Mar 20, 2026
Features
- Groups — source system updates: Under Advanced Options when editing a group (above Group Rules), Update Source System is on by default. Turn it off to stop pushing verdict, status, notes, and comments back to the integration for detections involving assets in that group. Learn more
Mar 17, 2026
Features
- Comments & Timelines: Cases and detections now use a unified timeline where you can add, edit, and delete comments, attach images (drag-and-drop or paste), and review system activity alongside discussion
- Custom Groups: Create your own user or endpoint groups with per-group Chat Ops and Containment controls. Learn more
- Case details card updated with new layout and consistent MTTV/MTTD/MTTC thresholds across case and home dashboards
- AI chatbot now renders markdown tables with horizontal scrolling in chat responses
- System log now records group modification events
- Team settings members table now shows phone numbers
Mar 13, 2026
Features
- Integrations now receive richer closure comments when cases or detections are closed — verdict, summary, actor, MTTV, and details link
- Webhook-only integrations (Wiz, Darktrace, Wordfence): webhook modal auto-opens on first connect with “View setup instructions” link
- IP details page now shows Related Users based on private IP address associations
- Cortex XDR: enriched detection context with process fields, hardware ID, and causality actor — reduces over-escalation
- Palo Alto Cortex: Rare RDP session remapped to Lateral Movement, Uncommon SSH session to Outbound Connection
- Suspicious Kerberos authentication remapped to Lateral Movement
- SentinelOne: late stage lateral movement categorization additions
- CrowdStrike: user threatgraph metadata fetched in detection enrichment
- Okta: actor extraction from authentication logs
- CIR custom detections: detections starting with [CIR] categorized as custom
- Microsoft: improved license selection
- Tightened categorization group filters to prevent wrong rule matches
- AI summary now uses “related detection” instead of “threat indicator”
- Password reset errors now surface to users instead of failing silently
- Fixed team switching
- Fixed OFAC evaluation
Mar 12, 2026
New & Updated Integrations
- New ServiceNow Change Requests collaboration integration (beta). Checks recent change requests during endpoint triage and automatically recategorizes detections tied to planned changes, reducing noise from authorized admin activity
- New Zscaler ZPA (Syslog) network integration. Forward ZPA logs to Wirespeed via syslog with dedicated branding and attribution in the integrations catalog
- AI chatbot is now generally available
- IP detail page reorders sections for private IPs — Related Endpoints and Related Users are promoted above Cases and Detections
- “Add Integration” buttons are now hidden for non-admin users
- Microsoft UAL
UserLoggedInandUserLoginFailedevents now mapped as OCSF Authentication with full enrichment matching sign-in logs - Defender XDR: map “Suspicious PowerShell-driven file creation and deletion” alerts to Endpoint Evasion
- CrowdStrike
SuspiciousPrivEscremapped from Live Off The Land to Endpoint Persistence - CrowdStrike asset extraction now checks both target endpoint and domain controller hostnames
- Palo Alto Cortex XDR detections now show associated users in the asset list
- Orca Security detections now prefer
DetailsoverDescriptionfor source description, fixing empty narratives - AI summary no longer incorrectly classifies non-managed users (root, cron, service accounts) as technical/non-technical
- SafeBreach simulation matching improved with multi-node evaluation, run deduplication, and IP extraction from OCSF evidences
- Fixed team settings inbox input dark mode styling
- Fixed Halcyon integration fetching when no tenant ID is present
- Fixed user deletion failing when user had created custom detections
Mar 05, 2026
Features
- Integrations now track license usage and display a summary on the integration’s details page
- Containment settings show a posture summary banner with status and quick links to Identity/Endpoint sections
- Containment banner contrast improved in dark mode
- Fixed LOTL masquerade reasoning for endpoint detections when file names include full paths
- Restored contain user/endpoint actions for non-technical LOTL scenarios
- Fixed escalation emails not saving in the team settings form
- Fixed service provider csv exports
Feb 27, 2026
New & Updated Integrations
- New Halcyon anti-ransomware endpoint integration. Import alerts and manage endpoints from Halcyon, with detection enrichment, artifact extraction, and OCSF-mapped evidence for ransomware-related threats
- New Halo ITSM ticketing integration (beta). Create and sync incident tickets bi-directionally — cases and detections in Wirespeed automatically create Halo tickets, and status changes sync back via webhook. Supports configurable ticket categories, teams, and custom fields
- New Horizon3 NodeZero simuliation integration. Validates detections against active pentest/simulation activity — correlates escalated detections with Horizon3 ops to reduce noise from authorized security testing
- Updated Cisco Duo now supports user syncing and containment: disable and re-enable users in Duo directly from Wirespeed when containing or uncontaining identities.
