Changelog
Release notes
What shipped, when. Material changes to features, pricing, data sources, and how we score risk are announced here as well as in the notification channels for paying customers.
Featured · May 2026 rollout
This month’s rollout
Six bigger bets shipped this month: a security score you can share, an investigation-grade URL scanner, threat intel scoped to your stack, audit-ready findings, brand-asset and malvertising detection, and a public REST API. A new Solo tier at $79/month bridges the gap between Pro and Business, and every paid trial drops the credit-card requirement.
Public REST API v1 + OpenAPI 3.1
A documented REST API at /api/v1 for SIEM connectors, MSSP integrations, and your own automation. Three resources at launch: brand findings, public URL-scan results, and the universal indicator lookup. Bearer-token auth, 120 req/min/key, Business or Enterprise plan. Full Swagger UI at /api/docs.
Brand-asset visual matching + malvertising detection
Upload your logo, hero image, or masthead per brand and every typosquat finding is compared against it, catching impersonation pages whose chrome differs but whose imagery was lifted. Plus: brand monitor now queries the Meta Ads Library every scan for paid ads run on your brand keywords and surfaces ads from advertisers other than yours.
Security score, scorecard, and industry benchmarks
A single letter-grade score for each brand, built from five components: delivery hygiene, exposure, brand integrity, code, and identity. A 90-day history chart sits on the dashboard. Compare your number to the median for your industry ("vs SaaS median 780, top 25%"). Generate an opt-in public scorecard URL per brand to share with prospects, auditors, or insurers.
Investigation-grade URL scanner
Structured TI Search across the public scan archive. Combine fields like kit:evilginx2, country:RU, verdict:phishing, and score:>=80 with AND/OR/NOT. Every scan result now ships with a network-flow graph showing where the page sends traffic, an aggregate Malware Trends dashboard, per-signal rule citations, and STIX, MISP, or flat IOC exports so you can pipe findings straight into your SIEM.
Audit-ready findings + dollar-loss quantification
Every URL-scan signal and brand finding maps to NIST CSF 2.0, ISO 27001:2022, SOC 2 (TSC), and PCI DSS v4.0 controls so you can hand a finding to a compliance auditor without translation. The ATT&CK heat map now carries an estimated annualized loss exposure per technique (Open FAIR / IBM 2024 calibration) and a sector-level dollar total.
Operational-priority threat intel + VIP watchlist
Pulse delivers a real-time threat feed scoped to your stack and industry. EPSS exploit-prediction scores feed the patching-cadence panel so you patch what is actually being weaponized first. New: live data from Google Safe Browsing, abuse.ch FeodoTracker, and SSL Blacklist on every scan. Add named executives to a brand watchlist and dark-web / social / code-leak collectors auto-elevate severity when their name or email appears.
Full changelog
2026-05-02
feature
Customer YARA rules now apply during live URL scans
The YARA editor at /yara-rules ships into production. Every URL scan submitted by an authenticated user pulls their active custom rules, the GCP sandbox compiles them alongside our 32 public-source rules on the same scan, and any matches are tagged with a "YOUR RULE" badge in the Detected by Yara table. Up to 50 active rules per user. Rules can be disabled (kept for later) or deleted; status changes take effect on the next scan.
yara
differentiator
2026-05-02
feature
Release notes RSS feed at /changelog.rss
Subscribe to release announcements with any feed reader. Same content as /changelog, structured as RSS 2.0. Featured rocks are emitted as separate items so each headline shows up. The auto-discovery link on the changelog page is picked up automatically by modern readers.
rss
2026-05-02
feature
Custom YARA rules per customer (editor + API)
Paying customers can now upload their own YARA rules via the public REST API or the new /yara-rules editor. Rules are validated against the local YARA 4.5 binary on save, with size and safe-import restrictions. CRUD endpoints live under /api/yara-rules. No DRP competitor in our research lets customers ship their own detection rules into the pipeline.
yara
differentiator
2026-05-02
feature
Estimated annualized loss exposure on every brand scorecard
Every public scorecard (the URL you share with prospects, auditors, or insurers) now carries a single dollar figure: the Open FAIR ALE = SLE x ARO, derived from the brand's active findings and calibrated per severity from IBM Cost of a Data Breach 2024. Per-severity caps prevent a long tail of low-severity findings from inflating the headline. Pairs with the ATT&CK heat-map dollar overlay shipped earlier today.
scorecard
fair
2026-05-02
design
Public RBAC reference at /security/rbac
A public, RFP-ready reference page that documents the 11 product categories and 5 built-in role presets (Owner, Editor, Certificate Manager, Brand Manager, Auditor) used to scope every customer-facing action. Renders directly from the runtime authorization model so it can never drift from what the server actually enforces. Quote it on SOC 2, ISO 27001, SIG/CAIQ, or vendor-risk questionnaire access-control rows.
