
2026.02


Features & Enhancements

NodeZero Federal – MCP Server Access

  • FedRAMP High customers can now access a Horizon3-hosted Model Context Protocol (MCP) server at https://mcp.gov-horizon3ai.com/mcp, which simplifies secure model connectivity for federal environments.

Risk-Based Vulnerability Management (RBVM)

Vulnerability Management Hub (VMH)

  • Added port, protocol, and IP byte count fields to VMH data for richer technical context.
  • Clarified first seen and last seen timestamps in the API.
  • Expanded filtering and faceted search across:
      • Operators
      • Runners
      • Templates
      • Tickets (including “assigned by”)
      • Impacts
      • Weaknesses

These improvements make it easier to analyze and prioritize vulnerabilities at scale.


High-Value Targeting (HVT)

  • Added new HVT categories and improved hostname and username pattern matching to enhance business risk identification.
  • Refined HVT prompts for improved consistency and accuracy in AI-assisted classification.

Cross-Domain Credential Injection

  • Added the ability to inject cross-domain credentials into Password Audit and internal pentests, enabling more realistic multi-domain attack path validation.

Runner UI Enhancements

  • Expanded the Runner detail page with new tabs covering:
      • Command History
      • Credential injection
      • Past Pentests

Reporting Improvements

  • Pentest report downloads now include an optional LLM action log for greater transparency into AI-assisted operations.

MSP Subclient Flexibility

  • MSP subclients without explicit asset allocations can now run operations using the parent organization’s licensed asset pool, improving operational flexibility.

Filtering & Sorting Enhancements

Significant filtering and sorting improvements across the platform:

Pentests

  • Runners: Kubernetes namespace, User, User role
  • Kubernetes Operators: Version, Chart version, User
  • Templates: Runner name; sortable by min/max run times

Vulnerability Management Hub (VMH)

  • Tickets: Asset category, Status, Severity, User
  • Sort by Asset count and User

Pentest Results

  • Impacts: Weakness name, Credential name, Host name, Impact type
  • Weaknesses: Weakness name/ID, Category, Impact type
  • Credentials: Username, IP address, Impact type
  • Data: Service type, Data store type, IP address, Protocol & Port, Permissions, Name
  • Hosts: Access roles, Service types, Impact types; sortable by operating system

New Attack Content

  • Ivanti Endpoint Manager Mobile (EPMM) – CVE-2026-1281
    An authentication bypass vulnerability that allows unauthenticated attackers to access protected functionality, potentially leading to unauthorized system access.

  • BeyondTrust – CVE-2026-1731
    A vulnerability that could allow an attacker to execute arbitrary code or gain elevated privileges on affected systems, depending on configuration.

  • LDAPS Support
    Added LDAPS (LDAP over TLS) support to internal attack modules, so that Active Directory enumeration and exploitation paths are also available where domain controllers only accept encrypted LDAP.

  • Kubernetes Service Account RCE Identification
    Introduced detection of a Kubernetes remote code execution condition: a service account granted the get verb on the nodes/proxy subresource can reach the kubelet API through the API server's node proxy and execute commands on cluster nodes.
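The nodes/proxy condition above is an RBAC misconfiguration, so it can be found from the cluster's ClusterRoles and ClusterRoleBindings alone. The following audit script is an added example written for this page, not NodeZero's detection logic or any Kubernetes project code; the input dictionaries mirror the JSON shape of `kubectl get clusterroles,clusterrolebindings -o json`, and the objects in `SAMPLE_CLUSTER_ROLES` and `SAMPLE_BINDINGS` are constructed for the example. Function and constant names are assumptions.

```python
"""Hypothetical RBAC audit for the nodes/proxy GET condition (added example,
not NodeZero code). Input mirrors the JSON shape of
`kubectl get clusterroles,clusterrolebindings -o json`; the objects in
SAMPLE_* below are constructed for this example."""
from __future__ import annotations

# The apiserver maps an HTTP GET to the RBAC verb "get"; "*" covers all verbs.
RISKY_VERBS = {"get", "*"}
# Groups that make every service account (or every authenticated principal) a subject.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated"}


def rule_grants_nodes_proxy_get(rule: dict) -> bool:
    """True if one RBAC rule lets its holder GET the nodes/proxy subresource.

    Nodes live in the core API group (""), so the rule must list "" or "*".
    Resource matching follows the apiserver's forms: exact "nodes/proxy",
    the "*/proxy" subresource wildcard, or the full wildcard "*".
    """
    if not set(rule.get("apiGroups", [])) & {"", "*"}:
        return False
    if not set(rule.get("resources", [])) & {"nodes/proxy", "*/proxy", "*"}:
        return False
    return bool(set(rule.get("verbs", [])) & RISKY_VERBS)


def find_risky_bindings(cluster_roles: list[dict], bindings: list[dict]) -> list[tuple[str, str, str]]:
    """Return (binding, clusterrole, subject) triples for service-account
    subjects that reach a ClusterRole carrying nodes/proxy GET.

    Only ClusterRoleBindings matter: nodes are cluster-scoped, so a
    namespaced RoleBinding cannot grant access to them even when it
    references a ClusterRole that carries nodes/proxy.
    """
    risky = {
        r["metadata"]["name"]
        for r in cluster_roles
        if any(rule_grants_nodes_proxy_get(rule) for rule in r.get("rules", []))
    }
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for s in b.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                subject = f"{s['namespace']}/{s['name']}"
            elif s["kind"] == "Group" and (
                s["name"] in BROAD_GROUPS or s["name"].startswith("system:serviceaccounts:")
            ):
                subject = f"group:{s['name']}"
            else:
                continue  # human users and admin groups are out of scope for this check
            findings.append((b["metadata"]["name"], ref["name"], subject))
    return findings


# Constructed sample: one over-privileged monitoring role, one benign one,
# and cluster-admin bound only to the system:masters group.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "node-proxy-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "node-metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/metrics"], "verbs": ["get"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "monitoring-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "node-proxy-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"}]},
    {"metadata": {"name": "metrics"},
     "roleRef": {"kind": "ClusterRole", "name": "node-metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "metrics-server"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    for binding, role, subject in find_risky_bindings(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can GET nodes/proxy via ClusterRoleBinding {binding} -> ClusterRole {role}")
```

On the sample data the script reports only `monitoring/prometheus`; `node-metrics-reader` is not flagged because `nodes/metrics` is a different subresource, and `cluster-admin` is not flagged because its only subject is the `system:masters` group rather than a service account. A single finding can be confirmed against a live cluster with `kubectl auth can-i get nodes --subresource=proxy --as=system:serviceaccount:<namespace>:<name>`.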


Platform Performance & Stability

Host Discovery Improvements

  • Improved host discovery logic for operations with scopes smaller than a /15 CIDR range, improving reliability and consistency of scan coverage in large environments.

Database & Backend Optimizations

  • Improved GraphQL request logging to reduce database write load and lower the risk of portal latency spikes.
  • Tuned database idle connection timeouts to reduce connection pool exhaustion under load.
  • Fixed intermittent background job timeouts when connecting to the operations database, improving data pipeline reliability.
  • Optimized internal weakness-series processing to reduce execution time and resource consumption.
  • Corrected tenant backfill logic so jobs resume from the proper checkpoint instead of restarting.

Bug Fixes

  • Fixed Windows 11 hosts being misidentified as Windows 10.
  • Updated ADCS ESC8 cryptography handling to use supported libraries.
  • Resolved silent SMB verification failures when passwords began with a dash (-).
  • Updated the build process to use a patched Responder version, reducing unintended network strain during credential poisoning scenarios.
  • Fixed an NTDS password cracking timeout issue that caused certain operations to wait indefinitely.
  • Updated AD Tripwire installer to use culture-invariant timestamps.
  • Fixed co-branding display issues in the Portal.
  • Corrected CSV reporting so parent reports properly include subclient assets.
  • Fixed blank client names appearing in the “Move Pentest” modal.
  • Corrected Rapid Response Alerts page loading and empty states.
  • Fixed launch script behavior to properly remove old containers before starting new ones.
  • Ensured read-only users see disabled (not hidden) action buttons for consistent UX.
  • Corrected asset allocation enforcement edge cases for MSP environments.
  • Improved Entra ID refresh token verification logic to maintain compatibility with Microsoft changes.
  • Tripwire alert emails now clearly include the associated account name.
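The Windows 11 misidentification fix above is worth a practitioner's note: Windows 10 and Windows 11 both report product version 10.0 in the NTLM Version structure (MS-NLMP 2.2.2.10) and in SMB/RPC fingerprints, and differ only in the build number, so any classifier that keys on major.minor alone labels every Windows 11 host as Windows 10. The following is an added example written for this page, not NodeZero's fingerprinting code; it assumes that build-unaware version matching is the class of bug the fix addresses, and the 8-byte Version fields in `SAMPLE_*` are constructed for the example. Function and constant names are assumptions.

```python
"""Added example (not NodeZero code): classify the Windows product line from
the 8-byte NTLM Version field (MS-NLMP 2.2.2.10) that Windows sends in
NTLMSSP CHALLENGE messages. Layout: ProductMajorVersion (1), ProductMinorVersion (1),
ProductBuild (2, little-endian), Reserved (3), NTLMRevisionCurrent (1)."""
import struct

# First Windows 11 client build (21H2). Everything below it on the 10.0 line is
# Windows 10 or a Windows Server release that shares a client build.
WIN11_FIRST_BUILD = 22000
# 10.0-line builds that exist only as a server release and can therefore be
# named from the version alone. Other server builds (14393, 17763, 26100)
# share a client build and need an extra signal such as the SMB OS string.
SERVER_ONLY_BUILDS = {20348: "Windows Server 2022"}
# Pre-10.0 lines, where the version alone cannot separate client from server.
LEGACY = {
    (6, 3): "Windows 8.1 / Server 2012 R2",
    (6, 2): "Windows 8 / Server 2012",
    (6, 1): "Windows 7 / Server 2008 R2",
    (6, 0): "Windows Vista / Server 2008",
    (5, 2): "Windows Server 2003",
    (5, 1): "Windows XP",
}


def parse_ntlm_version(blob: bytes) -> tuple[int, int, int, int]:
    """Return (major, minor, build, ntlm_revision) from an NTLM Version field."""
    if len(blob) < 8:
        raise ValueError("NTLM Version field is 8 bytes")
    major, minor, build, _, _, _, rev = struct.unpack("<BBH3BB", blob[:8])
    return major, minor, build, rev


def naive_product_name(major: int, minor: int) -> str:
    """The failure mode: keying on major.minor only, so 10.0 is always 'Windows 10'."""
    return "Windows 10" if (major, minor) == (10, 0) else LEGACY.get((major, minor), f"Windows {major}.{minor}")


def windows_product_name(major: int, minor: int, build: int) -> str:
    """Build-aware classification for the shared 10.0 version line."""
    if (major, minor) == (10, 0):
        if build in SERVER_ONLY_BUILDS:
            return SERVER_ONLY_BUILDS[build]
        return "Windows 11" if build >= WIN11_FIRST_BUILD else "Windows 10"
    return LEGACY.get((major, minor), f"Windows {major}.{minor}")


def classify_challenge_version(blob: bytes) -> str:
    major, minor, build, _ = parse_ntlm_version(blob)
    return windows_product_name(major, minor, build)


# Constructed Version fields: Windows 11 22H2 (build 22621 = 0x585D) and
# Windows 10 22H2 (build 19045 = 0x4A65); revision 0x0F = NTLMSSP_REVISION_W2K3.
SAMPLE_WIN11 = bytes([10, 0, 0x5D, 0x58, 0, 0, 0, 0x0F])
SAMPLE_WIN10 = bytes([10, 0, 0x65, 0x4A, 0, 0, 0, 0x0F])

if __name__ == "__main__":
    for label, blob in (("win11", SAMPLE_WIN11), ("win10", SAMPLE_WIN10)):
        major, minor, build, _ = parse_ntlm_version(blob)
        print(f"{label}: naive={naive_product_name(major, minor)} "
              f"build-aware={windows_product_name(major, minor, build)}")
```

The build threshold separates the two client products, but the 10.0 line also carries Windows Server, so a build shared by a client and a server release (for example 26100, used by both Windows 11 24H2 and Windows Server 2025) still needs a second signal before the host is labelled client or server.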

Federal

Users of NodeZero Federal might experience a 1–2 week delay in the availability of some new features, Attack Content, or bug fixes.