- Calendar date picker now has year and month dropdown selectors for faster navigation
- SentinelOne now ingests unified alerts for broader detection coverage and richer enrichment data
- Linux endpoint detections are now automatically recategorized to Live Off The Land (LOTL) when all associated endpoints are Linux
- Removed noisy RMM detections from Darktrace
- CrowdStrike file matching now checks
OriginalFilenamefrom version info for more accurate file risk classification - Fixed null host grouping incorrectly clustering unrelated detections
- Fixed private credential exposure classification for theft-of-passwords detections
- External users are now excluded from ChatOps notifications
- Fixed button overlap on ChatOps settings page
- Fixed “Learn More” animation in Manage Exclusions
- Fixed FortiAnalyzer syslog ingestion
Feb 25, 2026
Features
- Service provider dashboard now displays a stacked bar chart for Cases by Client, breaking down case counts by severity (Critical, High, and Other) with tooltips and period filtering for 7, 30, 90, and 365-day windows
- New “External” user category automatically identifies third-party contractors, vendors, and external guests in your directory. External users can also be tagged manually from the user detail page or directory table actions menu
- Have I Been Pwned (HIBP) detections now automatically match to existing open or escalated cases by integration and category, reducing duplicate case creation for ongoing breach monitoring
- New verdict rule automatically closes VPN login alerts for external users — contractors and guests typically authenticate from uncontrolled locations, and this rule reduces noise from expected behavior
- Improved user identity correlation with bidirectional username-to-email matching — when only a username or email is available, Wirespeed now resolves the corresponding identity from your directory for more accurate alert attribution
Feb 24, 2026
UI/UX Improvements
- Team Analytics page now loads progressively — each section renders independently with skeleton loading for a significantly faster experience
- Integrations browse page now shows available integrations first when no filters are active, making it easier to find and add new integrations
- Home dashboard metric thresholds now match the Cases dashboard for consistent performance color-coding
- Navigation sidebar on mobile now properly closes when navigating to a new page
- Login hunts now close detections when failed logins are identified, reducing noise from unsuccessful authentication attempts
- Microsoft risk dismissals are no longer automatically trusted — Wirespeed continues its own independent analysis for more thorough threat detection
- Fixed RMM verdict rule incorrectly classifying detections with no associated files as admin-installed tools
- Fixed containment alerts incorrectly firing during cooldown periods or duplicate containment attempts
- Fixed team analytics statistics endpoint returning incorrect data
Feb 22, 2026
Features
- Test Mode is now indicated by a prominent full-width banner with an inline toggle to disable it directly, replacing the previous header pill
- Okta
threatSuspectedevents are now ingested and classified as login detections, expanding identity threat visibility for suspicious authentication activity - Monitors now correctly respect disabled verdict rules, ensuring your customized verdict configurations are honored during automated analysis
- Detections page loads significantly faster — results render immediately while total counts load in the background
- Added 1-day and 7-day timeframe options to Cases and Detections dropdowns for more granular filtering
- Password fields on login and registration pages now include a show/hide toggle for easier input verification
- Endpoint details page now displays the integration platform source
- Updated MTTV thresholds on the Cases dashboard for more accurate performance color-coding (green < 3 min, yellow 3–10 min, red > 10 min)
- Updated registration page with revised Terms of Service and Privacy Policy language
- Expanded detection categorization mappings with new low-confidence triage rules across network, lateral movement, discovery, and custom detection categories
- CrowdStrike detections tagged as “ignored” are now automatically closed as benign
- System log now shows the specific reason when a user is locked due to being disabled in a linked integration
- Fixed “Was Contained” filter on Cases and Detections to include both manually and automatically contained items
- Fixed stale case auto-close logic incorrectly closing new detections when creating replacement cases
- Fixed bulk close ChatOps filter not properly filtering by detection criteria
Feb 19, 2026
Features
- Stale cases older than 5 days are now automatically closed and replaced with a new case when a fresh detection arrives, keeping case queues current and reducing analyst fatigue from outdated investigations
- New lateral movement verdict rule automatically closes detections with low or informational source severity, reducing noise from benign lateral movement events
- New Network Discovery verdict category under Network automatically closes routine network discovery activity as benign, reducing noise from expected scanning behavior
- Trial teams now see a persistent banner displaying remaining trial days with a direct “Upgrade Now” link
- Hovering over automated user tags (e.g., VIP, NHI) now displays a tooltip showing the automation rule and matching pattern that applied the tag
