Dec 09, 2025 19 min read

Release Notes

March 31st, 2026

Auto-Scoring for Integration-Created Risks and Incidents

Organizations can enable automatic scoring for risks and incidents created via integrations. When enabled, newly ingested risks and incidents are scored at the time of ingestion. Records that are already closed in the source system are created as closed in the Adversarial Platform, ensuring consistent data and status flow.

Auto-scoring is configured per integration and must be explicitly enabled by the organization. For auto-scored records, the platform sets Urgency and Threat Objectives for risks, and Severity and Threat Objectives for incidents. For each relevant field, the reasoning is captured as part of the analysis. Users can manually score or overwrite auto-scored risks and incidents at any time.

Details synchronized from the source system are displayed in the Adversarial Platform. Any changes in the source system in terms of new details or modifications will be reflected in the relevant Adversarial record upon the next sync. When adding context, record your notes in the Comments section rather than the Description field. If you plan to run AI Scoring manually, first document your reasoning in Comments, save your changes, and then run the scoring.

This capability uses the same scoring inputs, procedures, and supplemental embeddings as the manual and bulk AI scoring workflows, ensuring consistent results across all records.

Cyber Incident Management Procedure (RAMP) AI Embedding Supplement Additions

False Positive Detection

False positive incidents are rated SEV5. Evidence of a false positive in the narrative content of an incident can take several forms such as confirmed authorized behavior, legitimate business purposes, confirmed activity from an authorized software agent, or an authorized IT administrator reconfiguring an endpoint or installing software. A legitimate vulnerability scanner, for example, does not represent unauthorized activity. The terms “anomalous” or benign or often used by analysts to indicate false positive events, so in context a phrase such as CUSTOMER_ANOMALOUS_SAFE or ANOMALOUS_SAFE_NO_ESCALATION can often be equated with a false positive.

March 23rd, 2026

Integrations - Organization level notifications via Slack & Teams

Platform administrators can configure organization-level notification subscriptions for Slack and Microsoft Teams. The sections below explain how to enable each platform and configure its notification settings.

Microsoft Teams

Integrate Risk and Incident notifications with Microsoft Teams to keep your team informed in real time. Configure a webhook to post alerts to designated Teams channel whenever risks or incidents are created or updated, ensuring rapid visibility into critical security events.

Directions for Teams notifications setup:

Open Microsoft Teams and create a designated Channel
If a channel already exists, go to your Teams → Channel
Click the “more chat options” icon (⋯) and select “Workflows”
Search for the following webhook in the “find templates” search bar "Send webhook alerts to a channel". The following steps will allow you to generate a webhook URL.
Once your designated webhook option is selected, you’ll see parameters to populate
Assign the “Team the channel is in”
Assign the “Channel”
Click Save
Click "Add workflow"
Copy the generated webhook URL
Navigate to the Integrations section of the Adversarial Platform, assign a “Channel Name” and paste the URL generated above into the “Webhook URL” field
Configure notification preferences in the Notifications settings
Once your channel is ready, navigate to the Adversarial tenant and click into your Settings page. Within the Company settings section, you will see a section for Notifications. These notification settings are for the organization, rather than the individual. This selection drives the triggers that create a notification to be sent to your designated Teams channel.

Slack

Integrate Risk and Incident notifications with Slack to keep your team informed in real time. Create a Slack app and configure a webhook to post alerts to a designated Slack channel whenever risks or incidents are created or updated, ensuring rapid visibility into critical security events.

Directions for Slack notifications setup:

