Invicti Platform on-premises release notes

This document highlights the new features, new security checks, improvements, and fixed issues introduced in the Invicti Platform across recent releases. Each update focuses on enhancing usability, visibility, security coverage, and integration capabilities for security teams and developers.

2026

This section summarizes all Invicti Platform on-premises releases, including new features, improvements, and fixes as they’re added.

Release 26.160.260609074715

Release date: 09 June 2026

New features

  • Outbound proxy support for on-premises installations: Invicti Platform on-premises now supports HTTP proxy configuration for outbound traffic, available in both the Windows installer (Read more) and Helm deployments (Read more).

  • Interactive login for DAST scans: You can now configure DAST scans to use interactive login, allowing you to manually complete CAPTCHAs or MFA steps at the start of the scan. This makes it possible to effectively scan sites that can't be fully automated. (Read more)

  • Reusable credentials for form authentication: You can now store credentials in Scans > Secrets and reference them in simple form authentication fields instead of entering plain-text values directly. (Read more)

  • Workspaces: You can now create isolated, self-managed workspaces to organize teams, projects, or environments independently within your organization. (Read more)

  • Multiple HTTP authentication credentials can now be configured per target: Targets can now hold more than one set of HTTP authentication credentials, enabling coverage of web applications where different site sections require different credentials. When multiple credentials are configured, a URL is required for each entry to ensure correct routing during scans.

Improvements

  • Login sequence and business logic recording on internal agent targets: You can now record Login Sequence Recorder (LSR) and Business Logic Recorder (BLR) sessions for Targets assigned to an internal scanning agent, not just cloud agent Targets. (Read more on the LSR and the BLR)

  • Invicti AI Assistant for all users: Invicti AI Assistant, including the Get help feature, is now available to all users in the account, not only Owners.

  • Filter DAST scans by URL: You can now filter the DAST scans list by target URL using a partial match, making it easier to find scans for specific targets.

  • Improved auditing for Target configuration changes: Changes to Target settings (business criticality, authentication, scan configuration, agent settings, excluded hours, IAST settings, name, and tags) are now audited with previous and new values for accountability and compliance.

  • Internal agent resource information: The internal agent details panel now shows information on machine resources, so you can self-troubleshoot resource-related scanning issues.

  • Higher import file limit: You can now upload up to 10 import files per Target, up from the previous limit of 5.

  • Confidence level now included in CSV and JSON vulnerability exports: Vulnerability exports now consistently include confidence level data. Previously, CSV exports omitted confidence levels entirely and JSON exports only surfaced them for a subset of vulnerabilities.

  • OWASP Top 10 report for all licenses: The OWASP Top 10 report is now available on all licenses, including Essentials.

  • Vulnerabilities list can now be filtered by target business criticality: A new Business Criticality filter in the DAST vulnerabilities list lets users focus on issues belonging to the most business-critical targets. A Business Impact column has also been added to the vulnerability view, providing this context at a glance without needing to navigate to the target.

  • SCIM implementation updates: SCIM2 patch operations no longer fail when a request references an unsupported attribute, unblocking user updates from Microsoft Entra ID and other identity providers.

  • Administrators can now request support access without involving an account owner: Support access requests were previously restricted to account owners only. Administrators can now submit support access requests directly, enabling faster engagement with the support team.

  • SCIM2 provisioning can now be enabled or disabled per organisation: Ultimate licence customers can now toggle SCIM2 provisioning endpoints on or off for their organisation. Previously, SCIM2 was always active. Disabling it prevents user and team updates or deletions through SCIM2-provisioned accounts, giving organisations more control over their identity management configuration.

  • Persistent vulnerabilities view: The Vulnerabilities page now remembers whether you last used the grouped or ungrouped view and restores it the next time you open the page.

  • Download logs for failed scans: You can now download debug logs for failed scans, not only successful ones, making it easier to troubleshoot scan failures.

  • Incremental scan type indicator: Scan details now show whether a scan ran as incremental or full, so you can quickly confirm the scan type without checking the scan configuration.

  • Delete scans created by a schedule: When you delete a scan schedule, you can now choose to also delete the scans created by that schedule, keeping the Scans page tidy.

  • Improved scan progress indicator: Scan progress is now calculated using a more accurate algorithm, so you get a clearer view of scan status and a better ETA.

  • APIs linked back to their scans: APIs discovered by a scan are now linked back to that scan from the API catalog, so you can trace any endpoint to the scan that found it.

Resolved issues

  • Teams with many members: Teams with a large number of members now load correctly.

  • Cross-organization tag suggestions: The Scans page Tags autocomplete now only shows tag suggestions belonging to your current organization.

