What's new

Checking off playbook steps now saves server-side — your progress follows you across sessions and devices. Completing every step automatically marks the finding as remediated.

Monthly and on-demand reports now include per-finding threat scoring, remediation playbooks, executive summary, and pattern detection. Export as PDF or Markdown from the report detail page.

Alert rule Slack bot tokens are now stored using AES-256-GCM envelope encryption (same pattern as cloud credentials). Tokens are no longer passed through internal job queues — the delivery worker decrypts them just-in-time.

Auto-create ServiceNow incidents from critical security findings. Connect via OAuth in Sentinel → Integrations, then add a routing rule targeting 'servicenow' channel.

Connect GCP (AWS, Azure, DigitalOcean as technical preview) via /settings/cloud-providers to enable cloud asset discovery in EASM scans. Credentials are encrypted at rest with AES-256-GCM envelope encryption.

Dashboard now supports 4 themes (Dark, Midnight, Light, Paper). Theme choice syncs across your devices. Settings → Theme to change.

The flashlight effect on the login page now covers the full viewport with a regular grid of 500 realistic secrets (no more black holes). Each secret regenerates 2 seconds after the loupe leaves, creating a live-scan feel that reinforces the EASM mission. Throttled detection keeps CPU usage negligible.

The 'Done' button on the final step of section tours (Findings, Attack Surface, etc.) now hides the tour immediately on click. Previously, a silent API error could leave the tour visible with no feedback.

Web app: - Switch fonts from Space Grotesk/DM Sans to Inter (Linear/Vercel style) - Replace static icon with animated Mechanical Shutter logo (variation 02)

Redesign the marketing site shell (Nav, Footer, SiteHeader) and key pages (System Status, Changelog) from cyber/hacker dark theme to a clean Linear/Vercel light aesthetic. Switch typography from Space

Redesigned the attack surface detail panel: type-aware metadata (package health, secret entropy, cloud access), bento grid layout, resolution checkboxes, security posture indicator, CVE links, SLA tracking, and resolution history with TTR metrics. AI Executive Briefs are now persisted for audit trail.

Design: migrate from red (#C0392B) to violet (#8b5cf6) palette, matching the dashboard. Glassmorphism navbar, gradient h1, violet accents on links, tables, sidebar, code blocks, pagination.

P1: Instant Scan public page (marketing/scan) + API endpoint with GitHub org and domain DNS scanning, rate limiting, SSRF protection, redacted results.

Activity log: - Add Source 9 (copilot_audit_log) to admin activity UNION ALL query - Shows injection attempts with score, prompt excerpt, and metadata

Backend: - Add prompt injection detection (sanitizePrompt + threshold 70) on /chat - Add audit logging for all chat interactions (SOC2 CC7.2 / ISO 27001)

P1: Shield fail_on, PagerDuty Events API v2, Signal Quality dashboard, Jira Cloud bidirectional sync P2: Business Context scoring (asset criticality), Splunk HEC / Elastic

P0: Team role management (PATCH/DELETE), invoice history, Dark Web Intel v2 in sidebar, SCIM self-service UI with token management.

Status page: - Public status page at bleedwatch.com/status + status.bleedwatch.com - API endpoint polling internal services (API, Dashboard, Docs)

Demo and admin BleedWatch accounts now get a 10x rate limit multiplier to avoid 429 errors during live demos and internal testing. Affects ai-generation (100/min vs 10), scans, and all other categorie

Seed script populates 25+ tables with realistic data for demo-corp.com: 20 findings, 10 subdomains, 8 sentinel findings, 4 vuln incidents, 15 CVEs, dark web credentials, BleedRadar packages, and more.

Filter views are now persisted server-side. Share a saved view with your entire team, specific roles, or individual users. localStorage fallback ensures offline support.

API endpoints created: - POST /api/v1/copilot/chat (Anthropic SDK + fallback keywords, rate-limited) - POST /api/v1/onboarding/quick-start (demo/github/docker/npm scan trigger)

Navigate findings with an email-client-style split view: list on the left, detail panel on the right. Toggle via the Split View button in the toolbar. Keyboard shortcuts (J/K, Escape) work in both modes.

