Skip to main content

Invicti Platform on-demand release notes

RSS feed

This document highlights the new features, new security checks, improvements, and fixed issues introduced in the Invicti Platform across recent releases. Each update focuses on enhancing usability, visibility, security coverage, and integration capabilities for security teams and developers.

2025

This section summarizes all releases, features, improvements, and fixes for 2025 as they're added.

Release 04122025

Release date: 4 December 2025

New features

  • Improved API Insights dashboard to respect user access restrictions, preventing users from viewing results for targets they don't have permission to access. Only users who have access to all targets can view the dashboard (Read more)
  • Enabled users to re-register multiple times using the same NTA token, improving registration flexibility
  • Users can now add API specs via URL reference in target settings, allowing the scanner to pull specs at runtime from targets not accessible to Invicti cloud services (Read more)
  • Dark Mode is now available
  • Added ability to bulk add tags and comments to vulnerabilities
  • Added preview capability for REST API specifications (OpenAPI, Swagger, RAML) after uploading (Read more)
  • WAFs detected by DAST scanner are reported in the Scan activity log
  • Auto-scalable agents (Read more)

Improvements

  • Improved user experience when creating API Discovery targets and starting scans
  • NTA now automatically shuts down after multiple failed connection attempts to Invicti Platform
  • Addressed design inconsistencies for API Discovery/Catalog pages
  • Improved API reconstruction speed from network traffic in NTA
  • NTA Helm deployments now automatically pull the most recent version, with older versions available upon request
  • Minor usability improvements across the app
  • API catalog now displays additional target details when clicking on a row (Read more)
  • SCIM swagger is now available among API specifications (Read more)
  • Forms containing the inv-ignore CSS class are now excluded from DAST scanner testing
  • Scan duration calculation now includes scan pause time for more accurate reporting
  • Added pagination, sorting, and filtering capabilities to the PCI ASV scans page

Release 20112025

Release date: 20 November 2025

Improvements

  • Added a bulk action for retesting vulnerabilities
  • Updated visibility of items in API Discovery to show only unlinked API specs
  • Implemented API information export capability for API discovery and API catalog
  • Updated quick links to documentation and support in User profile
  • Implemented hostname variation handling during web crawling to ensure links with different subdomain formats are considered within the same scope
  • Implemented an upgrade process for NTA that preserves previous reconstruction context and avoids duplicate findings
  • Updated Docker Compose instructions to ensure the latest version of NTA is always used

Resolved issues

  • Fixed a typo in user agent list
  • Fixed an issue related to the missing pagination
  • Fixed visibility of "Vulnerability" column on Trend Matrix page
  • Fixed an issue where filtering targets by agent type didn't work correctly
  • Implemented clear error messaging for app name length validation during creation
  • Fixed a filter label formatting in the UI
  • Fixed an issue related to incorrect time zone offset saving for users in GTM +1
  • Fixed an issue where the scan duration displayed an incorrect value despite no requests or progress
  • Fixed an issue with sorting of API operations in API discovery or catalog
  • Fixed an issue with the incorrect base URL displayed on the API Insights dashboard
  • Fixed an issue where audit logs for scans stopped by the system incorrectly displayed the user as the one who initiated the action
  • Fixed an issue with uploading large files via the API
  • Fixed an issue where the the count of vulnerabilites in the scan summary tab is less than actually detected
  • Unified pagination options in Automations
  • Unified pagination options in Integrations
  • Enforced SSO login for users with TOTP configured when organization SSO is enabled
  • Updated the design of License page
  • Fixed an issue where special characters could be used in the name fields
  • Fixed an incompatibility issue with uploading multipart form data via the API hub Swagger page
  • Fixed an issue where custom roles weren't updated after changing permission scope
  • Fixed counting of total open vulnerabilities in API Insights dashboard
  • Fixed visibility issues on internal scanning agent list
  • Fixed categorization issue of Audit log export
  • Improved data display in Audit log
  • Added proof of exploit information in the vulnerability drawer for IAST-enabled scans
  • Implemented pagination in API discovery and API catalog
  • Added scan end timestamp information to the automated email sent upon scan completion
  • Fixed displayed information on failed logins in Audit log
  • Fixed an issue where the source type returned by GraphQL didn't match the UI display for API targets
  • Extra validation now prevents creating sample issue when mandatory fields are incomplete
  • Fixed a loading delay issue on the User/Team creation and editing pages
  • Corrected the user status logic to ensure that enabled users aren't incorrectly marked as invite expired, aligning with the intended behavior
  • Resolved an issue related to username input handling on the login page
  • Fixed UI inconsistencies in the Settings - Automations input for domain entries
  • Added more detailed information about export configurations in audit log activity
  • Fixed "Automations" button to navigate correctly after a license upgrade
  • Addressed the UI and messaging issues on the forgot password page
  • Added forward and back navigation buttons to the role drawer for easier navigation
  • Improved performance by speeding up loading times when creating and editing user groups
  • Issue trackers now correctly show the respective icons in Automations overview
  • Better usability when working with email field in Automations

