v9.8 Release Notes (QUX)
9.8: Rapid Release Improvements; Azure Detections; Traffic Lockdown; Operational Overview Report; Navigational Change; Syslog Cert Validation; SSH Login; GCP deployments via Terraform.
9.8 will have the following release schedule:
Customers with Remote Support Enabled: Customers who have remote support enabled will receive the update starting today.
You can check if you have remote support enabled under Settings > General with Remote Support set to Enabled.
If you plan to enable or disable Remote Support in the near future, please reach out to Support to confirm if you will receive or skip the upgrade.
Customers Connected to Updater: Assuming a smooth rollout, customers who do not have remote support enabled but are connected to Updater will receive updates on or after January 20th, 2026.
You can check if you are connected to Updater under Data Source > Brain-Setup > Proxy & Status and see that Updater Destination shows as connected, while Remote Support shows disabled.
All Other Customers*: Assuming a smooth rollout, all customers will be able to download the update on or after January 28th, 2026.
*Note: This does not impact customers that have requested they be pinned to a specific release from support.
🛡️ Coverage
Rapid Release Improvements
The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:
Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic.
This release introduces additional detections for Cobalt Strike, Brute Ratel, and PowerShell Empire.
Vectra AI has improved the Smash and Grab detection accuracy by ensuring destination domain names update correctly when observed later in a session. This enhancement allows whitelist logic to function as intended, reducing unnecessary alerts and improving the fidelity of Smash and Grab detections.
Vectra AI has improved information-level detections for Remote Management and Monitoring (RMM) tools by correctly populating application protocol details in detection metadata. This enhancement provides clearer context on Host pages when RMM activity is observed, improving investigative clarity while maintaining a low-noise, non-scoring alerting experience.
Vectra AI has refined its Mythic C2 detection logic to reduce false positives by tightening how server certificate fields are evaluated. This update narrows overly broad pattern matching, preventing benign domains containing similar terms from triggering alerts and improving overall detection fidelity.
New Detection: Azure Suspect Operation - DNS Security Policy Modification
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to DNS Security Policy resources. The new Azure Suspect Operation - DNS Security Policy Modification detection is designed to surface actions where an entity was observed deleting or modifying a resource associated with a DNS Security Policy. This could disable the logging of DNS queries or otherwise tamper with DNS resolution within the Azure environment. Threat actors use this technique to impair logging and evade detection.
New Detection: Azure Suspect Operation - Flow Logs Disabled
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to network flow logging. The new Azure Suspect Operation - Flow Logs Disabled detection is designed to surface actions where an entity was observed deleting an Azure flow log resource. This indicates removal of flow logging for a VNet, subnet or NIC and is a well-known cloud defense evasion technique leveraged by attackers to impair visibility and auditability of actions.
New Detection: Azure Suspect Operation - Network Security Config Change
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications of network security configurations. The new Azure Suspect Operation - Network Security Config Change detection is designed to surface actions where an entity is unexpectedly creating or modifying an Azure network security group (NSG) or modifying an Azure firewall resource. This may indicate lateral movement within the network or an attempt to impair defenses.
New Detection: Azure Suspect Operation - High-Risk Deletion
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with high-risk deletions in an Azure environment. The new Azure Suspect Operation - High-Risk Deletion detection is designed to surface actions such as removal of sensitive backups and immutability policies that threat actors may use to blind defenses and cause impact. This detection strengthens coverage against cloud threat actors like Storm-0501 that have leveraged these techniques in documented attacks.
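As an added illustration (not Vectra's detection code), the following Python shows the kind of Azure Activity Log triage the four Azure Suspect Operation detections above describe: it parses JSON-lines activity records, maps each operation name to one of the four detection categories, and notes whether the caller had performed that class of operation earlier in the log, a crude stand-in for the behavioral baseline. The operation-name patterns are assumed from the Azure resource-provider operation catalogue (confirm them against your own export), and the log records are constructed sample data.

```python
import json
import re
from collections import defaultdict

# Constructed sample records (not real data) in the shape of an Azure Monitor
# activity-log export: one JSON object per line.
SAMPLE_ACTIVITY_LOG = """
{"time":"2026-01-12T09:01:00Z","caller":"ops@example.com","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-https","resultType":"Success"}
{"time":"2026-01-12T09:05:00Z","caller":"svc-deploy@example.com","operationName":"Microsoft.Compute/virtualMachines/write","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01","resultType":"Success"}
{"time":"2026-01-12T23:40:00Z","caller":"svc-deploy@example.com","operationName":"Microsoft.Network/networkWatchers/flowLogs/delete","resourceId":"/subscriptions/s1/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/web-nsg-flowlog","resultType":"Success"}
{"time":"2026-01-12T23:42:00Z","caller":"svc-deploy@example.com","operationName":"Microsoft.Network/dnsResolverPolicies/delete","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Network/dnsResolverPolicies/corp-dns-policy","resultType":"Success"}
{"time":"2026-01-12T23:45:00Z","caller":"svc-deploy@example.com","operationName":"Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/backupsa/blobServices/default/containers/backups/immutabilityPolicies/default","resultType":"Success"}
"""

# Operation-name patterns for the four detection categories. These are
# assumed from the Azure resource-provider operation catalogue, not taken
# from the product; verify them against your own activity-log export.
RULES = {
    "DNS Security Policy Modification": re.compile(r"^Microsoft\.Network/dnsResolverPolicies(/.*)?/(write|delete)$"),
    "Flow Logs Disabled": re.compile(r"^Microsoft\.Network/networkWatchers/flowLogs/delete$"),
    "Network Security Config Change": re.compile(r"^Microsoft\.Network/(networkSecurityGroups(/securityRules)?|azureFirewalls)/write$"),
    "High-Risk Deletion": re.compile(r"^Microsoft\.(RecoveryServices/vaults/.*/protectedItems|Storage/storageAccounts/.*/immutabilityPolicies)/delete$"),
}


def classify(operation_name):
    """Return the detection category an operation name maps to, or None."""
    for name, pattern in RULES.items():
        if pattern.match(operation_name):
            return name
    return None


def detect(jsonl):
    """Parse JSON-lines activity records and return one finding per successful
    operation that matches a rule. 'new_for_caller' is True when this caller
    has not performed that category earlier in the log, which is the
    'inconsistent with the principal's profile' signal in its simplest form."""
    seen = defaultdict(set)  # caller -> categories already observed
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("resultType") != "Success":
            continue  # only completed changes are considered in this sketch
        name = classify(rec["operationName"])
        if name is None:
            continue
        first_time = name not in seen[rec["caller"]]
        seen[rec["caller"]].add(name)
        findings.append({"time": rec["time"], "caller": rec["caller"], "detection": name,
                         "resource": rec["resourceId"], "new_for_caller": first_time})
    return findings
```

Run on the sample, svc-deploy@example.com produces three findings within five minutes (flow log deleted, DNS policy deleted, immutability policy deleted), which is the cluster of defense-evasion and impact actions an analyst would want grouped on one entity.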
Detection Enhancement: Azure TOR Activity
Enhancements have been introduced to the Azure TOR activity detection model to improve prioritization of the entities associated with this behavior. Moving forward, Vectra AI weights entities that exhibit this behavior more heavily so that they are promptly surfaced in the Respond page. Customers may observe a minor increase in prioritized entities as a result of this change.
New Detection: Azure AD Suspect Operation: Guest User Added
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Guest User Added detection is designed to surface behaviors where a principal is observed inviting an external guest user into the environment in a way that is inconsistent with the observed principal's behavioral profile. This method is used by threat actors in social engineering campaigns to establish access and maintain persistence in a victim's environment.
New Detection: Azure AD Suspect Operation: Unusual Sign-On from a Proxy
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Unusual Sign-On from a Proxy detection is designed to surface actions where a principal is observed signing in using a proxy or a VPN that is inconsistent with its normal behavior. This is a method used by threat actors to mask their true location. This detection is the first to leverage Vectra AI's new Threat Intelligence engine - a collection of private and licensed threat feeds designed to provide rich contextual and reputational information for the highest possible signal clarity.
🚦 Control
Traffic Lockdown: Automated Network Defense via Firewall Integration
Vectra AI now empowers customers to take instant action on detected threats with Traffic Lockdown, a new capability that automatically blocks malicious hosts at the firewall level. By integrating directly with supported firewalls, Vectra AI dynamically publishes threat feed IPs for immediate enforcement with no manual rules or complex setup required. Security teams gain faster containment, cleaner workflows, and stronger protection where it matters most: at the network edge. Visit Traffic Lockdown for configuration instructions.
Operational Overview Report
Introducing the Operational Overview Report — your SOC’s new command view for performance and impact. This report brings together key metrics like Mean Time to Assignment, Mean Time to Investigate, and Mean Time to Resolve, alongside top detections, MITRE ATT&CK mappings, and prioritized entities in one clear, visual dashboard. It quantifies how Vectra AI drives faster investigations, sharper triage, and measurable efficiency gains. With powerful insights for business reviews, executive reporting, and daily operations, it turns performance data into proof of value.
⚙️ Architecture/Administration
Navigational Change: Configuration
We’ve streamlined how you manage your environment in the Vectra AI Platform. The new Configuration tab unifies the Manage & Settings options to bring all configuration and control settings into one clear, intuitive view, so you can find what you need faster and act with confidence. This update eliminates friction and simplifies navigation. Less searching. More doing.

Syslog Certificate Validation
Vectra 9.8 adds support for validating server certificates for Syslog destinations using TLS. Validation is controlled by a checkbox in the Syslog configuration, allowing customers to confirm their certificates before enabling validation. Follow the Configuration Steps on Vectra’s Syslog Guide for guidance.
Note: During this update, we also identified a prior issue that could result in a missing Server CA certificate in certain configurations. Customers should review their Syslog settings under Configuration > Response > Notifications to confirm all required certificates are present.
SSH Login to Vectra Appliances (Private Preview)
Vectra AI has simplified and clarified how administrators access appliances over SSH. Now authorized UI users can log in using their own SSH credentials, rather than relying on the shared vectra account. Administrators can manage personal SSH keys and CLI passwords directly from the Web UI. These updates make it easier for teams to follow best practices, reduce reliance on default credentials, and maintain secure administrative access. To learn more, visit SSH Login to Vectra Appliances Documentation Guide.
GCP Deployments Transition to Infrastructure Manager
GCP deployments now use Infrastructure Manager, which replaces Deployment Manager, ensuring continued support and a more reliable deployment experience. This update simplifies how Vectra brains and sensors are deployed on GCP, replacing deprecated tooling.
Deployment guides will be updated with the Infrastructure Manager process: GCP vSensor Deployment Guide, GCP Brain Deployment Guide, Stream Deployment Guide.
Introducing the Vectra S127 System
We’re excited to announce the newest member of the Vectra appliance family — the S127, available for order today! The S127 is the direct successor to our workhorse S101 platform, delivering the same trusted performance with modernized hardware and room to grow. The S127 supports 58 Gbps aggregate Sensor capacity, and 30 Gbps performance with Match Enabled. For more information about the appliance specs, please see the Appliance and Sensor Specifications.
For the deployment guide, please see the S127 Quick Start Guide.
🐞 Bug Fixes
Please log in to https://support.vectra.ai/vectra/ and search "Quadrant UX Bug Fixes" to view the latest bug fixes.
📎 Appendix
Coming Soon: Traffic Validation Notifications
Traffic Validation now delivers clear, actionable notifications when network traffic quality puts detection coverage at risk. Customers can quickly see whether sensors are capturing the right traffic and pinpoint specific issues—such as asymmetric flows or dropped packets—that impact visibility. Traffic Validation Sys_check Descriptions provides clear explanations and recommended solutions, helping teams resolve problems faster and maintain reliable, high-confidence detections.
B101 Platform End of Sale Notice
The B101 platform reached its End of Sale milestone on Nov 25th, 2025. As part of this milestone, Vectra has been transitioning to the new B127 system.
While the B101 reached End of Sale on Nov 25th, 2025, we are going to continue to provide full platform support until Nov 25th, 2030. This includes support for new software releases, Vectra Customer Support, and hardware warranty based upon the warranty terms at time of purchase.
For more information about Vectra EOS/EOL, please see End of Sale/End of Life Policy Page.
Will this upgrade perform a reboot of the Brain or Sensors?
No, a reboot is not required as part of the 9.8 update.