- Integrations are now organized into refined categories — Endpoint, Identity, Network, Cloud, SaaS, Email, and Remote Access — for easier browsing and clearer subscription entitlement mapping
- Noise reduction statistics now display with proper decimal rounding for more accurate reporting
Feb 18, 2026
Features
- Service provider clients page redesigned with a stats panel showing aggregated metrics and advanced filtering by containment status, HVA/VIP flags, demo/test mode, and escalation email source
- Custom detection test queries now support configurable timeframes (1, 7, 14, 30, or 90 days) for more flexible backtesting
- Added “Copy link” button on the Events page to share direct URLs to the current query, including search filters and team context
- Improved verdict time accuracy by measuring actual processing duration rather than queue time
- Navigation counts between 1M and 10M now display one decimal place (e.g., “2.7m” instead of “3m”) and pagination totals are comma-formatted
- Integration custom fields can now be edited directly from the connected integrations list
- New entity chips in detection descriptions for users, endpoints, and integrations with inline logos
- Fixed Events page search not persisting in URL when switching between basic and advanced query modes
- Fixed duplicate verdict categories and misaligned search on the Verdicts settings page
- Improved CrowdStrike detection enrichment with better file path extraction and macro file hash support
- New Darktrace detection category mappings
- New Orca Security detection category mappings
- Mimecast blocked URL events now correctly categorized as blocked actions
- Improved AITM session hunt accuracy by grouping authentication events by session ID
- Fixed VIP title matching to prevent false positives (e.g., “Onboarding Coordinator” no longer incorrectly tagged as a board member VIP)
- Fixed boolean and JSON custom fields not saving correctly in the integration update form
Feb 13, 2026
Integrations
- New Custom SMTP integration allows customers to use their own SMTP server for ChatOps notification emails
- Improved email directionality tagging across Vectra, Google, Mimecast, and Checkpoint Harmony integrations
- Subscription tier system (Identity, Core, Unlimited) to manage integration entitlements per account
- Service provider clients page now displays team member counts per client
- ChatOps messages are now suppressed for actively contained users
- File path risk assessment for living-off-the-land binary detection
- New verdict rules for low-severity outbound network connections and VIP phishing scenarios
- Significantly improved Endpoints page performance for large datasets with optimized queries and debounced search
- Added Endpoints by Source card to the endpoints dashboard with source filtering
- Consolidated duplicate integration sources in endpoint and user stats
- Shortened number formatting in Users and Endpoint stats panels (e.g., 1.3M)
- Improved OAuth integration connection pages with clearer success and error states
- Fixed bulk case closure not properly updating detection status
- Fixed CrowdStrike IOC domain detections being miscategorized as Endpoint Execution
- Fixed integration enable/disable toggle not working correctly
- Fixed double scrollbar on Endpoints and Users list views
- Fixed filter dropdowns closing on first checkbox selection
- Fixed containment modal text clipping for long names
Feb 10, 2026
Integrations
- Palo Alto Networks Cortex integration added for importing alerts and managing endpoints from Cortex XDR/XSIAM
- Cisco Secure Access integration added for log ingestion
- Cases can refresh the notes and logs from CrowdStrike Falcon alerts
- Improved SentinelOne endpoint sync with UUID support
- User and endpoint tables now support billable filter for service provider billing
- SMS ChatOps invite reset allows admins to resend enrollment emails to users who previously reached max attempts
- System log now has Security Events Only filter for quick filtering of security-related events
- Integration logs view now supports pagination for better performance with large datasets
- Users page redesigned with stats panel, type filters, and source filtering
- Endpoints can now be tagged automatically as Domain Controllers
- Account activity emails will alert you when an integration needs your attention
- Enhanced file risk assessment in email detections to improve accuracy of malware identification
- User detail page now shows integration source and icon
- User first and last names are now optional in profile and registration
- Redesigned case detail page header for clearer case context
- Tagging rules and custom detection modals now use slide-over sheets
- Integration connect flow supports collapsible Advanced Options for optional configuration fields
- Added clear button to users and endpoints More Filter dropdown
Feb 4, 2026
UI/UX Improvements
- Endpoint dashboard now shows OS distribution chart, live/contained stats, and redesigned search filters
- Containment dialog now shows live loading status when refreshing asset states
- Integration detail pages with creation date, status badge, event stats, log level legend
- Enhanced integrations browse page with connection status filter and clearer styling for connected integrations
- Authentication locations now display region/state for more precise location context
- Removed duplicate header on Team Analytics page
- Fixed bug preventing team settings from saving when support email was not configured
- Optimized tagging of unmanaged users
- CrowdStrike detections now extract IPv4/IPv6 IOCs as IP address observables
