# v9.10 Release Notes (QUX)

## 🛡️ Coverage

### Sliver Command and Control Enhancements

Vectra AI has enhanced its detection coverage for Sliver Command & Control (C2) activity by incorporating the latest advances in LLM and AI-driven modeling. Sliver’s flexible beaconing—characterized by variable sleep intervals and jitter—allows attackers to evade traditional defenses, particularly in longer, low-frequency communication patterns.

With this update, Vectra leverages attention-based techniques and enriched behavioral data to better capture these complex patterns, improving detection across previously evasive scenarios. This enhancement strengthens our beaconing C2 analytics, delivering more consistent visibility into sophisticated Sliver activity and enabling earlier, more accurate threat detection.

### Hidden Tunnel Enhancements

Vectra AI has expanded its Hidden Tunnel detection to identify stealthy, non-beaconing Command & Control (C2) activity over previously uncovered protocols. This type of attacker behavior uses long-lived, low-noise connections that can evade traditional detection methods while enabling direct, hands-on control of compromised systems.

With this update, Vectra delivers stronger visibility into these evasive attack techniques, providing new behavioral coverage for previously undetected activity and helping security teams identify and respond to sophisticated threats earlier.

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic. This release includes a number of new native detections covering **Cobalt Strike, Meterpreter, Mythic C2,** and **DNScat** activity, as well as a new rule to detect SSH on other reserved ports.
* Vectra AI has introduced new visibility into generative AI application usage by detecting DeepSeek activity within network traffic. This enhancement helps security teams better understand and monitor emerging AI tool usage in their environments, supporting improved governance and risk awareness.
* Vectra AI has expanded LDAP reconnaissance detection coverage to better identify attacker attempts to enumerate privileged accounts, delegation settings, and trust relationships within Active Directory. This enhancement improves visibility into early-stage discovery activity while reducing noise through more contextual and precise detection logic.

#### Improved NTLM Authentication Visibility

We enhanced how NTLM authentication metadata is captured and reported to provide deeper visibility into legacy authentication activity across the network.

The platform now surfaces additional NTLM authentication context in Stream and Recall, including:

* The NTLM server challenge used during authentication
* The NTLM protocol version observed in the exchange

For specific field names and descriptions, visit [Metadata Attributes](https://docs.vectra.ai/reference/metadata-attributes/vectra-ai-platform-network-metadata-attributes).

#### Expanded DHCP Metadata Visibility

We expanded DHCP telemetry to provide richer device and network configuration context for hosts joining the network.

Additional DHCP metadata fields are now captured and available in Stream and Recall, including:

* Vendor and user class identifiers used for device fingerprinting
* Client system architecture and vendor-specific device metadata
* Network configuration attributes such as router information and parameter request lists
* Device provisioning and configuration metadata including TFTP server names, WPAD URLs, and MUD URLs

These enhancements improve device identification, asset fingerprinting, and network visibility by exposing additional configuration signals present during DHCP negotiations. For specific field names and descriptions, visit [Metadata Attributes](https://docs.vectra.ai/reference/metadata-attributes/vectra-ai-platform-network-metadata-attributes).

## 🔎 Clarity

#### EDR Process Context now GA

Vectra AI has released CrowdStrike EDR process correlation for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection in the platform and when the event is collected via API.

The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Was the process driving C2 a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes that instant. Contact your Vectra AI account team to join the private preview and visit [CrowdStrike EDR Integration FAQ](https://support.vectra.ai/vectra/article/KB-VS-1143) for instructions on how to support this integration.

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2FABUSPuDgDpLmOFBzAJvO%2FEDR%20Process%20Correlation%20Zoom%20Effect%20Small.gif?alt=media&#x26;token=041d2d97-037b-4fe2-bec6-861ab295d474" alt="" width="375"><figcaption></figcaption></figure>

Learn more about how Vectra AI works with CrowdStrike in this podcast.