  • Scan creation for ephemeral Targets via API: POST /api/v1/scans no longer returns 400 Invalid profile_id when launching scans against ephemeral (Dynamic URL) Targets in CI/CD pipelines with valid profile IDs.

  • CI/CD script generators now produce output when minimum severity is left blank: Previously, leaving the minimum severity field empty in the CI/CD script generator caused the script output to be blank rather than generating a script with no minimum vulnerability threshold. This affected all integrations: Azure Pipelines, CircleCI, GitHub Actions, GitLab CI/CD, and Jenkins. Scripts now generate correctly in this scenario.


HF Release 26.118.260428084120

Release date: 28 April 2026

Resolved issues

  • Corrected navigation settings in the on-premises installation: Users on on-premises deployments will now correctly see the Version Updates page, and the Organization Data page is now properly restricted from general user access.

Release 26.113.260423132556

Release date: 23 April 2026

New features

  • Windows (WSL) installation: You can now install the Invicti Platform on-premises on Windows using Windows Subsystem for Linux (WSL), without needing a dedicated Linux machine. (Read more)

  • Dynamic (rotating) authentication tokens for API scanning: API scans can now authenticate using rotating tokens, meaning scans no longer fail or produce incomplete results when tokens expire mid-scan. (Read more)

  • Configurable login warning banner: You can now show a configurable warning banner at login with acknowledgment and decline options, designed for large and federal organizations with strict access control requirements. (Read more)

  • Customizable platform header banner: You can now display a customizable banner in the header across all platform pages to communicate important information to all users. (Read more)

  • API Discovery from encrypted traffic: You can now discover APIs from encrypted network traffic using eBPF, with no infrastructure changes required. (Read more)

  • IP address restrictions for user sessions: You can now restrict user sessions to specific IP addresses for improved security and compliance. (Read more)

Improvements

  • Parameters displayed for endpoints in API catalog: Each endpoint in the API catalog now displays its parameters, giving you a more complete view of your API surface. (Read more)

  • SCIM user provisioning with Microsoft Entra ID: SCIM integration with Microsoft Entra ID now uses long-lived OAuth tokens instead of short-lived bearer tokens, so user provisioning stays active without you having to manually refresh the token every hour. (Read more)

  • Extended character support in tags: Tags now accept any character, including spaces and multiple : separators, across all services.

  • Delete scheduled scans: You can now delete scheduled scans directly from the platform. (Read more)

  • Severity per check in scan profiles: Scan profiles now show the highest severity level reported by each check, so you can quickly understand the risk profile of your scan configuration before running a scan. You can also filter checks by severity. (Read more)

  • Incremental scans are now available for instant and one-time scheduled scans: You can now use incremental scans when running an instant scan or a one-time scheduled scan, allowing you to focus only on what has changed since your last scan. It saves you time and reduces noise on unchanged parts of your application.

  • WAF indication during scans: You can now clearly see when a Web Application Firewall is blocking or influencing scan results, so you can better interpret findings and adjust your scan configuration accordingly. (Read more)

  • Filter scans by target collection: When managing many targets, you can now filter your scan list by collection to quickly find the scans that matter to you.

  • Content type in Site structure: The Site structure now shows the content type (such as application/json) for each path, so you can quickly see what format each endpoint expects. (Read more)

  • HTTP request and response in Comprehensive Report: The Comprehensive Report now includes the full HTTP request and response for each finding, giving you more context for investigating and reproducing vulnerabilities.

Resolved issues

  • Scheduled scan times for EU customers after summer time change: Fixed a one-hour discrepancy in scheduled scan times for EU customers following the CET to CEST (summer time) transition.

  • Saving scheduled scans: Fixed a bug preventing users from saving scheduled scans due to a null reference error during scan updates.

  • Scans no longer abort before reaching the Max Scan Duration limit: Scans were stopping at 2 days even when the configured maximum duration was longer. Scans now run for the full configured duration.


Release 26.71.260312122304

Release date: 12 March 2026

New features

  • Compliance classification information is now included in vulnerability details to support regulatory alignment and audit readiness (Read more)

Improvements

  • Improved visibility of data in the API catalog
  • Added support for MSSP licensing business logic
  • Targets can now be filtered by Collections
  • DAST scan schedules are no longer shown on the DAST scans page. They are shown under DAST scheduled scans
  • Added the ability to assign tags to scans for better organization and filtering (Read more)
  • Scan details now include information on the scan agent used for each scan
  • Scanning agent IP addresses are now visible, improving transparency
  • Scheduled scans can now be assigned custom names to improve identification (Read more on scheduled scans and recurring scans)
  • AI-powered features are now enabled by default for new accounts. Account owners retain the ability to turn off these features during account creation (Read more)
  • Sorting by status on the DAST scans page now automatically uses the scan date as a secondary sort to provide more accurate results
  • Updated DAST engine to handle examples for $ref'd schemas in OpenAPI

