January 2026 Release Notes
Copy link

The Command Platform release notes include information about what’s new, which are updated monthly, and improvements and fixes, which are updated weekly.

ℹ️

Last updated: January 26th, 2026

Improvements and Fixes
Copy link

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider
Copy link

No updates released at this time.

Top of page

Cloud Security (InsightCloudSec)
Copy link

Release availability for self-hosted users

Self-hosted users are able to download the latest version usually 4 business days after SaaS users are upgraded from the following locations:

  • Terraform deployments: Public S3 bucket . Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) deployments - You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery 

Version 26.1.27
Copy link

Software release date: January 27, 2026 | Release notes published: January 26, 2026

Improved

  • Kubernetes Scanner: Updated to v4.1.17 with vulnerability fixes:
    • Internal components and their versions are in the chart value file. You can easily view the data using the following command: helm show values <chart name> | grep -E 'Name:|Version:'.
    • For update to new version please use helm upgrade --install command referenced in Kubernetes Scanner documentation.
  • Container Vulnerability Assessments: Improved container vulnerability assessment reporting. Vulnerable resources for container assessments on K8s ReplicaSets now correctly list the parent K8s Deployment when applicable instead of the ReplicaSet instances.
  • Visual Interface: Fixed spacing between icons and labels in overflow menus throughout the product.
  • Identity Analysis Page: Added Insight Finding Severity advanced filter option for improved filtering capabilities.
  • TranscodingPipelineHarvester: De-registered AWS Transcoding Pipeline Harvester in response to its end of life in AWS.

New Insights

  • MemoryDB Cluster Authentication Disabled: Identifies MemoryDB clusters that do not have authentication enabled.
  • Virtual Machine Without Encryption At Host Enabled: Identifies Azure virtual machines that do not have encryption at host enabled.
  • Function App Deployment Slot Allowing a Configuration State of All Allowed: Identifies Function app deployment slots with overly permissive configuration states.
  • Function App Allowing a Configuration State of All Allowed: Identifies Function apps with overly permissive configuration states.
  • App Service App Does Not Require Client Certificate Authentication: Identifies Azure App Service apps that do not require client certificate authentication.
  • App Service Deployment Slot Does Not Require Client Certificate Authentication: Identifies Azure App Service deployment slots that do not require client certificate authentication.
  • Function App Does Not Require Client Certificate Authentication: Identifies Function apps that do not require client certificate authentication.
  • Function Deployment Slot Does Not Require Client Certificate Authentication: Identifies Function deployment slots that do not require client certificate authentication.

Updated Insights

  • App Service With FTP or SCM Basic Authentication Enabled: Renamed from “Web App With FTP or SCM Basic Authentication Enabled” and moved specific resource types to new dedicated insights:
    • App Service Deployment Slot moved to App Service Deployment Slots With FTP or SCM Basic Authentication Enabled.
    • Function App moved to Function App With FTP or SCM Basic Authentication Enabled.
    • Function App Deployment Slot moved to Function App Deployment Slots With FTP or SCM Basic Authentication Enabled.
  • Database Instance Defender for SQL Disabled: Renamed from “Database Instance Threat Detection Disabled” for better clarity.

New Query Filters

  • MemoryDB Cluster Authentication Disabled: Identifies MemoryDB clusters without authentication enabled.
  • Virtual Machine Without Encryption At Host Enabled: Identifies virtual machines without encryption at host enabled.
  • App Service Resource Does Not Require Client Certificate Authentication: Identifies Azure web app resources that do not require client certificate authentication.
  • Database Instance Defender Disabled (SQL Only): Identifies SQL database instances with Defender disabled.
  • Secret is Expired: Identifies expired ProviderSecrets. This is applicable only to GCP and Azure secrets.

New Compliance Packs

  • CIS AWS End User Compute Services Benchmark v1.2.0: Added comprehensive compliance pack for AWS End User Compute Services following CIS benchmarks.

Fixed

  • Fixed an issue where HarvestTemplateProcessor failed to generate template IDs correctly for automatically registered cloud accounts.
  • Fixed an issue where AWSOrganizationSyncAccounts and AzureOrganizationSyncSubscriptions jobs did not send scheduler mailbox messages for automatically created organizations.
  • Fixed an issue where the Misconfigurations view failed to filter by Insights as expected.
  • Fixed an issue where the loading spinner persisted in the Resource Listing view after data was populated in the table.

