How We Escalate Critical Reports Faster Using Hai + Automations

Martzen Haagsma
Product Security Engineer

At HackerOne, we use our own platform to strengthen our internal security, testing new workflows in real conditions before recommending them to customers. In one recent example, we built an automation that scans incoming reports for patterns linked to high-impact vulnerabilities and immediately alerts our team when something matches.


As Customer Zero, we work closely with our own security team to continuously improve workflows, helping surface high-impact vulnerabilities faster and reduce triage fatigue. External Connectors for Automations power this workflow, enabling us to trigger actions across tools based on report content. This helps us detect issues faster, reduce manual triage, and keep our team focused on the highest-risk findings.

Behind the Build: What Sparked the Idea

A few weeks ago, a Critical-severity bug bounty report remained in the “New” lane longer than it should have. Not because anyone dropped the ball, but because it looked like just another submission in a high-volume queue.


This sparked an internal discussion: How can we better spot emerging patterns in high-severity reports? For example, when multiple critical submissions point to a shared root cause, a systemic misconfiguration, or even signs of active exploitation?


We’ve seen that serious issues rarely appear alone. Similar critical reports often come in quick succession, which pushed us to rethink how we surface these patterns.


We knew we needed a better way to connect the dots sooner. So, we built an automation to flag clusters of critical activity and immediately alert our security team.

Catching the Signals Early

Here’s how it works behind the scenes. The automation runs on every new report and looks for signs that multiple critical submissions may be connected:


  1. Queries all new reports submitted in the last 24 hours.

  2. Prompts Hai, HackerOne’s AI security agent, with a custom prompt.

  3. If Hai says yes, it escalates the report with an alert to Slack (via a webhook).

  4. Our team sees a message like this:


Hai Escalator Message

How The Escalation Works (Prompt + Flow)

At the heart of the escalation is a structured flow that combines automation logic with a carefully designed AI prompt. It starts when a new report is submitted to our program, which triggers an automation that looks at all Critical-severity reports from the last 24 hours.


These report IDs are passed to Hai with a tailored prompt. The goal is to identify shared root causes, systemic flaws, or signs of active exploitation that might justify escalation.


Here’s an excerpt from the prompt:


“Your task is to assess whether any combination of these reports describes the same root cause and a pattern requiring immediate action. Only recommend escalation if the overlap is real and justifies a broader response, not just category similarity.”

Hai analyzes the input and replies with a structured decision, like:

<vulnerableReportIds>3153143,3153052</vulnerableReportIds>
<decision>true</decision>


If escalation is warranted, the automation, using External Connectors, immediately notifies the #hackerone-on-hackerone-alerts Slack channel with direct links to the reports.
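The four steps above and the prompt-plus-flow description can be expressed as a small pipeline. The following is an added example written for this article; it is not HackerOne's Automations code and does not call the HackerOne or Hai APIs. The report records, the `ask_hai` and `post_webhook` callables, the report IDs and the `https://hackerone.com/reports/<id>` link format are all assumptions or constructed sample data. The part worth studying is the handling of Hai's structured reply: the decision is only honoured when it is an explicit `true`, and report IDs are only accepted if they were among the IDs actually sent to Hai, so a malformed or hallucinated reply cannot escalate a report that was never in the 24-hour window.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example; the IDs and timestamps are made up.
NOW = datetime(2025, 1, 15, 13, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    {"id": 3153143, "severity": "critical", "submitted_at": NOW - timedelta(minutes=16)},
    {"id": 3153052, "severity": "critical", "submitted_at": NOW - timedelta(minutes=13)},
    {"id": 3153090, "severity": "high",     "submitted_at": NOW - timedelta(minutes=2)},
    {"id": 3150001, "severity": "critical", "submitted_at": NOW - timedelta(hours=30)},
]

# The two tags Hai's structured decision is expected to contain.
REPORT_IDS_RE = re.compile(r"<vulnerableReportIds>([^<]*)</vulnerableReportIds>")
DECISION_RE = re.compile(r"<decision>\s*(true|false)\s*</decision>", re.IGNORECASE)

# Excerpt of the escalation prompt quoted in the article, wrapped around the IDs.
PROMPT_TEMPLATE = (
    "Reports under review: {ids}\n"
    "Your task is to assess whether any combination of these reports describes "
    "the same root cause and a pattern requiring immediate action. Only recommend "
    "escalation if the overlap is real and justifies a broader response, not just "
    "category similarity.\n"
    "Reply with <vulnerableReportIds>...</vulnerableReportIds> and "
    "<decision>true|false</decision>."
)


def recent_critical_ids(reports, now, window=timedelta(hours=24)):
    """Step 1: Critical-severity reports submitted inside the look-back window."""
    cutoff = now - window
    return [r["id"] for r in reports
            if r["severity"].lower() == "critical" and r["submitted_at"] >= cutoff]


def build_prompt(report_ids):
    """Step 2: the tailored prompt handed to Hai (structure assumed for this example)."""
    return PROMPT_TEMPLATE.format(ids=", ".join(str(i) for i in report_ids))


def parse_hai_reply(reply, candidate_ids):
    """Parse Hai's structured reply into (decision, matched_ids).

    Only an explicit <decision>true</decision> counts as yes, and only IDs that
    were actually sent to Hai are kept; anything else is dropped silently.
    """
    m = DECISION_RE.search(reply)
    decision = bool(m) and m.group(1).lower() == "true"
    matched = []
    m = REPORT_IDS_RE.search(reply)
    if m:
        for token in m.group(1).split(","):
            token = token.strip()
            if token.isdigit() and int(token) in candidate_ids and int(token) not in matched:
                matched.append(int(token))
    return decision, matched


def should_escalate(decision, matched_ids):
    """Step 3 gate: a pattern needs a yes from Hai and at least two overlapping reports."""
    return decision and len(matched_ids) >= 2


def slack_payload(matched_ids):
    """Step 4: incoming-webhook body with direct links to the reports (URL format assumed)."""
    links = "\n".join(f"- <https://hackerone.com/reports/{i}|Report {i}>" for i in matched_ids)
    return {"text": "Hai flagged a shared root cause across recent Critical reports:\n" + links}


def run_escalation(reports, now, ask_hai, post_webhook):
    """Full flow. ask_hai(prompt) -> reply text; post_webhook(payload) sends to Slack.

    Returns the payload that was sent, or None when nothing was escalated.
    """
    ids = recent_critical_ids(reports, now)
    if len(ids) < 2:
        return None  # a single report cannot form a pattern; nothing to ask
    decision, matched = parse_hai_reply(ask_hai(build_prompt(ids)), ids)
    if not should_escalate(decision, matched):
        return None
    payload = slack_payload(matched)
    post_webhook(payload)
    return payload


if __name__ == "__main__":
    # Stand-ins for the Hai call and the Slack webhook so the example runs offline.
    canned_reply = ("<vulnerableReportIds>3153143,3153052</vulnerableReportIds>\n"
                    "<decision>true</decision>")
    sent = []
    result = run_escalation(SAMPLE_REPORTS, NOW, lambda prompt: canned_reply, sent.append)
    print(result["text"] if result else "no escalation")
```

Note the two gates beyond Hai's answer: the automation asks nothing when fewer than two Critical reports are in the window, and it refuses to alert on a `true` that names fewer than two of the reports it was given, which keeps a confident but unsupported reply from paging the on-duty engineers.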


The full flow looks roughly like this:


Escalation flow diagram created by Hai Insight Agent

This setup helps us catch high-impact issues early, surface patterns that might otherwise go unnoticed, and reduce the time between submission and response.

Slack Integration via External Connectors

Using Automations’ new External Connectors capability, we connected the flow directly to our Slack workspace. The result is a real-time alert in our #hackerone-on-hackerone-alerts channel that our on-duty engineers can act on immediately. Slack is only one target: the same connector can just as easily deliver the alert to other systems.

See It in Action: Pattern Detected, Incident Averted

A recent example shows exactly how this performs under pressure.

The Timeline

  • 12:44 UTC – Report 1 submitted
  • 12:47 UTC – Report 2 submitted
  • 12:58 UTC – Report 3 submitted

Hai recognized a shared root cause across the reports and triggered an alert in Slack for Product Security and Triage:

“All three represent variants of the same root access failure in HackerOne’s triage system. The consistent timing and similar impact suggest a systemic issue rather than isolated bugs.”

The Outcome

  • Researcher discovery: 28 minutes after introduction
  • Pattern detected: immediately
  • Issue remediated: 1 hour 52 minutes after initial report

What could have been a major incident became a fast, coordinated response, powered by intelligence and automation that turns raw report data into immediate action.

Why This Matters

  • Faster awareness: We surface urgent patterns early, enabling our team to act faster.
  • Better collaboration: Engineers and triagers now share early context.
  • More insights: We surface systemic vulnerabilities early.
  • Early dogfooding: We're testing the External Connectors feature before GA.


We’re excited about what’s next, from GitHub webhooks to JIRA integrations. External Connectors unlock a whole new category of automations that extend your vulnerability workflows beyond the platform.

Let us know what you’d build with it and share your automations with us here.