Sidebar collapsible groups: - Nav groups (Detect, Secure, Scan, Comply, Respond, System) collapse with chevron toggle, persisted in localStorage

Loading UX: - Replace "Loading..." text with SkeletonTable/SkeletonStat on findings, overview, hosts, incidents pages

Keyboard Shortcuts (useTriageShortcuts hook): - J/K or arrows to navigate table rows with violet focus indicator - X to toggle selection, C/F/R/A for status actions (confirm/FP/remediate/accept)

Findings List: remove inline selects, compact stat banner, reduce table columns (10→8), rose border-left for live+critical, demote File View CTA.

Added collapsible filter panel with: - Toggle button with active filter count badge - Tag-style filter buttons (violet when active)

- ScoreGauge: SVG circle fills with ease-out cubic animation on scroll entry, counter increments from 0 to target value - Risk Score: uses ScoreGauge circular progress instead of plain number

- Header: text-xl tracking-tight - All accent references → violet - Table: denser cells (px-4 py-3.5), bg-surface header

Wrapped Exposure Intelligence in <details> with score badge in summary. Open by default when score >= 60 (high exposure), collapsed otherwise. All content preserved — just reordered for action-first

- Removed Rotation Guide button (actions now in header) - Removed Status card from sidebar (redundant with header actions) - Added Check validity CTA at top of sidebar

Both sections use native <details> elements — no JS overhead. Closed by default since they're audit/reference data, not decisional. CISO sees them when needed, they don't clutter the primary flow.

Remove the inner 3-column grid (2/3 content + 1/3 sidebar) from the overview section. Details and Validity cards now flow inline in the main column, reducing visual nesting and improving information d

Structural and visual redesign of the Finding Detail page: - Remove tab navigation (Overview/Evidence/Timeline/Validity/OSINT/Resolution)

- Add "ai-generation" rate limit: 10/min per tenant for /brief and /sigma (both call Claude Haiku — expensive API tokens) - Add "heavy-compute" rate limit: 10/min per tenant for /export/sbom and

- Lift scanning state from RowActionMenu to parent HostsPage - Show spinner next to subdomain name during scan - Pulse animation on the entire row while scanning

Full release detail is pending in the production changelog feed.

Full release detail is pending in the production changelog feed.

Full release detail is pending in the production changelog feed.

Claude-powered plain-English attack surface analysis with top 3 priority actions for CISOs

Server-side CycloneDX 1.5 and SPDX 2.3 export with real services, CPE, and TLS data

See open ports, dangerous services, and CVEs for each host with severity badges

- Domain selector: dropdown restricted to client's active monitored domains (fetched from /hosts API), no more free text input - Tutorial section: 3-step guide with CISO/DevSecOps tips, toggleable

Compare subdomains between any two scan dates with timeline, filter tabs, and CSV/JSON export

Daily compliance score snapshots with 90-day trends for NIS2, SOC2, GDPR, PCI-DSS, ISO27001

Cross-reference your assets with ingested IOCs from CISA KEV, OTX, URLhaus, and ThreatFox

Compare subdomains between any two scan dates with enriched context and CSV/JSON export

Detect historically exposed .env, .git, admin panels and backups via the Wayback Machine

Frontend: - New /attack-surface page with two tabs: Attack Graph (ReactFlow DAG) and ATT&CK Coverage (MITRE heatmap grid with severity-colored cells)

5-step incident response playbooks attached to every critical and high severity finding

Get AI-generated Sigma detection rules for CVEs with Splunk, Elastic, and Sentinel exports

Detect supply chain typosquatting in npm and PyPI packages using Levenshtein analysis

Visualize your exposure across ATT&CK techniques with an interactive heatmap

Backend enforces domain limits per company plan (starter=1, pro=10, business/enterprise=unlimited). Locked domains return summary only (subdomain count), never actual data — no CSS bypass possible.

Every finding must pass through ModernBERT (local, <5ms) before being reported. Decisive classifications (>0.85 secret, <0.30 non-secret) skip Haiku. Ambiguous cases (0.30-0.85) escalate to Haiku.

Full release detail is pending in the production changelog feed.

Full release detail is pending in the production changelog feed.

Full release detail is pending in the production changelog feed.

Full release detail is pending in the production changelog feed.