Release 06112025

Release date: 6 November 2025

New features

  • Added a "Fixed (Unconfirmed)" status to better reflect the status of a vulnerability
  • Implemented toggle in Settings to turn on/off the automatic retest of a vulnerability after selecting "Fixed (Unconfirmed)" status
  • Retesting a "Fixed (Unconfirmed)" vulnerability automatically sets the status to "Fixed" or "Rediscovered"
  • Added Sensor-less API Discovery
  • Scan debug logs are available for download after a scan finishes
  • User provisioning with SCIM is now supported for Invicti Ultimate users
  • Added an ability to filter the user list by user creation method (manually created vs. auto-provisioned) when auto-provisioning is available

Improvements

  • Added an ability to use custom cookies during DAST scans when using the LSR
  • API Discovery now clearly shows hostname where API specs have been identified
  • Token used by Network Traffic Analyzer (NTA) now has extended expiration date to support longer offline periods
  • Improved sitemap parsing to handle entries with multiple comma-delimited URLs within a single entry
  • Implemented filtering and sorting options for number of operations, discovered and last updated date in API discovery
  • Implemented the display of PCI compliance status on the PCI scans list
  • Updated Chromium to 141.0.7390.122

Resolved issues

  • Fixed an issue that prevented users from changing column order on selected list views
  • Fixed an issue where GetAssetById didn't return correct asset detail
  • Improved handling of whitespaces in the Target URL field during target creation
  • MTTR now shows "-" instead of "0" when there is no data
  • Fixed a navigation issue in "Licensed FQDN's used" list
  • Fixed an issue where the user can't change the start date for scheduled scans
  • Fixed an issue where the site structure isn't available for scans aborted by the DAST scanner due to network errors
  • Fixed an issue where the Project filter by Threat severity displays incorrect results

Release 23102025

Release date: 23 October 2025

New features

  • Implemented improvements to ensure the coordinator receives a heartbeat signal during the archiving process to prevent scan abortion
  • Added an ability to copy custom scan profiles
  • Updated requirements for the Internal Agent to specify CPU, RAM, and disk space
  • Added logs compression while the scanner is running
  • Updated PCI activation request emails to include a masked license key
  • Implemented new Engine-based Zero-Config API discovery service
  • Updated the design of the grid
  • Added information about discovered or reconstructed APIs in the Scan details page
  • Improved navigation to currently running scan from the Targets page
  • The Executive and API Insights dashboards now include Rediscovered vulnerabilities in the total open counts
  • Implemented filtering, sorting, and pagination features for PCI scans
  • Increased URL length limit from 1024 to 2048 characters
  • Implemented API-only scan capability to improve scan speed and efficiency
  • Implemented automatic screenshots when the automated login by the DAST scanner fails; screenshots are included in the scan logs
  • Added an updates panel to the Application dashboard. This panel displays last scanned status and tags. Additionally, the Vulnerabilities by scan type widget now shows the container count
  • Implemented filtering out third-party APIs during web application scans to improve API discovery accuracy
  • Reconstructed REST API specifications are now displayed in the API Discovery view
  • Added Vulnerability ID column to the Vulnerabilities page table
  • Updated the NIST SO 800-53 report to the latest template Rev5
  • Disabled the retest button during a retest scan to prevent multiple concurrent scans for the same vulnerability
  • The Settings page has a refreshed look and updated design for improved usability
  • Implemented a new automation feature to automatically email a specified scan report upon scan completion
  • The Audit Log now records changes made to vulnerabilities

