Stay up to date with the latest features, improvements, and fixes to the Wirespeed platform.
Jan 29, 2026
Integrations, Features
  • Improved email detection analysis with sender/receiver direction tracking
UI/UX Improvements
  • Streamlined custom detection creation flow so you can build and save detections in one place
  • Redesigned Integrations page with category filtering, grid/list views, and improved connect modal
  • New hierarchical navigation and breadcrumbs for Verdict settings
  • Fixed Events table empty state alignment
Jan 27, 2026
Features
  • Successful brute force detections are now categorized as Login events
  • Optimized how we track progress on Events queries
UI/UX Improvements
  • API keys pages now use table layout with clearer empty states
Jan 26, 2026
Features
  • Notification frequency can now be managed from the Profile page
  • User tagging rules now support regex matching
UI/UX Improvements
  • Updated theme switcher to make dark mode toggle more prominent
Jan 23, 2026
Platform, Integrations
  • 1Password integration added for audit events, item usages, and sign-in attempts monitoring
  • Orca Security integration added for cloud security alerts
  • Simplified JAMF Pro integration setup - you can now paste the JSON configuration directly
  • Integration enable/disable actions are now logged to the system audit log
Features
  • Bulk Actions! Close multiple cases at once from the Cases table
  • Generic syslog and JSON integrations support custom labels for easy identification
  • Team API keys can be created independently of user accounts
UI/UX Improvements
  • Redesigned profile page with organized sections for user details, notification settings, and API keys
  • Users can now edit their profile information including name, phone number, and timezone
  • Improved containment dialog with better asset selection and clearer actions
  • New verdict configuration UI with tree navigation and search to easily find and configure rules
  • Added ability to review and apply secure defaults across all verdict categories at once
  • Clearer timeline messages when searching for related authentication events
  • Service providers: Demo clients are now hidden by default in cases/detections tables
Jan 15, 2026
UI/UX Improvements
  • Added OS search filter to endpoints table for easier endpoint filtering by operating system
  • Improved containment UI in detection pages with better button and panel layout
  • Enhanced dark mode contrast for toggles, selects, inputs, and text fields for better visibility
  • Updated filter button to visually show applied filters with a clear button for easier filter management
  • Improved mobile UX for action panels with better alignment and responsiveness
  • Updated input component styling for consistency across the application
  • Updated documentation tooltips for better user guidance
  • Added countIf function for Events queries
Integrations & Threat Intelligence
  • Updated Microsoft IDP categorization rules
  • Optimized user automations to reduce false positives and incorrect tagging
Bug Fixes
  • Fixed incorrect calculation of Mean Time To Respond (MTTR) and Mean Time To Detect (MTTD) metrics in team statistics
Jan 12, 2026
  • Added Team API Keys allowing admins to create service account API keys for programmatic access at the team level
Jan 9, 2026
UI/UX Improvements
  • Added secure defaults preview dialog allowing you to review and selectively apply recommended security settings before changes are made
  • Added category filter to exclusion backtesting to test against specific detection categories
  • Improved automation UX with tabbed interface, renamed “Automations” to “Tagging Rules”, and added live preview when creating rules
  • Updated navigation hierarchy and removed onboarding link for cleaner navigation
  • Added empty states to tables and widgets across the application for better user guidance
  • Improved events table with advanced vs basic layout options and fixed dropdown menu behavior
  • Fixed case search UI disappearing when filters return no results
  • Removed warning screen when switching teams for a smoother team switching experience
  • Added white-labeling the platform name to case logs
Integrations
  • Enhanced SafeBreach integration to handle detections with multiple IP addresses
  • CrowdStrike domain controllers are now automatically tagged as Highly Valued Assets (HVA)
  • Unmapped SentinelOne high-severity detections now escalate properly
Detection & Threat Intelligence
  • Improved primary file IOC detection to better highlight the actual threat indicator in detection summaries
  • Added Impacket, SecretsDump, and GoToResolve to the tool catalog
  • Fixed Python tool detection to avoid false positives with malware names
  • Phishing connections from mobile devices are now automatically closed
  • Some detections are now mapped to informational events to reduce noise
Service Provider
  • Service providers can no longer add integrations (integrations only work at client tenant level)
Jan 7, 2026
  • Added ability to skip onboarding for faster team setup
  • Service providers can now opt out of subscribing to notifications when creating a team
  • Improved UI layout for custom detections and exclusions pages with action buttons now at the top right
  • Improved detection categorizations for evasion and discovery alerts
Dec 31, 2025
  • Fixed bug where team inbox escalation emails were incorrectly updated when switching teams.
