📢 Release Notes

A new Graph tab in Endpoint visualizes device relationships, giving users a more intuitive way to understand connections between devices, domains, and associated users.

• Graph surfaces domain logos and user details directly within the experience.
• Reduces reliance on table-only investigation flows for relationship analysis.

Search and status filters on the Devices and Applications views now persist in the URL, enabling shareable links and browser back/forward navigation.

• Users can save, share, and return to specific filtered views without manually recreating them.
• Improves collaboration and reduces friction across Endpoint investigation workflows.

Improved error states, messaging, and retry logic across the Devices tab and workforce watchlist workflows.

• Enhanced error handling and retry logic for adding workforce watchlists.
• Clearer failure-state messaging reduces dead ends during investigation and response workflows.

Focused UI improvements to reduce visual noise and improve consistency during investigations.

• Updated glossary drawer descriptions for accuracy.
• Added row highlighting on selection for Sightings.
• Loading totals are now hidden until data is fully ready, eliminating loading-state flicker.

Behind-the-scenes investments to improve engineering efficiency, release quality, and API documentation.

• Expanded end-to-end test coverage for watchlist verification flows.
• Added Swagger/OpenAPI documentation generation for the API.
• Improved auto-deploy workflows for test environments.

A large backlog of combolists is being ingested and deduplicated.

• Customers may see new unique credential pairs appear in the UI and APIs.
• No email alerts or webhooks are triggered for combolist matches tied to this backlog ingestion.
• Backlog ingests will continue throughout April, May, and June 2026.

Reduced friction navigating from notifications into relevant workflows and destination pages.

• Added shallow link support for Breach Alerts, enabling direct linking into alert context.
• Data export emails now include a direct link to the Exports page.

Improved investigative context, data accuracy, and view persistence in the Records tab.

• Username is now a default column for infected users in the Records tab.
• Phish Time is now available as an optional column.
• Optional column selections persist across sessions — no need to reconfigure on each visit.
• Fixed exposed asset and login credential counts for improved data accuracy.

A set of stability and usability improvements for data-heavy table views.

• Implemented broader DataGrid persistence across sessions.
• Enabled automatic column pinning during horizontal scrolling.
• Fixed page reset behavior when filters change.
• Corrected watchlist column alignment issues in Workforce Settings.

Continued foundational investment in Endpoint Devices to support a more stable and scalable experience.

• Added seeded scenarios and search and filtering support in automated flows.
• Expanded test plan and page object coverage for Endpoint Devices.

Improved consistency and guardrails for export actions and enterprise user permissions.

• Updated export terminology from "Email" to "Domains" for Workforce exports.
• Disabled export from All Records when a date filter is present, preventing unsupported export actions.
• Hid the Delete All option for enterprise users where it is not applicable.

Copy, skeleton, and cleanup fixes to align the interface with current product functionality.

• Shipped copy updates and fixed skeleton loading behavior.
• Resolved a domain dropdown issue.
• Removed remaining email identifier references from latest watchlist events and related areas.

Expanded automated coverage and supporting reliability updates to improve product stability across environments.

• Expanded end-to-end and multi-environment test coverage, including password reuse verification flows.
• Supporting reliability updates including timeout adjustments and infrastructure maintenance.

New breach metadata fields are now available for newly ingested breach records.

• Every new breach record now includes breach_title and breach_category.
• Where available, records now also include phone_full and ec_phone_full with country code.
• Applies across supported APIs and Vela v1.

Investigations now autosave so users can resume work without losing progress.

• Searches, pivots, graph settings, and record edits are persisted automatically — no manual save required.
• Graph settings persisted: legend display, layout, orientation, legend per-item visibility, and node X/Y coordinates. Zoom and user-manipulated node placement are not persisted.
• A new Investigations home view provides a centralized library with a clean table layout; investigations can be renamed from multiple locations.
• Single left-hand nav item Investigations replaces separate "search" and "investigation" entries.
• Tab persistence: leaving and returning restores the full investigation context.
• Inline delete available directly from the home/search page.
• Note: Using an Incognito node disables saving.

API key management is now available directly in the console via a new API Keys section under Settings.

• API Keys tab: Tabular view of all organization-owned API keys for WF & EP, including key name (last 10 digits), type, quota limit, queries (month to date), and last used. Columns are customizable.
• Settings tab: Enterprise key details and IP whitelist information.
• Docs tab: Links to API documentation and data schema.

Notification settings for exposure alerts and data exports can now be configured directly in the console.

• Exposure alert (breach alert) email notifications are enabled by default for all user roles.
• Data export ready email notifications are available and disabled by default for all user roles.
• Notifications is the third item in the Settings left-hand panel, beneath Watchlist and API Keys.
• Workforce and Endpoint share the same Settings page for these controls.