April 2026 Release Notes (RUX)
🛡️ Coverage
Rapid Release Improvements
The following algorithm improvements have been made since the last software release cycle. Customers connected to Vectra's update service with Remote Support enabled have already received them; all other customers receive them as part of this release:
SASE Smash-and-Grab Exfiltration Detection: New coverage extends Smash-and-Grab exfiltration detection to SASE (Zscaler and Netskope) traffic.
XWorm C2 Detection: New coverage identifies encrypted check-in traffic patterns over TCP, improving detection of modern XWorm variants communicating with attacker infrastructure.
Beaconless C2 (Unknown + TLS): Behavioral models now detect long-lived, non-beaconing C2 sessions across both unknown and TLS protocols, including HTTPS and TLS-wrapped channels. This improves visibility into encrypted and interactive hands-on-keyboard activity while maintaining low detection noise.
Sliver & PoshC2 Enhancements: Updated coverage improves detection of evolving Sliver HTTP encoder variants and introduces new visibility into PoshC2 activity over HTTP and HTTPS, strengthening detection of PowerShell-based C2 frameworks.
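To make the "beaconless" distinction in the Beaconless C2 item concrete, here is an added illustration (my own code, not Vectra's models or any code from this page) that separates periodic check-in beaconing from a single long-lived, non-periodic session over constructed flow records. The flow tuples, IP addresses, and every threshold (minimum beacon count, coefficient-of-variation cutoff, session length) are assumptions chosen for the sample data.

```python
"""Classify (src, dst) flow pairs as periodic beaconing, a long-lived
non-beaconing session, or neither.  Added example; not Vectra's code.
Thresholds are assumptions tuned to the constructed records below."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, start_s, end_s, bytes_out, bytes_in).
FLOWS = []
# Pair A: classic beacon, one short check-in every ~60 s with +/-1 s jitter.
for i in range(20):
    t = 1000 + 60 * i + (i % 3) - 1
    FLOWS.append(("10.0.0.5", "203.0.113.10", t, t + 1, 300, 200))
# Pair B: a single session held open for ~3 h, bidirectional, no periodicity
# (the shape of an interactive hands-on-keyboard channel).
FLOWS.append(("10.0.0.7", "198.51.100.20", 2000, 2000 + 3 * 3600, 40_000, 900_000))
# Pair C: ordinary browsing, a few irregular, short connections.
for t in (500, 530, 1900, 4100, 4170, 9000):
    FLOWS.append(("10.0.0.9", "192.0.2.30", t, t + 12, 5_000, 80_000))


def classify(flows, min_beacons=8, max_cv=0.15, long_session_s=3600):
    """Return {(src, dst): label} for every pair seen in `flows`.

    beaconing               : many sessions whose start-to-start gaps are
                              nearly constant (low coefficient of variation)
    long-lived non-beaconing: at least one session open for long_session_s
                              or more, without a periodic pattern
    none                    : everything else
    """
    by_pair = defaultdict(list)
    for src, dst, start, end, b_out, b_in in flows:
        by_pair[(src, dst)].append((start, end, b_out, b_in))

    labels = {}
    for pair, sessions in by_pair.items():
        sessions.sort()
        starts = [s[0] for s in sessions]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        longest = max(end - start for start, end, _, _ in sessions)
        # Coefficient of variation of the inter-session gaps; undefined for
        # fewer than two gaps (a lone session has no periodicity to measure).
        cv = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)

        if len(sessions) >= min_beacons and cv is not None and cv <= max_cv:
            labels[pair] = "beaconing"
        elif longest >= long_session_s:
            labels[pair] = "long-lived non-beaconing"
        else:
            labels[pair] = "none"
    return labels


if __name__ == "__main__":
    for pair, label in classify(FLOWS).items():
        print(pair, "->", label)
```

A pure interval-regularity detector would never see pair B, because a session that stays open has no inter-arrival gaps at all; the duration check is what catches it. In production the same idea applies to TLS and unknown-protocol flows alike, since neither check depends on payload.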
⚙️ Architecture/Administration
Traffic Visibility Drop Alerting
Vectra AI is introducing new health notifications that alert on significant drops in observed IPs, traffic bandwidth, and packet volume that may impact detection coverage. Using machine learning, these alerts adapt to each customer's unique network patterns and identify meaningful deviations without relying on static thresholds. Alert notifications can be delivered via email, webhook integrations, the API, or Syslog on QUX.
This enhancement provides earlier awareness of visibility gaps, helping security teams quickly identify and address potential blind spots. Availability begins in April, with rollout planned in phases to ensure optimal signal quality and customer experience.
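The difference between a static threshold and an adaptive baseline is the whole point of the feature, so here is an added worked example (my own code, not Vectra's model or any code from this page) that runs both over a constructed two-week series of hourly observed-IP counts with a strong day/night cycle. The baseline method (per hour-of-day median and MAD), the sensitivity constants, and the injected mid-day drop are all assumptions; the same function applies unchanged to a bandwidth or packet-volume series.

```python
"""Static threshold vs. adaptive per-hour baseline for visibility drops.
Added example; not Vectra's algorithm.  The series is constructed."""
from statistics import median

HOURS_PER_DAY = 24


def constructed_history(days=14):
    """Hourly observed-IP counts: ~400 in office hours, ~80 at night,
    plus a small deterministic wobble so the baseline has some spread."""
    series = []
    for d in range(days):
        for h in range(HOURS_PER_DAY):
            base = 400 if 8 <= h < 20 else 80
            series.append(base + ((d * 7 + h * 3) % 11) - 5)
    return series


def robust_baseline(history, hour):
    """Median and median absolute deviation of past samples at this hour."""
    same_hour = history[hour::HOURS_PER_DAY]
    med = median(same_hour)
    mad = median(abs(x - med) for x in same_hour)
    return med, mad


def adaptive_drop(history, hour, observed, k=6.0, min_drop_frac=0.3):
    """Alert when `observed` sits far below the same-hour baseline:
    both a large relative drop and a large robust z-score are required,
    so a quiet night hour is compared with other nights, not with daytime."""
    med, mad = robust_baseline(history, hour)
    scale = max(1.4826 * mad, 1.0)        # MAD -> sigma estimate, floored
    z = (med - observed) / scale
    return observed < med * (1 - min_drop_frac) and z > k


def static_drop(observed, threshold=150):
    """The naive rule: alert whenever the count falls below a fixed number."""
    return observed < threshold


def evaluate(days=14):
    """Replay one new day against both detectors.  Returns the hours each
    detector alerts on."""
    history = constructed_history(days)
    today = [400 if 8 <= h < 20 else 80 for h in range(HOURS_PER_DAY)]
    today[12] = 120   # constructed visibility loss at noon (e.g. a lost VLAN on a SPAN port)
    static_hits = [h for h in range(HOURS_PER_DAY) if static_drop(today[h])]
    adaptive_hits = [h for h in range(HOURS_PER_DAY)
                     if adaptive_drop(history, h, today[h])]
    return static_hits, adaptive_hits


if __name__ == "__main__":
    static_hits, adaptive_hits = evaluate()
    print("static threshold alerts at hours:", static_hits)
    print("adaptive baseline alerts at hours:", adaptive_hits)
```

The static rule fires at every night hour (twelve false positives) and also at the real noon drop; the adaptive rule fires only at noon. Any fixed number low enough to stay quiet overnight would have missed a daytime drop of the same size, which is why per-pattern baselines are needed before such alerts can be routed to an on-call channel without being muted.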