rbac
compliance
2026-05-02
feature
New pricing tier: Solo at $79/month
A new tier between Pro ($29) and Business ($249) for agencies and small SaaS teams that outgrew Pro. 5 brand monitors, GitHub leaked-secrets scanning, brand-asset visual matching, malvertising detection on Meta Ads Library, VIP / executive watchlist (3 execs), one quarterly executive PDF report. Add-on: +5 brand monitors at $49/month. The 14-day trial on every paid tier no longer asks for a credit card.
pricing
2026-05-02
feature
Public REST API v1 + OpenAPI 3.1
A documented REST API at /api/v1 for SIEM connectors, MSSP integrations, and your own automation. Three resources at launch: brand findings, public URL-scan results, and the universal indicator lookup. Bearer-token auth, 120 requests / minute / key, Business or Enterprise plan. Mint a key from /settings#api-keys; full Swagger UI at /api/docs; spec at /api/openapi.json (or .yaml).
api
2026-05-02
feature
Brand-asset visual matching
You can now upload your logo, hero image, or marketing masthead per brand monitor. Every typosquat finding is compared against each uploaded asset, so impersonation pages whose chrome differs from your main site (different layout, but lifted your logo) get caught. Comparisons happen automatically on every scan and are cached for fast re-reads.
brand-monitor
visual-similarity
2026-05-02
feature
Malvertising detection on Meta Ads Library
Modern phishing increasingly skips the typosquat domain step and just buys ads on the brand name, routing the click to a kit on a lookalike host. Brand monitor now queries the Meta Ads Library every scan for active Facebook and Instagram ads matching your brand keywords, surfaces ads from advertisers other than yours, and auto-elevates risk when the landing host matches an existing typosquat finding. Google Ads Transparency Center coverage on the same surface ships next sprint.
brand-monitor
malvertising
2026-05-02
feature
Per-signal rule citation on URL-scan results
Every line in the Analysis breakdown now ends with a "matched: <rule>" chip naming the detection source. Public threat feeds (URLhaus, ThreatFox, Google Safe Browsing, FeodoTracker, SSL Blacklist) link out to the source so an analyst can pivot to ground truth in one click. Most DRP vendors hide their detection logic; we show ours.
url-scan
explainable
2026-05-02
feature
Annualized loss exposure on the ATT&CK heat map
Every technique on /attack-heatmap now carries a dollar figure for estimated annualized loss exposure, and the stats bar shows a sector-level total. Calibrated per ATT&CK tactic from IBM Cost of a Data Breach 2024 (Initial Access $4.88M, Credential Access $4.81M, Exfiltration $4.45M, Impact $7.5M) and the Open FAIR ALE = SLE x ARO model. Numbers round to the nearest $50k to avoid spurious precision.
threat-intel
fair
2026-05-01
feature
Universal indicator search at /lookup, expanded
The Cmd+K universal lookup gets a sister tool at /tools/ti-search for power users who want to combine fields rather than paste a single token. /lookup itself now also surfaces every place a token appears across our corpus (URL scans, brand findings, ransomware leak sites, threat-intel feeds, and the CVE catalog) alongside the type-to-jump destination.
threat-intel
2026-05-01
data
Three new threat-intel data sources live in scans
Every URL scan now consults Google Safe Browsing v4, abuse.ch FeodoTracker (botnet C2 IPs), and abuse.ch SSL Blacklist (malware certificate fingerprints). A hit on any of them locks the verdict to malware regardless of page contents. These feeds carry far fewer false positives than open IOC catalogs.
threat-intel
2026-05-01
feature
Sharper typosquat detection
The brand monitor now catches dormant-registration squats: domains registered to look like yours but parked, waiting to weaponize on demand. We also added three more variant patterns (character omissions, neighbouring-key swaps, hyphen insertions) that real-world attackers actually use against major brands.
brand-monitor
2026-05-01
feature
YARA on the captured DOM
Every URL scan is now matched against 32 YARA rules curated from public sources (Volexity, Tenable, ditekshen) plus our own SecurityAlert.ai rules, with full author attribution per match. Our first production rule (sa_kit_punchvideo_stripe_lure) fires on a Stripe-themed credential lure we observed in the wild. A rule match is treated as a strong verdict signal, not a soft one.
yara
detection
2026-05-01
feature
Drill-down filters on dashboard findings
Click any chip on the dashboard findings panel (severity, source, brand, or status) to filter the list inline. The active filter set is reflected in the URL so you can share a deep-link to a specific cut of findings (for example, all High typosquat findings on a given brand).
dashboard
2026-05-01
feature
Industry sector and Settings on every brand page
A new sector picker at the top of each brand-detail page sets the comparison cohort for industry benchmarks. The Insurance sector was added to the dropdown, and the dropdown is now alphabetical. A Settings drawer collects all the per-brand toggles (notifications, monitor cadence, sharable scorecard) in one place instead of scattered across the page.