Resolved issues

  • Resolved an issue where API specifications and related scans weren't displayed correctly for certain targets
  • Resolved a limitation that prevented successful uploads of larger CSV files
  • Resolved an issue where rediscovered vulnerabilities weren't included in scan and target reports
  • Fixed an issue that prevented reports being generated
  • Extended default scan timeout values for On-Prem environments and Internal Agents
  • Corrected an issue where updated threat levels weren't immediately reflected in the UI after severity changes
  • Resolved an issue that caused unexpected errors related to missing scan creator information
  • Fixed an issue where the Download Logs option wasn't available for aborted scans
  • Fixed an OAuth API validation issue

Release 26.34.260203090313

Release date: 3 February 2026

New features

  • Implemented a feature that allows users to override the severity of vulnerabilities detected in DAST scans (Read more on individual vulnerability and global severity changes)
  • Implemented screenshot capture during DAST scans to improve visibility of the scanning process and authentication failures (Read more)
  • Compliance classification information is now included in vulnerability details to support regulatory alignment and audit readiness (Read more)
  • Added support for automatic user provisioning during IdP-initiated SAML SSO login
  • Added CircleCI integration (Read more)
  • Improved API Insights dashboard to respect user access restrictions, preventing users from viewing results for targets they don't have permission to access. Only users who have access to all targets can view the dashboard (Read more)
  • Users can now add bulk comments and tags to vulnerabilities (Read more)
  • Enabled users to re-register multiple times using the same NTA token, improving registration flexibility
  • Users can now add API specs via URL reference in target settings, allowing the scanner to pull specs at runtime from targets not accessible to Invicti cloud services (Read more)
  • NTA now automatically shuts down after multiple failed connection attempts to Invicti Platform (Read more)
  • Dark mode is now available
  • Added preview capability for REST API specifications (OpenAPI, Swagger, RAML) after uploading (Read more)
  • WAFs detected by DAST scanner are reported in the Scan activity log
  • Auto-scalable agents (Read more)

Improvements

  • Discovered and inventoried APIs can now be exported directly from the API catalog view, allowing users to download their full API inventory
  • Enabled users to re-register multiple times with the same NTA token
  • Improved the user experience after creating or linking a target in the API security platform, ensuring users land in the API catalog with an informative success message.
  • Users can now preview uploaded or linked API specifications directly within the target configuration.
  • When the API Security add-on license is added or removed, engine-based discovery is automatically enabled or disabled accordingly to reflect the current license state.
  • APIs can now be added as reference URLs even when the endpoint is not reachable from the cloud, supporting the use of internal or private URLs.
  • The Kong Konnect integration has been upgraded to use the latest API v3.
  • The time-zone picker in user profile settings has been upgraded and now includes India Standard Time (GMT +5:30).
  • AI-powered features are now enabled by default for all new accounts, with account owners given the option to disable them at the time of account creation.
  • The Scan Preparator now supports proxy configuration for remote backend access, enabling internal scanning agents to reach backend services through a proxy.
  • The LSR engine now forwards screenshot data captured during scans to the UI, making visual scan evidence available directly in the interface.
  • The ICBD component has been updated to run on Node.js 20.x (LTS), ensuring compatibility with the latest long-term support release.

Resolved issues

  • Fixed an issue where creating a target from a discovered AWS API failed.
  • Resolved an issue where the API target detail view returned an incorrect number of operations.
  • GraphQL and other unsupported API spec types are no longer incorrectly displayed in API Hub.
  • Fixed an issue where the API Hub Swagger page failed.
  • Resolved an issue where default sorting and manual sorting changes of API operations were not applied correctly.
  • Fixed an issue where the API Target Source type displayed in the UI did not match the value set when uploading from the target configuration.
  • Fixed a communication issue between DAST and Inventory services when updating a target agent.
  • Fixed an issue where the Exemptions list failed to display more than 50 users.
  • Fixed an issue where the internal scanner was generating excessive request volume.
  • Resolved an issue where LSR scans with restrictions and imported files failed to complete successfully.

2025

This section summarizes all Invicti Platform on-premises releases, including new features, improvements, and fixes as they’re added.

Release 25.322.251118145546

Release date: 20 November 2025

This is the first release of the Invicti Platform on-premises edition. This release provides a self-hosted deployment option that allows organizations to run Invicti Platform within their own infrastructure using Helm charts on Kubernetes.

To install Invicti Platform on-premises, follow the comprehensive on-premises documentation, which covers:

  • Architecture overview and system requirements
  • Prerequisites and Kubernetes cluster configuration
  • Step-by-step installation instructions
  • Post-installation setup and configuration
  • Troubleshooting guidance