Version 26.1.20
Copy link

Software release date: January 20, 2026 | Release notes published: January 20, 2026

Improved

  • Custom Insight Pack Limits: Removed the hard limit of 1,000 insights for custom insight packs.
  • AWS Region Support: Added missing AWS region ap-southeast-6 to harvesting strategy dropdown.
  • Cloud Summary Page: Updated flexibility of the primary Cloud Summary page to better support narrower monitor types.
  • Advanced Filtering: Added Advanced Filter on Vulnerability Proof.
  • AWS Harvester Error Handling: Changed job status of AWS harvesters that fail due to ClientError code UnauthorizedException from CLOUD_UNKNOWN_PROVIDER_ERROR to CLOUD_PERMISSION_ERROR.

New Insights

  • Database Cluster Without IAM Authentication: Identifies database clusters that do not have IAM authentication enabled.
  • App Service App Without Private Endpoint Connections: Identifies Azure App Service apps without private endpoint connections configured.

Updated Insights

  • App Service Without Managed Identity Enabled: Moved the following resource types to separate insights for better specificity:
    • App Service Deployment Slot moved to App Service Deployment Slot Without Managed Identity Configured.
    • Function App moved to Function App Without Managed Identity Configured.
    • Function App Deployment Slot moved to Function App Deployment Slot Without Managed Identity Configured.
  • Resource does not Support TLS 1.2: Updated to support the same resource types as its underlying Query Filter Resource Does Not Support TLS 1.2 Minimum.

New Query Filters

  • Resource Does Not Support TLS 1.3 Minimum: Identifies resources that do not support TLS 1.3 as the minimum version. Supports the following resource types:
    • Database Instances (AWS/Azure)
    • App Service Apps (Azure)
    • App Service Deployment Slots (Azure)
    • Function Apps (Azure)
    • Function Deployment Slots (Azure)
    • Load Balancers (AWS)
    • Storage Containers (AWS)
    • Content Delivery Networks (AWS)
    • Message Queues (Azure)
    • Message Queue Namespaces (Azure)
    • Message Topics (Azure)
  • Content Delivery Network Allowing Insecure Protocol within Security Policy or Origin: Combines findings from the following Query Filters:
    • Content Delivery Network Origin Supported SSL Protocol
    • Content Delivery Network With Specified Security Policy

Updated Query Filters

  • Resource Does Not Support TLS 1.2 Minimum: Added support for the following new resource types:
    • Cloud Accounts (GCP)
    • Content Delivery Networks (AWS)
    • Event Grid Topics (Azure)
    • Message Queues (Azure)
    • Message Queue Namespaces (Azure)
    • Message Topics (Azure)
  • Cloud Account By Minimum TLS Version Permitted:
    • Updated to remove a false positive case where a Cloud Account could have 2 Minimum TLS Versions.
    • Added a new not_in Boolean Inversion Flag.
  • Event Grid Topics By Minimum TLS Version Allowed: Added a not_in Boolean Inversion flag.
  • Message Queue Minimum TLS Version: Added a TLS 1.3 option to this Query Filter’s settings_config to match configurable options on Azure.
  • Message Queue Namespace Minimum TLS Version: Added a TLS 1.3 option to this Query Filter’s settings_config to match configurable options on Azure.

Fixed

  • Fixed an error with the AWS and GCP ThreatFindingsHarvester where the description was never saved.
  • Fixed an issue where the Insight Count on the Query Filters view did not match the rendered count in the Insights page.
  • Fixed an issue with the GCP ThreatFindings harvester which would fail if Security Command Center is completely disabled.
  • Fixed an issue where copying Add Cloud Non-Admin Instructions wouldn’t include links.
  • Fixed an issue where bots configured with multiple actions were throwing DetachedInstance errors when Slack or Teams actions preceded any others.