Resolved issues

  • Fixed an issue where reports generated by the Vulnerabilities page didn't start
  • Fixed an issue where scans remained stuck in the "starting" status before their failure
  • Fixed an issue where PCI scan activities were not shown in UI
  • Fixed the “List of URLs / Generic File (.txt/.*)” option to allow uploading files other than .txt
  • Fixed the deactivated toggle state for Discovery AI settings
  • Fixed an issue where the API Discovery remote target filter was not functioning correctly
  • Fixed an issue that prevented PCI scans from initiating when an internal agent was inactive
  • Fixed update logic for IAST sensor token
  • Restricted non-HTTP and non-HTTPS protocols in script initiated DeepScan sessions
  • Fixed an issue preventing users without an IAST license from saving target configurations
  • Scan profiles now correctly default to a preset when the previously assigned profile is deleted
  • Fixed a crash issue during scan
  • Fixed an issue where page navigation and data retrieval in "Licensed FQDNs used" were not working correctly
  • Resolved an issue preventing users from editing scan schedules and corrected the incorrect display of scans on the Scan Scheduled page
  • Discovery Configuration navigation now correctly highlights the section you are currently in
  • Fixed an issue where the "HTTP Authentication required" message was shown incorrectly
  • Fixed a missing vulnerability on http://rest.vulnweb.com/
  • Resolved an issue where Browser Context creation starts failing after some time
  • Fixed an issue where Apigee APIM connection details couldn't be edited after being saved and authenticated
  • Queued scans are now displayed correctly
  • Fixed an issue where API-SEC permissions were incorrectly enabled for Essentials users
  • Updated vulnerability checks to include the new SQL injection in aspnet.testsparker.com
  • Prevented Ephemeral Target resuming scan from the UI when excluded hours are encountered
  • Fixed an issue where Filtering Targets on Scan Status duplicates some targets
  • The flow for LSR with OTP no longer requires an additional step to insert the OTP value
  • Fixed an issue where the Filter dropdown doesn't populate after reset
  • Fixed client certificate handling to prevent scans from failing due to certificate-related issues
  • Fixed an issue where logging in via SSO doesn't work when the user has TOTP/MFA enabled
  • Fixed an issue where the Project filter by Threat severity displays incorrect results
  • Fixed filtering capability and labeling of the "Remote Target" filter in the API catalog and discovery list
  • Fixed an issue where Hidden APIs become visible when filtering data

Release 09102025

Release date: 9 October 2025

Improvements

  • API now supports filtering scan results by tags
  • Clicking on a target URL now opens the target details drawer
  • Added a button to request enabling PCI ASV scans directly in the product via email if the user has Professional/Ultimate license
  • Updated the notification instructing users to use Standalone LSR for targets that use internal scan agents
  • OTP tokens are now accessible for authorization scripts
  • Engine HTTP stats for API scans now include the number of 2xx status codes
  • Added the option to configure company details for the PCI ASV Report
  • Updated Inventory Endpoints in the API Hub
  • Added a filter to show only vulnerable APIs when navigating from the API dashboard to the API catalog
  • Added the ability for users to download debug scan logs
  • API Security is now available as an add-on for Essentials and Professional editions
  • Mapped security checks to their related found vulnerabilities
  • Only the Owner role can assign the Owner role and System and Subscription permissions
  • Added support for authentication scripts in the LSR
  • Added support for multiple BLRs with custom naming
  • Added a notification to inform the user when a scan is queued because of excluded hours
  • CSV import of Targets now allows specifying a username and password for form authentication

