Release Notes
What's new with DataDefender?
On this page, we'll be tracking additions to DataDefender starting from December 2025. Each month will have New, Improved, and Fixed items.
June 2026
New Features
Product Onboarding & Evaluation
Interactive Sample Organization Environment
Implemented a new Sample Organization feature, allowing users to safely interact with the console, view live dashboards, and explore features populated entirely with rich test data.
Data Classification
Data Pattern Import & Export
Added the ability to import and export custom Data Patterns via the Classification Profiles page, enabling seamless rule-sharing and backup.
Profile Versioning Support
Expanded foundational versioning support to include full Data Classification Profiles versioning, making it easier to track changes over time.
Remediation & Risk Management
Direct S3 Public Access Revocation
Added the capability to directly revoke public access to exposed S3 buckets straight from the Public Resources interface.
NOTE: You must grant permissions for this within the Settings > Cloud Connectivity page.
Support & System Status
Public Health Dashboard Link
Added a direct link to the public-facing DataDefender system health status dashboard in the left-hand navigation menu.
Threat Detection & Reporting
Attack Summary Tab
Added a dedicated Summary tab to the primary Attacks page, instantly highlighting the most critical, high-level details of any potential security incident.
New Multi-Stage Attack Scenario:
Pacu Execution Detection: Automatically identifies and alerts on automated, multi-step cloud exploitation techniques driven by the Pacu open-source penetration testing framework.
New Threat Signatures:
EC2 Userdata Injection: Detected when cloud instance startup scripts are modified, indicating a potential persistent backdoor or malware injection.
EBS Snapshot Exfiltration: Detected when infrastructure volume snapshots are shared externally or modified for outside access.
Secrets Manager Credential Access: Detected when an anomalous burst of secret retrieval requests targets AWS Secrets Manager.
Permission Bruteforce Detection: Detected when an entity generates rapid, repeated authorization failures while guessing API permissions.
S3 Public Access Block Removal: Detected when account-level or bucket-level Public Access Blocks are deactivated, risking data exposure.
Improvements
Cross-Navigation & Drilldowns
Data Stores to Classification Pivot
Added contextual drilldown links from the Data Stores inventory straight to the Data Classification dashboard for any asset containing active matches.
Classification to Deep-Dive Details Pivot
Added direct drilldown links from the main Data Classification screen straight to the granular Data Classification Details file view for any selected data store.
Expanded Asset Details View
Updated the Data Classification page to instantly display all matched Data Profiles whenever an individual asset row is expanded.
User Experience & Interface
Redesigned Public Resources Dashboard
Completely redesigned the layout and data presentation of the Public Resources page for a cleaner, more actionable workflow.
Optimized Organization Selection
Refined and improved the core Organization Selection screen.
Data Classification Engine
Streamlined Agent Configuration Syncing
Improved the backend process for communicating real-time configuration updates to already-deployed Data Classification scanning agents.
Long-Running Job Management
Enhanced how the platform handles, optimizes, and executes massive, long-running Data Classification jobs.
Job Monitor Activity Filtering
Added the ability to filter the Data Classification Job monitoring page specifically by assets that returned matched data results.
May 2026
New Features
Account & Organization Management
AWS Organizations Onboarding
Added the capability to onboard entire AWS Organizations at scale, simplifying multi-account management.
Platform Re-Branding: Cloud Connectivity
Renamed "Linked Accounts" to Cloud Connectivity across the console to better reflect the platform's core infrastructure integration.
Role-Based Access Control (RBAC)
Read-Only User Role
Introduced a dedicated Read-Only user role to allow viewing and auditing without permitting configuration changes.
Data Classification & Inventory
Centralized Job Monitoring
Introduced a new Data Classification Jobs monitoring page under Settings to track active and historic scan statuses in real time.
Unencrypted Asset Filtering
Added the ability to filter the core Data Stores page to isolate resources that do not support encryption.
New Data Classification Profiles:
Compliance
Sensitivity
Querying, Reporting & Exporting
Query Builder Exporting
Added the ability to export search and analysis results directly from the Audit Activity page.
Unified Activity Query Experience
Combined the Audit Activity and File Access Report into a single, unified activity query engine for streamlined investigations.