Version 26.1.13
Copy link

Software release date: January 13, 2026 | Release notes published: January 12, 2026

Improved

  • IAM Role Path Updates: Rapid7-provided default ICS CFTs will now omit /rapid7/ from IAM path by default. Roles without paths are required for customers wishing to reuse the same role for harvesting EKS Kubernetes resources. If needed, customers can generate the CFTs with the legacy path manually with the onboard.py script using the --iam-path option.
  • Cloud Essentials CIS Updates: Updated Cloud Essentials to use latest CIS benchmark versions (CIS AWS 6.0, CIS Azure 4.0, CIS GCP 4.0) after previous pack versions (1.x) were deprecated.
  • User Interface Enhancements:
    • Updated Cloud Account Harvester Settings to be consistent with product design system.
    • Updated Container Assessment Settings to be consistent with product design system.
    • Updated Settings > IAM Settings experience to be consistent design.
  • GCP Organization Structure: GCP organization structure is now collected before “Enable Account Discovery” is enabled so that context is present up front.
  • Azure Credential Management: Added new background job (AzureCredentialMetadataProcessor) that collects credential metadata associated with registered Azure Service Principals.
  • AWS ElastiCache Support: Added support for has_pending_update column for AWS MemcacheInstance.
    • New AWS permissions required:
      • elasticache:DescribeServiceUpdates
      • elasticache:DescribeUpdateActions
    • Detailed information about specific updates for a given ElastiCache instance will be available in the source document.
  • TLS Configuration Support: Added support for TLS encryption and minimal TLS version detection for AWS Database Clusters, including Neptune, DocumentDB, Aurora MySQL, and Aurora PostgreSQL.
  • Error Handling: Improved error handling added for AWS RestAPIGatewayStage export API call.
  • Azure Web App Features: The WebAppHarvester now harvests a new value ftp_basic_auth_enabled. In Azure, this is called ‘FTP Basic Auth Publishing Credentials’.
  • Remediation Table: Improved pagination for remediation table in vulnerability details.

New Insights

  • Timestream Database using Cloud Managed Key instead of Customer Managed Key: For timeseries database resource.
  • Neptune Database Cluster Encryption in Transit Disabled: New insight for CIS AWS Database Services Benchmark 1.0.0 Recommendation 9.3 Ensure Data in Transit is Encrypted (Manual).
  • Neptune Database Cluster Encryption at Rest Disabled: New insight for CIS AWS Database Services Benchmark 1.0.0 Recommendation 9.2 Ensure Data at Rest is Encrypted.
  • Database Cluster Encryption in Transit Disabled: New insight for CIS AWS Database Services Benchmark 1.0.0 Recommendation 7.4 Ensure Encryption in Transit is Enabled.
  • Storage Accounts Containing VHDs with No Encryption Type: Identifies Azure storage accounts containing VHDs with no encryption type.
  • Volume Network Access Overly Permissive (Attached): Identifies attached volumes with overly permissive network access.
  • Batch Environment Not Using Local Authentication Modes: Identifies batch environments not using local authentication modes.
  • App Service Deployment Slot With HTTP 2.0 Not Enabled: Moved from “App Service App With HTTP 2.0 Not Enabled” insight.
  • Function App With HTTP 2.0 Not Enabled: Moved from “App Service App With HTTP 2.0 Not Enabled” insight.
  • Function App Deployment Slots With HTTP 2.0 Not Enabled: Moved from “App Service App With HTTP 2.0 Not Enabled” insight.
  • App Service App End-to-End TLS Encryption Not Enabled: Identifies App Service apps without end-to-end TLS encryption.
  • App Service Deployment Slot Without End-to-End TLS Encryption: Identifies deployment slots without end-to-end TLS encryption.
  • Function App Without End-to-End TLS Encryption Enabled: Identifies function apps without end-to-end TLS encryption.
  • Function Deployment Slot Without End-to-End TLS Encryption Enabled: Identifies function deployment slots without end-to-end TLS encryption.
  • Web App With FTP Or SCM Enabled: Identifies web apps with FTP or SCM enabled.

Updated Insights

  • Virtual Machine Endpoint Protection Extension Not Installed:
    • Added Overview section.
    • Added remediation step.
    • Added remediation link.
    • Added bot configuration.
  • Web App Not Requiring HTTP2 (Azure): Renamed to App Service App With HTTP 2.0 Not Enabled.
  • Cache Instance Not Using Minimum TLS Version 1.2 or Higher: Updated to match the configuration of underlying QFs.
  • Storage Account set to TLS version 1.2 or higher: Updated to match the configuration of underlying QFs.
  • Resource does not Support TLS 1.2: Updated to now scope GCP resources, specifically Load Balancers and Storage Containers.