Creates 11 tables required by the EASM Phase 0-5 pipeline workers: - scan_cloud_assets (Phase 0: cloud import) - discovered_assets (Phase 1: raw discovery)

Replace the arbitrary 60s countdown with a proper UX: - Animated banner above table showing scan domains and status - Smart polling every 8s that auto-stops when data actually changes

Origin discovery: - Pass SHODAN_API_KEY to origin-discovery jobs for SSL cert-based origin IP search - Fix scanId to use real UUID instead of string (was causing metrics insert errors)

New ScanScopeModal replaces the browser prompt() with a proper modal that: - Shows existing domains with subdomain count and last scan time - Allows adding new domains with validation

Full release detail is pending in the production changelog feed.

Wire up the full EASM FlowProducer pipeline that was coded but never activated: - Dockerfile: add nmap, whatweb, katana, asnmap, uncover, tlsx, interactsh-client

Configure severity thresholds, delivery channels, and recipients for CVE alerts in Settings.

Enterprise/Premium get instant alerts, Professional gets 6h digests, Starter/Trial gets daily digests. Includes CVE storm protection and Resend batch API integration.

- Instant alert template with severity badge, CVSS/EPSS scores, CISA KEV badge, remediation steps with shell commands, vendor/NVD links - Batch digest template with severity-grouped CVE cards, summary

- BullMQ worker generates AI-verified alert templates after CVE sync - Uses Claude Haiku with tool_choice for guaranteed JSON structured output - Dedup: skips existing verified templates, re-generates

- BullMQ worker on easm-cve-rescan queue, 04:00 UTC daily via cron registry - Re-correlates CVEs for all companies with EASM services (catches new CVEs) - Detects patch availability changes and dispat

Full release detail is pending in the production changelog feed.

- Add correlateCvesForEasmServices(companyId) — queries easm_services with CPE, batched CVE pagination - Add version-compare.ts — multi-ecosystem version comparison (semver + numeric segment fallb

- Create easm_services Drizzle table with columns per spec Section 2.1 - Unique constraint on (company_id, subdomain_id, port, protocol) - Indexes on company_id, subdomain_id, cpe

Host detail page: - New WAF/CDN Protection card (amber theme) when CDN detected in tech stack - Shows: provider, IP protection status, origin discovery result

Scanner Dockerfile: add nuclei, subfinder, httpx, naabu, dnsx, trivy + dnsutils (all used by tools/oss-runner.ts via execFile — were completely missing from container)

Hero card with gradient mesh (emerald + accent) containing: - Badge "Autonomous AI" + title "Your AI Pentester" - Pricing comparison: ~$10 vs $15,000+ (strikethrough)

- Subtitle: dynamic status line with last scan time, host count, root domains, and new-this-week count (green highlight) - 4 KPI cards: Total Hosts (purple), Root Domains (red accent),

- PageMetrics: icon type changed from string to ReactNode - Hosts: 🌐 → globe SVG (accent) - Findings: 🔍 → magnifying glass SVG (accent)

3-state pattern: zero data → hero showcase, data present → normal UI. Dark Web: "No Exposed Credentials Found" hero with green "Monitoring

Two subtle CSS animations on the Sentinel onboarding hero: - Gradient mesh "breathing": 3 radial gradients (red accent + blue) that slowly scale and shift, creating an organic AI pulse effect.

Replace bland "not configured" message with full product showcase: - Hero section with AI badge, value proposition, and CTA - 6-card capabilities grid: monitoring, auto-remediation, SLA

New /wscs/overview page with: - Health Score ring (0-100, green/yellow/red based on findings) - 4 KPI cards: Active Targets, Open Findings, Assets Monitored, Recent Scans

ScanTracker component polls active scans every 10s globally: - "Scan in progress" toast when a scan starts (info, 5s) - "Scan complete — X findings" toast with "View Results →" link

Remediation: - Detects Next.js → recommends 1-line fix (subresourceIntegrity: true) instead of generic openssl hash commands

- Checkbox column for multi-select hosts - Select all / individual toggle - Export toolbar appears on selection:

- Migration 0096: create 9 Intel tables (packages, versions, scores, competitor_intel, advisories, changelog, deep_scans, llm_tasks, llm_usage) + 14 enums + pg_trgm extension for fuzzy search

- Scan Now shows spinner while scanning, green checkmark on success, "Rate limited" on 429 - WSCS scan: 1 scan/target/60s cooldown + 10 scans/company/hour

These endpoints are called on every page load from the layout. Wrap in try/catch to return empty data instead of 500 on transient DB errors.

FeatureGate component wraps premium content with a blurred preview, lock icon, value proposition, and upgrade CTA. Applied to CSP Generator (Enterprise) and PCI DSS Compliance (Professional).

