
# 2026 RUX Release Notes

{% updates format="full" %}
{% update date="2026-06-19" tags="announcements,2026.06" %}

## 2026.06 - Announcements

### V3.x (RUX) API Postman Collection Deprecation

Effective August 3, 2026, Vectra AI will formally deprecate and discontinue support for the V3.x (RUX) API Postman Collection.

Customers should transition to the OpenAPI specification available through the [REST API Documentation Portal](https://apidocs.vectra.ai/). The specification can be downloaded and imported directly into Postman or other API client tools to generate and maintain API requests.

This change applies only to the V3.x (RUX) API. The V2.x (QUX) API Postman Collection will continue to be maintained and supported.

No action is required before August 3, 2026. However, customers are encouraged to migrate their workflows to the OpenAPI specification as soon as practical.

<img src="/files/6jWTJaAslgSkpyTEylZM" alt="" height="92" width="624">

{% endupdate %}

{% update date="2026-06-11" tags="signal,2026.06" %}

## 2026.06 - Signal

### EDR Process Context for Microsoft Defender now GA

Vectra AI has released Microsoft Defender EDR process correlation for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection in the platform and when the event is collected via API.

<img src="/files/Hne7zxUuAiBogk4uVnuh" alt="" height="236" width="311">

The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Was the process driving the C2 a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes that instant. Review how to update your existing integration's permissions in the [Microsoft Defender Integration FAQ](https://docs.vectra.ai/configuration/setup/edr-integrations/microsoft-defender-for-endpoint?ask=defender+process\&q=qux+rux#finding-defender-tenant-id-application-id-and-application-secret) and enable this integration today.
{% endupdate %}

{% update date="2026-05-31" tags="signal,2026.05" %}

## 2026.05 - Signal

### AI Prioritization Scoring Enhancements

Vectra AI has enhanced its AI-driven scoring capabilities with new prioritization factors that improve how threats are surfaced and ranked. Updated scoring now incorporates attacker progress, attack velocity, behavioral correlation, entity importance, privilege context, rarity, and environmental relevance to better distinguish active threats from benign activity.

These enhancements help security teams reduce alert fatigue, prioritize high-risk entities more accurately, and accelerate investigation and response to attacker activity across network, identity, cloud, and SaaS environments.

**Learn more here:**

{% embed url="https://www.vectra.ai/blog/how-vectra-ai-scoring-helps-security-teams-focus-on-what-matters-first" %}
{% endupdate %}

{% update date="2026-04-30" tags="observe,2026.04" %}

## 2026.04 - Observe

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* **SASE Smash-and-Grab Exfiltration Detection:** New coverage extends Smash-and-Grab exfiltration detection to SASE (Zscaler and Netskope) traffic.
* **XWorm C2 Detection:** New coverage identifies encrypted check-in traffic patterns over TCP, improving detection of modern XWorm variants communicating with attacker infrastructure.
* **Beaconless C2 (Unknown + TLS):** Behavioral models now detect long-lived, non-beaconing C2 sessions across both unknown and TLS protocols, including HTTPS and TLS-wrapped channels. This improves visibility into encrypted and interactive hands-on-keyboard activity while maintaining low detection noise.
* **Sliver & PoshC2 Enhancements:** Updated coverage improves detection of evolving Sliver HTTP encoder variants and introduces new visibility into PoshC2 activity over HTTP and HTTPS, strengthening detection of PowerShell-based C2 frameworks.
{% endupdate %}

{% update date="2026-04-30" tags="platform,2026.04" %}

## 2026.04 - Platform

### Traffic Visibility Drop Alerting

Vectra AI is introducing new health notifications that alert on significant drops in observed IPs, traffic bandwidth, and packet volume that may impact detection coverage. Using machine learning, these alerts adapt to each customer's unique network patterns and identify meaningful deviations without relying on static thresholds. Alert notifications can be delivered via email, webhook integrations, API, or Syslog on QUX.

This enhancement provides earlier awareness of visibility gaps, helping security teams quickly identify and address potential blind spots. Availability begins in April, with rollout planned in phases to ensure optimal signal quality and customer experience.

<a href="https://docs.vectra.ai/deployment/traffic-engineering-and-validation/traffic-visibility-drop-alerting" class="button primary">Read the documentation</a>
{% endupdate %}

{% update date="2026-03-31" tags="observe,2026.03" %}

## 2026.03 - Observe

### Sliver Command and Control Enhancements

Vectra AI has enhanced its detection coverage for Sliver Command & Control (C2) activity by incorporating the latest advances in LLM and AI-driven modeling. Sliver’s flexible beaconing—characterized by variable sleep intervals and jitter—allows attackers to evade traditional defenses, particularly in longer, low-frequency communication patterns.

With this update, Vectra leverages attention-based techniques and enriched behavioral data to better capture these complex patterns, improving detection across previously evasive scenarios. This enhancement strengthens our beaconing C2 analytics, delivering more consistent visibility into sophisticated Sliver activity and enabling earlier, more accurate threat detection.

### Hidden Tunnel Enhancements

Vectra AI has expanded its Hidden Tunnel detection to identify stealthy, non-beaconing Command & Control (C2) activity over previously uncovered protocols. This type of attacker behavior uses long-lived, low-noise connections that can evade traditional detection methods while enabling direct, hands-on control of compromised systems.

With this update, Vectra delivers stronger visibility into these evasive attack techniques, providing new behavioral coverage for previously undetected activity and helping security teams identify and respond to sophisticated threats earlier.

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic. This release includes a number of new native detections covering **Cobalt Strike, Meterpreter, Mythic C2,** and **DNScat** activity, as well as a new rule to detect SSH on other reserved ports.
* Vectra AI has introduced new visibility into generative AI application usage by detecting DeepSeek activity within network traffic. This enhancement helps security teams better understand and monitor emerging AI tool usage in their environments, supporting improved governance and risk awareness.
* Vectra AI has expanded LDAP reconnaissance detection coverage to better identify attacker attempts to enumerate privileged accounts, delegation settings, and trust relationships within Active Directory. This enhancement improves visibility into early-stage discovery activity while reducing noise through more contextual and precise detection logic.
{% endupdate %}

{% update date="2026-03-31" tags="signal,2026.03" %}

## 2026.03 - Signal

### EDR Process Context now GA

Vectra AI has released CrowdStrike EDR process correlation for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection in the platform and when the event is collected via API.

The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Was the process driving the C2 a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes that instant. Contact your Vectra AI account team to join the private preview and visit the [CrowdStrike EDR Integration FAQ](https://support.vectra.ai/vectra/article/KB-VS-1143) for instructions on how to support this integration.

<figure><img src="/files/JjK9j5e6kgYqI4Q8Tita" alt="" width="375"><figcaption></figcaption></figure>

Learn more about how Vectra AI works with CrowdStrike in this podcast.

{% embed url="https://youtu.be/yf7y74zyJjs" %}

### Investigate API in Public Preview

Vectra AI is introducing the Investigate API, now available via API v3.4. This new capability enables customers to programmatically query investigation metadata, unlocking more flexible integrations and advanced investigative workflows.

With the Investigate API, security teams can more easily integrate Vectra data into external systems, automate enrichment and response processes, and reduce reliance on manual investigation through the UI—supporting more scalable and efficient security operations.

Investigate API is available at the endpoint /api/v3.4/investigations. For more information, visit the [API documentation site](https://apidocs.vectra.ai/api/v-3-4-investigations) or the [Investigate API user guide](https://docs.vectra.ai/operations/investigate/investigate-api-user-guide).
{% endupdate %}

{% update date="2026-03-31" tags="platform,2026.03" %}

## 2026.03 - Platform

### Multi-SAML Support now GA

The Quadrant UX platform currently supports single sign-on (SSO) through integration with a customer's identity provider (IDP) using a configured SAML profile. Until now, only a single SAML profile could be defined, which restricted integration to one IDP at a time.

To tackle this, we are introducing support for multiple SAML profiles. This enhancement will enable customers and MSSPs to configure and manage integrations with multiple IDPs simultaneously, providing greater flexibility and alignment with complex identity environments. Multi-SAML enablement is supported through the UI ([documentation](https://docs.vectra.ai/configuration/access/saml-sso-qux/any-idp-saml-qux)) and API ([documentation](https://docs.vectra.ai/configuration/access/api-qux/v25-api-guide-qux?utm_source=sfdc)).

<figure><img src="/files/V73tjB4llIuPaDKmgy80" alt=""><figcaption></figcaption></figure>

### Traffic Validation (ENTV) Alerts

Traffic Validation now delivers clear, actionable notifications when network traffic quality risks detection coverage. Customers are alerted on critical, aggregate events—such as asymmetric flows or dropped packets—that impact visibility. [Traffic Validation Sys\_check Alerts](https://docs.vectra.ai/deployment/traffic-engineering-and-validation/entv-syscheck-descriptions) provides clear explanations and recommended solutions, helping teams resolve problems faster and maintain reliable, high-confidence detections.

### New Close Workflow Enabled by Default

In 9.10, customers will be moved by default to our new close workflow. The New Close workflow offers better workflows for customers and will also power our new operational SOC overflow report. Customers can opt out at any time from their configuration section. Learn more about [the workflow here.](https://docs.vectra.ai/operations/analyst-guidance/new-close-workflow?utm_source=sfdc)

### Account Menu Location

Vectra AI has updated the user interface to introduce a new account menu in the top-right corner of the page. This centralized location provides quick access to user settings, theme preferences, and logout options, improving overall navigation and usability.

<figure><img src="/files/pC6lVSWNJ1MQba2dt5Ge" alt="" width="324"><figcaption></figcaption></figure>
{% endupdate %}

{% update date="2026-02-28" tags="signal,2026.02" %}

## 2026.02 - Signal

### Probable Owner on Attack Graph

Building on our previous detection visualization work, Attack Graphs now surface a "Probable Owner" for entities, helping analysts quickly identify responsible users or service accounts during investigations. This reduces friction when pivoting from detection to ownership context. Additionally, we enhanced Attack Graphs with the Vectra Perspective view, enabling analysts to better visualize malicious activity. This iteration improves clarity, investigation efficiency, and the ability to understand attack progression across entities.
{% endupdate %}

{% update date="2026-02-28" tags="platform,2026.02" %}

## 2026.02 - Platform

### Dark Mode

Welcome to the dark side...of the Vectra AI Platform! Customers can now toggle to dark mode under My Profile > Theme. [Some pages](https://support.vectra.ai/vectra/article/KB-VS-3217) are still being migrated to support Dark mode over the coming releases.

<figure><img src="/files/makJgSbyaiHifogrXLs8" alt=""><figcaption></figcaption></figure>
{% endupdate %}

{% update date="2026-01-31" tags="observe,2026.01" %}

## 2026.01 - Observe

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic.
  * This release introduces additional detections for Cobalt Strike, Brute Ratel, and PowerShell Empire.
* Vectra AI has improved the Smash and Grab detection accuracy by ensuring destination domain names update correctly when observed later in a session. This enhancement allows whitelist logic to function as intended, reducing unnecessary alerts and improving the fidelity of Smash and Grab detections.
* Vectra AI has improved information-level detections for Remote Management and Monitoring (RMM) tools by correctly populating application protocol details in detection metadata. This enhancement provides clearer context on Host pages when RMM activity is observed, improving investigative clarity while maintaining a low-noise, non-scoring alerting experience.
* Vectra AI has refined its Mythic C2 detection logic to reduce false positives by tightening how server certificate fields are evaluated. This update narrows overly broad pattern matching, preventing benign domains containing similar terms from triggering alerts and improving overall detection fidelity.

### New Detection: Azure Suspect Operation - DNS Security Policy Modification

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to DNS Security Policies. The new Azure Suspect Operation - DNS Security Policy Modification detection is designed to surface actions where an entity was observed deleting or modifying a resource associated with a DNS Security Policy. This could disable the logging of DNS queries or otherwise tamper with DNS resolution within the Azure environment. Threat actors use this technique to impair logging and evade detection.

### New Detection: Azure Suspect Operation - Flow Logs Disabled

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to network flow logging. The new Azure Suspect Operation - Flow Logs Disabled detection is designed to surface actions where an entity was observed deleting an Azure flow log resource. This indicates removal of flow logging for a VNet, subnet or NIC and is a well-known cloud defense evasion technique leveraged by attackers to impair visibility and auditability of actions.

### New Detection: Azure Suspect Operation - Network Security Config Change

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications of network security configurations. The new Azure Suspect Operation - Network Security Config Change detection is designed to surface actions where an entity is unexpectedly creating or modifying an Azure network security group (NSG) or modifying an Azure firewall resource. This may indicate lateral movement within the network or an attempt to impair defenses.

### New Detection: Azure Suspect Operation - High-Risk Deletion

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with high-risk deletions in an Azure environment. The new Azure Suspect Operation - High-Risk Deletion detection is designed to surface actions such as removal of sensitive backups and immutability policies that threat actors may use to blind defenses and cause impact. This detection strengthens coverage against cloud threat actors like Storm-0501 that have leveraged these techniques in documented attacks.

### Detection Enhancement: Azure TOR Activity

Enhancements have been introduced to the Azure TOR activity detection model to improve prioritization of the entities associated with this behavior. Moving forward, Vectra AI gives additional priority weight to entities that exhibit this behavior so that they are promptly surfaced in the Respond page. Customers may observe a minor increase in prioritized entities as a result of this change.

### New Detection: Azure AD Suspect Operation: Guest User Added

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Guest User Added detection is designed to surface behaviors where a principal is observed inviting an external guest user into the environment in a way that is inconsistent with the observed principal's behavioral profile. This method is used by threat actors in social engineering campaigns to establish access and maintain persistence in a victim's environment.

### New Detection: Azure AD Suspect Operation: Unusual Sign-On from a Proxy

Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Unusual Sign-On from a Proxy detection is designed to surface actions where a principal is observed signing in using a proxy or a VPN that is inconsistent with its normal behavior. This is a method used by threat actors to mask their true location. This detection is the first to leverage Vectra AI's new Threat Intelligence engine - a collection of private and licensed threat feeds designed to provide rich contextual and reputational information for the highest possible signal clarity.

### Improved Kerberos Cipher Visibility

We enhanced how Kerberos encryption metadata is reported to provide more accurate visibility into authentication activity.

The platform now clearly distinguishes between:

* The encryption ciphers requested by the client
* The cipher used to protect the Kerberos session key
* The cipher used to encrypt the Kerberos ticket

This improvement strengthens the investigation of Kerberos-based attack techniques, including AS-REP Roasting and Kerberoasting, by ensuring the correct encryption context is surfaced for each authentication stage.

Security teams performing threat hunting or reviewing authentication telemetry may notice updated Kerberos cipher fields beginning at the end of January. No action is required, but existing queries or workflows should be reviewed to account for the updated metadata.

### Enhanced Kerberos Pre-Authentication Visibility

We introduced improved visibility into Kerberos pre-authentication (PA-DATA) exchanges during AS-REQ and AS-REP flows.

The platform now exposes both the types and counts of pre-authentication data used by the client and returned by the KDC. This provides additional context for understanding how Kerberos authentication is negotiated and helps security teams identify abnormal or unexpected pre-authentication behavior.

These enhancements support more effective investigation of Kerberos-based attacks and misconfigurations, particularly those involving modified or bypassed pre-authentication mechanisms.

Threat hunters and analysts reviewing Kerberos authentication telemetry may observe new pre-authentication metadata beginning at the end of January.
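The two Kerberos sections above describe three separate cipher fields (client-requested etypes, session-key etype, ticket etype) and the PA-DATA types seen in AS exchanges. The following added example, which is not Vectra code and assumes a hypothetical record layout rather than the platform's real metadata schema, shows the kind of triage those separated fields make possible: flagging an RC4 service ticket issued to a client that offered AES (the condition Kerberoasting relies on), an RC4-only request, and an AS-REP issued without an encrypted-timestamp pre-authentication (the condition AS-REP Roasting relies on). Only the etype and PA-DATA numbers are standard RFC values; the sample records are constructed.

```python
from dataclasses import dataclass, field

# Kerberos encryption type numbers (IANA registry, RFC 3962 / RFC 4757).
RC4_HMAC = 23
AES128_CTS_HMAC_SHA1 = 17
AES256_CTS_HMAC_SHA1 = 18
AES_TYPES = {AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1}

# Pre-authentication data type numbers (RFC 4120 section 7.5.2).
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19
PA_PAC_REQUEST = 128


@dataclass
class KerberosRecord:
    """One AS or TGS exchange. Field names are an assumption made for this
    example and are not the platform's actual metadata schema."""
    exchange: str                  # "AS" or "TGS"
    client: str
    service: str
    success: bool                  # KDC returned a ticket rather than KRB-ERROR
    requested_etypes: list[int]    # ciphers offered by the client
    session_key_etype: int         # cipher protecting the session key
    ticket_etype: int              # cipher protecting the ticket itself
    client_pa_types: list[int] = field(default_factory=list)  # PA-DATA sent by client


def triage(rec: KerberosRecord) -> list[str]:
    """Return the findings that the separated cipher and PA-DATA fields expose."""
    findings: list[str] = []
    if rec.exchange == "TGS" and rec.success:
        # Client offered AES but the service ticket is RC4: the SPN account has
        # no AES keys, which is what makes the ticket cheap to crack offline.
        if rec.ticket_etype == RC4_HMAC and AES_TYPES & set(rec.requested_etypes):
            findings.append("rc4_service_ticket_despite_aes_request")
        # Client asked for nothing but RC4: a deliberate downgrade request.
        if set(rec.requested_etypes) == {RC4_HMAC}:
            findings.append("rc4_only_request")
    if rec.exchange == "AS" and rec.success:
        # An AS-REP issued without PA-ENC-TIMESTAMP from the client means the
        # account does not require pre-authentication.
        if PA_ENC_TIMESTAMP not in rec.client_pa_types:
            findings.append("as_rep_without_preauth")
    return findings


def triage_all(records: list[KerberosRecord]) -> dict[str, list[str]]:
    """Map each record to its findings, keyed by client, service and index."""
    return {f"{r.client}->{r.service}#{i}": triage(r) for i, r in enumerate(records)}


# Constructed sample telemetry (not real captures). Record 0 is the normal first
# round trip that the KDC rejects with a pre-authentication challenge.
SAMPLE = [
    KerberosRecord("AS", "alice", "krbtgt/CORP", False, [18, 17, 23], 0, 0, [PA_PAC_REQUEST]),
    KerberosRecord("AS", "alice", "krbtgt/CORP", True, [18, 17, 23], 18, 18,
                   [PA_ENC_TIMESTAMP, PA_PAC_REQUEST]),
    KerberosRecord("AS", "svc-legacy", "krbtgt/CORP", True, [18, 17, 23], 18, 18, [PA_PAC_REQUEST]),
    KerberosRecord("TGS", "alice", "MSSQLSvc/db01", True, [18, 17, 23], 18, 23),
    KerberosRecord("TGS", "bob", "HTTP/web01", True, [23], 23, 23),
]

if __name__ == "__main__":
    for key, found in triage_all(SAMPLE).items():
        print(key, found or ["-"])
```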

### Vulnerability Fixes

#### CVE-2025-11839

Addressed a medium-severity vulnerability related to GNU Binutils that could allow a local attacker to exploit an unchecked return value. Vectra has applied the appropriate package updates to remediate the issue and reduce potential exploitability.

#### CVE-2025-11840

Resolved a medium-severity vulnerability in GNU Binutils caused by an out-of-bounds read condition. Vectra has updated the affected components to address the issue and improve overall platform security.
{% endupdate %}
{% endupdates %}