New Query Filters

  • Database Cluster Encryption In Transit Disabled: Identifies database clusters with encryption in transit disabled for CIS AWS Database Services Benchmark 1.0.0 Recommendation 7.4.
  • Storage Account With Unmanaged Disk (VHDs): Identifies storage accounts containing unmanaged disks (VHDs).
  • Volume Has Overly Permissive Network Access: Identifies volumes with overly permissive network access settings.
  • Batch Environment Authentication Modes: Identifies batch environments authentication mode configurations.
  • App Service Resource Without End-to-End TLS Encryption Enabled: Identifies App Service resources without end-to-end TLS encryption enabled.
  • Web App With FTP or SCM Enabled: Identifies web apps with FTP or SCM enabled.
  • Load Balancer SSL Protocol Version Below 1.2: Combines the findings of Load Balancer SSL Protocol Version QFs to return Load Balancer resources that are non-compliant across GCP, AWS, and ALI.

Updated Query Filters

  • Cache Instance Minimum TLS Version: Removed TLS 1.3 configuration options as TLS 1.3 is not configurable as a Minimum TLS Version.
  • Storage Account Minimum TLS Version: Removed TLS 1.3 configuration options as TLS 1.3 is not configurable as a Minimum TLS Version.
  • Distributed Table Minimal TLS Version: Removed TLS 1.3 configuration options as TLS 1.3 is not configurable as a Minimum TLS Version.
  • Resource Does Not Support TLS 1.2 Minimum: Multiple configuration updates:
    • settings_config for Database Instance resources updated to include TLS 1.3, removing false positive results where TLS 1.3 resources were being flagged as non-compliant.
    • settings_config for Elasticsearch Instance resources updated to include Policy-Min-TLS-1-2-PFS-2023-10, removing false positive results where resources enforcing TLS 1.2 were being flagged as non-compliant.
    • settings_config for Distributed Table resources updated to no longer include TLS 1.3, as this is not configurable as a Minimum TLS Version for this resource type.
    • Removed Web App as a supported resource type. This is now an AWS-only resource type for which we cannot gather Minimum TLS Version data.
    • Added Load Balancer as a supported resource type.
    • No longer scopes Web Apps.
    • Now scopes non-compliant Load Balancer resources across AWS, ALI, and GCP.
    • Now scopes GCP resources, specifically Load Balancers and Storage Containers.

New API Features

  • Added filter_id parameter support to the paginated insights endpoint (/v4/iac/insights).

Fixed

  • Fixed styling of hyperlinks in tooltips to contrast more with the background and existing text to be visible in both light and dark themes.
  • Fixed line breaks around external links when included inline with product documentation.
  • Fixed visual regression on harvest results charts as seen on cloud accounts overview screen.
  • Resolved an issue where hiding columns in the resource-listing-table caused the remaining columns to become excessively wide, ensuring table columns now resize appropriately based on visible selections for a more user-friendly experience.
  • Fixed issue preventing users from viewing GCP BigQuery datasets with extensive metadata in the UI. (Only affecting customers with feature flag S3SourceDocumentStorage enabled).
  • Fixed a bug that prevented messages being sent to MS Teams via our integration.

Top of page

SIEM (InsightIDR)
Copy link

No updates released at this time.

Top of page

InsightVM
Copy link

Version 8.34.0
Copy link

Software release date: Jan 26, 2026 | Release notes published: Jan 22, 2026

Improved:

  • Enhanced fingerprinting for Citrix Virtual Apps and Desktops to improve detection accuracy. The identification logic has been updated to use additional Citrix components present on the system, providing more reliable recognition of Citrix environments.
  • Enhanced administration of scan engines by allowing custom properties to be managed directly from the Console host’s text-based command console. Administrators can apply properties to all engines or selected engines without logging into each engine individually.
  • Optimized the display of the “Last Assessed” timestamp on the Assets page by presenting it in the local timezone for a more consistent user experience.
  • Enhanced scan scheduling flexibility by allowing asset groups to be excluded directly within scan schedules. Asset groups can now be selected for exclusion regardless of when they were created, making it easier to manage scan scope and scheduling.
  • The GET /api/3/asset_groups endpoint now applies more granular, role-aware filtering to API responses. Asset group results are aligned with the authenticated user’s role, with Global Administrators continuing to receive the full list and other roles receiving appropriately scoped results. This change affects the API only and does not impact asset group visibility in the UI.
  • Internal runtime cleanup improvements were made to enhance system hygiene and reduce unnecessary scan findings.

