Description Field Updates
The description field now supports pasting directly from a table while maintaining the column and row formatting. This is useful for platform users who want to pull details from various Excel or Google Sheet sources and maintain the specific table formatting.
This update also influences the way information flowing from integrations looks in the platform, allowing for more organization and a clearer path of details captured per risk and incident record.
Assign Threat Objectives with AI Scoring
We have expanded the power of the AI Scoring feature to include making suggestions for unpopulated Threat Objectives. In cases where users have not set applicable Threat Objectives for a given incident entry, the AI will provide a suggestion along with a reasoning for each value it has assigned.
If a user has proactively assigned values to this field, then the AI will not suggest nor overwrite the assigned values.
This feature is now available for risks and incidents.
WatchTowr Integration
With real-time, asynchronous data flow, this integration automatically syncs WatchTowr findings to your Adversarial Risk Register.
The integration can be enabled directly from your Adversarial tenant via the “Settings” pane > “Integrations”. The necessary details to connect your WatchTowr environment are the tenant URL and API Token.
Key details:
Field defaults for newly created records:
One-way data flow (ingest-only) from WatchTowr to Adversarial:
Example status flow:
Once a finding is established in WatchTowr, records in the status of “Confirmed” or “Unconfirmed” will be created in Adversarial with the status of “New”. Relevant dates such as “Discovered Date” will be captured in Adversarial based on the value of the “Date Identified” field in WatchTowr, and the field of “IRU” will be populated by the “Severity” field in the WatchTowr finding.
Finding records with the WatchTowr status of “Remediated” or “Closed” translate to the Adversarial status of “Closure Proposed”. These refer to risks that have been addressed and need a final review before they should be moved to the “Closed” status in Adversarial.
Findings that are marked as “Risk Accepted” or “Asset no longer tracked” in WatchTowr are marked as “Closed” in Adversarial to indicate there is no further activity necessary.
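The WatchTowr status flow above, written out as a translation step (an added example, not Adversarial's or WatchTowr's code). The dictionary keys and field names are the display labels from this page; the `Title` key, the ISO date format and the sample findings are assumptions, and unmapped statuses are rejected for review rather than defaulted.

```python
from datetime import date

# Status flow from the release note above. Keys and field names are the
# display labels used on this page, not confirmed API field names.
WATCHTOWR_TO_ADVERSARIAL = {
    "Confirmed": "New",
    "Unconfirmed": "New",
    "Remediated": "Closure Proposed",
    "Closed": "Closure Proposed",
    "Risk Accepted": "Closed",
    "Asset no longer tracked": "Closed",
}

def to_risk_record(finding):
    """Translate one WatchTowr finding (dict) into Adversarial risk fields."""
    status = str(finding.get("Status") or "").strip()
    if status not in WATCHTOWR_TO_ADVERSARIAL:
        # Fail closed: an unmapped status is surfaced, never defaulted to "New".
        raise ValueError(f"unmapped WatchTowr status: {status!r}")
    return {
        "Status": WATCHTOWR_TO_ADVERSARIAL[status],
        "Discovered Date": date.fromisoformat(finding["Date Identified"]),
        "IRU": finding["Severity"],
        "Opened By": "WatchTowr",  # integration name, per the "Opened By" update
    }

def ingest(findings):
    """Ingest-only pass: returns (records, rejected); inputs are not modified."""
    records, rejected = [], []
    for f in findings:
        try:
            records.append(to_risk_record(f))
        except (ValueError, KeyError) as exc:
            rejected.append((f.get("Title", "<untitled>"), str(exc)))
    return records, rejected

# Constructed sample findings (not real WatchTowr output).
SAMPLE = [
    {"Title": "Exposed admin panel", "Status": "Confirmed",
     "Date Identified": "2025-03-04", "Severity": "High"},
    {"Title": "Expired certificate", "Status": "Remediated",
     "Date Identified": "2025-02-11", "Severity": "Medium"},
    {"Title": "Decommissioned host", "Status": "Asset no longer tracked",
     "Date Identified": "2025-01-20", "Severity": "Low"},
    {"Title": "Open S3 listing", "Status": "Pending Retest",
     "Date Identified": "2025-03-05", "Severity": "High"},
]
```

Calling `ingest(SAMPLE)` returns three translated records and one rejected finding, so a status the mapping does not cover shows up for review instead of silently becoming a “New” risk.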
Risk to Incident Linking
Platform users are now able to link an existing incident directly from a risk entry. Previously, the linking was only possible via the Incidents page. Now a user has the ability to proceed with linking existing incident records to existing risk records.
Risk Assessment Management Procedure (RAMP) Embedding Supplement Additions
To enhance the data load and data mapping experience, the data load templates found in the risk and incident registers have been updated to contain the default drop down values that are available in the platform.
Encryption
Encryption-related findings are frequently overrated, as encryption is rarely a key control in preventing data disclosure. Specifically, a failure to encrypt at rest, while often an audit or examination finding, does not contribute materially to the likelihood of exploitation since it would only lessen the system’s resilience against local attacks once an adversary has disk access. Since the majority of data attacks are conducted through legitimate application channels via methods like credential theft, session hijacking, SQL injection, IDOR, or the abuse of logic flaws, the encryption status of data at rest is rarely relevant. Such findings generally would carry an unlikely or possible likelihood rating with the impact being high if such a risk were to be exploited.
Likewise, findings around cipher strength weakness almost never contribute to actual incidents. Specifically, vulnerabilities in “weak” ciphers need to be analyzed for the attack methods, which usually require either capturing the encrypted data in transit (needing network access) or exploiting memory management bugs that could leak random, untargeted data. Such attacks are rarely part of actual incidents or adversarial kill chains. The likelihood of a weak cipher being abused is unlikely or possible, with the impact limited to medium or high depending on the type of data involved and whether the vulnerabilities could be exploited in a targeted fashion for specific data or randomly with hopes of something interesting being revealed.
Resiliency, Disaster Recovery, and Business Continuity
Findings around recovery time objectives not being met in DR tests or other weaknesses that are likely to contribute to restoration times are frequently overrated by auditors and examiners. Such findings are generally focused on Sabotage and Extortion Threat Objectives from an adversarial point of view, and the likelihood of exploitation is dependent on a disruptive attack being conducted first. This generally puts it at possible. The impact is based on the degree of failure in the test. If the test showed that the system would absolutely never be able to be recovered, it would be severe. Otherwise, simple delays in recovery could manifest as high or medium impact depending on the length of delay.
Assign Threat Objectives with AI Scoring
We have expanded the power of the AI Scoring feature to include making suggestions for unpopulated Threat Objectives. In cases where users have not set applicable Threat Objectives for a given risk entry, the AI will provide a suggestion along with a reasoning for each value it has assigned.
If a user has proactively assigned values to this field, then the AI will not suggest nor overwrite the assigned values.
GreyMatter Integration
With real-time, asynchronous data flow, this integration automatically syncs GreyMatter incidents to your Adversarial Incident Register.
The integration can be enabled directly from your Adversarial tenant via the “Settings” pane > “Integrations”. The API Key Access needs to have read permissions for incidents to allow for the data flow.
Key details:
Field defaults for newly created records:
One-way data flow (ingest-only) from GreyMatter to Adversarial:
Example status flow:
Once the GreyMatter AI reviews a new incident record and accepts it as a legitimate incident, an incident record is created in Adversarial with Status = “New”. The Occurred Date and Detected Date will be brought over from populated fields in GreyMatter. As an incident is being worked on, the Adversarial user can populate the Contained and Responded Dates, and create Risk Register Referral records.
Incident records with the Adversarial status = “In progress” translate to GreyMatter records that are marked as “Remediation”.
Incident findings that are marked as “Resolved” in GreyMatter are created in Adversarial with the status of “Review”. If the “Contained date” equivalent is populated in GreyMatter, the “Contained Date” in Adversarial will reflect as such. An Adversarial user can review the incident record, add details and comments, and set Status = “Closed”.
Findings with the Status = “Rejected” in GreyMatter are ingested with the Status = “Closed” in Adversarial.
AI Scoring in the Risk Register now includes Comments
For Risk Register entries, the AI Suggest Score feature currently bundles information found in the “Title” and “Description” fields along with the “Initially Reported Urgency” (IRU) and “Threat Objective” fields, with the IRU and Threat Objectives fields being optional.
With the latest release, details captured in the Comments section of a given risk entry will now be included. This will allow users to capture pertinent details that go beyond initial investigation and description details.
In-platform notifications for new items
This enhancement enables notification generation when creating risks and incidents that include notifiable attributes (e.g., urgency, severity, assignees). Previously, notifications were only triggered by updates to existing items. Now, qualifying items generate the appropriate notifications at creation.
This feature will be a great complement in allowing users to be notified when an integration creates risks or when other users bulk create risks that may meet notifiable attributes selected by a user.
New Data Load Templates for Risks and Incidents
To enhance the data load and data mapping experience, the data load templates found in the risk and incident registers have been updated to contain the default drop down values that are available in the platform.
Integrations: Wiz
With real-time, asynchronous data flow, this integration automatically syncs Wiz issues to your Adversarial Risk Register, enabling you to track the lifecycle of your cloud configuration risks.
Key details:
Field defaults for newly created records:
One-way data flow (ingest-only) from Wiz to Adversarial:
Example status flow:
A new finding in Wiz creates a new risk record in Adversarial with Status = “New.”
If the Wiz finding is marked “Resolved,” the Adversarial record moves to Status = “Closure Proposed.” If the Closed Date is populated in Wiz, the same date values will be captured and maintained in the Adversarial record.
An Adversarial user can review the record, add details and comments, and set Status = “Closed”, as appropriate.
Findings with Status = “Rejected” in Wiz are ingested with Status = “Closed” to represent a record of the discovery, and dismissal, of that issue.
What's next?
GreyMatter: Integration with the Incident Register
WatchTowr: Attack Surface Management platform; integration with the Risk Register
Service Accounts & API Access: Create service accounts with API credentials for programmatic access.
Notifications: Email first, then chat apps like Slack & Microsoft Teams.
Role-Based Access Control: Enhancements to access control.
Integrations
In addition to the recent availability of the CrowdStrike Falcon integration, the HackerOne integration is now live in the platform! Users can access both integrations by navigating to the Settings and Integrations pages.
Integration Automation
Integrations can now be automated, running asynchronously to ingest RSK or INC items from connected sources. You can toggle automation on per integration under Settings -> Integrations.
"Opened By" Update on Integrated Items
Previously, items ingested via an integration reflected the person kicking off the import. Now that integrations can run asynchronously, the integration name is listed under "Opened By".
Remediation Agility (RemAgi) Update
We've updated the Remediation Agility chart significantly to handle huge datasets, with knock-on benefits for organizations of all sizes. The chart is also now interactive, allowing you to hover over any day and quickly see the number of urgent risks open or overdue at a glance. Highlight a range and quickly see the progress made on risk counts during that period.
AI Suggest Score UI Refresh
Prior to this release, when a user scored a risk or incident via the AI Suggest Score feature, the user would hover over the likelihood and impact to see the reasoning for the scores. With the new release, the reasoning displays below their respective fields, allowing the user to easily read prior to saving or cancelling the changes.
What's next?
Beyond the immediate benefits, integration automation is a key milestone toward several upcoming features that we will keep you posted on:
AI Automation: Soon integrations will have the option to auto-apply the RAMP or CIRP rubrics and score risk urgency or incident severity after ingestion.
Notifications: We know you need notifications of all of these actions outside the platform, so we are bringing Slack, Teams, and email notifications including intelligent AI-driven recaps for integration activity with key summaries. Teaser: "Adversarial Bot: Last night your 6 integrations ran with no errors. 37 RSKs were ingested, of which 28 had been rated high or critical by the source tool. After applying the RAMP, 3 remained high - all Bug Bounty findings related to a cross-site scripting bug. Click here to review that work and launch remediation tickets."
Triage UI: To tie this all together, we are working on an expanded view of our risk register that will let you easily review the work AI performed in automation, focused on risk downgrades and the rationale with the ability to revise actions or quickly launch remediation tickets and move forward.
Item Tags
Our team has been working on an easy way to allow users to Tag and Filter Risks and Incidents. Prior to Item Tags, we rolled out Filter Views. Think of Item Tags as a complement to your filters! Whether you want to associate a specific business unit, a technology identifier, or an informational tag to filter your risks with, Item Tags will be your go-to! With the latest release, you will now see the Tags option right in the Risk and Incident Registers, and you can create new Tags via the register or through Settings! Item tags are created at the organization tenant level and can be shared across users!
Getting started:
Get started by taking a look at our Loom Video or by following the steps below:
To create and assign an item tag directly from your risk or incident register, go to the column that displays the "Tags" field. You can click into the field box to view existing tags and select from the dropdown, or leverage type-ahead search to find a matching tag. Or simply start typing to create a new tag; to save and assign the new tag, hit Enter.
To utilize Tags in your register’s filter views, click the filter icon to enable the fields menu, then select the "Tags" field to view all applicable tag values. Once a filter is applied, you can save it as a register view to use regularly, just as with any other filter combination. Click the "Save" option, and select “Create New View” to name your view. Finally, click the checkbox icon to save it. To edit a view, modify your selected filter values within the current view, then click "Save" and select the update option to confirm your changes.
To manage existing tags, navigate to the Tags section within Settings, where you will see options for editing or deleting existing tags, as well as for creating new tags. If a tag you wish to delete is associated with an existing record, you will have the option to re-tag it with a new value or to proceed without re-tagging. Once ready, click "Save" to confirm the deletion.
Filter Views
We’re excited to introduce an enhancement to Filter Views. Currently, filter views are user-specific and cannot be shared with others. That changes with link sharing: you can now share the exact filter parameters with others in the same environment.
To share a view:
(1.) Open the filter view and apply the desired filters.
(2.) Copy the page URL from your browser.
(3.) Send the link to another user in your environment.
(4.) When they open the link, they will see the incident or risk register with the same filter parameters you applied.
Board and CyberGov Reports
AI-powered Executive Summary Slide: The Executive Summary slide found in both the Board Deck and CyberGov Report now includes AI-generated details around the four modules. Rather than starting from scratch, users can now leverage the details gathered from the platform to call out relevant information that aligns with each module. As with all documentation from the Adversarial Platform, this slide is editable for further modifications by the user.
Updated Fields within the Detailed Side View
The Tags field is available within the modal for easy user access and tag assignment. Users can now delete a risk directly from the modal.
Highlight ID on a selected RSK or Incident
When working on a specific risk or incident in the detailed side view, the selected record now displays with a highlight, allowing users to easily find their working item within the table view.