brand-monitor
2026-05-01
fix
False-positive hardening
Closed off three classes of false positive in the URL-scan verdict logic: (1) uncorroborated ThreatFox matches no longer auto-force a malware verdict; (2) shared third-party analytics, ad-tech, and chatbot hosts (Marketo, Drift, Qualified, Google reCAPTCHA, marketing redirect chains) no longer drive beaconing or credential-post signals on legitimate complex sites; (3) GitHub social mentions no longer fire as critical on every code-search hit unless we actually detect a real secret pattern.
verdict
2026-04-27
feature
Vendor risk monitoring
A new Vendor risk view at /vendors lets you track your third-party vendors the same way you track your own brands. Add the domains of vendors you depend on (your SSO provider, your cloud, your payroll system) and we run the full scanner against each one: dark-web mentions, exposed services, leaked credentials, certificate posture. Comes with Business and Enterprise plans, capped at 25 and 250 vendors respectively.
vendor-risk
2026-04-27
feature
Stealer-log enrichment on credential exposure
The free credential exposure tool now shows the top hostnames where your credentials were stolen, broken down by employee versus customer sessions. Hostnames only, never paths, so no live session tokens are exposed. You get a concrete reset list instead of a single aggregate count.
credentials
stealer-logs
2026-04-27
feature
Wider dark-web coverage: malware feeds + Telegram
Brand monitor scans now pull from abuse.ch URLhaus and ThreatFox (malware-distribution URLs and threat indicators tagged to your domain) plus a curated set of public threat-intel Telegram channels. The brand-detail dark-web tab gets new filter chips for URLhaus, ThreatFox, and Telegram so you can drill into each source. URLhaus and ThreatFox require a free abuse.ch API key.
dark-web
threat-intel
2026-04-26
feature
Faster signup and an industry-tailored dashboard
New signups now go through a one-screen setup that asks for your domain and industry, then kicks off the first scan automatically. Your dashboard panel for actors targeting your sector filters to groups known to go after your industry, instead of showing a generic global list. A live progress banner shows whenever a scan is running, so you always know results are on the way.
onboarding
2026-04-26
feature
GitHub leaked-secrets monitoring
We now scan public GitHub every day for code that mentions your monitored brands and flag any exposed credentials: AWS keys, GitHub tokens, Slack tokens, API keys, private keys, JWTs, basic-auth URLs, and more. Findings are sorted by severity, with sensitive files like .env, .yml, and .pem surfaced first. Any matched credential is redacted before it lands in our database, so we never store a live secret.
github
code-leaks
2026-04-26
feature
Universal lookup with Cmd+K
Paste any threat indicator and we route you to the right intelligence card automatically: CVE id, IP, hostname, file hash, email, threat actor name, or ransomware group. Cmd+K opens the lookup from anywhere on the site.
threat-intel
2026-04-26
feature
Attack-surface auto-discovery
A new review queue surfaces domains we think belong to you but that you haven't told us about yet. We find them by cross-referencing shared TLS certificates, WHOIS registrant info, resolved IPs, and brand mentions in public GitHub code. One click promotes a candidate into a tracked brand and kicks off its first scan. Stale candidates auto-archive after 60 days if the signal disappears.
discovery
2026-04-26
feature
Searchable certificate history
Search every TLS certificate ever logged for your monitored brands. Filter by hostname, organization, or issuer. Pivot from any result to find sibling certificates: the same cert reused across multiple hosts, or everything a given issuer has signed for you in the last 30 days.
certs
2026-04-26
feature
ATT&CK technique heat map
A public heat map of the techniques attackers actually use, mapped to MITRE ATT&CK across 172 tracked threat actors and 14 tactics. Filter by industry to see what is hitting your sector: financial services skews toward valid-account abuse, government toward phishing, energy toward exposed remote-access services. Click any technique to drill into the actors using it.
threat-intel
mitre
2026-04-25
launch
Public launch
SecurityAlert.ai is live as a standalone Digital Risk Protection product. Brand monitor, threat actor catalog, ransomware tracker, CVE intelligence, and three free public tools (SSL grader, phishing checker, credential exposure lookup) all ship at launch. The free tier starts at one brand monitor with no credit card.
pricing
2026-04-25
data
Threat intel catalog ready to browse
172 threat actor profiles, 1,583 CISA Known Exploited Vulnerabilities, and 333 ransomware groups are loaded and ready to browse on day one. Ransomware leak sites are monitored continuously. CVE-to-actor attribution refreshes daily.
threat-intel
2026-04-25
tools
Free SSL grader
The SSL grader runs the full SSL Labs methodology: TLS 1.0 to 1.3 protocol coverage, cipher enumeration, key-exchange analysis, vulnerability checks (BEAST, POODLE, FREAK, LOGJAM, CRIME, BREACH), certificate chain validation, and HTTP security header grading. Letter grade A+ through F. Free, no signup, results cached for 30 days.