# Mar 2026 Release Notes (RUX)

## 🛡️ Coverage

### Sliver Command and Control Enhancements

Vectra AI has enhanced its detection coverage for Sliver Command & Control (C2) activity by incorporating the latest advances in LLM and AI-driven modeling. Sliver’s flexible beaconing—characterized by variable sleep intervals and jitter—allows attackers to evade traditional defenses, particularly in longer, low-frequency communication patterns.

With this update, Vectra leverages attention-based techniques and enriched behavioral data to better capture these complex patterns, improving detection across previously evasive scenarios. This enhancement strengthens our beaconing C2 analytics, delivering more consistent visibility into sophisticated Sliver activity and enabling earlier, more accurate threat detection.

### Hidden Tunnel Enhancements

Vectra AI has expanded its Hidden Tunnel detection to identify stealthy, non-beaconing Command & Control (C2) activity over previously uncovered protocols. This type of attacker behavior uses long-lived, low-noise connections that can evade traditional detection methods while enabling direct, hands-on control of compromised systems.

With this update, Vectra delivers stronger visibility into these evasive attack techniques, providing new behavioral coverage for previously undetected activity and helping security teams identify and respond to sophisticated threats earlier.

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic. This release includes a number of new native detections covering **Cobalt Strike, Meterpreter, Mythic C2,** and **DNScat** activity, as well as a new rule to detect SSH on other reserved ports.
* Vectra AI has introduced new visibility into generative AI application usage by detecting DeepSeek activity within network traffic. This enhancement helps security teams better understand and monitor emerging AI tool usage in their environments, supporting improved governance and risk awareness.
* Vectra AI has expanded LDAP reconnaissance detection coverage to better identify attacker attempts to enumerate privileged accounts, delegation settings, and trust relationships within Active Directory. This enhancement improves visibility into early-stage discovery activity while reducing noise through more contextual and precise detection logic.

## 🔎 Clarity

### EDR Process Context now GA

Vectra AI has released CrowdStrike EDR process correlation for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection, both in the platform and when the event is collected via API.

The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Was the process driving C2 a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes that instant. Contact your Vectra AI account team to join the private preview and visit [CrowdStrike EDR Integration FAQ](https://support.vectra.ai/vectra/article/KB-VS-1143) for instructions on how to support this integration.

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2FABUSPuDgDpLmOFBzAJvO%2FEDR%20Process%20Correlation%20Zoom%20Effect%20Small.gif?alt=media&#x26;token=041d2d97-037b-4fe2-bec6-861ab295d474" alt="" width="375"><figcaption></figcaption></figure>

Learn more about how Vectra AI works with CrowdStrike in this podcast.

{% embed url="<https://youtu.be/yf7y74zyJjs>" %}

### Investigate API in Public Preview

Vectra AI is introducing the Investigate API, now available via API v3.4. This new capability enables customers to programmatically query investigation metadata, unlocking more flexible integrations and advanced investigative workflows.

With the Investigate API, security teams can more easily integrate Vectra data into external systems, automate enrichment and response processes, and reduce reliance on manual investigation through the UI—supporting more scalable and efficient security operations.

Investigate API is available at the endpoint /api/v3.4/investigations. For more information, visit the [API documentation site](https://apidocs.vectra.ai/api/v-3-4-investigations) or the [Investigate API user guide](https://docs.vectra.ai/operations/investigate/investigate-api-user-guide).

## ⚙️ Architecture/Administration

### Multi-SAML Support now GA

The Quadrant UX platform supports single sign-on (SSO) through integration with a customer’s identity provider (IDP) using a configured SAML profile. Until now, only a single SAML profile could be defined, which restricted integration to one IDP at a time.

To address this, we are introducing support for multiple SAML profiles. This enhancement enables customers and MSSPs to configure and manage integrations with multiple IDPs simultaneously, providing greater flexibility and alignment with complex identity environments. Multi-SAML enablement is supported through the UI ([documentation](https://docs.vectra.ai/configuration/access/saml-sso-qux/any-idp-saml-qux)) and API ([documentation](https://docs.vectra.ai/configuration/access/api-qux/v25-api-guide-qux?utm_source=sfdc)).

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2FZ7kkzyd41saKkZakZ0Bj%2Fimage.png?alt=media&#x26;token=788c6fef-7e37-488e-b2e8-5740590410cc" alt=""><figcaption></figcaption></figure>

### Traffic Validation (ENTV) Alerts

Traffic Validation now delivers clear, actionable notifications when network traffic quality puts detection coverage at risk. Customers are alerted on critical, aggregate events—such as asymmetric flows or dropped packets—that impact visibility. [Traffic Validation Sys\_check Alerts](https://docs.vectra.ai/deployment/traffic-engineering-and-validation/entv-syscheck-descriptions) provides clear explanations and recommended solutions, helping teams resolve problems faster and maintain reliable, high-confidence detections.

### New Close Workflow Enabled by Default

In 9.10, customers will be moved by default to our new close workflow. The new close workflow offers better workflows for customers and will also power our new operational SOC overflow report. Customers can opt out at any time from their configuration section. Learn more about [the workflow here](https://docs.vectra.ai/operations/analyst-guidance/new-close-workflow?utm_source=sfdc).

### Account Menu Location

Vectra AI has updated the user interface to introduce a new account menu in the top-right corner of the page. This centralized location provides quick access to user settings, theme preferences, and logout options, improving overall navigation and usability.

<figure><img src="https://2700995531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fpn0NCs7YgGCODlBZmgu3%2Fuploads%2FXeMLvP3ZKqdV63tE1T6C%2Fimage.png?alt=media&#x26;token=bcca17e4-5930-485d-b45b-266737d1a139" alt=""><figcaption></figcaption></figure>

## 🐞 Bug Fixes

Please log in to <https://support.vectra.ai/vectra/> and search "Respond UX Bug Fixes" to view the latest bug fixes.