Threat Detection & Reporting
New Multi-Stage Attack Scenario:
Privilege Escalation via PassRole Abuse: Automatically identifies and alerts on multi-step techniques where an identity exploits iam:PassRole permissions to elevate its authority.
New Threat Signatures:
Security Group Backdoor: Detected when firewall rules are modified to allow unauthorized, persistent inbound access.
VPC Flow Log Deletion: Detected when network traffic logging is disabled, disrupting primary network forensic trails.
AMI Backdoor: Detected when a machine image is modified or shared externally, risking intellectual property exposure.
EC2 Key Pair Creation: Detected when new virtual machine access keys are generated, indicating potential unauthorized persistence.
Secrets Manager Credential Access: Detected when a burst of sensitive secrets or credentials is read from AWS Secrets Manager.
SSM Parameter Store Credential Access: Detected when unauthorized API calls target sensitive parameters stored in Systems Manager.
GuardDuty Tampering: Detected when native cloud threat detection features are disabled, paused, or deleted.
Config Service Disruption: Detected when configuration recorders are stopped, halting compliance tracking.
IAM Enumeration Burst: Detected when an identity rapidly probes identity permissions, indicating pre-attack mapping.
EC2 Enumeration Burst: Detected when an identity rapidly scans for virtual machines and infrastructure layouts.
Improvements
User Experience
External Accounts Updates
Improved the overall layout and user experience of the External Accounts page.
Contextual Classification Navigation
Added cross-navigation drilldown links to the primary Data Classification dashboard for faster data store pivots.
Enhanced Profile Sandbox Experience
Improved the layout and responsiveness of the Regular Expression test sandbox within custom Data Classification Profiles.
Threat Detection & Analytics
Accelerated CloudTrail Processing
Optimized the underlying CloudTrail event processing engine to deliver significantly faster security alerting.
Refined Attack Severity Categories
Updated and recalibrated attack severity groupings to align more accurately with risk potential.
IAM Role Visibility in Attacks
Improved how IAM Roles are displayed and presented within the context of active Attack pages.
Navigation & Pagination
Multi-Stage Attack Interface Controls
Updated the layout of the Multi-Stage Attacks page for better ease of use.
Multi-Stage Attack Pagination
Added explicit pagination controls to the Multi-Stage Attacks page to improve load times and navigation across large lists.
April 2026
New Features
Integrations & Notifications
Slack and Webhook Notifications
Added native support for forwarding security alerts and system notifications directly to Slack channels and custom Webhooks.
Inventory & Data Asset Discovery
EBS Snapshots Coverage
Expanded the Data Store Inventory to include Amazon EBS Snapshots for broader infrastructure visibility.
RDS Snapshots Coverage
Expanded the Data Store Inventory to include Amazon RDS Snapshots.
Cloud Backup Volume Visibility
Added dedicated tracking for cloud Backups within the central Data Store Inventory.
IAM Data Collection
Added full support for incorporating AWS Identity and Access Management (IAM) data into the platform's core data collection process.
Threat Detection & Reporting
Interactive Scenario Library
Introduced the Scenario Library for Multi-Stage Attacks, providing a reference framework to understand mapped attacker techniques.
Real-Time and Historic Attack Tracking
Added explicit support for distinguishing between "In-Progress" and historical "Occurred" Multi-Stage Attacks.
New Threat Signatures:
Mass Encryption: Detected when rapid, widespread encryption occurs, a primary indicator of active ransomware.
Unused High-Privilege Access: Detected when a highly privileged identity exhibits unusual activity after long periods of dormancy.
RDS Snapshot Bulk Deletion: Detected when multiple database snapshots are deleted in quick succession, threatening data recovery.
S3 Bucket Wipe: Detected when catastrophic, automated deletion commands are executed across an entire S3 bucket.
S3 Object Lock Governance Bypass: Detected when an identity attempts to override or delete S3 objects protected by Governance-mode retention.
S3 Legal Hold Bulk Removal: Detected when explicit legal holds are lifted from a large number of S3 objects simultaneously.
S3 Lifecycle Rapid Expiration: Detected when lifecycle policies are modified to prematurely expire and delete massive amounts of data.
S3 Object Lock Configuration Weakened: Detected when bucket-level object lock settings are modified or disabled.
S3 Object Version Purging: Detected when permanent deletion commands target older, archived object versions.
Excessive API Calls: Detected when an anomalous volume of API requests originates from a single identity, indicating scraping or denial-of-service attempts.