{% embed url="<https://youtu.be/yf7y74zyJjs>" %}

## ⚙️ Architecture/Administration

### Dark Mode in Public Preview

Welcome to the dark side...of the Vectra AI Platform! Customers can now toggle to dark mode under My Profile > Theme. [Some pages](https://support.vectra.ai/s/article/KB-VS-3217) are still being migrated to support Dark mode over the coming releases.

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2F1l9ufU8fKIjyzMdclNYN%2Funknown.gif?alt=media&#x26;token=dd666971-3e4a-4ff6-b981-539f3fe127e4" alt="" width="375"><figcaption></figcaption></figure>


### Traffic Validation (ENTV) Alerts

Traffic Validation now delivers clear, actionable notifications when network traffic quality risks detection coverage. Customers are alerted on critical, aggregate events—such as asymmetric flows or dropped packets—that impact visibility. [Traffic Validation Sys\_check Alerts](https://docs.vectra.ai/deployment/traffic-engineering-and-validation/entv-syscheck-descriptions) provides clear explanations and recommended solutions, helping teams resolve problems faster and maintain reliable, high-confidence detections.

### SSH Login to Vectra Appliances now GA

Vectra AI has simplified and clarified how administrators access appliances over SSH. Now authorized UI users can log in using their own SSH credentials, rather than relying on the shared vectra account. Administrators can manage personal SSH keys and CLI passwords directly from the Web UI. These updates make it easier for teams to follow best practices, reduce reliance on default credentials, and maintain secure administrative access. To learn more, visit [SSH Login to Vectra Appliances Documentation Guide](https://support.vectra.ai/vectra/article/KB-VS-1704).

### New Close Workflow Enabled by Default

In 9.10, customers will be moved by default to our new close workflow. The new close workflow offers better workflows for customers and will also power our new operational SOC overflow report. Customers can opt out at any time from their configuration section. Learn more about [the workflow here.](https://docs.vectra.ai/operations/analyst-guidance/new-close-workflow?utm_source=sfdc)

### Multi-SAML Support now GA

The Quadrant UX platform currently supports single sign-on (SSO) through integration with a customer’s identity provider (IDP) using a configured SAML profile. Until now, only a single SAML profile could be defined, which restricted integration to one IDP at a time.

To tackle this, we are introducing support for multiple SAML profiles. This enhancement will enable customers and MSSPs to configure and manage integrations with multiple IDPs simultaneously, providing greater flexibility and alignment with complex identity environments. Multi-SAML enablement is supported through the UI ([documentation](https://docs.vectra.ai/configuration/access/saml-sso-qux/any-idp-saml-qux)) and API ([documentation](https://docs.vectra.ai/configuration/access/api-qux/v25-api-guide-qux?utm_source=sfdc)).

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2FZ7kkzyd41saKkZakZ0Bj%2Fimage.png?alt=media&#x26;token=788c6fef-7e37-488e-b2e8-5740590410cc" alt=""><figcaption></figcaption></figure>

## 🐞 Bug Fixes

Please log in to <https://support.vectra.ai/vectra/> and search "Quadrant UX Bug Fixes" to view the latest bug fixes.

## 📎 Appendix

### S101 Platform End of Sale Notice

The S101 platform reached its End of Sale milestone on Feb 13<sup>th</sup>, 2026. As part of this milestone, Vectra has been transitioning to the new S127 system.

While the S101 reached End of Sale on Feb 13<sup>th</sup>, 2026, we will continue to provide full platform support until Feb 13<sup>th</sup>, 2031. This includes support for new software releases, Vectra Customer Support, and hardware warranty based upon warranty terms at time of purchase.

For more information about Vectra EOS/EOL, please see [End of Sale/End of Life Policy Page.](https://support.vectra.ai/vectra/article/KB-VS-1268)

### Will this upgrade perform a reboot of the Brain or Sensors?

No, a reboot is not required as part of the 9.10 update.