Create a Channel in your Slack where you want to manage your Adversarial notifications. If one already exists, skip this step.
Go to your Slack workspace settings via the following link - https://my.slack.com/account/workspace-settings
From the menu on the left, navigate to the "Integrations" page
On the top right, select the "Build" option
Selecting Build will take you to the “Your Apps” page, select the “Create an App”
On the Create an app menu popup , you’ll see two options “From a manifest” and “From scratch”. Select the “From scratch” option.
Assign a name from your app by inputting the value in the “App Name” section
Select the workspace in which you wish to develop your app
Select the "Create App" button. Selecting this button will take you to the Basic Information page where you will see pertinent details about your app. On the left pane, under the Features section, select the “Incoming Webhooks” page.
Since this is a brand new app, you will see an option to Activate Incoming Webhoods, toggle the Off switch to On.
Under the Webhook URLs for Your Workspace section, select “Add New Webhook”. This will take you to a new page where you can assign the “Channel for your webhook”
Assign your designated Adversarial notifications Slack channel via the “Channel for webhook” dropdown.
Then select Allow
You will navigate back to the Incoming Webhooks page. Under the Webhook URLs for Your Workspace section, copy the Webhook URL you generated for your app and channel.
Navigate to your Adversarial tenant, go to Settings, and select the Integrations page.
Locate the Slack integration and click “Connect”
Assign the Channel Name
Paste the Webhook URL copied from step 6h.
Click Confirm to finalize your integration
Configure notification preferences in the Notifications settings
Now that your integration setup is finalized, navigate to your Adversarial settings page. Within the company settings section, you will see a section for Notifications. These notification settings are for the organization, rather than the individual. This selection drives the triggers that create a notification to be sent to your designated Slack channel.

Wiz 1:1 Refactor

With the refactor of the Wiz integration, each Wiz issue now maps to a distinct risk (RSK) rather than combining multiple issues into a single record. This change enables you to:

Track progress at the individual-issue level
Move each risk independently through its lifecycle
Gain a more accurate view of your organization’s remediation velocity

Lifecycle synchronization:

The integration keeps issues synchronized throughout the risk lifecycle. Risks will only progress forward and never backwards. To preserve the integrity of auto-scored and AI-scored risks, RSKs in the Urgency Proposed status will never regress to New.
When Wiz marks an issue as resolved, the corresponding risk advances to Closure Proposed in the Adversarial Platform. At that point, the RSK owner can review and manually close the risk in Adversarial.
If the issue later reappears in Wiz after the risk has reached Closure Proposed (and is closed), the integration creates a new risk record rather than reopening the closed.
Informational severity issues are not imported. Remaining urgency values from Wiz to Adversarial are mapped 1:1.

Adversarial Field - Description

Each imported risk includes a detailed Markdown description assembled from the Wiz issue data. The description contains the following sections (when data is available):

Rule description — The security finding explanation from the source rule.
Projects — Wiz project names, with business unit in parentheses if present.
Resource details — Resource name, type, cloud platform, region, subscription, and Kubernetes cluster/namespace.
Resource tags — Cloud resource tags shown as key-value pairs.
Resolution context — Only shown for resolved or rejected issues: resolution reason, resolution note, and rejection expiry date.
Service tickets — Links to external tickets (e.g. Jira, ServiceNow) associated with the Wiz issue.
Notes — Analyst notes from Wiz, with author and timestamp.
View in Wiz — Direct links to the rule definition and the issue in the Wiz console.

Adversarial Fields - Dates

Discovered Dates - Wiz issue created date
Closed Date - Wiz resolved date (for Resolved and non-Exception Rejected issues)
Expected Date - Wiz rejection expiry (Exception rejections only)

Status Mapping Details - Wiz to Adversarial Mapping

Open --> New
In Progress --> Remediation
Resolved --> Closed (The resolution reason maybe that the object is deleted, resource no longer exists)
Resolved --> Closure Proposed (The resolution is anything other than object deleted, with the Closed Date carried over)
Rejected --> Remediation (Resolution reason is an exception, this is time-bound, with the expiration date set from expiry)
Rejected --> Closed (Resolution reason is anything other than an exception)

Hint: A Rejected + Exception issue in Wiz represents a time-bound risk exception — the issue is still an open risk that has been temporarily accepted. It maps to Remediation rather than Closed, and the exception expiry date is used as the Expected Date (target remediation date) in Adversarial.

Modifications to CyberGov and Board Deck

The CyberGov and Board Decks have been updated to deliver more meaningful information across the Risk and Incident tables. Notable enhancements include live links in the ID columns within CyberGov tables, removal of the Description column, the addition of key dates for risks and incidents, and a more capable AI engine for executive summaries. These date fields help users understand why a given incident or risk appears in specific charts and tables directly from the CyberGov deck, and the live links provide one-click access to the corresponding record in Adversarial. The Board Deck now includes only SEV-1 and SEV-2 incidents, while the CyberGov deck continues to include SEV-1, SEV-2, and SEV-3 incidents.

