Platform updates, new features, scanner improvements, and compliance enhancements.
Eliminated potential cross-site scripting vectors in vulnerability detail views by replacing inline JSON.stringify onclick handlers with safe ID-based lookups via a data map. Affected vulnerability table rows, mobile cards, and kill-chain node clicks.
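An added illustration (not the platform's code) of why an inline `JSON.stringify` handler is an XSS vector and what the ID-based data-map lookup changes; the row markup, the `findings` records, and the `showDetail` handler name are constructed for the example.

```javascript
// Constructed findings: titles come from the scanned target, so they are untrusted.
const findings = [
  { id: 'f-1', title: 'Reflected XSS in /search', severity: 'high' },
  { id: 'f-2', title: "O'Brien' title='injected", severity: 'low' },
];

// BEFORE: the whole object is serialised into an inline handler. JSON.stringify
// escapes for a JavaScript string, not for an HTML attribute: a single quote in
// the data terminates the onclick attribute early. (The raw title in <td> is a
// second injection point that the same change removes.)
function renderRowUnsafe(f) {
  return `<tr onclick='showDetail(${JSON.stringify(f)})'><td>${f.title}</td></tr>`;
}

// Extract the onclick attribute value the browser would actually see.
function onclickAttribute(html) {
  const m = /onclick='([^']*)'/.exec(html);
  return m ? m[1] : null;
}

// AFTER: the row carries only an opaque id; the record lives in a Map and is
// resolved by one delegated click handler, so untrusted data never becomes code.
const findingsById = new Map(findings.map((f) => [f.id, f]));

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderRowSafe(f) {
  return `<tr data-finding-id="${escapeHtml(f.id)}"><td>${escapeHtml(f.title)}</td></tr>`;
}

// Delegated handler: in the browser this receives event.currentTarget.dataset.findingId.
function handleRowClick(findingId) {
  return findingsById.get(findingId) ?? null;
}

module.exports = { findings, renderRowUnsafe, onclickAttribute, renderRowSafe, handleRowClick };
```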
Real-time scan progress now features automatic reconnection with exponential backoff (up to 12 attempts). A visual banner shows reconnection status. Falls back to polling if the connection cannot be restored.
Vulnerability tables now distinguish between "no data" and "no filter matches" with contextual CTAs — clear filters or start a scan. Error states include specific messages and retry buttons instead of generic failures.
Pagination buttons enlarged to 36px minimum for comfortable touch interaction. Sidebar now reliably closes on panel switch for screens under 1024px. Active states added for touch feedback on mobile.
New /api/visitor endpoint for anonymous visitor tracking — records referrer, screen size, timezone, and public IP to a structured JSONL log file for marketing analytics.
Asset creation and editing now validates required fields before submission, shows a loading spinner during save, and properly disables the submit button to prevent duplicate requests.
Export your complete vulnerability inventory in CSV, JSON, or SARIF 2.1.0 format. Filter by status, severity, date range, and asset. Streaming CSV output for large datasets. Perfect for importing into Jira, ServiceNow, or Splunk.
Share your security posture with clients, auditors, and partners via a tokenized trust portal URL. Displays security grade, compliance status, vulnerability trends, and downloadable pentest certificates. No login required for viewers.
Comprehensive GraphQL API testing: introspection discovery, schema analysis for sensitive fields, injection testing (SQLi/XSS), depth/complexity DoS detection, batch query bypass, and alias abuse detection. 9 finding types with confirmed proof.
Automatic API specification discovery across 16 common paths. OWASP API Top 10 testing: BOLA, broken authentication, rate limiting, CORS misconfiguration, TRACE method, debug info leakage. Admin endpoint exposure and deprecated endpoint detection.
Server-Side Request Forgery scanner with cloud metadata endpoint probes (AWS/GCP/Azure), internal network access testing, protocol smuggling detection, and DNS rebinding checks.
Forced browsing detection, IDOR testing with sequential/UUID ID manipulation, HTTP method tampering (PUT/DELETE/PATCH on GET-only endpoints), and access control bypass testing.
12 scanners now populate proof_level (confirmed/likely/possible), evidence_structured (HTTP request/response), and evidence_chain for audit-ready findings. Covers header, SSL, XSS, Nuclei, ZAP, Nmap, DNS, IDOR, PQC, SQLMap, Commix, and Wapiti scanners.
Replaced in-memory rate limiters with PostgreSQL-backed sliding window implementation. Survives restarts, includes X-RateLimit-Limit/Remaining/Reset headers, periodic cleanup every 10 minutes. Applied to login, registration, forgot-password, and scan endpoints.
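Added example (not the platform's code) of the sliding-window check, the three `X-RateLimit-*` headers and the periodic cleanup described above; the store is an in-memory `Map` standing in for the PostgreSQL table, and the key format `"login:" + ip` is an assumption.

```javascript
class SlidingWindowLimiter {
  constructor({ limit, windowMs, store = new Map() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.store = store; // stand-in for the PostgreSQL-backed table
  }

  // Decide one request for `key` (e.g. "login:" + client IP). `now` is injected
  // so the window logic can be exercised deterministically.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const hits = (this.store.get(key) ?? []).filter((t) => t > cutoff);
    const allowed = hits.length < this.limit;
    if (allowed) hits.push(now);
    this.store.set(key, hits);
    // Reset = epoch seconds at which the oldest hit leaves the window.
    const resetAt = Math.ceil(((hits[0] ?? now) + this.windowMs) / 1000);
    return {
      allowed,
      headers: {
        'X-RateLimit-Limit': String(this.limit),
        'X-RateLimit-Remaining': String(Math.max(0, this.limit - hits.length)),
        'X-RateLimit-Reset': String(resetAt),
      },
    };
  }

  // Periodic cleanup (the release note runs it every 10 minutes): drop expired
  // hits and delete keys that have none left. Returns the number of hits removed.
  cleanup(now = Date.now()) {
    const cutoff = now - this.windowMs;
    let removed = 0;
    for (const [key, hits] of this.store) {
      const kept = hits.filter((t) => t > cutoff);
      removed += hits.length - kept.length;
      if (kept.length) this.store.set(key, kept); else this.store.delete(key);
    }
    return removed;
  }
}

module.exports = { SlidingWindowLimiter };
```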
Three new formal policy pages published: Information Security Policy (10 sections), Change Management Policy (10 sections), and Data Classification Policy (10 sections). Linked from Trust Center for SOC 2 CC1 compliance evidence.
Classifies TLS ciphers, certificates, and SSH algorithms as quantum-vulnerable, hybrid, or safe. Generates a Quantum Readiness Score (0-100) with NIST FIPS 203/204 migration guidance. First self-hosted platform to offer PQC assessment.
Continuous monitoring daemon tracks subdomains, open ports, SSL certificates, DNS changes, and technology stacks. Configurable intervals per asset. Automatic alerts on new subdomains, port changes, and expiring certificates.
SVG progress ring visualization for 9 compliance frameworks (OWASP, PCI DSS, HIPAA, SOC 2, GDPR, ISO 27001, NIST CSF, CIS Controls, NIST PQC). Click-to-expand control-level detail view with animated transitions and color-coded pass/fail/warning status.
New API endpoints for GDPR Art. 15 right of access (data inventory with categories, record counts, retention) and Art. 17 right to erasure (30-day soft deletion with audit logging). Full DSAR compliance without manual intervention.
At-least-once webhook delivery with 5-stage exponential backoff (30s → 2m → 15m → 1h → 4h). HMAC-SHA256 signed payloads. Dead-letter after 5 attempts. Auto-disables after 10 consecutive failures to protect endpoints.
Context-aware AI assistant in the portal dashboard. Analyzes scan results, provides remediation guidance, explains vulnerabilities in plain language, and generates executive summaries. Accessible via chat panel or command palette (Ctrl+K).
D3.js force-directed attack graph showing vulnerability relationships and potential attack paths. MITRE ATT&CK mapping with 7 tactics and 20+ techniques. Visual representation of how vulnerabilities chain together.
Composite risk scoring combining CVSS, EPSS exploitation probability, and CISA Known Exploited Vulnerabilities (KEV) catalog. Prioritize remediation based on real-world threat data, not just theoretical severity.
OWASP LLM Top 10 testing with 21+ payloads: prompt injection, jailbreaking, data exfiltration, training data poisoning, model denial of service, insecure output handling, and excessive agency detection.
New features and scanner improvements ship weekly. Start your free scan to see the latest capabilities in action.