- HTTP security analyzer checks 6 required headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) with deep CSP and HSTS analysis, plus info leak detection (

Browse security scores, advisories, malware feed, and deep scan results for 4M+ open-source packages with SEO-optimized pages.

Browse security scores and threat intelligence for 4M+ open-source packages at /intel.

- Standalone worker polls BleedWatch server /pull endpoint every 10s - Executes LLM tasks via local Ollama instance with configurable model - Heartbeat every 30s reports GPU utilization, VRAM, temp vi

- Public advisory API routes (list, detail, per-package, RSS/JSON feeds) - Admin advisory review queue (approve/reject/edit/disclose endpoints) - Package search API with pg_trgm fuzzy matching

- Aikido vuln scraper (every 6h) and Socket alert scraper (every 4h) - Aikido/Socket score scrapers (monthly refresh, top 50K packages) - LLM vuln-digest prompt for rewriting raw intel into BleedWatch

- Add Drizzle schema for all 8 tables: packages, package_versions, package_external_scores, competitor_intel, bleedwatch_advisories, changelog_entries, package_deep_scans, llm_remote_tasks, llm_usage

- Add ggshield-validator.ts: optional secondary validation via GitGuardian API with data sovereignty warning, non-zero exit handling, and finding merging - Add semantic-analyzer.ts: Claude Haiku FP re

- Add ag_secret_scans and ag_secret_findings tables to agentguard schema - Register 4 MCP tools: scan-file, scan-directory, scan-staged, get-findings - Integrate @bleedwatch/cli scanContent() as prima

- ThreatFox adapter: fetches IOCs with Auth-Key, parses JSON, normalizes types - URLhaus adapter: CSV bulk download, parses malware URLs with status tracking - MalwareBazaar adapter: recent sample met

- 6 Drizzle tables: cti_sources, cti_indicators, cti_indicators_rejected, cti_sync_log, cti_feed_candidates, cti_whitelist - GIN indexes on tags/mitre_techniques arrays for fast array lookups - 2 mate

Download framework assessment PDFs with control-by-control analysis and inferred SBOM summaries.

View framework compliance scores (NIS2, ISO 27002, NIST CSF) and inferred SBOM with CVE details for each host.

- CycloneDX 1.6 JSON builder with VEX annotations, evidence.identity, and bleedwatch:sbom-type=inferred-external metadata property - 7+1 API endpoints at /api/v1/compliance/ with TypeBox schema valida

- Scoring engine computes per-framework scores (NIS2, ISO27002, NIST CSF 2.0) from finding→control mappings with severity-based scoring - BullMQ worker (compliance-assessment queue) processes both S

- Create packages/db/src/schema/compliance.ts with 5 tables: complianceFrameworks, cfmControls, findingControlMappings, scanComplianceAssessments, inferredSbomComponents

Composite GitHub Action for automated secret + compliance scanning with SARIF upload to Code Scanning.

- Move WhatWeb wrapper to packages/shared for reuse across pipelines - Add theHarvester wrapper with free-source-only configuration - Create EASM WhatWeb enrichment worker (Phase 2, after http-probing

- Add static MITRE ATT&CK mapping table in @bleedwatch/shared with technique metadata (ID, name, URL) for all 22 sentinel finding types - Add attackTechniques jsonb field to sentinelFindings schema +

WPScan Sentinel adapter that only runs on domains where WordPress is detected in techStack. Includes shared tool wrapper with JSON parsing (plugins/themes keyed by slug, vuln_api quota tracking), oss-

- Move WhatWeb wrapper to packages/shared for reuse across pipelines - Add theHarvester wrapper with free-source-only configuration - Create EASM WhatWeb enrichment worker (Phase 2, after http-probing

Replaces basic test email HTML with production-quality template: - White logo header + severity badge - Finding details card with classification badge

Replaces flat 18-item list with 6 logically grouped sections: - Dashboard (home) - Detect: Issues, Vulnerabilities, Exposure, Threat Intel

The table container used overflow-hidden which cut off the Details button and right columns on smaller screens. Changed to overflow-x-auto with min-w-[900px] on the table so it scrolls horizontally on

- White horizontal logo on dark background for all 7 templates - Standardized footer: unsubscribe link, privacy/terms/security links - GDPR Article 6(1)(f) legal notice

Admin sidebar: - Add outbound, calibration, watcher, activity links to dashboard admin section

- Replace innerHTML with safe DOM methods (createElement/textContent) to prevent stored XSS via malicious severity/email fields - Use crypto.timingSafeEqual for admin API key comparison

Files were accidentally removed during merge. Restored from Ralph's original commits for deployment to dedicated VPS (178.104.1.45).

