These Release Notes describe updates to Traceable functionality:
1st October — 31st October
Updates

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | Regional Support for Snyk Integration | SaaS and On-prem (1.30.0) | Traceable’s Snyk integration now supports configuration of specific Snyk regions beyond the default one. You can also define a custom endpoint to support proxy-based or single-tenant environments, providing better flexibility in multi-region deployments. For more information, see Snyk Integration. |
| | Rule List Parameterization for Cloudflare WAF Integration | SaaS and On-prem (1.30.0) | Traceable has updated the Cloudflare WAF integration to support parameterized rule list inputs. This ensures environment-specific rule management, preventing rules created in one environment from affecting another. For more information, see Cloudflare Integration. |
| Catalog | Improved Handling of Lack of Encryption (LoE) Detection | SaaS and On-prem (1.30.0) | Traceable has updated the LoE detection logic to apply accurate heuristics. The issue is no longer reported in the following scenarios: In all other cases, the issue continues to be detected appropriately. |
| Protection | Detailed Evidence View for Threat Activity Groups | SaaS and On-prem (1.30.0) | Traceable now provides a detailed view on the Threat Activity page for SCO analysis. Clicking a Threat Activity group displays aggregated evidence and allows you to create a single ticket for the entire group. This helps you triage issues and improves investigation efficiency. |
| | Source and Target Criteria in Custom Signature Policies | SaaS and On-prem (1.30.0) | Custom Signature policies now support advanced Source and Target criteria, including IP address, region, IP organization, user ID, and target scope. This gives you finer control when monitoring and detecting threats. For more information, see Custom Policy. |
| | Cloud Edge Deployment Workflow | SaaS | Traceable has introduced a new self-service workflow that enables you to onboard and protect applications directly from the Traceable platform. This reduces manual effort and improves the deployment process for cloud edge deployments. For more information, see Cloud Edge Deployment. |
Resolved Issues

| Product Area | Resolved Issue | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Protection | Errors in WAAP Dashboards | On-prem (1.30.1) | Resolved an issue where two widgets on the Protection dashboard caused errors in on-prem environments due to metric-based queries. |
| Catalog | Compliance Policy Evaluation Failures | SaaS and On-prem (1.30.0) | Resolved an issue where compliance policies failed to evaluate due to data-fetching errors at scale. Batch processing has been added to prevent these exceptions and ensure that policies are consistently evaluated. |
| | Improved Handling of Orphan Issues | SaaS and On-prem (1.30.0) | Traceable now automatically marks issues (vulnerabilities) as Fixed when their associated API endpoints are removed due to inactivity. This prevents orphan issues from staying open and gives you a more reliable and accurate view of your application security posture. |
| | Accurate Detection of Duplicate HSTS Headers | SaaS and On-prem (1.30.0) | Traceable has updated the detection logic for HSTS issues to correctly handle multiple Strict-Transport-Security headers. This ensures that all duplicate headers are identified using a |
| | Refined Vulnerability Detection on Insufficient Data | SaaS and On-prem (1.30.1) | Traceable has improved the detection logic so that issues (vulnerabilities) are not reported when response headers are missing. This eliminates false positives caused by empty sets being incorrectly evaluated as issues. |
| | Null Status Code Flagged for HSTS | SaaS and On-prem (1.30.0) | Resolved an issue where issues (vulnerabilities) were incorrectly reported when response headers were missing. This detection logic previously used |
| | Policy Drop-down Value Not Cleared on Attribute Switch | SaaS and On-prem (1.30.0) | Resolved an issue where the selected compliance policy value was not cleared when switching attributes. The logic has been improved to accurately reset the drop-down when a new attribute is selected. |
| | Standardized Naming for Identical Issues | SaaS and On-prem (1.30.0) | Resolved inconsistencies in issue naming across reports and exports. Identical issues, such as Weak JWT Algorithm, are now labeled consistently across the platform, improving clarity in issue management. |
| | Alignment of Issue IDs between the Traceable platform and Dojo | SaaS and On-prem (1.30.0) | Resolved a mismatch where some issues appeared in Dojo but not on the Traceable platform because of the older |
| | Correct Propagation of AST Issue Ownership Changes | SaaS and On-prem (1.30.0) | Traceable now correctly propagates ownership changes for AST issues to Defect Dojo. This ensures that entity ownership updates are reflected consistently across integrations. |
| | Correct Ordering of Issue Timestamps | SaaS and On-prem (1.30.0) | Resolved an issue where |
| | Properly Displaying Data Type Names for Custom Policies | SaaS and On-prem (1.30.0) | Resolved an issue where deleted data types caused Data Type IDs to appear on the Traceable platform instead of names. Additionally, the value drop-down now displays up to 500 attribute values at a time and shows the total count, allowing you to see all available data types, labels, and other attributes without searching. |
| | Force Learn Support in GraphQL | SaaS and On-prem (1.30.0) | Added GraphQL handling for the Force Learn configuration in Catalog. This resolves errors caused by the feature being implemented at the gRPC layer but not supported at the GraphQL layer. |
| | GraphQL API for Populating Issue Details | SaaS and On-prem (1.30.0) | Traceable has added support for a GraphQL API for editing issue fields, such as mitigation, risk impact, and attack methodology. |
| | Case-Insensitive HSTS Issue Detection | SaaS and On-prem (1.30.0) | Resolved false positives for HSTS issues caused by case-sensitive header matching. Detection is now case-insensitive, ensuring headers such as |
| | Enhanced HSTS Validation | SaaS and On-prem (1.30.0) | Traceable now performs stricter validation for HSTS headers: In cases where multiple HSTS headers are present, even a single weak header now triggers HSTS detection, ensuring enhanced validation coverage. |
| | Vulnerability Detection Logic Improvements | SaaS and On-prem (1.30.0) | Improved the detection logic for multiple issue types, including: These updates improve accuracy in issue detection, and this fix may increase the number of reported issues. |
| | Policy Updates | SaaS | Streamlined the platform by removing Issue Policies that are no longer actively detected by Traceable. This ensures only relevant and supported policies are displayed. |
| | Endpoints Incorrectly Reverting to Learning Stage | SaaS and On-prem (1.30.1) | Resolved an issue where entity fetching failures caused API endpoints to revert from Learnt to Learning. The updated logic now accurately preserves the |
| | Evidence Pop-ups Not Displaying URL | SaaS and On-prem (1.30.1) | Resolved an issue where the evidence pop-up for an issue did not display URLs because parameterized URLs were not resolved correctly. This fix ensures that parameterized URLs are now accurately detected and resolved, allowing evidence generation and display to work as expected. |
| AST | Improved Scan Stability and Completion Rates | On-prem (1.30.0) | Increased resources for scan-manager, entity-service, traceable-runners, and MongoDB, significantly improving scan stability. Additionally, introduced an entity cache in scan-manager to reduce service calls and made gRPC and MongoDB timeouts configurable to further improve resiliency. |
| | Spec File AST Scan Reliability | SaaS and On-prem (1.30.0) | Resolved an issue where spec-file-based AST scans were not running as expected due to scan abort issues. With these improvements, spec-based AST scans now execute correctly. |
| | Reliable Alert Notifications | On-prem (1.30.0) | Resolved an issue where aborted scans did not trigger alert notifications. This occurred due to incorrect SMTP configuration in the Notification settings. |
| | Accurate Scan Metadata Updates on the Traceable platform | On-prem (1.30.0) | Resolved an issue where Traceable displayed zero APIs scanned even though issues (vulnerabilities) were detected. This happened because the calls made to update scan metadata were timing out due to duplicate key errors in MongoDB. This fix includes entity cache support and improved error handling to ensure accurate scan metadata updates. |
| | Editable Issue Severity | SaaS and On-prem (1.30.0) | Resolved an issue where editing an issue severity, for example, from Critical to High, created a duplicate plugin entry instead of updating the existing plugin. |
| | XAST Replay Store Retention Increase | SaaS and On-prem (1.30.0) | Traceable has increased the Replay retention period to 90 days, improving the effectiveness and coverage of XAST Replay scans. |
| | Missing Impact and References in System-defined Issue Types | On-prem (1.30.1) | Resolved an issue where key fields, such as Impact and References, were missing in some vulnerability templates. These values are now populated for all enabled plugins. |
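The HSTS rows above describe four behaviours of the updated detection logic: the header name is matched case-insensitively, every duplicate Strict-Transport-Security header is examined, a single weak header among several is enough to raise the issue, and a response with a null status code or no headers at all is treated as insufficient data rather than as a finding. The following is an added illustration written for these notes, not Traceable's own detection code; the weakness rule (a max-age below one year, or no max-age at all), the `evaluate_hsts` function and the sample responses are all constructed assumptions.

```python
"""Added example: evaluating Strict-Transport-Security headers with the
edge cases listed in the release notes (constructed code, not Traceable's)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption (not stated on the page): a max-age under one year is "weak".
MIN_MAX_AGE_SECONDS = 31_536_000
HSTS_HEADER = "strict-transport-security"


@dataclass
class HstsFinding:
    reported: bool                      # True when an HSTS issue should be raised
    reason: str                         # explanation suitable for an evidence view
    header_count: int = 0               # number of HSTS headers seen (duplicates kept)
    weak_values: Tuple[str, ...] = ()   # header values judged weak


def parse_hsts_directives(value: str) -> dict:
    """Split one header value into lower-cased directive names and raw values."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_value_is_weak(value: str) -> Optional[str]:
    """Return a reason if the value is weak under the assumed rule, else None."""
    directives = parse_hsts_directives(value)
    if "max-age" not in directives:
        return "max-age directive missing"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return "max-age is not an integer"
    if max_age < MIN_MAX_AGE_SECONDS:
        return f"max-age={max_age} is below {MIN_MAX_AGE_SECONDS}"
    return None


def evaluate_hsts(status_code: Optional[int],
                  headers: List[Tuple[str, str]]) -> HstsFinding:
    """Decide whether an HSTS issue should be reported for one HTTPS response.

    headers is a list of (name, value) pairs so duplicates are preserved.
    """
    # Insufficient data: a null status code or an empty header set means the
    # response was not observed properly, so no issue is reported (no false
    # positive from evaluating an empty set).
    if status_code is None or not headers:
        return HstsFinding(False, "response headers missing; insufficient data")

    # Case-insensitive match on the header name, keeping every duplicate.
    values = [v for name, v in headers if name.lower() == HSTS_HEADER]
    if not values:
        return HstsFinding(True, "Strict-Transport-Security header absent")

    # Any single weak header among the duplicates is enough to report.
    weak = tuple(v for v in values if hsts_value_is_weak(v) is not None)
    if weak:
        reasons = "; ".join(str(hsts_value_is_weak(v)) for v in weak)
        return HstsFinding(True, f"weak HSTS value(s): {reasons}", len(values), weak)
    return HstsFinding(False, "HSTS configured", len(values))


# Constructed sample responses covering each edge case from the notes.
SAMPLE_RESPONSES = [
    ("null status, no headers", None, []),
    ("no HSTS header", 200, [("Content-Type", "text/html")]),
    ("upper-case header name", 200,
     [("STRICT-TRANSPORT-SECURITY", "max-age=31536000; includeSubDomains")]),
    ("duplicates, one weak", 200,
     [("Strict-Transport-Security", "max-age=31536000"),
      ("strict-transport-security", "max-age=0")]),
]

if __name__ == "__main__":
    for label, status, hdrs in SAMPLE_RESPONSES:
        finding = evaluate_hsts(status, hdrs)
        print(f"{label:24} reported={finding.reported!s:5} {finding.reason}")
```

The header list is kept as pairs rather than collapsed into a dictionary on purpose: a dictionary keyed by header name silently drops duplicates, which is exactly the case the duplicate-header fix is about.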
1st September — 30th September

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | API Governance Issues from Conformance Analysis | SaaS and On-prem (1.29.0) | Traceable now automatically generates API Governance issues when it detects schema drift during conformance analysis. Discrepancies in request and response bodies or headers are flagged as governance issues, providing you with deeper visibility into API drift and control over your API posture. For more information, see Conformance Analysis. |
| | Enhanced Static API Discovery | SaaS and On-prem (1.29.0) | Traceable has enhanced static API discovery with advanced configuration options to fine-tune detections and exclude unwanted noise. Enabled by default, this feature ensures a cleaner and more accurate API inventory for all users. |
| | Improved Domain Classification | SaaS and On-prem (1.29.0) | Traceable now links domains directly to API entities, ensuring that each detected domain is associated with at least one API endpoint. This eliminates false positives from the earlier traffic-based classification, improving domain visibility accuracy. |
31st July — 31st August

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | Custom Signature Support for the Google Cloud Armor WAF Integration | SaaS and On-prem (1.28.0) | Traceable now supports creating and managing custom signature rules for the Google Cloud Armor (GCA) WAF Integration. You can now define Custom Signature Rules in the Protection Policies, and they are automatically translated into Google Cloud Armor expressions. This enables you to detect and block malicious requests based on headers, payloads, query parameters, and other request attributes. For more information, see Google Cloud Armor Integration. |
16th July — 30th July

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | Updated Cloudflare Integration Setup | SaaS and On-prem (1.28.0) | Traceable has updated its Cloudflare integration to align with the latest Cloudflare changes. This ensures continued compatibility and improved functionality following the deprecation of the older Cloudflare API on June 15, 2025. For more information, see Cloudflare Integration. |
| | Custom Signature Support for the Google Cloud Armor Integration | SaaS and On-prem (1.28.0) | Traceable now supports applying advanced custom signatures to Google Cloud Armor (GCA), extending protection beyond basic IP blocking. You can define custom request inspection rules within the Traceable platform that are dynamically translated into GCA custom expressions for enforcement. |
| | HTTP Event Collector Integration with Traceable | SaaS and On-prem (1.28.0) | You can now integrate your SIEM applications with Traceable using the HTTP Event Collector (HEC). HEC is a secure, token-based method for transmitting structured data, such as JSON, in real time. The initial support includes integrations with Splunk and CrowdStrike, enabling faster and more reliable forwarding of security events. For more information, see HTTP Event Collector (HEC) Integration. |
| Protection | Testing Mode for Web Application Protection Rules | SaaS and On-prem (1.28.0) | Traceable now supports the Testing mode for Web Application Protection (WAP) policies. This mode enables you to evaluate new or updated rules in a non-enforcing state for a specified period before transitioning them to Monitoring or Blocking mode. This feature helps you validate rule behavior and minimize false positives before enforcement. For more information, see Rule Testing for New and Updated Rule(s). |
| | Clone Support for Custom Policies | SaaS and On-prem (1.28.0) | Traceable now allows you to clone existing policies, including custom signatures, rate limiting, and exclusion policies. This helps you create new versions of existing policies with minor adjustments, making policy management easier and configuration updates faster. |
| Boards | Dashboard Sharing Support | SaaS and On-prem (1.28.0) | Traceable now allows you to share custom dashboards with other users in your organization, improving collaboration across teams. You can also control access by assigning View or Edit permissions to collaborators, ensuring flexibility and governance in dashboard management. For more information, see Custom Dashboard Sharing. |
10th June — 15th July

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | Centralized Label Management | SaaS and On-prem (1.27.0) | Traceable now provides a dedicated Labels tab that allows you to create, update, and manage labels used to categorize APIs across the platform. This centralized view enables you to organize APIs by functionality, environment, or business requirements, making it easier to filter data and assess issues and API posture at scale. For more information, see Label Management. |
| | Enhanced Issues Page with Domain and Label-based Views | SaaS and On-prem (1.27.0) | Traceable now supports Domain and Label-based filtering, grouping, and sorting on the Issues page. These enhancements give you increased flexibility and context while assessing and resolving issues, and align with your organization’s ownership models. For more information, see Issues Overview. |
| | Improved Handling of Orphan Vulnerabilities | SaaS and On-prem (1.27.0) | Traceable now marks orphan vulnerabilities as Closed instead of deleting them, ensuring consistent tracking across external vulnerability management systems. This applies to cases such as API deletion, merging, inactivity, or rollback scenarios. This enhancement improves auditability and preserves the historical security context across your API lifecycle. |
| | Standardized Naming for Identical Vulnerabilities | SaaS and On-prem (1.27.0) | Traceable now uses consistent naming for identical vulnerabilities across reports and exports. Issues such as HTTP security header misconfiguration or Weak JWT algorithms are labeled uniformly. This enhancement improves clarity and reduces confusion in vulnerability management workflows. |
| Protection | Enhanced Threat Actor Scoring | SaaS and On-prem (1.27.0) | Traceable has enhanced threat actor scoring with support for environments, confidence levels, and exclusion policies. These improvements provide more accurate, context-aware scores and offer increased control over how Traceable evaluates threat actors across environments. |
| | Improved Usability of Threat Actor Data | SaaS and On-prem (1.27.0) | Traceable has redesigned the Threat Actor page to offer a more intuitive experience and improved data exploration for analysis. You can now filter, sort, and analyze threat actor activity more efficiently to identify attack patterns and take the necessary actions. For more information, see Threat Actors. |
| Testing | Revamped AST Experience with the New User Interface | SaaS and On-prem (1.27.0) | Traceable introduces a redesigned user interface for API Security Testing (AST). The new user interface makes it easier to configure scans, track progress, and analyze results. The updated experience helps you navigate and manage your testing workflows with better clarity and efficiency. For more information, see API Security Testing. |
24th May — 9th June

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | Enhanced Imperva WAF Integration with Custom Blocking Support | SaaS | Traceable now supports Custom Signature-based and User-based blocking through the Imperva WAF integration. For more information, see Imperva Integration. |
| Catalog | Schema Drift Detection Across API Spec Components | SaaS and On-prem (1.25) | Conformance Analysis now detects mismatches across all parts of your API specifications, including request and response bodies, headers, and parameters. This enhancement helps you identify undocumented, shadow, or orphan endpoints by comparing live traffic against your API specifications, providing security and development teams deeper visibility into API drift. For more information, see Conformance Analysis. |
| Protection | Enhanced WAAP Dashboards and Security Events Explorer | SaaS | Security Events are now accessible under the Protection module in the Traceable platform, providing different perspectives for investigating threats. The Threat Requests tab shows spans that triggered one or more detection rules, while the Rule Triggers tab shows each detection rule and its matching spans. These improvements provide more flexible and focused ways of analyzing malicious activity across APIs. |
| Testing | Support for Scanning SOAP APIs | SaaS and On-prem (1.25) | Traceable now supports Live and Replay AST scans on SOAP APIs. During scanning, Traceable parses the XML request and response bodies and uses updated plugins to detect vulnerabilities in SOAP traffic, extending testing coverage beyond REST APIs. |
10th May — 23rd May

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | Akamai Integration with Network List Support | SaaS | Traceable now supports the use of Network List IDs in the Akamai integration, enabling categorized and scalable IP and threat actor blocking. You can manage all blocked entries through a single, reusable network list in Akamai for easier policy updates and streamlined enforcement. For more information, see Akamai Integration. |
| Protection | Known Bots (Traceable-Categorized Bots) | SaaS | Traceable now categorizes and identifies known internet bots, such as search engine crawlers or malicious scrapers, under the Known Bots view. This enables you to monitor their activity across APIs and take the necessary actions. |
| | Role and Scope Configuration for BFLA Detection (Security Scheme) | SaaS | Traceable now supports configuration of user roles and scopes to enhance BFLA (Broken Function Level Authorization) detection. You can use Traceable’s auto-learned role-scope mappings or define configurations manually to detect unauthorized access patterns and protect your application against misuse. For more information, see Security Scheme. |
18th April — 9th May

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | Annotating Issue Status Changes | SaaS and On-prem (1.23) | Traceable now allows you to add comments while changing an issue's status. These comments are automatically highlighted in the Status log, providing context for the update and creating an audit trail. This helps improve collaboration and accountability during issue resolution. For more information, see Issue Management. |
27th March — 17th April

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | WSDL Specification Support | SaaS and On-prem (1.22) | Traceable now supports uploading WSDL API specifications for SOAP endpoints. Traceable automatically detects any mismatches between the uploaded documentation and observed traffic. This helps ensure that the SOAP APIs are behaving as expected, reducing security issues and simplifying compliance. |
| | Redesigned Issues Page | SaaS and On-prem (1.22) | Traceable introduces a redesigned Issues page that provides a centralized view of issues detected across sources (Live Traffic, Compliance, and AST). The enhanced filtering, grouping, and download options help you easily identify, analyze, and work towards remediation of high-impact findings. For more information, see Issues Overview and Issue Management. |
| | Change Insights Report | SaaS and On-prem (1.22) | Traceable now offers a Change Insights reporting template that highlights newly discovered APIs and Issues over the past 7, 30, or 90 days. This helps you monitor changes in your API posture, track new and emerging issues, and prioritize security reviews. These reports are accessible under the Reports section. |
| Protection | Bot Protection Dashboard | SaaS | Traceable now provides a Bot Protection dashboard offering a high-level view of malicious bot activity across your APIs. This helps you quickly identify abnormal patterns, prioritize threats, and make informed decisions. For more information, see Bot Protection Dashboard. |
27th February — 26th March

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Integrations | mTLS Support for Jira | SaaS and On-prem (1.21) | Traceable now supports mTLS integration with Jira using server certificates instead of root certificates. The Traceable Customer Success team can provide these server certificates to you, and you can upload them directly to your Jira server for a secure connection. For more information, see mTLS support for Jira Data Center. |
| Catalog | Customizable Issue Policies | SaaS and On-prem (1.21) | Traceable now allows you to adjust the scope, severity, and rules for Issue (Vulnerability and Compliance) Policies. This helps you align Traceable’s findings with your internal policies, reduce unnecessary alerts, and better manage your API security. For more information, see Issue Policies. |
| Protection | WAAP Detection Policies | SaaS and On-prem (1.21) | Traceable now offers an improved user experience and more detailed controls for Protection policies, with categorization into Web Application Protection, API Protection, and Custom Policies. For more information, see Policies. |
5th February — 26th February

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | WebSocket API Support | SaaS and On-prem (1.20) | Traceable now supports WebSocket API endpoints. These APIs are visible on the Inventory page under Catalog. For more information, see API Endpoints. |
| | User Attribution Rule Preview | SaaS and On-prem (1.20) | Traceable now provides a live preview of the user attribution rule based on your configured attributes. This feature guides you through rule configuration and allows you to validate the rules as you go, ensuring accurate user attribution through the multiple stages of the configuration. For more information, see User Attribution. |
9th January — 4th February

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| Catalog | WSDL Specification Support | SaaS and On-prem (1.19) | Traceable now generates WSDL (Web Services Description Language) API specifications for SOAP APIs. The generated WSDL specs can be viewed on the API overview page. For more information, see API Endpoints and Endpoint Details. |
| | Compliance Policy | SaaS and On-prem (1.19) | Traceable now auto-resolves Compliance Issues that have not been seen for the last 14 days in a row. All such issues are marked as "Fixed". For more information, see Issue Resolution. |
| | Parameters | SaaS and On-prem | The Parameters page (formerly API DNA) has been redesigned to emphasize data sensitivity, datasets, data types, and parameter details, including mandatory status. Users can now create data classification rules directly from this page for enhanced control. For more information, see Parameters. |
| Boards | Dashboard and Reporting | SaaS | Traceable introduces customizable home dashboards and the ability to create custom dashboards tailored to specific use cases. Users can build dashboards using Traceable data sources, including Catalogs, Issues, Threat Activity, and more. Create data widgets and add them to custom dashboards for a personalized view of security insights. Additionally, custom dashboards can be scheduled for automated email delivery as reports, ensuring users stay updated with the latest security data. For more information, see Boards. |
1st December 2024 — 15th January

| Product Area | Feature | Deployment Type (SaaS, On-prem, Both) | Description |
|---|---|---|---|
| API Catalog | User Attribution | SaaS | The improved and simplified user experience enables Traceable users to configure user attribution rules that extract user ID, user role, auth types, and other user-related identifiers for better cataloging and threat protection use cases. For more information, see User attribution. |
| | Parameters | SaaS | The Parameters page (formerly API DNA) has been redesigned to emphasize data sensitivity, datasets, data types, and parameter details, including mandatory status. Users can now create data classification rules directly from this page for enhanced control. For more information, see Parameters. |
| AST | Mutations and Assertions | SaaS and On-prem | Custom Overrides for vulnerability detections allow users to update the plugin logic according to their organizational needs without creating a custom plugin or custom logic. For more information, see Mutations and assertions. |
| Protection | Exclusion Rules | SaaS and On-prem | Traceable now supports Detection Exclusion Policies, allowing you to configure rules that exclude specific API requests from alerting, blocking, or allowing actions. This provides greater flexibility in managing API security. For more information, see Exclusions. |
| Teams and Roles | RBAC | SaaS | Traceable's Role-Based Access Control (RBAC) now includes custom roles, offering enhanced flexibility in user management. This feature allows organizations to define roles tailored to their specific operational needs, ensuring precise access control and promoting secure collaboration across teams. For more information, see RBAC. |
| Integrations | ServiceNow ITSM | SaaS and On-prem | The ServiceNow ITSM integration lets you create ServiceNow ITSM tickets for vulnerabilities, threat events, and attacks detected by the Traceable Platform. For more information, see ServiceNow ITSM integration. |