- In CrowdStrike true/false positives tags are now applied when the case is updated in Wirespeed
- New and improved detection categorizations for persistence and other techniques
- Domain Takeout alerts from Google Alert Center now properly categorized
- Improved endpoint name matching to handle special characters
Jan 29, 2026
Integrations
- Bitwarden integration added for organization event logs
- Check Point Firewall and SonicWall added as first class firewall log ingestion integrations
- Improved email detection analysis with sender/receiver direction tracking
- Streamlined custom detection creation flow so you can build and save detections in one place
- Redesigned Integrations page with category filtering, grid/list views, and improved connect modal
- New hierarchical navigation and breadcrumbs for Verdict settings
- Fixed Events table empty state alignment
Jan 27, 2026
Features
- Successful brute force detections are now categorized as Login events
- Optimized how we track progress on Events queries
- API keys pages now use table layout with clearer empty states
Jan 26, 2026
Features
- Notification frequency can now be managed from the Profile page
- User tagging rules now support regex matching
- Updated theme switcher to make dark mode toggle more prominent
Jan 23, 2026
Platform
- Upgraded to the Bun 1.3.6 runtime
- 1Password integration added for audit events, item usages, and sign-in attempts monitoring
- Orca Security integration added for cloud security alerts
- Simplified JAMF Pro integration setup - you can now paste the JSON configuration directly
- Integration enable/disable actions are now logged to the system audit log
- Bulk Actions! Close multiple cases at once from the Cases table
- Generic syslog and JSON integrations support custom labels for easy identification
- Team API keys can be created independently of user accounts
- Redesigned profile page with organized sections for user details, notification settings, and API keys
- Users can now edit their profile information including name, phone number, and timezone
- Improved containment dialog with better asset selection and clearer actions
- New verdict configuration UI with tree navigation and search to easily find and configure rules
- Added ability to review and apply secure defaults across all verdict categories at once
- Clearer timeline messages when searching for related authentication events
- Service providers: Demo clients are now hidden by default in cases/detections tables
Jan 15, 2026
UI/UX Improvements
- Added OS search filter to endpoints table for easier endpoint filtering by operating system
- Improved containment UI in detection pages with better button and panel layout
- Enhanced dark mode contrast for toggles, selects, inputs, and text fields for better visibility
- Updated filter button to visually show applied filters with a clear button for easier filter management
- Improved mobile UX for action panels with better alignment and responsiveness
- Updated input component styling for consistency across the application
- Updated documentation tooltips for better user guidance
- Added
countIffunction for Events queries
- Updated Microsoft IDP categorization rules
- Optimized user automations to reduce false positives and incorrect tagging
- Fixed incorrect calculation of Mean Time To Respond (MTTR) and Mean Time To Detect (MTTD) metrics in team statistics
Jan 12, 2026
- Added Team API Keys allowing admins to create service account API keys for programmatic access at the team level
Jan 9, 2026
UI/UX Improvements
- Added secure defaults preview dialog allowing you to review and selectively apply recommended security settings before changes are made
- Added category filter to exclusion backtesting to test against specific detection categories
- Improved automation UX with tabbed interface, renamed “Automations” to “Tagging Rules”, and added live preview when creating rules
- Updated navigation hierarchy and removed onboarding link for cleaner navigation
- Added empty states to tables and widgets across the application for better user guidance
- Improved events table with advanced vs basic layout options and fixed dropdown menu behavior
- Fixed case search UI disappearing when filters return no results
- Removed warning screen when switching teams for a smoother team switching experience
- Added white-labeling the platform name to case logs
- Enhanced SafeBreach integration to handle detections with multiple IP addresses
- CrowdStrike domain controllers are now automatically tagged as Highly Valued Assets (HVA)
- Unmapped SentinelOne high-severity detections now escalate properly
- Improved primary file IOC detection to better highlight the actual threat indicator in detection summaries
- Added Impacket, SecretsDump, and GoToResolve to the tool catalog
- Fixed Python tool detection to avoid false positives with malware names
- Phishing connections from mobile devices are now automatically closed
- Some detections are now mapped to informational events to reduce noise
- Service providers can no longer add integrations (integrations only work at client tenant level)
Jan 7, 2026
- Added ability to skip onboarding for faster team setup
- Service providers can now opt out of subscribing to notifications when creating a team
- Improved UI layout for custom detections and exclusions pages with action buttons now at the top right
- Improved detection categorizations for evasion and discovery alerts
Dec 31, 2025
- Fixed bug where team inbox escalation emails were incorrectly updated when switching teams.
