# April 2026 Release Notes (RUX)

## 🛡️ Coverage

### Rapid Release Improvements

The following improvements have been made to detection algorithms since the last software release cycle. Customers who are connected to Vectra’s update service with Remote Support enabled have already received these improvements. All other customers will receive them as part of this release:

* **SASE Smash-and-Grab Exfiltration Detection:** New coverage extends Smash-and-Grab exfiltration detection to SASE (Zscaler and Netskope) traffic.
* **XWorm C2 Detection:** New coverage identifies encrypted check-in traffic patterns over TCP, improving detection of modern XWorm variants communicating with attacker infrastructure.
* **Beaconless C2 (Unknown + TLS):** Behavioral models now detect long-lived, non-beaconing C2 sessions across both unknown and TLS protocols, including HTTPS and TLS-wrapped channels. This improves visibility into encrypted and interactive hands-on-keyboard activity while maintaining low detection noise.
* **Sliver & PoshC2 Enhancements:** Updated coverage improves detection of evolving Sliver HTTP encoder variants and introduces new visibility into PoshC2 activity over HTTP and HTTPS, strengthening detection of PowerShell-based C2 frameworks.

## ⚙️ Architecture/Administration

### Traffic Visibility Drop Alerting

Vectra AI is introducing new health notifications that alert on significant drops in observed IPs, traffic bandwidth, and packet volume that may impact detection coverage. Using machine learning, these alerts adapt to each customer’s unique network patterns and identify meaningful deviations without relying on static thresholds. Alert notifications can be delivered via email, webhook integrations, API, or Syslog on QUX.

This enhancement provides earlier awareness of visibility gaps, helping security teams quickly identify and address potential blind spots. Availability begins in April, with rollout planned in phases to ensure optimal signal quality and customer experience.

[Read the documentation](https://docs.vectra.ai/deployment/traffic-engineering-and-validation/traffic-visibility-drop-alerting)

