July
NG Production Release Update - APIsec_cloud_7.7.2.0 ( July 09, 2026 )
This release introduces centralized API credential management, reusable global authentication profiles, OAuth PKCE support using Custom Authentication Chains, enhanced authentication validation for API-driven scans, and new Scan-and-Gate capabilities for CI/CD pipelines. Additional fixes improve BOLA scenario generation and polish SSRF detection reporting.
What's New
API Credentials Management
A new API Credentials page provides self-service management for both Personal Access Tokens (PATs) and OAuth Client Credentials. Users can create, manage, and revoke their own credentials, while administrators can manage credentials across the tenant.
Why this matters
- Centralizes credential management in a single location
- Simplifies API automation and integrations
- Improves security through scoped, expiring credentials
Global Credentials
Global Credentials allow a single authentication profile to be shared across multiple application environments. Updating a global credential automatically applies the change wherever it is linked.
Why this matters
- Simplifies credential rotation across applications
- Reduces administrative effort and configuration drift
- Maintains secure access through application-aware RBAC
OAuth PKCE Support
Custom Authentication Chains now support OAuth 2.0 Authorization Code flows with Proof Key for Code Exchange (PKCE). APIsec automatically manages PKCE parameters during authentication, simplifying configuration for supported identity providers.
Why this matters
- Enables authenticated scanning of APIs protected by PKCE
- Simplifies OAuth configuration for modern identity providers
- Expands support for secure authentication workflows
Pre-Scan Authentication Validation
API-driven scans can now optionally validate authentication credentials before scan execution. When enabled, the platform performs a lightweight authentication check against the endpoint used during the most recent Test Authentication execution. If the credentials are rejected, the scan is terminated instead of proceeding with unauthenticated requests.
API callers can control this behavior using the ignoreAuthFailure flag in the scan request:
- ignoreAuthFailure: false (default) — The scan is aborted if authentication validation fails.
- ignoreAuthFailure: true — The scan continues even if authentication validation fails, allowing unauthenticated portions of the scan to proceed.
Why this matters
- Detects authentication issues before scan execution
- Prevents unnecessary scans caused by invalid credentials
- Gives API integrations the flexibility to either fail fast or continue with partial coverage based on automation requirements
Note: This capability is currently opt-in for API-triggered scans. Existing UI, scheduled, and API scan behavior remains unchanged unless explicitly enabled.
Scan-and-Gate Enhancements
The Scan-and-Gate container now supports evaluating existing scan results without triggering a new scan and provides direct links from CI/CD failures to the corresponding findings in APIsec.
Why this matters
- Accelerates CI/CD pipelines
- Simplifies investigation of failed security gates
- Improves developer productivity during remediation
Issue Fixes
BOLA Scenario Generation
Problem
Automatically generated BOLA scenarios could include duplicate entries for the same endpoint.
Solution
Scenario generation now removes duplicate endpoints based on HTTP method and path.
Impact
- Produces cleaner BOLA scenario lists
- Prevents duplicate test execution during BOLA scans
SSRF Detection Messaging
Problem
SSRF detection findings contained a typographical error in the assertion text.
Solution
The finding message has been corrected across all SSRF detection variants.
Impact
- Improves the quality and professionalism of customer-facing reports
NG Production Release Update - APIsec_cloud_7.7.1.0 ( July 03, 2026 )
This release introduces Dark Mode, removes the 30-day access limit for PLG users, strengthens Hosted Agent security, and enhances authentication failure handling across supported authentication schemes. Additional fixes improve hosted-agent scheduling, protect sensitive data, enhance diagnostics for authentication failures, and improve the accuracy of Security Hub reporting.
What's New
Dark Mode
Dark Mode is now available across the platform. Users can switch between light and dark themes at any time from User Preferences. Currently, their preference isn't preserved across different browser sessions.
Why this matters
- Improves readability in low-light environments
- Reduces eye strain during extended sessions
- Let users personalize their experience without administrator involvement
Partial Credential Enforcement
A new detection category identifies APIs that advertise multiple authentication requirements—such as Authorization headers, API keys, session cookies, or XSRF tokens—but enforce only a subset during request validation. Endpoints that accept requests with one or more required credential elements missing are flagged for review.
Why this matters
- Detects authentication gaps that may be overlooked by traditional authentication tests
- Helps ensure every required credential element is actively validated
- Identifies weaknesses in composite authentication schemes involving multiple headers or cookies
- Improves detection accuracy by validating both HTTP responses and application response content to minimize false positives
Improvements
Extended Access for PLG Users
The 30-day access restriction for PLG users has been removed. Existing users who were previously locked out automatically regain access without requiring any action from users, administrators, or support.
Why this matters
- Enables uninterrupted product exploration
- Eliminates unnecessary access interruptions
- Provides a smoother onboarding experience
New Hosted Agent Release
A new Hosted Agent version introduces improved startup validation for mutual TLS (mTLS) certificate configuration. Certificate configuration issues are now detected during startup with clear, actionable error messages.
Why this matters
- Detects certificate configuration issues earlier
- Reduces scan failures caused by invalid mTLS configuration
- Improves deployment reliability for private Hosted Agents
Note: Customers running Private Hosted Agents are encouraged to deploy the latest agent version to receive these improvements.
Enhanced Authentication Failure Handling
Authentication failure detection has been expanded to support Basic Authentication, API Key, and HMAC authentication schemes. A new option also allows scans to continue after authentication failures while clearly identifying unauthenticated requests.
Why this matters
- Improves visibility into authentication configuration issues
- Produces more reliable scan results across supported authentication methods
- Allows teams to troubleshoot authentication failures while still collecting partial scan results
Issue Fixes
Scheduled Scans for Hosted Agent Applications
Problem
Scheduled scans for applications configured to use Hosted Agents could fail without appearing in Scan History.
Solution
Scheduled scans and Test Credentials now consistently use the configured Hosted Agent for scan execution.
Impact
- Improves the reliability of scheduled scans
- Ensures failures are visible in Scan History
- Supports environments accessible only through Hosted Agents
Protected Header Values During Test Reachability
Problem
Confidential header values could be displayed in clear text during Test Reachability.
Solution
Sensitive header values remain masked across all application views, including Test Reachability.
Impact
- Protects confidential authentication data
- Improves the security of environment configuration workflows
Improved Test Credentials Diagnostics
Problem
Authentication and connectivity failures often returned a generic "Internal Server Error," making troubleshooting difficult.
Solution
Test Credentials now surfaces the target system's HTTP status code, response body, and diagnostic information when available.
Impact
- Simplifies troubleshooting of authentication and connectivity issues
- Provides clearer diagnostics for WAF, OAuth, networking, and access configuration problems
Security Hub Summary Accuracy
Problem
Security Hub summary metrics may display inaccurate counts of scans, endpoints, and vulnerabilities.
Solution
Security Hub now calculates summary metrics correctly and excludes informational findings from vulnerability totals.
Impact
- Improves reporting accuracy
- Aligns dashboard metrics with application-level reporting
Security Hub Timezone Reporting
Problem
Security Hub summary metrics displayed zero values for users in certain time zones.
Solution
Date calculations have been updated to ensure consistent reporting regardless of the timezone.
Impact
- Provides accurate Security Hub metrics across all supported time zones
- Ensures consistent reporting for global teams