As a reminder, the specific dates and data elements that determine a record’s inclusion in a table or chart are outlined below.

Risk Tables

When determining which risks appear on the RemAgi (Remediation Agility) chart, focus on each risk’s dates and status. This is especially relevant for the CyberGov deck, which presents risk details in tables. If the following conditions are met, a risk will appear on your Remediation Agility chart and, consequently, in your risk tables.

A risk is discovered and currently open during my reporting period - discovered during the period
A risk is discovered and closed during my reporting period - remediated during the period
A risk is due during the period - due on or before period end, and either still open or closed during/after the period. This doesn’t necessarily mean a risk is overdue though it can contain risks that were discovered outside of my period but have not been remediated yet.
A risk is discovered outside of my period but marked as closed during my period

Incident Tables

When determining which incidents appear on the Incidents chart, consider each record’s dates, severity, and status. This is especially relevant for the CyberGov deck, which presents incident details in tables. If the conditions below are met, an incident will appear on your Incidents chart and, consequently, in your incident tables.

An incident is has a detected date between the start and end of the reporting period
An incident has an occurred date between the start and end of the reporting period
An incident has a contained date between the start and end of the reporting period
Incidents have been detected or occurred before my reporting period but contained within the reporting period

Editor Tool Bar

The editor toolbar available in fields such as Title, Description, and Comments provides quick access to common formatting options. From a single location, you can apply bold, underline, or strikethrough, add block quotes, create bulleted lists, and more.

Hints: Within bulleted lists, press Tab to increase the indent and Shift+Tab to decrease it.

Risk and Incident Exports

The export feature allows for customizable columns. By selecting the Export button, users are able to export default fields or select Customize to add / remove columns they would like to display in their CSV exports. This feature is supported for both Risk and Incident registers.

New Modal View

As a way to consume information in a more efficient manner, for the Risk Register, the Likelihood and Impact Analysis / reasoning fields for the AI Scoring have been moved to display at the bottom of each relevant field. Similarly, for the Incident Module, the reasoning for the Severity now displays directly below the field. Users can then modify the reasoning as they please without the need to navigate to the Comments section. This way all reasoning is captured in one screen and Comments can be used for additional information and collaboration across users.

Hint: When the AI Scoring is initiated, if there is existing text, it will be overwritten by the new suggestion. If a user has made modifications, it is important to keep this in mind as that text will be removed and replaced with a new reasoning.

Enhanced date selection

In addition to selecting a relevant date from the calendar view, users have the ability to input text as YYYY-MM-DD directly into any date field.

February 23rd, 2025

Description Field Updates

The description field supports the ability to paste directly from a table and maintain the column and row formatting. Useful for platform users who want to pull details from various Excel or Google Sheet sources and maintain the specific table formatting.

This update also influences the way information flowing from integrations look in the platform, allowing for more organization and clear path of details captured per risk and incident record.

Assign Threat Objectives with AI Scoring

The power of the AI Scoring feature includes making suggestions for unpopulated Threat Objectives. In cases where users have not set applicable Threat Objectives for a given incident entry, the AI will provide a suggestion along with a reasoning for each value it has assigned.

If a user has proactively assigned values to this field, then the AI will not suggest nor overwrite the assigned values.

This feature is available for risks and incidents.

WatchTowr Integration

With real-time, asynchronous data flow, this integration automatically syncs WatchTowr findings to your Adversarial Risk Register.

The integration can be enabled directly from your Adversarial tenant via the “Settings” pane > “Integrations”. The necessary details to connect your WatchTowr environment are the tenant URL and API Token.

Key details:

Field defaults for newly created records:

Source: “Attack Surface Monitoring”
Type: “Configuration”

One-way data flow (ingest-only) from WatchTowr to Adversarial:

When a new finding is created in WatchTowr, it is automatically synced to Adversarial. We are currently pulling the findings endpoint to ensure we only create legitimate records in Adversarial. As hunts may not apply to your attack surface, those records will not appear in Adversarial.
Any subsequent updates in WatchTowr are reflected in the corresponding Adversarial RSK record.
Changes made in Adversarial do not impact records in WatchTowr.
Findings in WatchTowr with the status of "Low" will not be brought over to Adversarial.
Opened By: “WatchTowr Integration”

Example status flow:

Once a finding is established in WatchTowr, records in the status of “Confirmed” or “Unconfirmed” will be created in Adversarial with the status of “New”. Relevant dates such as “Discovered Date” will be captured in Adversarial based on the value of the “Date Identified” field in WatchTowr, and the field of “IRU” will be populated by the “Severity” field in the WatchTowr finding.

