Changelog

What's new in SICenter.

The sprint cadence. Every entry below is in production right now — nothing here is roadmap.

Sprint5h — board-ready reports, SSO, status page

newimprovedfixedsecurity
  • Executive PDF reports. Generate a six-page board-ready PDF (cover, executive summary, risk dashboard, asset inventory, top-10 findings ranked by EPSS×CVSS×KEV, hygiene snapshot) from /dashboard/reports. Weekly, monthly, and quarterly windows.
  • Weekly auto-email cron. Opt in via the toggle on /dashboard/reports and we email the latest report to every owner / admin in your org every Monday at 14:00 UTC.
  • SAML SSO infrastructure. samlify@2.8.10 integrated with signature, audience, and 5-minute replay validation. Routes for AuthnRequest, ACS, SP metadata, domain discovery, and connection CRUD. Login page now auto-detects SSO domains. Final session-issuance step in beta — contact support to enable for your tenant.
  • 5 new offensive tools. cve_enrich (NVD-cached), epss_lookup (FIRST.org), brand_typosquat (6 strategies + DNS + crt.sh), api_discovery (robots, sitemap, Swagger, GraphQL), cloud_config_audit (HEAD/OPTIONS for CDN/S3/CORS). 19 MCP tools total.
  • 9 outbound integrations live. Microsoft Teams (Adaptive Card v1.5), PagerDuty (Events API v2 with severity gate), GitHub Issues (PAT auth + label dedup), plus Linear and ServiceNow surfaced. Slack, Jira, generic webhook continue.
  • Inbound Jira webhook — bidirectional status sync. Marking a Jira issue Done / Resolved / Closed / Cancelled now auto-resolves the matching SICenter finding via sicenter-finding-<uuid> labels. Constant-time secret validation. 200 no-op for unknown issues so Jira never disables the webhook.
  • Public status page. Live operational health at /status. Polls app, database, threat-intel sync. Auto-refresh every 30 seconds. No auth required. Footer status badge on every page reflects real-time state.
  • Per-tool SEO landing pages. Every MCP tool now has its own page at /mcp/tools/{name} — auto-generated from the registry, with input schema table, REST + MCP examples, and cross-links to peer tools in the same CTEM stage.
  • SOC 2 controls matrix. 12-row SOC 2 Trust Service Criteria evidence matrix at /security#soc2 mapping our day-to-day engineering controls (RLS, AES-256-GCM, audit log, SSRF guards, HMAC webhook signing). Sales-grade snapshot.
  • Webhook verification docs. 5-language code samples (Node, Python, Go, Ruby, PHP) for verifying our HMAC-SHA256 webhook signatures with constant-time comparators and 5-minute replay window. /docs/webhook-verify.
  • Critical bug fixes. Findings page 500 (column mismatch), CTEM dashboard showing 0/0 (same column bug), Stripe portal stale customer_id (now returns 410 with upgrade_url), exposure_rollup_org cartesian explosion (DISTINCT ON fix), MCP error code collision, /auth/logout missing nodejs runtime, plus 25+ more.
  • SSRF hardening. ServiceNow and generic webhook connectors now route user-supplied URLs through assertPublicHost — DNS-resolves the target and rejects RFC 1918, link-local, loopback, and rebinding attempts.

Want to be notified when something ships? Subscribe to our blog or follow us on X. RSS feed coming soon.