Dec 27, 2025
- Added support for multiple team inboxes, allowing teams to configure and manage multiple email inboxes for case notifications
- Improved search UX with a new clearable input component across the application
- Added light and dark mode logos for Okta and AWS integrations
- Improved UI performance for the sidebar, users page, and endpoints page
- Enhanced SentinelOne STAR alert processing with better user and device extraction
- Fixed bug where automation tag rules failed to tag users correctly
- Improved OAuth JWT security with token expiration and versioning
Dec 18, 2025
- SafeBreach integration added so that detections can be correlated to both actively running or past simulations
- Added support for SentinelOne STAR alerts
- Upgraded the Azure blog SDK used for syncing Entra sign-in logs
- Improved JWT usage when adding integrations
Dec 11, 2025
- Enhanced status transition handling for cases and detections to prevent race conditions
- Added new RMM tools to our catalog
- Improved Crowdstrike categorizations
- Updated how productivity events are tagged to improve query performance
- Jira comments are now marked as private when created in Jira Service Desk context
Dec 4, 2025
- Added a Chat Ops status so that you can easily view cases and detections actively awaiting user feedback
- More details about chat ops and containments have been added to the timeline and summary views
- Improved Activity Summary emails, offering a more concise view of your env health and what requires your attention
- A new dedicated Activity Summary email for Service Providers to give them a view of all clients
- Events and WEL queries now support regex matching
- Fixed bug where endpoints that failed to lookup would overwrite existing endpoint data
- Fixed SentinelOne URL link issue
- Improved performance for ingestion of historic detections
- Improved search endpoint performance
- Added new items to our RMM tool catalog
Nov 5, 2025
- Initial support for Gmail subscriptions
- Case and Detection tables now have the ability to filter by Integration
- Crowdstrike Falcon Cloud Security is now parsed and ingested. No need to update your existing integration, it will begin to pull if present.
- Added a new configuration in Verdicts where you can stipulate what to do if a monitor cannot run (for example if there is not enough data for the monitor, then escalate!)
- New category mappings for Defender’s suppressed and discovery events
- Endpoint Exploitation added as a new category
- Jamf Protect integration now logs when your token is expired
- Improved extraction of parent process files
Nov 3, 2025
- AI verdicts for live off the land executions are now shown in the detection timeline
- Thinkst Canary console settings now map to informational event
- Simplified table filters, all filters can now be found at the right-hand side of the search bar
Oct 28, 2025
- Improved Case and Impact UI on mobile devices
- Exclusion creations, edits, and deletions are now tracked in the system log
- Increased the amount of data extracted from Jamf Protect detections
- Chat Ops tests are now easier with typeahead user searching
- Various SMS chatops improvements
- Fixed how we extract command line arguments for SentinelOne
- Remapped how we handle Entra Connect tampering
- Fixed a bug in manager chatops verdicts
- Added average MTTV, MTTD, and MTTR to cases
Oct 24, 2025
- 🍞 Upgraded to the Bun 1.3 runtime
- Improved background job processing for added resiliency during long-running jobs
- Added non-interactive sessions in Microsoft sign-in logs
- Verdict rules can now insert a friendly explanation into your timeline
- Added new categories for private credential exposure for VIPs, evasive activities in email, and more
Oct 22, 2025
- SMS chat ops is now available! Learn more here
- Mimecast integration added
- AI analysis for some live off the land executions is now live
- Automated impact identification is now in beta testing, Wirespeed will identify all activities performed by a user after suspicious activity is alerted on.