Dec 27, 2025
  • Added support for multiple team inboxes, allowing teams to configure and manage multiple email inboxes for case notifications
  • Improved search UX with a new clearable input component across the application
  • Added light and dark mode logos for Okta and AWS integrations
  • Improved UI performance for the sidebar, users page, and endpoints page
  • Enhanced SentinelOne STAR alert processing with better user and device extraction
  • Fixed bug where automation tag rules failed to tag users correctly
  • Improved OAuth JWT security with token expiration and versioning
Dec 18, 2025
  • SafeBreach integration added so that detections can be correlated to both actively running or past simulations
  • Added support for SentinelOne STAR alerts
  • Upgraded the Azure Blob SDK used for syncing Entra sign-in logs
  • Improved JWT usage when adding integrations
Dec 11, 2025
  • Enhanced status transition handling for cases and detections to prevent race conditions
  • Added new RMM tools to our catalog
  • Improved CrowdStrike categorizations
  • Updated how productivity events are tagged to improve query performance
  • Jira comments are now marked as private when created in Jira Service Desk context
Dec 4, 2025
  • Added a Chat Ops status so that you can easily view cases and detections actively awaiting user feedback
  • More details about chat ops and containments have been added to the timeline and summary views
  • Improved Activity Summary emails, offering a more concise view of your env health and what requires your attention
  • A new dedicated Activity Summary email for Service Providers to give them a view of all clients
  • Events and WEL queries now support regex matching
  • Fixed bug where endpoints that failed to lookup would overwrite existing endpoint data
  • Fixed SentinelOne URL link issue
  • Improved performance for ingestion of historic detections
  • Improved search endpoint performance
  • Added new items to our RMM tool catalog
Nov 5, 2025
  • Initial support for Gmail subscriptions
  • Case and Detection tables now have the ability to filter by Integration
  • CrowdStrike Falcon Cloud Security is now parsed and ingested. There is no need to update your existing integration; it will begin to pull if present.
  • Added a new configuration in Verdicts where you can stipulate what to do if a monitor cannot run (for example if there is not enough data for the monitor, then escalate!)
  • New category mappings for Defender’s suppressed and discovery events
  • Endpoint Exploitation added as a new category
  • Jamf Protect integration now logs when your token is expired
  • Improved extraction of parent process files
Nov 3, 2025
  • AI verdicts for live off the land executions are now shown in the detection timeline
  • Thinkst Canary console settings now map to informational events
  • Simplified table filters, all filters can now be found at the right-hand side of the search bar
Oct 28, 2025
  • Improved Case and Impact UI on mobile devices
  • Exclusion creations, edits, and deletions are now tracked in the system log
  • Increased the amount of data extracted from Jamf Protect detections
  • Chat Ops tests are now easier with typeahead user searching
  • Various SMS chatops improvements
  • Fixed how we extract command line arguments for SentinelOne
  • Remapped how we handle Entra Connect tampering
  • Fixed a bug in manager chatops verdicts
  • Added average MTTV, MTTD, and MTTR to cases
Oct 24, 2025
  • 🍞 Upgraded to the Bun 1.3 runtime
  • Improved background job processing for added resiliency during long-running jobs
  • Added non-interactive sessions in Microsoft sign-in logs
  • Verdict rules can now insert a friendly explanation into your timeline
  • Added new categories for private credential exposure for VIPs, evasive activities in email, and more
Oct 22, 2025
  • SMS chat ops is now available! Learn more here
  • Mimecast integration added
  • AI analysis for some live off the land executions is now live
  • Automated impact identification is now in beta testing, Wirespeed will identify all activities performed by a user after suspicious activity is alerted on.