Version 8.33.0
Copy link

Software release date: Jan 12, 2026 | Release notes published: Jan 8, 2026

Improved:

  • Improved scan performance by optimizing CPU usage during HTTPS service fingerprinting. Enhancements have been made to the VMware detection logic to prevent inefficient processing when scanning non-VMware HTTPS endpoints that return unexpected response content. This ensures consistent performance and more efficient use of system resources during scans.
  • Improved assessment accuracy for the CIS Apple macOS 14.0 Sonoma Benchmark (Level 1) by refining evaluation of password account lockout threshold and reset timing requirements.
  • Improved assessment accuracy for the CIS Apple macOS 13.0 Ventura Benchmark (Level 1) by correcting syntax issues in policy rules.
  • Improved DHCP-based discovery connections to enhance stability and consistency when connecting to supported Windows DHCP servers.
  • Enhanced various user interface elements to improve layout, responsiveness, and overall usability across the Security Console.

Top of page

Nexpose
Copy link

Version 8.34.0
Copy link

Software release date: Jan 26, 2026 | Release notes published: Jan 22, 2026

Improved:

  • Enhanced fingerprinting for Citrix Virtual Apps and Desktops to improve detection accuracy. The identification logic has been updated to use additional Citrix components present on the system, providing more reliable recognition of Citrix environments.
  • Enhanced administration of scan engines by allowing custom properties to be managed directly from the Console host’s text-based command console. Administrators can apply properties to all engines or selected engines without logging into each engine individually.
  • Optimized the display of the “Last Assessed” timestamp on the Assets page by presenting it in the local timezone for a more consistent user experience.
  • Enhanced scan scheduling flexibility by allowing asset groups to be excluded directly within scan schedules. Asset groups can now be selected for exclusion regardless of when they were created, making it easier to manage scan scope and scheduling.
  • The GET /api/3/asset_groups endpoint now applies more granular, role-aware filtering to API responses. Asset group results are aligned with the authenticated user’s role, with Global Administrators continuing to receive the full list and other roles receiving appropriately scoped results. This change affects the API only and does not impact asset group visibility in the UI.
  • Internal runtime cleanup improvements were made to enhance system hygiene and reduce unnecessary scan findings.

Version 8.33.0
Copy link

Software release date: Jan 12, 2026 | Release notes published: Jan 8, 2026

Improved:

  • Improved scan performance by optimizing CPU usage during HTTPS service fingerprinting. Enhancements have been made to the VMware detection logic to prevent inefficient processing when scanning non-VMware HTTPS endpoints that return unexpected response content. This ensures consistent performance and more efficient use of system resources during scans.
  • Improved assessment accuracy for the CIS Apple macOS 14.0 Sonoma Benchmark (Level 1) by refining evaluation of password account lockout threshold and reset timing requirements.
  • Improved assessment accuracy for the CIS Apple macOS 13.0 Ventura Benchmark (Level 1) by correcting syntax issues in policy rules.
  • Improved DHCP-based discovery connections to enhance stability and consistency when connecting to supported Windows DHCP servers.
  • Enhanced various user interface elements to improve layout, responsiveness, and overall usability across the Security Console.

Top of page

Digital Risk Protection (Threat Command)
Copy link

No updates released at this time.

Top of page

Rapid7 Agent
Copy link

No updates released at this time.

Top of page

Next-Generation Antivirus
Copy link

No updates released at this time.

Top of page

Ransomware Prevention
Copy link

No updates released at this time.

Top of page

Velociraptor
Copy link

Rapid7 Velociraptor Client Version 0.74.4.15
Copy link

Software release period: January 20, 2026 - January 31, 2026 | Release notes published: January 22, 2026

Improved:

  • Reduced Time for Velociraptor Investigations Hosted Velociraptor clients now poll the Velociraptor service every three minutes instead of every ten minutes. This change significantly reduces the average wait time for an idle client to start jobs such as hunts, endpoint collections, and Virtual File System (VFS) listings.

Note: Command Platform–managed updates must be enabled for assets to update automatically to the latest Rapid7 Velociraptor version. For more information, read the managed agent updates documentation .

Top of page