Findings records with the WatchTowr status of = “Remediated” or “Closed” translate to Adversarial status of Closure Proposed”. These are referring to risks that have been addressed and need a final review before they should be moved to the “Closed” status in Adversarial.

Findings that are marked as “Risk Accepted” or “Asset no longer tracked” in WatchTowr are marked as “Closed” in Adversarial to indicate there is no further activity necessary.

Risk to Incident Linking

Platform users are able to link an existing incident directly from a risk entry. Previously, the linking was only possible via the Incidents page. Now a user has the ability to to proceed with linking existing incident records to existing risk records.

February 18th, 2026

Risk Assessment Management Procedure (RAMP) Embedding Supplement Additions

Encryption

Encryption-related findings are frequently overrated, as encryption is rarely a key control in preventing data disclosure. Specifically, a failure to encrypt at rest, while often an audit or examination finding, does not contribute materially to the likelihood of exploitation since it would only lessen the system’s resilience against local attacks once an adversary has disk access. Since the majority of data attacks are conducted through legitimate application channels via methods like credential theft, session hijacking, SQL injection, IDOR, or the abuse of logic flaws, the encryption status of data at rest is rarely relevant. Such findings generally would carry an unlikely or possible likelihood rating with the impact being high if such a risk were to be exploited. Likewise, findings around cipher strength weakness almost never contribute to actual incidents. Specifically, vulnerabilities in “weak” ciphers need to be analyzed for the attack methods, which usually require either capturing the encrypted data in transit (needing network access) or exploiting memory management bugs that could leak random, untargeted data. Such attacks are rarely part of actual incidents or adversarial kill chains. The likelihood of a weak cipher being abused is unlikely or possible, with the impact limited to medium or high depending on the type of data involved and whether the vulnerabilities could be exploited in a targeted fashion for specific data or randomly with hopes of something interesting being revealed.

Resiliency, Disaster Recovery, and Business Continuity

Findings around recovery time objectives not being met in DR tests or other weaknesses that are likely to contribute to restoration times are frequently overrated by auditors and examiners. Such findings are generally focused on Sabotage and Extortion Threat Objectives from an adversarial point of view, and the likelihood of exploitation is dependent on a disruptive attack being conducted first. This generally puts it at possible. The impact is based on the degree of failure in the test. If the test showed that the system would absolutely never be able to be recovered, it would be severe. Otherwise, simple delays in recovery could manifest as high or medium impact depending on the length of delay.

Assign Threat Objectives with AI Scoring

The power of the AI Scoring feature includes making suggestions for unpopulated Threat Objectives. In cases where users have not set applicable Threat Objectives for a given risk entry, the AI will provide a suggestion along with a reasoning for each value it has assigned.

If a user has proactively assigned values to this field, then the AI will not suggest nor overwrite the assigned values.

GreyMatter Integration

With real-time, asynchronous data flow, this integration automatically syncs GreyMatter incidents to your Adversarial Incident Register.

The integration can be enabled directly from your Adversarial tenant via the “Settings” pane > “Integrations”. The API Key Access needs to have read permissions for incidents to allow for the data flow.

Key details:

Field defaults for newly created records:

Source: “SIEM”
Title: Assigned as the Ticket Number plus detail about the record

One-way data flow (ingest-only) from GreyMatter to Adversarial:

To account for deduplication efforts and to check the legitimacy of an incident record in GreyMatter, Incidents marked as “New” are not created in Adversarial.
The integration brings over key information from GreyMatter fields such as ticket number, close notes, pertinent dates, and more.
Incident records will be created in Adversarial with no severity assigned. Users will need to navigate to the incident record, AI Score the incident or manually assign a severity level.
Changes made in Adversarial do not impact records in GreyMatter.
Field changes in GreyMatter will be mapped directly to Adversarial.
Opened By: “GreyMatter Integration”

Example status flow:

Once the GreyMatter AI reviews a new incident record and accepts it as a legitimate incident, an incident record is created in Adversarial with Status = “New. The Occurred Date and Detected Date will be brought over from populated fields in GreyMatter. As an incident is being worked on, the Adversarial user can populate the Contained and Responded Dates, and create Risk Register Referral records.