Resolved issues

  • Fixed an issue where the Vulnerability Status column was missing from the Trend Matrix
  • Restored the missing Jira link on the Vulnerability page
  • Updated the Engine to correctly mark API specs loaded via GraphQL Introspection as Crawled instead of Imported
  • Fixed performance issues caused by DeepScan Static Analysis leading to slow page loading
  • Corrected an error preventing users from saving Max Password Age values greater than 10 days
  • Fixed mismatch between Value and Description for Inactivity Timeout in Session and Lockout settings
  • Fixed a UI issue where a deleted target was still visible in the Allowed Hosts section
  • Fixed an issue where DeepScan wasn't detecting Logout links
  • Fixed an issue where the Pattern attribute wasn't sent to the Scanner-AI-Service
  • Fixed inconsistency in scan schedule start times between the schedule list and detail views
  • Corrected sorting by Vulnerabilities on the Collections page, which previously caused an error
  • Fixed an SSO exemption bypass issue on page load
  • Resolved timezone errors in scheduled scans
  • Fixed an incorrect empty state message on the Collections page
  • Fixed an issue where Apigee APIM configurations couldn't be edited after authentication
  • Fixed an issue where users integrating with Mulesoft were redirected to an outdated configuration page
  • Resolved Jira field mapping inconsistencies
  • Fixed a UI issue where the Environment dropdown disappeared when scrolling on the Add Multiple Targets page
  • Ensured all “Add API Source” buttons open the same configuration page
  • Fixed issue causing Administrators to see empty content on the Settings page
  • Resolved inconsistent behavior when deleting custom profiles
  • Fixed mismatch between API Vulnerability counts on the Dashboard and other pages
  • Fixed an issue where API Insights displayed vulnerabilities even with zero APIs in the Catalog
  • Aligned API Insights counts for open vulnerabilities and other dashboard metrics
  • Fixed AI-aided login issues on sites requiring YES input during authentication
  • Resolved issue preventing users from generating API keys under migrated accounts
  • Validated Inventory Service endpoints to confirm proper UserID handling when using M2M tokens

Release 25092025

Release date: 25 September 2025

New features

  • Mark vulnerability with API tag when it comes from API target only
  • Added "view by a time range" options to the Application Trend Matrix
  • Added a new API parameter to filter vulnerabilities by severity in the vulnerabilities endpoint
  • Added the details about an API operation to the drawer in the API catalog
  • Added ability to configure the max scan duration for each Target. This can be used to specific smaller scan limits for scan done as part of CI/CD
  • Crawled APIs found are shown only once in API discovery
  • Added Invicti API to the list of integrations
  • Added an option to create a scan schedule directly from the Target's drawer
  • Added records of Applications, Assets, Collections to the Audit Log

Improvements

  • Improved error handling of the API Reconstructor to allow retries for failed uploads
  • Updated max API spec file size limit to 20 MB when uploaded via target settings

Resolved issues

  • Fixed API specification duplication
  • Fixed filtering for Invicti NAD in API Discovery
  • Fixed an issue where automations created multiple issues out of one vulnerability
  • Fixed an issue where hidden APIs were counted in the API dashboard
  • Fixed an issue where exporting targets to JSON/CSV file returned empty files
  • Target URL in the Most Vulnerable APIs list links to API list
  • Added icons to Most recent discovered APIs based on the source type
  • Fixed incorrect count of operations in the API dashboard
  • Fixed count of Total APIs in API dashboard to reflect only APIs in the API catalog
  • Fixed the visibility of Web Discovery for an Essentials package user
  • Fixed the visibility of API security features for an Essentials package user
  • Fixed the order of buttons for Website discovery and API discovery
  • Fixed the order of the scan activity logs for scans with Allowed Host
  • Fixed dashboard charts not showing information without DAST targets added
  • Fixed filtering of multiple values for a single filter type