- Submit to Flow now creates a branch + commit + PR via dedicated GitHub App - Re-submitting an edited spec updates the existing PR (no duplicate PRs) - PR status widget with auto-refresh polling (15s

Generate, preview, and manage embed tokens with one-click iframe snippet copy.

- Add `embed_tokens` table to schema (UUID token, scopes, origin lock, revocable) - Add Settings Embeds API: list, create, revoke tokens (authenticated, tenant-scoped) - Add public `/api/v1/embed/:tok

Add, delete, scan, and toggle monitoring for hosts directly from the dashboard.

Add, update, delete, and re-scan hosts via API endpoints.

Add CI schema-drift job running scripts/check-migrations.sh on PRs affecting DB/API/web/scanner paths. Set continue-on-error until pre-existing drift is resolved. Update deployment guide with migratio

- Click-to-expand detail modal with full opportunity info - Status action buttons: Start Spec, Implement, Mark Shipped, Reject, Re-open - Status progress bar on cards (detected -> specced -> implement

Real-time CVE feed banner, risk summary cards, auto-refresh, and EPSS/KEV quick filters on the vulnerabilities page.

- GET /feed: last 10 CVEs affecting tenant with host/dep counts, sorted by recency + EPSS - GET /stats: enhanced with trending CVE, severity breakdown (medium/low), coverage metrics - POST /sync: trig

New Premium plan with 50 assets, 2h scan cycles, 200 AI classifications/month, and priority support.

View matched CVEs on host detail pages and affected hosts on vulnerability pages.

View and filter all team member actions from Settings > Activity — share links, comments, scans, and more.

New easm:api-discovery worker that complements subfinder/uncover with direct API calls to sources not supported by ProjectDiscovery:

The worker takes up to 46s (AI Sonnet timeout + fallback). The previous 30s polling (10 x 3s) expired before the resolution was ready, then showed 'Resolution generated' with no data.

useState/useRef inside an IIFE callback violates Rules of Hooks. React requires hooks at the top level of a component, not inside callbacks or conditionally rendered blocks.

The button had no visual feedback after clicking and required a manual page refresh to see the result.

Three visual improvements for the Overview dashboard: 1. KPI CARDS — hover lift + glow + icon scale

The animated background on the scan header was stuttering because Tailwind's pulse animation uses opacity, which forces full repaints on large elements with radial-gradient + blur.

New .githooks/post-commit hook that automatically adds changelog entries based on conventional commit messages:

New grouped view for findings: see all findings per file with tab navigation, unread indicators, and a prioritized Action Plan (Immediate / Review / Build Fix) with completion tracking.

Findings are now classified as Secret, Exposure Intel, or Not a Secret. Exposure Intel findings (account IDs, hostnames, bucket names) get precautionary guidance instead of false alarms.

Contextual developer guidance: exact ignore file entries to prevent future exposure, with a Create Fix PR button that opens a pull request on your GitHub repository.

Secret values are no longer sent to the AI classification service. The system uses computed fingerprints (prefix, entropy, character distribution) instead — full GDPR compliance.

Exposure Intel findings show Recommendation Guide (not Rotation Guide), orange Exposure Review (not red Mitigation), and green Regulatory Status confirming no GDPR action is required.

Enriched vulnerability details with EPSS probability gauge, KEV banner, affected packages breakdown, and exploit information.

Configure alert rules per channel (email, Slack, webhook), view alert history with acknowledgement tracking, and test all channels in one click.

New overview tiles for total dependencies, critical CVEs, MTTD/MTTR metrics, and vulnerability trends — all visible at a glance.

Verify your dependencies against known vulnerabilities and malware signatures before they reach production. Install with `npx bw-shield verify`.

Broken GitHub App connection? Reset everything in one click from the Shield dashboard — no need to contact support.

Shield now detects vendored/private packages in Python (pyvenv, dist-info, .whl) and Go (vendor/modules.txt) in addition to NPM.

If GitHub App installation fires before authentication, a recovery banner now lets you claim the installation without contacting support.