API changes
Breaking change! - Likelihood of Impact: Very Low
The clonedTo and clonedFrom includes for findings have been renamed to importedTo and importedFrom. The events in the timeline relating to importing have been renamed from FindingCloneEvent to FindingImportEvent, and they now only appear on the original finding.

Checklists for Complete and Auditable Security Assessments
Checklists are now available, helping teams deliver more reliable, complete, and auditable security assessments. You can use any checklist you need, choosing from predefined industry standards or creating your own to match your methodology, ensuring every test case is thoroughly tested and documented.

Highlights
- Start with the included templates, with more coming in future updates.
- Use only the checklist levels you need, such as Level 1 and Level 2 from OWASP ASVS, while excluding Level 3.
- Create custom templates to match internal testing methodologies.
- Attach checklists to assessment templates so new assessments include the right checklists automatically.
- Include checklist results directly in your reports with the new Checklist Table component, featuring flexible display options and full customization via 'Report Theme' settings.
- Assign test cases to researchers and track progress in real time.
- Access checklists and test cases instantly from the researcher panel.
- Attach findings and comments to individual test cases as proof.

Getting Started
- Add a checklist to an assessment on the main assessment page using the 'Assessment Settings' dropdown (the button with the wrench icon).
- Access the added checklist either via the researcher panel or the 'Checklist' tab.
- Start testing! Each test case begins as Not Tested. Researchers can mark cases as Not Applicable, Passed, or Failed, and attach supporting evidence.
- For more details on configuring and using checklists, see the documentation.

Component Preview
When adding components like dynamic tables to markdown fields, you will now see a live preview with the selected options. This means you no longer need to reference the documentation to figure out what each component or option does.
For assessments, previews are generated using data from that assessment. For assessment templates, dummy data is used instead.

Other Improvements
- Activity is now logged when a user views an assessment or finding. In the API, every finding or assessment object that is returned is also logged, regardless of which route is used.
- When importing a finding from a previous assessment, the finding no longer has a separate created event and import event.
- You can now set assessment sections to appear in reports only if the section itself or one of its children has findings.
- Added new target types 'Gameplay', 'Smart contract', 'Web3 application', 'Source code' and 'Network'.
- Added includes for allComments and allEvents to findings in the API. This gets all comments or timeline events, including replies.
- 'Finding status changed' notifications are no longer sent to researchers.
- Researchers are no longer notified about retest requests being cancelled if they do not have permission to create retests.
- Assessments with the 'Retest Requested' status are now considered locked (similar to 'On Hold' and 'Completed' assessments), preventing researchers from making changes.
- You can now use the keyboard to interact with dropdowns in the markdown editor toolbar.
- The markdown editor toolbar is now always visible when editing a large markdown field.
- You can now assign users to assessments as 'Lead Researcher'. Marking a researcher as lead can help establish clear accountability within the team. This role may involve coordinating technical work, supporting other researchers, and helping ensure findings are consistent and well-organized. Responsibilities can vary based on your team's workflow.
- Added documentation for which media file types can be uploaded. You can find the list in 'Documentation > General > Usage > Markdown Editor'.
- File upload support has been extended:
  - Additional image and video formats are supported.
  - You can now upload a variety of audio files.
  - .7z and .tar.gz archives are now supported.
  - Any unsupported file type can still be uploaded by first compressing it into a .zip, .7z, or .tar.gz archive.
  - The related documentation has been improved.
- New options for finding numbers and short ID:
  - You can display the finding number (e.g., 001) in the title of each finding in reports. You can find this setting in the Miscellaneous tab of the Report Theme settings.
  - The following options can be set on the assessment edit page, with defaults in 'Settings > General > Assessment Defaults' for new assessments:
    - You can now configure if the assessment short ID is included in finding short IDs. So the ID could be 'MyAssessmentShortId-001' or simply '001'.
    - You can now configure the minimum number of digits for finding ID numbers. So it could be '1', '001' or even '000001'.

Bug Fixes
- Fixed an issue where importing a finding from a previous assessment and changing its status or severity while in draft would trigger timeline events and notifications. These should only occur if the finding has been published.
- Fixed an issue where imported findings retained the created_at timestamp from the original finding.
- Fixed a bug where a file upload dialog would sometimes open when selecting text in a markdown editor.
- Fixed an inconsistency in the markdown editor where an attachment’s extension sometimes differed from the one inserted into the markdown field.
- Fixed missing example requests and responses in the API documentation.
- Fixed an issue where deleting a retest request could leave findings stuck in 'Retest Pending' with no way to update the status.
- Cancelling or deleting a retest request now always sets the finding back to the status it was before the request, instead of always setting 'Unresolved'.
- Fixed a bug where sections could appear in the wrong order in some tables.
- Fixed image scaling issues in the online report.
- Fixed incorrect fonts and sizes being applied to some fields in the online report.
- Fixed an issue where the preview of large images in the markdown editor prevented editing the caption.
- The LinkedIn field for users can now only contain links to LinkedIn.
- Fixed a bug where deleting a custom field would cause a '405 Method Not Allowed' error.
- Fixed a bug on the schedule page where the 'Save changes' button did nothing when editing an assessment phase.
- Fixed a bug in the markdown editor where the focus would remain on the markdown editor when opening the snippet dialog.
- Fixed an issue that could prevent the 'General Settings' form from saving when certain results table options were selected.