarized overview of mitigation actions taken/pending]

Current Remediation State: [Contextual details on mitigation progress]

Hypothetical Risk Scenario:

[Descriptive example scenario highlighting potential real-world consequences]

All information is derived solely from the report content to ensure accuracy and relevance. I aim to provide clear, structured overviews tailored for leadership audiences.

Output:

The output balances brevity and context, using bullet points for concise information and detailed descriptions where more explanation is needed.

This prompt presents vulnerability information through an executive lens, focusing on business risks, implications, and potential impact scenarios. It empowers leadership teams to prioritize cybersecurity effectively and make informed decisions about resource allocation and risk mitigation strategies.

Hai Play Example: Vulnerability Discovery Optimizer

Description: This prompt assesses whether a reported vulnerability would likely have been caught during penetration testing that follows standard methodologies like OWASP Top 10, MITRE CWE, and asset-specific test cases.

It aims to objectively determine if an issue could have been identified through HackerOne's PTaaS before production deployment, helping evaluate testing coverage and better prioritize findings.

Hai Play Instructions:

For the given security report(s), analyze the vulnerability details through the lens of the "Vulnerability Discovery Optimizer" to optimize vulnerability identification across HackerOne's penetration testing and bug bounty assessments.

Your response should:

Briefly summarize the vulnerability from the report details.

Evaluate if this issue would likely be caught during HackerOne's standard penetration testing following methodologies like OWASP Top 10, MITRE CWE, cloud provider guidance, and asset-specific test cases.

Assess the probability of this vulnerability being discovered through HackerOne's bug bounty programs and crowd-sourced security efforts.

Provide specific justifications linked to HackerOne's testing frameworks and highlight the importance of understanding the asset type/attack surface.

Avoid assumptions beyond the report. Restrict analysis to the provided content.

Recommend ways this vulnerability class could be optimally discovered earlier across the combined penetration testing and bug bounty assessment layers.

This "Vulnerability Discovery Optimizer" analysis determines if processes can be enhanced to identify issues before production through ethical hacking activities and crowdsourced security testing. The output optimizes HackerOne's vulnerability management by maximizing risk discovery.

Output:

By systematically analyzing reported vulnerabilities against the testing methodologies and frameworks followed by HackerOne's penetration testing teams, organizations can reinforce the value of utilizing Penetration Testing as a Service (PTaaS) and Bug Bounty as a combined solution:

  • Find gaps in testing for high-severity vulnerabilities discovered through bug bounties, and improve future PTaaS engagements.

  • Focus on fixing critical issues that were missed during a pentest but caught by your bug bounty program.

  • Save money by making sure PTaaS testing is thorough from the start, reducing the need to rely on bug bounty payouts for issues that should have been found.

Use this analysis to get the most out of HackerOne's PTaaS and bug bounty programs for stronger application security.

Hai Play Example: Localised Hai

Description: This prompt allows users to translate a vulnerability report into a specific language. The conversation starters allow users to specify pre-defined languages the report should be translated into.

Hai Play Instructions:

You will be provided with a language of the user's choosing.

Subsequent responses you give should be in the given language unless the user prompts you to use another language.

Conversation starters:

English
Spanish
German
Dutch
