v9.3 Release Notes (QUX)

Vectra AI Platform – 9.3 Release Notes

The Vectra® X-series appliances, B-series appliances, S-series sensors, VM and Cloud Brain, and VM and Cloud Sensors are scheduled to be updated to Vectra Network software release version 9.3. The 9.3 release includes Zscaler Internet Access SSE Integration, Vectra Match Integrated Ruleset Management, Attack Graphs Visualizations, JA4/JA4S Fingerprints, Network Traffic Validation UI on Quadrant UX, and AI-Triage and AI-Prioritization Enhancements.

9.3 will have the following release schedule:

  • Customers with Remote Support Enabled: Customers who have remote support enabled will receive the update starting today.

    • You can check if you have remote support enabled under Settings > General with Remote Support set to Enabled.

    • If you plan to enable or disable Remote Support in the near future, please reach out to Support to confirm if you will receive or skip the upgrade.

  • Customers Connected to Updater: Assuming a smooth rollout, customers who do not have remote support enabled but are connected to Updater will receive updates on or after August 7th, 2025.

    • You can check if you are connected to Updater under Data Source > Brain-Setup > Proxy & Status and see that Updater Destination shows as connected, while Remote Support shows disabled.

  • All Other Customers*: Assuming a smooth rollout, all customers will be able to download the update on or after August 7th, 2025.

    • *Note: This does not impact customers that have requested they be pinned to a specific release from support.

Platform

Zscaler Internet Access SSE Integration in Public Preview

Vectra AI and Zscaler have teamed up to eliminate blind spots in encrypted and direct-to-cloud traffic. Through integration with Zscaler Internet Access (ZIA), Vectra replays user traffic from secure PCAPs for full-spectrum threat detection—uncovering advanced C2 and exfiltration that traditional tools miss. It’s a game-changer for securing remote and cloud-first environments. For information see Vectra’s Press Release and Podcast. Please contact your Vectra account team if you are interested in enabling Vectra’s ZIA integration. See Zscaler ZIA Integration and Optimization for implementation details.

Vectra Match Integrated Ruleset Management

Vectra Match now makes it easier to detect known Indicators of Compromise (IOCs) with Suricata-compatible signatures—no external tools required. As of 9.3, you can manage, modify, enable, or disable rules directly in the platform, and your changes persist even after Emerging Threats updates. It’s faster to set up, simpler to maintain, and puts full control of detection logic in your hands. For more information visit Managing Vectra Match Rulesets.

Executive Overview Report

Vectra AI is introducing the Executive Overview Report—your boardroom-ready security snapshot. Purpose-built for CISOs and security leaders, it delivers clear, high-impact metrics like noise-to-signal trends and evolving attack patterns. In minutes, you’ll have the insights to showcase Vectra’s impact, steer strategic decisions, and prove how you’re reducing breach risk—no deep dives required.

Attack Graphs Visualizations in Quadrant UX

The new Attack Graph brings instant clarity to active threats by visually mapping how attackers move across your network, cloud, and identity environments. Powered by Vectra’s AI-Prioritization, each threat is now displayed directly on the host or account page—giving you immediate insight into where the attack started, what systems it interacted with, and how its risk level evolved over time.

Security teams can choose from three intuitive views to investigate threats in the way that best suits their workflow:

  • Attack Graph – See how different entities are linked during the attack.

  • Attack Flow – See the sequence of attacker actions in a structured path.

  • Attack Timeline – See how the threat risk changed and escalated.

This capability empowers SOC teams to act quickly and confidently by surfacing context and urgency in a single, actionable view. For more information visit the Attack Graph FAQ.

JA4/JA4S Fingerprints

Vectra AI now includes JA4 and JA4S fingerprints in metadata—bringing next-gen fingerprinting to encrypted traffic analysis. This powerful framework reduces collisions, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4 is supported in Investigate (RUX), Stream, and Recall, with more from the JA4+ suite coming soon. Read more about the new attributes here.

Network Traffic Validation UI in Quadrant UX

Starting in 9.3, Vectra AI has introduced new Traffic Validation pages. These pages transform the Traffic Validation JSON report into an intuitive dashboard—displaying insights faster and without the hassle of parsing raw data. Key stats are automatically checked against predefined health thresholds, with clear red or yellow indicators highlighting areas that may need attention. For more information read the FAQ.

AI-Triage Now Auto-Resolves More Benign Threats

Vectra AI’s proprietary agentic AI just got smarter. Our upgraded AI-Triage algorithm now automatically investigates and resolves 50% of benign C&C and 25% of benign Recon detections—dramatically reducing benign events. It leverages both local patterns and global insights to deliver the clearest signal yet. For more details on AI-Triage, see the AI-Triage KB and our recent update video.

Improved Threat Ranking with AI-Prioritization

Vectra AI’s AI-Prioritization has been enhanced to better surface threats that mirror recent changes in attacker behavior. Expect better separation of high and critical threats, smarter prioritization across your environment, and faster prioritization of threats. Note that some hosts’ and accounts’ threat and certainty scores may shift based on the updated scoring logic once your system is updated.

Triage Best Practices

Vectra AI is introducing a new Best Practices series designed to help users get the most out of key features in the Vectra platform. The first release in this series focuses on Triage. The Triage Best Practices guide includes common terminology, when and why to triage, how-to instructions, FAQs, and much more. Visit the Triage Best Practices article to hone your Triage workflow.

VirusTotal Removal

Vectra AI has removed the VirusTotal integration from Quadrant UX due to licensing changes. The External Destination popup no longer displays VirusTotal data, and a full UI cleanup is coming in the next release to avoid confusion. For feedback or questions on this removal, contact your Vectra AI account team.

Detections

New Detection Suite: AWS S3

Vectra AI has introduced three new detections to surface suspicious behaviors surrounding the use of AWS S3 in the impact and exfil stages of the cloud kill chain:

  • AWS Suspicious S3 Batch Deletion: This detection surfaces behaviors associated with large-scale downloads and deletions associated with multiple files. This behavior may indicate the destructive manipulation phase of ransomware activity in the environment.

  • AWS Suspicious S3 Object Deletion: Like the new S3 Batch Deletion detection, this detection highlights behaviors where individual objects were downloaded and then deleted from an S3 bucket in a way that may indicate the destructive manipulation phase of ransomware activity in the environment.

  • AWS Suspicious S3 Encryption: This detection highlights unusual encryption activities that could indicate a ransomware encryption phase in progress. It is designed to surface encryption of many S3 objects using either an external KMS key (SSE-KMS) or a client-controlled key (SSE-C).
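As an added illustration of the S3 Encryption detection's logic (not Vectra's code, and not how the product implements it), the block below runs a simple per-principal count over constructed CloudTrail S3 data events, flagging writes that use SSE-C or a KMS key owned by an account other than the bucket's. The CloudTrail field names assumed here (`x-amz-server-side-encryption`, `x-amz-server-side-encryption-aws-kms-key-id`, `x-amz-server-side-encryption-customer-algorithm`) and all account IDs, ARNs and object names are assumptions or constructed values.

```python
from collections import Counter

# Constructed CloudTrail-style S3 data events (hypothetical accounts, principals and keys).
def _put(principal, account, key, sse=None, kms_key=None, sse_c=False):
    params = {"bucketName": "finance-data", "key": key}
    if sse:
        params["x-amz-server-side-encryption"] = sse            # "AES256" or "aws:kms"
    if kms_key:
        params["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key
    if sse_c:
        params["x-amz-server-side-encryption-customer-algorithm"] = "AES256"  # SSE-C marker
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
            "recipientAccountId": account, "userIdentity": {"arn": principal},
            "requestParameters": params}

OWN_ACCOUNT = "111111111111"
OWN_KEY = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-OWN-KEY-ID"
FOREIGN_KEY = "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER-FOREIGN-KEY-ID"
APP = "arn:aws:iam::111111111111:user/app-writer"
SUSPECT = "arn:aws:iam::111111111111:user/contractor"

EVENTS = (
    [_put(APP, OWN_ACCOUNT, f"report-{i}.csv", sse="aws:kms", kms_key=OWN_KEY) for i in range(8)]
    + [_put(SUSPECT, OWN_ACCOUNT, f"report-{i}.csv", sse="aws:kms", kms_key=FOREIGN_KEY) for i in range(4)]
    + [_put(SUSPECT, OWN_ACCOUNT, f"ledger-{i}.xlsx", sse_c=True) for i in range(3)]
)

def is_externally_keyed_encryption(event):
    """True when the object was written with SSE-C or with a KMS key from another account."""
    params = event.get("requestParameters", {})
    if "x-amz-server-side-encryption-customer-algorithm" in params:
        return True  # SSE-C: the key is supplied by the caller and never stored in AWS KMS
    if params.get("x-amz-server-side-encryption") == "aws:kms":
        # Key ARN layout: arn:partition:kms:region:account-id:key/id (account is field 4).
        # A bare key ID or alias has no account field and resolves to the caller's own account.
        parts = params.get("x-amz-server-side-encryption-aws-kms-key-id", "").split(":")
        return len(parts) >= 5 and parts[4] != event.get("recipientAccountId")
    return False

def suspicious_encryption_by_principal(events, threshold=5):
    """Count qualifying object writes per principal; return those at or above the threshold."""
    counts = Counter()
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if is_externally_keyed_encryption(ev):
            counts[ev["userIdentity"]["arn"]] += 1
    return {principal: n for principal, n in counts.items() if n >= threshold}
```

Writes that use the account's own KMS key (the `app-writer` events) never count, so only the principal mixing a foreign key with SSE-C crosses the threshold.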

Signal Enhancements to M365, Azure AD and Azure

Enhancements have been introduced to the following AAD, Microsoft 365 and Azure detections to better account for the risk of the underlying behaviors and surface them promptly for review. Introduction of these enhancements may result in changes to the number of entities prioritized within the Vectra platform:

  • M365 Suspect Power Automate Activity: This detection alerts on potential exfiltration or C2 behaviors using Power Automate within the environment. The enhancements made to this detection result in significant improvements in the fidelity of this detection and reduction in the rate of false positives observed within this detection and similar detections (M365 Power Automate HTTP Flow Creation and M365 Suspicious Power Automate Flow Creation).

  • Azure AD Privilege Operation Anomaly: This detection alerts on anomalous Azure AD operations potentially associated with privilege escalation. Vectra is enhancing this detection to sharpen the behaviors considered anomalous. The expected outcome is decreased noise surrounding this detection.

  • Risky Exchange Operation: This detection alerts on privileged operations within Exchange that may be abused by an attacker. Vectra is enhancing the scope of behaviors under consideration for this alert and removing potentially benign actions in Exchange (such as setting up automated responses). Customers can expect a significant reduction in volume (over 30%) because of these enhancements.

  • Azure Diagnostic Logging Disabled: This detection surfaces defense impairment behaviors surrounding deletion of Azure diagnostic log settings. The detection has been enhanced for broader coverage around deletion of diagnostic logging on Virtual Machines (VMs). Customers may observe a minor increase in detection volumes associated with this enhancement.

Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of 9.3:

  • NDR-222: Updates the title of a Suspect Protocol Activity detection for suspicious usage of Windows Remote Management (WinRM). The new title is "Possible Malicious WinRM Usage" to better reflect the nature of the behavior.

  • CS-10426: Resolved an issue affecting some Suspect Protocol Activity detections where source and destination IP addresses were incorrectly attributed due to the client acting as a proxy. This fix has been applied across all relevant detection algorithms.

  • NDR-251: Expands detection coverage against penetration-testing techniques from tools in the Kali Linux package repository.

  • NDR-251: Expands the Tor Activity detection by identifying destination IPs that match known Tor nodes.

Bug Fixes

CS-10309: Added Detections Reduced Host’s Threat Score

Resolved an issue where a host’s threat score was reduced when new detections were added, which is not the intended behavior.

CS-10448: Variety of Sub-Accounts Linked to a Single Account

Resolved an issue where sub-accounts were incorrectly linked to the wrong user.

Appendix:

Will this upgrade perform a reboot of the Brain or Sensors?

No, a reboot is not required as part of the 9.3 update.