S3 Backup File Deletion: Detected when targeted deletion events impact known backup archives stored in S3.
S3 Server Access Logging Disabled: Detected when access logging is turned off on a bucket, blinding forensic audit trails.
Improvements
User Experience & Onboarding
Redesigned Account Onboarding Flow
Completely redesigned the Link Account process to deliver a smoother, more intuitive initial onboarding experience.
Enhanced Threat Summary Dashboards
Improved the overall data presentation and visualization within the primary Threat Summary views.
Intelligent Credential Error Handling
Improved how the platform handles and surfaces alerts when linked account credentials become invalid or expire.
Data Classification & Inventory
Archived File Classification
Improved the underlying data classification engine to better support and extract text from compressed and archived file formats.
Data Pattern Inventory Filtering
Added the ability to filter the core Data Stores page by specific Data Pattern matches.
Classification Details Layout Polish
Improved sorting and filtering capabilities within the deep-dive Classification Details page.
Vulnerability & Risk Management (Public Resources)
Cross-Navigation Public Resource Drilldowns
Added contextual, cross-navigation drilldown links directly to the Public Resources page for faster investigation.
Threat Detection & Analytics
Cloud Intrusion Scenario Refinement
Enhanced the behavioral detection logic for the core Cloud Intrusion multi-stage attack scenario.
Attacks Interface Filtering
Improved the sorting, filtering, and isolation controls within the main Attacks pages.
Performance & Scalability
Optimized S3 Inventory Collection
Reduced the overall volume of client-side API calls required to fetch and process S3 inventory data, minimizing API overhead.
March 2026
New Features
User Experience & Navigation
Global Organization Dropdown
Added a new Organization dropdown menu to the global header, allowing users to rapidly switch between different Organizations.
Streamlined Left Navigation
Reorganized the primary left-hand navigation menu to improve overall discoverability and ease of use.
Account & Configuration Management
Linked Account Removal
Added the capability to fully remove linked accounts directly from the console.
Automated CloudFormation Template (CFT) Updates
Added the ability to automatically update the linked account CloudFormation Template whenever configuration changes are made.
Data Classification
Centralized Data Classification Dashboard
Introduced a new Data Classification Page to view, analyze, and filter all assets containing classification matches.
Deep-Dive File Details View
Introduced a new Data Classification Details page, allowing users to view all specific files that triggered classification matches.
Data Pattern Versioning
Added foundational support for Data Classification Data Patterns versioning to better manage rule updates over time.
Intelligent Smart Scanning
Added support for Smart Scanning within the Data Classification scanning agents, allowing them to automatically shut down when not in use to optimize resource consumption.
New Data Classification Profiles:
Access Management
Connectivity Secrets
Cryptographic Material
Financial Data
Government Identifiers
Identity Data
Infrastructure Secrets
Private Keys
Threat Detection & Reporting
Executive Threat Report Summary
Introduced a new Threat Report summary page designed to provide a high-level, executive overview of current active threats.
Multi-Stage Attack Reporting
Introduced a new Multi-Stage Attack report that automatically identifies, links, and analyzes complex, multi-step attack patterns.
New Threat Signatures:
Archival settings modified: Detected when long-term storage or archival configurations are altered, risking data retention compliance.
Unexpected EBS snapshot deletion: Detected when an Amazon EBS snapshot is deleted outside of normal operational patterns.
Access control list modified to 'Everyone': Detected when a resource ACL is opened broadly to the public.
AWS Security Service Disabled: Detected when critical cloud security services are deactivated.
Bucket Versioning Disabled: Detected when versioning is turned off on an S3 bucket, increasing risk of unrecoverable data loss.
MFA Delete Bypass via S3 Versioning Manipulation: Detected when advanced S3 versioning actions are used to circumvent MFA delete requirements.
Mass Deletion: Detected when an unusually high volume of resources or files is deleted in a short timeframe.
Rapid File Rename Pattern: Detected when multiple files are quickly renamed, a common indicator of ransomware activity.
Unused High-Privilege Access: Detected when a highly privileged identity exhibits unusual activity after long periods of dormancy.
SAML Provider Metadata Changed: Detected when federation settings are modified, indicating potential identity provider tampering.