Incident records with the Adversarial status = “In progress” translate to GreyMatter records that are marked as “Remediation”.

Incident findings that are marked as “Resolved” in GreyMatter are created in Adversarial with the status of “Review”. If the “Contained date” equivalent is populated in GreyMatter, the “Contained Date” in Adversarial will reflect as such. An Adversarial user can review the incident record, add details and comments, and set Status = “Closed”.

Findings with the Status = “Rejected” in GreyMatter are ingested with the Status = “Closed” in Adversarial.

Data Load Templates

To enhance the data load and data mapping experience, the data load templates found in the risk and incident registers have been updated to contain the default drop down values that are available in the platform

January 13th, 2026

AI Scoring in the Risk Register now includes Comments

For the Risk Register entries, AI Suggest Score feature currently bundles information found in the “Title” and “Description” fields along with the “Initially Reported Urgency” and “Threat Objective” fields. With the IRU and the Threat Objectives fields being optional.

With the latest release, details captured in the Comments section of a given risk entry are also included. This will allow users to capture pertinent details that go beyond initial investigation and description details.

In-platform notifications for new items

This enhancement enables notification generation when creating risks and incidents that include notifiable attributes (e.g., urgency, severity, assignees). Previously, notifications were only triggered by updates to existing items. Qualifying items generate the appropriate notifications at creation.

This feature will be a great complement in allowing users to be notified when an integration creates risks or when other users bulk create risks that may meet notifiable attributes selected by a user.

New Data Load Templates for Risks and Incidents

Integrations: Wiz

With real-time, asynchronous data flow, this integration automatically syncs Wiz issues to your Adversarial Risk Register, enabling you to track the lifecycle of your cloud configuration risks.

Key details:

Field defaults for newly created records:

Source: "Attack Surface Monitoring"
Type: “Configuration”

One-way data flow (ingest-only) from Wiz to Adversarial:

When a new record is created in Wiz, it is automatically synced to Adversarial.
Any subsequent updates in Wiz are reflected in the corresponding Adversarial RSK record.
Changes made in Adversarial do not impact records in Wiz.
Opened By: “Wiz Integration”

Example status flow:

A new finding in Wiz creates a new risk record in Adversarial with Status = “New.”

If the Wiz finding is marked “Resolved,” the Adversarial record moves to Status = “Closure Proposed.” If the Closed Date is populated in Wiz, the same date values will be captured and maintained in the Adversarial record.

An Adversarial user can review the record, add details and comments, and set Status = “Closed”, as appropriate.

Findings with Status = “Rejected” in Wiz are ingested with Status = "Closed" to represent a record of the discovery, and dismissal, of that issue.

What's next?

GreyMatter: Integration with the Incident Register

WatchTowr: Attack Surface Management platform; integration with the Risk Register

Service Accounts & API Access: Create service accounts with API credentials for programmatic access.

Notifications: Email first, then chat apps like Slack & Microsoft Teams.

Currently, notifications are handled in-application via the bell icon found on the right side of each page. With the next phase of notifications, the platform will trigger emails based on preferences set by the individual user.
Notifications will also include a feature for intelligent AI-driven recaps, especially important for integration activity that includes key summaries for users to view.

Role-Based Access Control: Enhancements to access control.

December 9th, 2025

Integrations

In addition to the recent availability of the Crowdstrike Falcon integration, the HackerOne integration is now live in the platform! Users can access both integrations by navigating to the Settings and Integrations pages.

Integration Automation

Integrations run asynchronously to ingest RSK or INC items from connected sources. You can enable asynch automation per integration under Settings -> Integrations.

"Opened By" Update on Integrated Items

Users can easily differentiate RSKs and INCs that have been created by an integration by viewing the "Opened By" field. The Opened By field is populated with the specific integration that has created a risk or incident entry.