- Fixed API bug when attempting to enable LOTL endpoint auto containment
- Directory/Endpoint tag automations are now logged to the system log
- Case reopening is now added to the case timeline
Oct 10, 2025
- Improved next steps granularity when containment is partially successful
- Added detection from 3 new RMM tools
- Add 200 new detection mappings for Vectra integrations
- CSV exports are now available on the cases and detections pages. Exports have a limit of 100k rows.
- Bug fix for billable user counts on the Clients page for service providers
Oct 8, 2025
- Improved retry handling for ticket creation in external systems
- Cases with >24 hours of delay from the source are now closed automatically
- Benign chat ops responses are now saved as exclusions
- Refactored login verdict handling to remove low confidence verdict rules
- New experimental AI analysis for live off the land executions is now being run in read-only mode
- Verdict is now available in the Case details view
- Reduced false positives for suspicious email identification after a suspicious login
- Team, Case, and User deletion bug fixes
- Service Providers can now whitelabel the following:
- Email “from” name
- Email reply-to address
- In-product support button email address
- Email signature and footer address
- Historic Cases can now be reopened for further inspection
Sep 29, 2025
- Increased webhook durability
- Enhanced file grouping
- Optimized memorary usage on detection consumption
- Improved JSON parsing date parsing
- Enhanced OAuth client credential grant handling
- Fixed monitor logic for better accuracy
- Improved duplicate detection lookups
- Updated bun version
Sep 25, 2025
- Vectra integration is now available!
- Enhanced NATS consumer durability
- Prevented chat ops when a monitor is already active
- Enhanced chat ops to avoid notifying users who have timed out recently
- Improved HVA value handling to not override manually set values during endpoint syncing
- Optimized malware algorithms
- Added categorizations for Falcon Cloud Security
- Allowed VIP chat ops during testing
Sep 17, 2025
- Improved AITM behavior detection
- Improved unicode handling
- Upgraded Crowdstrike Falcon endpoint syncs to use bulk fetching
- Refactored enrichment to analyze files concurrently
Sep 15, 2025
- Updated our algorithm to more accurately detect live off the land scenarios
- Improved JSON parsing across all integrations
- Adjusted our parser to better support inconsistencies observed in Microsoft data
- If a detection is added to a case, ticket integrations (e.g. Jira) will note so via a comment
Sep 10, 2025
- Service Provider name will now be used in client Timelines
- Team list now identifies external members, easing Service Provider team management
- Improve monitoring so that detection monitors in the same case stay in sync with one another
- Improve date parsing for syslog ingestion
- Update Jira Cloud integration to faciliate templated summary and optional sending of closed detections
- Fixed bug where the IP page would not load for private IP addresses
Sep 9, 2025
- 20 new and updated integration categorizations
- Simulated breach detection
- Identification and new verdict rules for masquerading files
- Added category for Business Email Compromise (BEC), was previously mapped to Login alerts
- Added category for Account Compromise
- Added category for Lateral Movement
- Fixed bug on events page where click-to-search functionality duplicated values
- Clients table for Service Providers is now sortable
- Improved detection of authorized RMM tools
- Active monitors are displayed below escalated cases in the navigation bar
Aug 31, 2025
- 11 new and updated integration categorizations
Aug 28, 2025
- Webhooks are now processed asynchronously to increase reliability
- Billable users & endpoints are available underneath your Team page, or the Clients page for service providers
- 47 new and updated integration categorizations
Aug 24, 2025
- User and Endpoint details pages have been updated to show related detections
- User details page exposes authentication patterns
- Dedicated category for business email compromise added
- Updated details grid available on all entity details pages
- Removed files, user agents, locations, processes, ip addresses, and domains from left-hand navigation
- New command pallette available via
cmd+korctrl+kto search the removed navigation items above - AI summary is now the default case description
Aug 22, 2025
- You can now delete your team by navigating to the Teams page and selecting “Delete Team”. This action is irreversible.
- New API endpoint
POST /team/switch- Service providers can use this with a service provider API key to manage multiple tenants.