  • Fixed API bug when attempting to enable LOTL endpoint auto containment
  • Directory/Endpoint tag automations are now logged to the system log
  • Case reopening is now added to the case timeline
Oct 10, 2025
  • Improved next steps granularity when containment is partially successful
  • Added detection from 3 new RMM tools
  • Added 200 new detection mappings for Vectra integrations
  • CSV exports are now available on the cases and detections pages. Exports have a limit of 100k rows.
  • Bug fix for billable user counts on the Clients page for service providers
Oct 8, 2025
  • Improved retry handling for ticket creation in external systems
  • Cases with >24 hours of delay from the source are now closed automatically
  • Benign chat ops responses are now saved as exclusions
  • Refactored login verdict handling to remove low confidence verdict rules
  • New experimental AI analysis for live off the land executions is now being run in read-only mode
  • Verdict is now available in the Case details view
  • Reduced false positives for suspicious email identification after a suspicious login
  • Team, Case, and User deletion bug fixes
  • Service Providers can now whitelabel the following:
    • Email “from” name
    • Email reply-to address
    • In-product support button email address
    • Email signature and footer address
  • Historic Cases can now be reopened for further inspection
Sep 29, 2025
  • Increased webhook durability
  • Enhanced file grouping
  • Optimized memory usage on detection consumption
  • Improved JSON date parsing
  • Enhanced OAuth client credential grant handling
  • Fixed monitor logic for better accuracy
  • Improved duplicate detection lookups
  • Updated bun version
Sep 25, 2025
  • Vectra integration is now available!
  • Enhanced NATS consumer durability
  • Prevented chat ops when a monitor is already active
  • Enhanced chat ops to avoid notifying users who have timed out recently
  • Improved HVA value handling to not override manually set values during endpoint syncing
  • Optimized malware algorithms
  • Added categorizations for Falcon Cloud Security
  • Allowed VIP chat ops during testing
Sep 17, 2025
  • Improved AITM behavior detection
  • Improved unicode handling
  • Upgraded CrowdStrike Falcon endpoint syncs to use bulk fetching
  • Refactored enrichment to analyze files concurrently
Sep 15, 2025
  • Updated our algorithm to more accurately detect live off the land scenarios
  • Improved JSON parsing across all integrations
  • Adjusted our parser to better support inconsistencies observed in Microsoft data
  • If a detection is added to a case, ticket integrations (e.g. Jira) will note so via a comment
Sep 10, 2025
  • Service Provider name will now be used in client Timelines
  • Team list now identifies external members, easing Service Provider team management
  • Improved monitoring so that detection monitors in the same case stay in sync with one another
  • Improved date parsing for syslog ingestion
  • Updated Jira Cloud integration to facilitate templated summary and optional sending of closed detections
  • Fixed bug where the IP page would not load for private IP addresses
Sep 9, 2025
  • 20 new and updated integration categorizations
  • Simulated breach detection
  • Identification and new verdict rules for masquerading files
  • Added category for Business Email Compromise (BEC), which was previously mapped to Login alerts
  • Added category for Account Compromise
  • Added category for Lateral Movement
  • Fixed bug on events page where click-to-search functionality duplicated values
  • Clients table for Service Providers is now sortable
  • Improved detection of authorized RMM tools
  • Active monitors are displayed below escalated cases in the navigation bar
Aug 31, 2025
  • 11 new and updated integration categorizations
Aug 28, 2025
  • Webhooks are now processed asynchronously to increase reliability
  • Billable users & endpoints are available underneath your Team page, or the Clients page for service providers
  • 47 new and updated integration categorizations
Aug 24, 2025
  • User and Endpoint details pages have been updated to show related detections
  • User details page exposes authentication patterns
  • Dedicated category for business email compromise added
  • Updated details grid available on all entity details pages
  • Removed files, user agents, locations, processes, ip addresses, and domains from left-hand navigation
  • New command palette available via cmd+k or ctrl+k to search the removed navigation items above
  • AI summary is now the default case description
Aug 22, 2025
  • You can now delete your team by navigating to the Teams page and selecting “Delete Team”. This action is irreversible.
  • New API endpoint POST /team/switch - Service providers can use this with a service provider API key to manage multiple tenants.