Release 11092025

Release date: 11 September 2025

New features

  • Added Vulnerabilities widgets to the Target Trend Matrix
  • The User Agent string is now displayed in Scan Configuration settings for each Target
  • Updated the scanner error message for status code 429 (Too Many Requests)
  • Added display of Mean Time to Remediate grouped by severity and indicated vulnerabilities exceeding MTTR
  • The Vulnerability drawer is now accessible in the Trend Matrix
  • Added the ability to export the Trend Matrix to CSV
  • Added filtering options for the Trend Matrix
  • Introduced the Trend Matrix for Applications
  • Improved the display of scan duration in reports
  • Added a custom User Agent option in Scan Configuration for Targets
  • FQDN utilization is now displayed in the side menu
  • Implemented automatic DAST scans in the GitHub Actions CI/CD pipeline

Improvements

  • Scan Profiles are now required for CI/CD integrations

Resolved issues

  • Resolved an issue that prevented manually entered sensor secrets from being saved
  • Enhanced scan summaries to provide clearer explanations for aborted scans
  • Resolved multiple issues related to HTTP/2 and LSR processing
  • Resolved handling of aborted scans in the command-line tool
  • Resolved an issue with restricted HTTP methods to ensure scan script requests are properly blocked
  • Resolved an issue with Jira bi-directional sync to ensure status updates are accurately reflected
  • Resolved an issue where scan progress displayed 100% without matching the actual scanner status

Release 28082025

Release date: 28 August 2025

New features

  • Scanning stops automatically when a 429 status is received without a retry-after header
  • Implemented Trend Matrix for DAST Targets
  • AI-Aided Login automatically regenerates invalid reused LSR files
  • Added support for tracking session tokens in URL Parameters for LSR recorder
  • DeepScan now scans all path fragments discovered in locations for potential vulnerabilities
  • Added a filter on the Vulnerabilities page to show vulnerabilities found on APIs
  • Added support in AI-Aided Login for saving AI-generated LSR files
  • Improved Agents Page with an updated design for better navigation and readability
  • Added the Technologies tab to the Application dashboard
  • Added user provisioning with SCIM 2.0 for Teams

Release 14082025

Release date: 14 August 2025

New features

  • Added the ability to restrict HTTP methods for a DAST scans on a Target
  • Added "Export to file" bulk action in Projects
  • Added "Sync vulnerabilities" bulk action in Projects
  • Added "Last updated" per SAST source in Projects
  • Added "Export to file" action in Projects
  • Added "Sync vulnerabilities" action in Projects
  • Added handling of custom namespaces in specifications for WSDL imports
  • Added NTA Standalone mode
  • Added details about an API operation to API catalog
  • Added "Scan comparison" feature to Past scans tab
  • Added a scan message when AI-aided login is used
  • Implemented automation to push vulnerabilities into issue trackers every time they are found, creating new or updating existing work items if needed
  • Added vulnerability assignment to a specific user
  • Implemented standard and compliance reports for Application consolidating all SAST asset vulnerabilities for a comprehensive application security overview
  • Added "Most vulnerable technologies" list to the Application dashboard
  • Added filtering by application, asset, and environment to the Vulnerabilities page
  • Added information on the status and version of the installed NTA to the API sources section in Discovery Configuration

Release 30072025

Release date: 30 July 2025

New features

  • Enhanced DAST scanner with improved performance and vulnerability detection capabilities
  • Fully redesigned user interface and experience
  • New Applications feature allows to group related targets under logical application structures
  • AI-powered web form auto-completion for DAST scans (Read more)
  • AI-powered authentication handling for DAST scans
  • Dynamic targets for integration into CI/CD pipelines (Read more)
  • Detection of IDOR (Insecure Direct Object Reference) and BOLA (Broken Object Level Authorization) vulnerabilities in APIs
  • Improved API analysis through stateful scanning capabilities
  • Concurrent scan support for internal scanning agents
  • Docker-based internal scanning agents
  • Simplified Packages
  • LLM vulnerability detection including:
    • LLM Command Injection
    • LLM-enabled Server-side Request Forgery (SSRF)
    • LLM Insecure Output Handling
    • Tool Usage Exposure
    • Prompt Injection
    • System Prompt Leakage
    • LLM Fingerprinting (Read more)