OIDC Provider Thumbprint Changed: Detected when OpenID Connect configurations are altered, risking unauthorized authentication trusts.
Access Key Backdoor Detection: Detected when subtle access key modifications mimic stealthy persistent access techniques.
High Access Denied Rate: Detected when an identity generates an extreme volume of authorization failures over a brief period.
Privilege Escalation Scan: Detected when an entity performs targeted API calls to probe for misconfigured permissions.
Lambda Code Injection: Detected when unauthorized code modifications are attempted on serverless functions.
Bedrock Model Invocation Abuse: Detected when anomalous or malicious request volume is directed at Amazon Bedrock AI models.
Excessive Role Assumption: Detected when an identity rapidly assumes multiple distinct IAM roles, indicating lateral movement.
S3 Replication Deleted: Detected when cross-region or cross-account bucket replication is removed, impacting disaster recovery.
Improvements
User Experience
Dark Mode Optimization
Improved the overall Dark Mode presentation across the entire console for better readability and contrast.
Enhanced External Accounts Mapping
Improved how public, internal, and external accounts are visually categorized and presented within the External Accounts page.
User Management Polish
Added comprehensive filtering and sorting options to the User Management page for more efficient administration.
Public Resources Interface Updates
Improved the user experience and layout of the Public Resources page.
Vulnerability & Risk Management (Security Holes)
Security Holes Layout Enhancements
Improved the core user experience and data density within the Security Holes page.
Service-Based Filtering
Added the ability to filter Security Hole findings by specific cloud services.
Public Resource Check Suppression
Added the ability to filter out public resource checks from the main Security Holes view to minimize noise.
Data Classification
Automated Agent Updates
Automated the backend process for deploying routine updates to the Data Classification scanning agents.
Threat Detection & Analytics
Advanced Ransomware Note Detection
Improved the behavioral detection engine responsible for identifying ransomware notes and extortion text.
Refined Malicious File Extensions Engine
Enhanced the coverage and accuracy of the Malicious File Extensions threat signature.
February 2026
New Features
Threat Detection
New Threat Signatures:
Role Trust Policy Modification: Detected when changes are made to a role’s trust relationship, potentially allowing unauthorized cross-account access or privilege escalation.
Access Key Persistence: Detected when new long-term access keys are created, indicating a potential backdoor for persistent account access.
Access Denied Event: Detected when a spike in authorization failures occurs, highlighting potential discovery or brute-force activity.
Privilege Escalation Attempt: Detected when an identity attempts to gain higher-level permissions than currently assigned.
Prowler Tool Detection: Detected when security assessment activity from the Prowler open-source tool is identified within the environment.
ScoutSuite Tool Detection: Detected when infrastructure auditing activity from the ScoutSuite multi-cloud security tool is identified within the environment.
Improvements
User Experience
Enhanced External Accounts Interface
Updated the user experience for onboarding AWS accounts, making the process easier and more intuitive.
Direct AWS Console Linking
Added direct links from discovered assets to the AWS console, allowing you to view and manage specific resources instantly.
Data Classification
Optimized Scanning Agent Deployment
Improved the AWS CloudFormation process for deploying classification scanning agents, resulting in a smoother setup experience.
Streamlined S3 Bucket Collection
Enhanced the data collection process for Amazon S3 buckets to increase discovery efficiency and reliability.
Threat Detection & Analytics
Refined Threat Severity Determination
Upgraded the underlying logic used to calculate threat severity, ensuring more accurate prioritization of critical alerts.
January 2026
New
New Signature Added: CloudTrail Logging Disabled
This signature tracks when CloudTrail logging is disabled.

New Signature Added: CloudTrail Trail Deleted
This signature tracks when CloudTrail trails are deleted.

New Signature Added: CloudWatch Log Group Deleted
This signature tracks when CloudWatch Log Groups are deleted.

Child Organizations will now show nested organizations in the UI

Users now enter the Launchpad upon sign-in. Utilize the Launchpad to jump to the functionality that matters for you.

Improved
'Sensitive Data' columns are hidden and 'Risk Signals' columns are shown on the following pages:
Object Storage
Public Buckets

Improved Launchpad descriptions
Improved the Malicious IP Connection signature
Added UTC labels across DataDefender for date specificity
UI text and tooltip improvements
Fixed
Added more input validation for the Registration page
UI Fixes