Aug 20, 2025
  • Fixed custom detection query timeouts by updating query generation logic to use proper partitioning keys.
  • Generic Syslog and JSON log importers are now generally available.
  • Improved endpoint and user correlation to prioritize active managed users over dormant ones.
Aug 17, 2025
  • Improved cases dashboard now shows mean time to detect, verdict, respond, and contain.
  • Timeline logging improvements for ingestion of historic detections on initial integration.
  • Lowered required thresholds for Apple Private Relay and ISP logins from trusted locations.
  • Improved live off the land tool detection for pwsh.exe and winpty-agent.exe.
  • Improved remote management tool detection for ScreenConnect and NinjaOne.
Aug 12, 2025
  • Jira comments sync back to Wirespeed and are shown in the cases view.
  • IPv6 addresses are flattened by default
  • Integration categorization and parsing improvements for CrowdStrike and Okta
Aug 5, 2025
  • In the Events view, you can now click properties to automatically add them to the search bar.
  • When creating a user you can now opt them out of activity emails.
  • New and updated mappings for Microsoft.
July 30, 2025
  • Jira Cloud is now available! Review our documentation to learn how Wirespeed cases can create Jira issues and how closing issues in Jira can close the issue in Wirespeed.
  • Updated Microsoft UAL parsing and tidying of AWS GuardDuty permissions checks.
  • Prioritize managed users in directory user searches.
July 28, 2025
  • Hunts and Monitors are now generally available!
    • Hunts are deep analyses using 30-day patterns, threat intelligence, and device validation that hunts for any clues or indications that may inform a detection.
    • Monitors are continuous surveillance executing rules at regular intervals to detect repeat patterns over extended periods (days to weeks), generating cases when specific threat patterns match.
  • New mappings for JAMF Protect.
  • Added the ability to test ChatOps with an unmanaged user, making it easier than ever to see a live demo of ChatOps in action.
July 23, 2025
  • Cisco Duo authentication logs are now available in Wirespeed! Check out our integration docs to learn how to get started.
  • Custom detection changes are logged to your audit log.
  • Detections table verdict and page size filters were not working as expected.
  • New and fixed mappings for detections from Microsoft and CrowdStrike.
July 18, 2025
  • Certain OCSF observables were not being properly identified on authentication events.
  • Containment and chat ops actions are more clear in the What Happened summary.
  • Improved detection mappings for vulnerable drivers, brute force, and email malware alerts.
July 12, 2025
  • Checkpoint Harmony spam and graymail alerts are no longer considered detections. They will still be enriched and available in the data lake.
July 11, 2025
  • Need a quick bird's-eye view of your Detections? Go check out the new stats at the top!
  • You asked for it, we delivered: Apple Private Relay 🍏 handling has been added to our verdict rules.
  • You’re not using Chatops? Onboard a group today to instantly increase the effectiveness and intelligence of your Wirespeed deployment.
  • Subscribe to changelog updates at https://docs.wirespeed.co/changelog/rss.xml.
July 7, 2025
  • Leverage the full power of ClickHouse by using Wirespeed’s Advanced Queries. Seriously, go check out the docs for this one. Start or continue your journey to become a Wirespeed Superuser!
  • Updated our user algorithm, making our directory decision making even smarter.
  • Ever wonder if your mobile endpoints are responsible for more cases? You can now filter cases by “Was Mobile” to learn more about what your mobile devices are triggering.
July 1, 2025
June 27, 2025
  • Added ability for Service Providers to provide default ChatOps messaging for client teams.
June 25, 2025
  • Updated verdict ordering for better prioritization
  • Added TOR logins to verdict algorithm
  • Fixed timeline display issues for improved event tracking
June 23, 2025
  • Microsoft sign-in log processing is now generally available
June 19, 2025
  • Okta sign-in log processing is now generally available
  • Enhanced directory user automation rules for email domain matching
  • Increased clarity of threat indicator data
June 18, 2025
  • AI Case Summaries: you can now view an AI-generated summary of every case
  • Added ability to ingest all assets from detection sources and option to tag them as HVT
June 11, 2025
  • JAMF Protect integration has been enabled for Beta testing
June 10, 2025
Welcome to our new changelog! Items will be added here as soon as they are released.