Aug 20, 2025
- Fixed custom detection query timeouts by updating query generation logic to use proper partitioning keys.
- Generic Syslog and JSON log importers are now generally available.
- Improved endpoint and user correlation to prioritize active managed users over dormant ones.
Aug 17, 2025
- Improved cases dashboard now shows mean time to detect, verdict, respond, and contain.
- Timeline logging improvements for ingestion of historic detections on initial integration.
- Lowered required thresholds for Apple Private Relay and ISP logins from trusted locations.
- Improved live off the land tool detection for
pwsh.exeandwinpty-agent.exe. - Improved remote management tool detection for ScreenConnect and NinjaOne.
Aug 12, 2025
- Jira comments sync back to Wirespeed and are shown in the cases view.
- IPv6 addresses are flattened by default
- Integration categorization and parsing improvements for Crowdstrike and Okta
Aug 5, 2025
- In the Events view, you can now click properties to automatically add them to the search bar.
- When creating a user you can now opt them out of activity emails.
- New and updated mappings for Microsoft.
July 30, 2025
- Jira Cloud is now available! Review our documentation to learn how Wirespeed cases can create Jira issues and how closing issues in Jira can close the issue in Wirespeed.
- Updated Microsoft UAL parsing and tidying of AWS GuardDuty permissions checks.
- Prioritize managed users in directory user searches.
July 28, 2025
- Hunts and Monitors are now generally available!
- Hunts are deep analyses using 30-day patterns, threat intelligence, and device validation that hunts for any clues or indications that may inform a detection.
- Monitors are continuous surveillance executing rules at regular intervals to detect repeat patterns over extended periods (days to weeks), generating cases when specific threat patterns match.
- New mappings for JAMF Protect.
- Added the ability to test ChatOps with unamanaged user, making it easier than ever to see a live demo of ChatOps in action.
July 23, 2025
- Cisco Duo authentications logs are now available in Wirespeed! Check out our integration docs to learn how to get started.
- Custom detection changes are logged to your audit log.
- Detections table verdict and page size filters were not working as expected.
- New and fixed mappings for detections from Microsoft and Crowdstrike.
July 18, 2025
- Certain OCSF observables were not being properly identified on authentication events.
- Containment and chat ops actions are more clear in the What Happened summary.
- Improved detection mappings for vulnerable drivers, brute force, and email malware alerts.
July 12, 2025
- Check Point Harmony spam and graymail alerts are no longer considered detections. They will still be enriched and available in the data lake.
July 11, 2025
- Need a quick birds eye view of your Detections? Go checkout out the new stats at the top!
- You asked for it, we delivered: Apple Private Relay 🍏 handling has been added to our verdict rules.
- You’re not using Chatops? Onboard a group today to instantly increase the effectiveness and intelligence of your Wirespeed deployment.
- Subscribe to changelog updates at
https://docs.wirespeed.co/changelog/rss.xml.
July 7, 2025
- Leverage the full power of Clickhouse by using Wirespeed’s Advanced Queries. Seriously, go check out the docs for this one. Start or continue your journey to become a Wirespeed Superuser!
- Updated our user algorithm, making our directory decision making even smarter.
- Ever wonder if your mobile endpoints are responsible for more cases? You can now filter cases by “Was Mobile” to learn more about what your mobile devices are triggering.
July 1, 2025
- Custom Detections are here: use SQL to create your own custom detections.
- Jira integration added. Check out our Jira integration docs to learn how Wirespeed and Jira can stay in sync!
June 27, 2025
- Added ability for Service Providers to provide default ChatOps messaging for client teams.
June 25, 2025
- Updated verdict ordering for better prioritization
- Added TOR logins to verdict algorithm
- Fixed timeline display issues for improved event tracking
June 23, 2025
- Microsoft sign-in log processing is now generally available
June 19, 2025
- Okta sign-in log processing is now generally available
- Enhanced directory user automation rules for email domain matching
- Increased clarity of threat indicator data
June 18, 2025
- AI Case Summaries: you can now view a AI-generated summary of every case
- Added ability to ingest all assets from detection sources and option to tag them as HVT
June 11, 2025
- JAMF Protect integration has been enabled for Beta testing
June 10, 2025
Welcome to our new changelog! Items will be added here as soon as they are released.