Dec 2025 Release Notes (RUX)
December 2025 updates across Coverage, Clarity, and Control—new/refined detections, CrowdStrike EDR process correlation (private preview), and stronger Azure AD/Entra ID response.
🛡️ Coverage
Rapid Release Improvements
The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:
Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic.
This release introduces additional detections for Cobalt Strike, Brute Ratel, and PowerShell Empire.
Vectra AI has improved the Smash and Grab detection accuracy by ensuring destination domain names update correctly when observed later in a session. This enhancement allows whitelist logic to function as intended, reducing unnecessary alerts and improving the fidelity of Smash and Grab detections.
Vectra AI has improved information-level detections for Remote Management and Monitoring (RMM) tools by correctly populating application protocol details in detection metadata. This enhancement provides clearer context on Host pages when RMM activity is observed, improving investigative clarity while maintaining a low-noise, non-scoring alerting experience.
Vectra AI has refined its Mythic C2 detection logic to reduce false positives by tightening how server certificate fields are evaluated. This update narrows overly broad pattern matching, preventing benign domains containing similar terms from triggering alerts and improving overall detection fidelity.
🔎 Clarity
EDR process correlation (Private Preview)
Vectra AI has released CrowdStrike EDR process correlation for private preview customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection, both in the platform and when the event is collected via the API.
The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Which process was driving the C2 traffic, a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes that instant. Contact your Vectra AI account team to join the private preview and visit the CrowdStrike EDR Integration FAQ for instructions on how to support this integration.
🚦 Control
Vectra 360 Response Enhancement for Cloud Identity
Vectra AI’s Account Lockdown now includes Password Reset for Azure AD/Entra ID, providing customers with a stronger, more reliable way to proactively stop identity-based attacks, particularly token theft. By revoking sessions and forcing a password reset, Vectra AI instantly removes attacker access while letting legitimate users log back in with minimal friction. This expands Vectra AI’s 360 Response capability, which enables proactive response across traffic, devices and identity. To read more about the feature, see the support article: https://support.vectra.ai/vectra/article/KB-VS-1123
🐞 Bug Fixes
Please log in to https://support.vectra.ai/vectra/ and search "Respond UX Bug Fixes" to view the latest bug fixes.