Remediation Agility (RemAgi) Update

We've updated the Remediation Agility chart significantly to handle huge datasets, with knock-on benefits for organizations of all sizes. The chart is interactive, allowing you to hover over any day and quickly see the number of urgent risks open or overdue at a glance. Highlight a range and quickly see the progress made on risk counts during that period.

AI Suggest Score UI Refresh

Prior to this release, when a user scored a risk or incident via the AI Suggest Score feature, the user would hover over the likelihood and impact to see the reasoning for the scores. With the new release, the reasoning displays below their respective fields, allowing the user to easily read prior to saving or cancelling the changes.

What's next?

Beyond the immediate benefits, integration automation is a key milestone toward several upcoming features that we will keep you posted on:

AI Automation: Soon integrations will have the option to auto-apply the RAMP or CIRP rubrics and score risk urgency or incident severity after ingestion.

Notifications: We know you need notifications of all of these actions outside the platform, so we are bringing Slack, Teams, and email notifications including intelligent AI-driven recaps for integration activity with key summaries. Teaser: "Adversarial Bot: Last night your 6 integrations ran with no errors. 37 RSKs were ingested, of which 28 had been rated high or critical by the source tool. After applying the RAMP, 3 remained high - all Bug Bounty findings related to a cross-site scripting bug. Click here to review that work and launch remediation tickets."

Triage UI: To tie this all together, we are working on an expanded view of our risk register that will let you easily review the work AI performed in automation, focused on risk downgrades and the rationale with the ability to revise actions or quickly launch remediation tickets and move forward.

November 25th, 2025

Item Tags

Our team has been working on an easy way to allow users to Tag and Filter Risks and Incidents. Prior to Item Tags, we rolled out Filter Views. Think of Item Tags as a complement to your filters! Whether you want to associate a specific business unit, a technology identifier, or an informational tag to filter your risks with, Item Tags will be your go to! With the latest release, you will now see the Tags option right in the Risk and Incident Registers, create new Tags via the register or through settings! Item tags are created at the organization tenant level and can be shared across users!

To create and assign an item tag directly from your risk or incident register, go to the column that displays the "Tags" field. You can click into the field box to view existing tags and select from the dropdown, leverage type ahead search to find a matching tag. Or simply start typing to create a new tag, to save and assign the new tag, hit enter.

Getting started:

Take a look at our Loom Video to get started or by following the steps below:

To utilize Tags in your register’s filter views, click the filter icon to enable the fields menu, then select the "Tags" field to view all applicable tag values. Once a filter is applied, you can save it as a register view to use regularly, just as with any other filter combination. Click the "Save" option, and select “Create New View” to name your view. Finally, click the checkbox icon to save it. To edit a view, modify your selected filter values within the current view, then click "Save" and select the update option to confirm your changes.

To manage existing tags, navigate to the Tags section within Settings where you will see options for editing, or deleting existing tags, as well as for creating new tags. If a tag you wish to delete is associated with an existing record, you will have the option to re-tag it with a new value or to proceed without re-tagging. Once ready, click "Save" to confirm the deletion.

Filter Views

We’re excited to introduce an enhancement to Filter Views. Currently, filter views are user-specific and can not be shared with others. That changes with link sharing, you can now share the exact filter parameters with others in the same environment.

To share a view:

(1.) Open the filter view and apply the desired filters.

(2.) Copy the page URL from your browser.

(3.) Send the link to another user in your environment.

(4.) When they open the link, they will see the incident or risk register with the same filter parameters you applied.

Board and CyberGov Reports

AI powered Executive Summary Slide: The Executive Summary slide found in both the Board Deck and CyberGov Report now include AI generated details around the four modules, rather than starting from scratch, users can now leverage the details gathered from the platform to call out relevant information that aligns with each module. As with all documentation from the Adversarial Platform, this slide is editable for further modifications by the user.

Updated Fields within the Detailed Side View

Tags field is available within the modal for easy user access and tag assignment. Users can now delete a risk directly from the modal.

Highlight ID on a selected RSK or Incident

When working on a specific risk or incident in the detailed side view, the selected record now displays with a highlight allowing users to easily find their working item within the table view.