Enhancement

This release gives customers a powerful new way to manage security at scale with the new Organization Dashboard - providing a unified view across all projects in one place. 🚀

In addition, key enhancements to STAR, scan and discovery management, project visibility, repeater controls, and dashboard capabilities deliver greater control, clearer insights, and more streamlined workflows, helping teams work faster and make better decisions with less effort.

Organization Dashboard

The new Organization Dashboard provides a centralized view of your security posture across all projects, allowing you to monitor risk, track progress, and prioritize actions from a single place.

It includes a set of widgets that provide quick insights into project activity, overall security grade, unresolved vulnerabilities, remediation trends, scan execution, entrypoint coverage, and aging issues - helping you quickly identify risks and make informed decisions.

For more information, visit the Organization Dashboard user guide

Filter Project Dashboard by Severity

A global Severity Filter has been added to the Project Dashboard, allowing users to focus on specific vulnerability severities such as Critical or High.

Relevant widgets update dynamically to reflect the selected severity, enabling more focused analysis and prioritization.

Affected Widgets

  • Security Grade - calculated only from issues of the selected severity and reflects the highest risk within that scope
  • Open vs Fixed Trend - shows trends only for the selected severity
  • Top 10 Aging Issues - displays only issues matching the selected severity
  • Remediation Velocity by Severity (SLA) - shows only the bar for the selected severity

For more information, visit the Dashboard Severity Filter user guide

Runtime Indicators for Repeaters

Runtime workload indicators have been added to the Repeater settings pages, showing queued, running, and scheduled executions per repeater, along with connectivity status and contextual tooltips.

This enhancement helps users make better decisions when selecting repeaters, avoid overload, and balance workloads more effectively. If runtime data is unavailable, a fallback state is displayed.

V2 of this feature will extend these indicators to the repeater selection dropdown in Scan, Discovery, and Authentication flows.

For more information, visit the user guide for Repeater Runtime Indicators

Limit Repeater Selection to One Per Scan

Repeater selection in Scan, Discovery, and Authentication configurations is now limited to a single repeater.

This aligns with current engine capabilities, as multiple repeaters are not supported per task. The update reduces confusion and ensures the UI and API accurately reflect system behavior.

New Completed Tasks Widget

A new Completed Tasks widget has been added to the Project Dashboard.

It displays the most recently completed scans and discoveries, including scan name, type, severity breakdown, total issues or entrypoints, and completion time.

This provides quick access to recent results in one place and improves visibility into scanning activity.

Filter Projects by Auto-Resolve Status

Users can now filter and sort projects based on their Auto-resolve status using a new column and filter options in project views.

This makes it easier to identify and manage projects with auto-resolve enabled or disabled, improving visibility and streamlining project selection.

Align Template Targets with Scan Configuration

The Targets tab in the Scan Template creation flow has been aligned with the Scan Configuration page to ensure templates remain generic and reusable.

This improves consistency, reduces configuration errors, and keeps templates environment-agnostic.

Additionally:

  • Repeater selection is now optional in templates
  • If selected, the repeater is automatically applied during scan configuration

Enable API Keys to Access Dashboard Widgets

API keys with the appropriate scope can now retrieve Project and Organization dashboard widget data programmatically, matching what users see in the UI.

Access respects existing project-level permissions and uses the projects:read scope, ensuring secure and controlled data access. The API documentation has been updated accordingly.

STAR Enhancements

STAR: Bitbucket Support

STAR now supports working with Atlassian Bitbucket code repositories and the Bitbucket Pipelines CI/CD service.

Visit the user guide to see how to connect a Bitbucket code source.

Changes Notice - Unconfirmed Issues

As part of our ongoing efforts to improve the accuracy and reliability of our security testing, we are updating how unconfirmed issues are handled in the platform.

Effective May 5th, the following changes will take place:

  • Unconfirmed Issues
    New unconfirmed issues will no longer be generated.
    Existing unconfirmed issues will remain in the system and will not be automatically removed.

  • MongoDB (NoSQL) Injection Test
    This test will be deprecated and removed from the platform, as it primarily generated unconfirmed issues.

These changes are intended to reduce noise and help you focus on verified, actionable findings.

If you would like to fully remove existing unconfirmed issues from your environment, please contact our support team.

Important: These changes do not impact any API functionality or existing API calls.

Scans Tab in Project View

A new Scans tab is now available directly within the Project page. Users can view and manage scan activity without leaving the project context, reducing context switching and improving workflow efficiency.


Bright - Wiz Integration

Bright now supports integration with Wiz, enabling automatic correlation between DAST findings and cloud assets.

When enabled:

  • Bright automatically sends scan findings to Wiz after each scan.
  • Wiz correlates vulnerabilities with the relevant cloud resources.
  • When vulnerabilities are fixed and a new scan runs, Wiz automatically updates the issue status.
  • This provides unified visibility across application and cloud security posture.

Documentation: https://docs.brightsec.com/docs/wiz


Edit from Discovery and Scan Pages

Users can now edit configuration directly from Discovery and Scan Details pages, eliminating the need to navigate back to project settings to make updates.


Storage File Deletion

A Delete action is now available directly in the storage file kebab menu, allowing users to remove files individually without using bulk selection.


Repeater Deactivation Confirmation

To prevent accidental actions, a confirmation popup now appears when attempting to deactivate a repeater.


Scan Runtime Display Issue

Fixed an issue where the Elapsed time could appear greater than the Total Runtime in scan progress, ensuring more accurate runtime reporting.

Enhancement

This release introduces several new features and improvements to enhance usability, visibility, and configuration control within the platform. Users can now benefit from better task tracking, clearer project scan status indicators, and expanded support for application scanning.

Scheduled Tasks Widget

A new Scheduled Tasks widget has been added to the Project Dashboard. This widget displays upcoming scan tasks with details like scan name, type, and a countdown timer, providing users with clear visibility of their scheduled scans.

Users can easily access and edit scheduled tasks through direct links to the Scan/Discovery pages. This feature is available to all users interacting with project dashboards and simplifies monitoring scan schedules.


Latest Failed Scan Indicator

The Projects table now displays a warning icon next to the "Last Scan" date when the most recent scan attempt fails or is disrupted. Hovering over this icon reveals a tooltip explaining that the latest scan attempt was unsuccessful, helping managers quickly identify compliance issues.

This visual is designed for managers who need to assess project scanning status at a glance without confusion between successful and failed scans.


Single Tab Support for Scans and Discoveries

Support has been added for running discoveries and scans on applications that do not accommodate multiple browser tabs. This update includes configuration options accessible via Project Settings and the Scan dialog, ensuring more robust handling of different application environments.

This enhancement allows users working with single-tab applications to perform scans without disruption, broadening compatibility across various setups.


Editing Scheduled Discoveries

Users can now edit existing scheduled discoveries directly from the Discovery → Scheduled Discovery's kebab menu → Edit view. Clicking Edit opens the configuration panel, allowing updates to targets, scheduling, and other discovery settings without needing to recreate the discovery.

This resolves a previous limitation where scheduled discoveries could not be modified after creation. All users with access to manage discoveries can update their scheduled configurations as expected.


Enhancement

This update focuses on strengthening security and reducing the risk of exposing sensitive information during authentication setup, while keeping configuration flexible for teams.

Default Masking for Recorded Authentication

Sensitive values entered during recorded browser-based authentication are now masked by default, so credentials are never shown in clear text in the UI or authentication JSON.

This is configured at the project level in Project Settings → General Details → Project Settings, and can be overridden per authentication object in Auth flow setup → Recorded browser-based form authentication.

The project-level setting determines the default for newly created recorded authentication objects; existing recorded authentication objects are migrated automatically so that their current behavior is preserved. New projects have masking enabled by default. Changing the project-level setting does not alter existing objects; it applies only to recorded authentication objects created afterwards.

The ability to enable or disable masking is controlled by the field:set-masked and field:set-clear-text scopes, ensuring only authorized users can change how sensitive values are handled.


Custom SLA Configuration in Dashboard

SLA and MTTR times are now shown in days instead of hours, making them easier to understand. Teams can also set custom SLA values per severity in days, instead of choosing only from predefined options. The dashboard widgets automatically use these values when showing SLA thresholds, breach status, and timeline scaling.

Only users with project.sla:manage permissions can change SLA settings. Custom SLA values can be set up to 1000 days per severity.


Clear Errors for SMS OTP Authentication

SMS-based OTP authentication now displays clear, user-friendly error messages when an issue occurs, making it easier to understand what went wrong and what to do next. This includes cases like failing to load available countries, no phone numbers being available, or issues reserving or releasing a phone number.


When deleting an SMS OTP authentication object, users will now see a clear warning explaining that the associated phone number will be released and may be reassigned. This helps prevent situations where verification messages could be sent to the wrong recipient if the application is still using that number.

Auto-Resolved Vulnerabilities Notification

Added a new Auto-Resolve notification that emails users when vulnerabilities are automatically marked as resolved after a successful scan. The email is sent only if at least one issue is auto-resolved and both user and project notifications are enabled, with all resolved issues grouped into a single project-level message.


Enhancement

This release focuses on improving control, clarity, and automation across security workflows, authentication, reporting, and integrations.

Automatic Issue Resolution

Vulnerabilities that no longer reproduce in consistent re-scans can now be automatically marked as resolved. This keeps dashboards, reports, and metrics accurate without requiring manual status updates.

The system records how each issue was resolved and explains the reason in Issue Details → Resolution Reason, with visibility in scan history. This behavior is optional and must be enabled per project.

For more info, check the feature's docs page: Auto-resolve vulnerabilities

Multi-Field OTP Support

You can now enter one-time passcodes into applications that require a separate input for each digit, enabling authentication flows that were previously blocked. This allows multi-factor authentication to work seamlessly with apps that use digit-by-digit OTP entry.

This behavior supports variable OTP lengths and keeps existing single-field OTP handling unchanged. If the number of digits does not match the number of input fields, the flow fails with a clear error.

For more info, check the feature's docs page: Configure OTP Entry Across Multiple Input Fields

Scan and Discovery Pausing

New action buttons let you pause and resume scans and discoveries, giving you more control over how and when scans run. Paused scans preserve their state for 7 days and can be resumed later. After 7 days, the status will change to "stopped" automatically.

For more info, check the feature's docs: Pausing a Scan or Discovery

Improved PDF report export permissions

PDF report exports no longer require the org.memberships:read scope. Reports can now be generated based on reporting-related scopes only. When org.memberships:read is missing, user-related details (such as member names and mentions) are omitted or shown as unknown, while the rest of the report remains fully available.

Azure DevOps Integration improvement

We’ve improved the Azure DevOps integration experience by introducing automatic field fetching.

You can now:

  • Automatically fetch available fields from your selected Azure project and work item type (for example, Bug).
  • See field names and value types directly in Bright's UI.
  • Select fields and values from dropdowns instead of manually entering API keys or field identifiers.

This makes the integration setup faster, safer, and far less error-prone.

Important note: To fully benefit from this improvement, we recommend disconnecting the existing Azure integration and reconnecting it.



Enhancement

SMS-Based One-Time Passwords

You can now create authentication objects that use SMS-based one-time passwords, including assigning and managing phone numbers by country. The assigned phone number is clearly displayed, and safeguards prevent using the same SMS verification in parallel activities.

This feature is available to users who manage authentication objects. When deleting an unused SMS-based authentication object, a clear warning explains that the phone number will be released and may be reassigned later.


Support Contact Branding

Organizations can now replace default support references in alerts and emails with their own internal support contact, creating a more consistent experience for end users. This is configured in Organization Settings → General Details → Support Contact, where you can switch to internal support and optionally add a contact email.

Only Organization Owners can edit these settings. Changes apply only to the current organization, and the internal support email is shown only if provided, with no fallback to external support details.

Edit SLA From Dashboard

An Edit SLA button has been added directly to the SLA widget, making it easier to jump to configuration without navigating through multiple screens. Selecting the button opens Project Settings → SLA Configuration.

Users without project.sla:manage permission will still see the button, but it will be disabled with a clear tooltip explaining the restriction. This ensures visibility while preventing unauthorized changes.


Improved Project Dashboard Usability

The Project Dashboard now opens drawers with Confirmed Issues shown by default, helping teams focus immediately on actionable items. URLs in drawers include an open-in-new-tab icon, and all dashboard widgets now display tooltips that explain each metric and how it’s calculated.

These changes are available to all users with access to the Project Dashboard. The default behavior is consistent for everyone and does not rely on previous viewing history.

Enhancement

Bright MCP Server - AI-Driven Security Scanning

The new Bright MCP Server enables AI assistants to directly interact with Bright and manage security scans end-to-end.

Using natural language prompts, AI can now analyze existing coverage, identify missing or hidden entrypoints, add them to the project, select the most relevant security tests based on the application’s technology, and start scans automatically.

This significantly reduces manual setup, improves scan coverage beyond Swagger or UI exposure, and helps teams detect real risks faster with minimal effort.

Check out our Configuration guide and MCP tools and capabilities doc for more information.


Additional search/filter options on Issues pages

Added a dedicated search capability to all Issues tabs - Issues, Ignored Issues, and Unconfirmed Issues.
Users can now quickly find specific issues by searching directly in the table using URL, CVE, ID, and other identifiers, making investigation, validation, and bulk actions significantly faster and more efficient.


Set Project-Level Email Notifications

You can now configure email notifications per project, giving teams full control over who gets notified about key events such as new issues, scan status changes, and errors. This improves alignment with team ownership, reduces notification noise, and ensures critical updates reach the right stakeholders at the right time.

Notifications are managed directly from Project Settings → Notifications, with support for selecting users, while still respecting individual notification preferences defined in personal user settings.

More details are available in the Project Notifications documentation.


Flexible Field Mapping for Azure Boards

Manually define required custom fields for Azure Boards during integration setup, ensuring tickets are created successfully even when boards enforce mandatory fields. This removes integration blockers, reduces manual work, and allows teams to keep their existing board configurations without compromises.

Custom fields are configured as key-value pairs per project under the Integration Settings, giving teams immediate control and visibility over how tickets are created.


Improve Visibility For Completed Scans

A new column, "Last Completed Scan", has been added to the Projects table, showing the timestamp of the most recent successfully completed scan. This gives teams a clear and reliable indication of scan health and makes it easier to track project security status and compliance.

If no successful scan exists, the table clearly indicates that no scans have been completed successfully, helping teams quickly identify gaps and take action.


Better descriptions for our tests

We’ve refined the wording of our security test descriptions to make them clearer and easier to understand. This helps teams quickly understand what each test does, choose the right tests, and better communicate results across security, engineering, and business teams.

Masked authentication fields in test results

To improve data security, fields configured as masked in the authentication object are now automatically masked in the Test results tab. These values cannot be unmasked in the test results.



Enhancement

Scan Duration Estimation

You can now see an estimated scan duration before starting a scan. The estimate is based on your project’s Entry Points, selected tests, and past scan history. We also moved the scheduling section to the top of the tab to make it easier to access.

This helps you plan ahead, understand how long a scan is likely to take, and avoid unnecessary surprises - making the scan setup process smoother and more predictable.


Authentication Objects Now Visible in Scan Configuration

You can now see which Authentication Object (AO) is linked to each Entrypoint directly inside the Scan Configuration page, as well as on the Project, Scan, and Discovery pages. The new column shows either the assigned AO name or a simple “No authentication object is assigned.” You can also filter Entrypoints by whether they have an AO or not for better data management.


This improvement gives you a clearer view of which Entrypoints are authenticated before running a scan. It reduces confusion, keeps both pages aligned, and helps you quickly spot missing authentication setups, so scans run more smoothly.


WebGRPC Support

We’ve added full support for WebGRPC to our DAST engine. From now on, any target using WebGRPC (gRPC over HTTP/1.1 or HTTP/2) is scanned automatically. There is no need to upload gRPC schemas or .proto files: Bright now detects, decodes, and parses everything directly from the HAR or the crawler.


This makes scanning modern WebGRPC-based applications faster and simpler. You get full coverage without extra setup, manual uploads, or configuration work.


Updated Role Scopes for Organization & Member Management

We updated how organization-level scopes work to make permissions clearer and more predictable. Users will now see only the parts of the Organization settings that match their assigned scopes, and admins can manage members and groups more reliably.

This change makes access control easier to understand, reduces confusion, and helps large teams manage users and groups with confidence.

Scope Overview:

  • org:read gives access to the Organization tab and general org details, but does not grant visibility into members.
  • org.memberships:read allows users to see only the members who share a mutual group with them (excluding “Everyone”). Together with org:read, it enables opening the Organization tab and viewing the filtered member list.
  • org.memberships:manage allows managing group memberships, including adding, editing, and removing members from groups.
  • groups:manage allows creating, editing, and deleting groups, but does not control member visibility.
  • groups:admin provides administrative control over groups only and should not be required for viewing members.
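The member-visibility rule above is easy to get wrong when reimplementing it in tooling that mirrors Bright's member list (an inventory script, an access review). The following is an added example written for these notes, not Bright's own code: it models org:read as the gate for opening the Organization tab, org.memberships:read as the filter to members who share a mutual group with the viewer (with "Everyone" excluded), and leaves groups:manage / groups:admin out of the decision, since the notes say they do not control member visibility. The members, groups and e-mail addresses are constructed sample data, and the choice that a viewer counts as sharing a group with themself is an assumption of the example.

```python
"""Member visibility under Bright's organization scopes (added example)."""
from dataclasses import dataclass

EVERYONE = "Everyone"  # implicit org-wide group, never counted as a mutual group


@dataclass(frozen=True)
class Member:
    email: str
    groups: frozenset[str]


def mutual_groups(a: Member, b: Member) -> frozenset[str]:
    """Groups shared by a and b, ignoring the implicit 'Everyone' membership."""
    return (a.groups & b.groups) - {EVERYONE}


def visible_members(viewer: Member, members: list[Member], scopes: set[str]) -> list[str]:
    """E-mails the viewer may see in the Organization member list.

    - without org:read the tab cannot be opened at all (PermissionError)
    - org:read alone shows org details but no members (empty list)
    - org.memberships:read filters to mutual-group members only
    Group-management scopes (groups:manage, groups:admin) deliberately play no
    part here: per the release notes they do not control member visibility.
    """
    if "org:read" not in scopes:
        raise PermissionError("org:read is required to open the Organization tab")
    if "org.memberships:read" not in scopes:
        return []
    # Assumption: the viewer is listed too when they belong to any real group.
    return sorted(m.email for m in members if mutual_groups(viewer, m))


# Constructed sample org: every member is implicitly in "Everyone".
MEMBERS = [
    Member("alice@example.com", frozenset({EVERYONE, "appsec", "platform"})),
    Member("bob@example.com", frozenset({EVERYONE, "appsec"})),
    Member("carol@example.com", frozenset({EVERYONE, "platform"})),
    Member("dave@example.com", frozenset({EVERYONE, "finance"})),
    Member("erin@example.com", frozenset({EVERYONE})),
]


def member(email: str) -> Member:
    """Look up a sample member by e-mail."""
    return next(m for m in MEMBERS if m.email == email)


if __name__ == "__main__":
    bob = member("bob@example.com")
    # bob shares "appsec" with alice (and himself); only "Everyone" with the rest
    print(visible_members(bob, MEMBERS, {"org:read", "org.memberships:read"}))
    # erin is only in "Everyone", so with the same scopes she sees nobody
    print(visible_members(member("erin@example.com"), MEMBERS, {"org:read", "org.memberships:read"}))
```

The erin case is the one worth checking in any mirror of this logic: a member whose only group is "Everyone" has org.memberships:read but an empty member list, which is the intended least-privilege outcome rather than a bug.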

Improved Deletion Behavior for Entry Points and Issues

We improved the behavior of deleting Entry Points to ensure consistency. From now on, when an Entry Point is removed, all Issues linked to it are automatically removed as well. This keeps your project data clean and free from outdated or disconnected information.

This update helps maintain accurate vulnerability data, reduces noise from irrelevant Issues, and gives you a clearer, more trustworthy view of your project’s security status.

Enhancements

Project Dashboard (New)

The new Project Dashboard is now live. It gives you a clean, easy-to-understand view of your project security: the most important alerts, SLA risks, issue trends, and recent scan activity at a glance.

You can find more information in the dedicated Project Dashboard user guide.

Accessing the Dashboard

  1. Go to the Projects page.
  2. Click on the desired project.
  3. The Dashboard tab opens automatically as the default view.

Navigation Path: Projects → [Project Name] → Dashboard

Project Page UI Enhancements

We updated the Project page to deliver a cleaner and more intuitive workflow. The project management tab has been moved to the top for improved visibility and easier navigation.

  • To start a new scan, go to the Discoveries page and create a Discovery.
  • To add Entry Points, visit the Entry Points page.
  • To export Issues, Unconfirmed Issues, or Ignored Issues, navigate to the relevant Issues page and export directly from there.
  • To delete a project, go to the settings page and click on the delete button.

Project Delete Confirmation

To prevent accidental deletions, we added a new confirmation step when deleting a project. Users are now required to type the full project name before deletion is allowed. The Delete button becomes active only when the name is entered correctly, ensuring safer and more deliberate project management.


Mask toggle for Authorized requests setup headers in the Authentication Flow dialog

Header values in the Authorized requests setup section (Advanced tab of the Authentication Flow dialog) can be displayed as Clear text or Masked text. By default, these headers appear as clear text and follow the same masking behavior as other headers in the Authentication Flow.

Note: The unmasking access scope determines who can mask or unmask these header values.

For more information, see Authorized requests setup headers

Bright STAR

STAR GitLab support is now live and available for use

STAR now supports GitLab as a code source, allowing you to run STAR scans directly on your GitLab repositories.

For more information about Bright STAR, see Introducing Bright STAR. To enable STAR in your Bright environment for complete CI/CD auto-testing, remediation, and validation, contact your Bright Customer Success Engineer.

Integrations

Export STAR project issues as SARIF

STAR projects now support export of project issues in SARIF format. This new feature facilitates the seamless sharing of project-level security findings with external tools.

Access and File Details

The new export option is located on the Project Issues screen.

  1. Go to the Project Issues tab for the STAR project.
  2. Select the Export menu.
  3. Choose the new option: Export as SARIF for STAR.

Changes to the SARIF file

The SARIF file keeps the same structure as the existing DAST SARIF export, with one STAR-specific addition in the properties section:

"properties": {
  "star_sources": [
    "repo-name:branch-name",
    "another-repo:another-branch"
  ]
}
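A consumer of the STAR SARIF export typically needs the star_sources list to route findings back to the right repository and branch. The following parser is an added example written for these notes, not Bright's code, and it assumes the star_sources property bag sits on each run (runs[*].properties); it also checks the top-level log properties, since SARIF 2.1.0 allows a property bag at both levels. The embedded SARIF document is constructed sample data, and its rule IDs and messages are placeholders, not real Bright tests.

```python
"""Extract STAR sources and a result summary from a Bright SARIF export (added example)."""
import json
from collections import Counter
from dataclasses import dataclass

SARIF_VERSION = "2.1.0"

# Constructed sample: a minimal SARIF 2.1.0 log shaped like the STAR export.
# Rule IDs and messages are placeholders, not real Bright tests.
SAMPLE_SARIF = json.dumps({
    "version": SARIF_VERSION,
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "Bright"}},
        "properties": {
            "star_sources": ["api-gateway:main", "web-frontend:release/2.4"]
        },
        "results": [
            {"ruleId": "example-rule-1", "level": "error",
             "message": {"text": "placeholder finding"}},
            {"ruleId": "example-rule-2", "level": "warning",
             "message": {"text": "placeholder finding"}},
        ],
    }],
})


@dataclass(frozen=True)
class StarSource:
    repo: str
    branch: str


def parse_star_source(entry: str) -> StarSource:
    """Split a "repo-name:branch-name" entry.

    Git ref names cannot contain ':' (git check-ref-format), so the first ':'
    is the separator and everything after it is the branch, which may itself
    contain '/' (for example release/2.4).
    """
    if not isinstance(entry, str):
        raise ValueError(f"star_sources entry is not a string: {entry!r}")
    repo, sep, branch = entry.partition(":")
    if not sep or not repo or not branch:
        raise ValueError(f"malformed star_sources entry: {entry!r}")
    return StarSource(repo, branch)


def star_sources(log: dict) -> list[StarSource]:
    """Return every STAR source declared in the log, in document order, de-duplicated."""
    if log.get("version") != SARIF_VERSION:
        raise ValueError(f"unsupported SARIF version: {log.get('version')!r}")
    # Assumption: the bag may be at the log level or on each run.
    bags = [log.get("properties") or {}]
    bags += [run.get("properties") or {} for run in log.get("runs", [])]
    found: list[StarSource] = []
    for bag in bags:
        for entry in bag.get("star_sources", []):
            src = parse_star_source(entry)
            if src not in found:
                found.append(src)
    return found


def results_by_level(log: dict) -> dict[str, int]:
    """Count results per SARIF level; a missing level defaults to "warning" as the spec prescribes."""
    counts: Counter = Counter()
    for run in log.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return dict(counts)


def summarize(sarif_text: str) -> dict:
    """One-shot summary a CI job can log before handing the file to another tool."""
    log = json.loads(sarif_text)
    return {
        "sources": [f"{s.repo}@{s.branch}" for s in star_sources(log)],
        "results": results_by_level(log),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SARIF), indent=2))
```

Rejecting a malformed star_sources entry outright, rather than silently dropping it, is deliberate: a finding that cannot be attributed to a repository and branch would otherwise vanish from the downstream tool without anyone noticing.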

New partner integrations: Tenable, Cycode, and Legit

Bright has expanded integration support to connect with three additional security platforms, enhancing visibility and governance across the Software Development Lifecycle (SDLC).

These new integrations let you bring Bright DAST findings into the tools your security and engineering teams already use, so you manage application and pipeline risks from a single place.

Tenable integration (Exposure Management)

Bright provides a connector to Tenable Exposure Management (Tenable One). The connector ingests Bright DAST projects and issues into Tenable as web application assets and findings, using the Bright APIs.

With this integration, you can:

  • View Bright web application assets together with other Tenable One assets in a single inventory.
  • Analyze Bright DAST findings with Tenable’s exposure and vulnerability views, using Tenable’s severity and status mapping.
  • Use existing Tenable One workflows—filters, dashboards, and reports—to track and report on Bright-originated issues.

Configuration steps and field mappings for the Bright connector are documented in the Tenable Exposure Management documentation (Tenable-Bright connector).

Cycode integration (ASPM)

Bright provides a connector to Cycode’s Application Security Posture Management (ASPM) platform. The integration imports Bright DAST findings into Cycode so you can manage web application vulnerabilities together with other AppSec data in a single system.

With this integration, you can:

  • Correlate DAST findings with results from other scanners (such as SAST and SCA) within Cycode's Risk Intelligence Graph.
  • Use Cycode’s dashboards, queries, and workflows to track and triage Bright-originated issues.
  • Keep remediation ownership and status aligned across security and development teams.

The integration is configured from the Cycode environment by adding Bright as an external scanner through the Cycode integrations page.

Legit Security integration (ASPM)

Bright provides a connector to Legit Security’s Application Security Posture Management (ASPM) platform. The integration sends Bright DAST findings to Legit so you can manage web application vulnerabilities together with other AppSec data in one place.

With this integration, you can:

  • View Bright DAST results alongside findings from other security tools in Legit’s unified ASPM view.
  • Use Legit’s workflows, policies, and dashboards to track and remediate Bright-originated issues.
  • Keep ownership and status of vulnerabilities aligned between security and development teams.

You configure the integration from the Legit environment by adding Bright as an external security scanner through the Legit integrations page.

Enhancements

Report & Export Permissions Update

Improved report permissions to make data access clearer and more secure:

  • PDF reports and report template configurations now require login with a Bearer token (used in the Bright web app).
  • API Keys continue to support other export formats such as CSV, JSON, SARIF, and HAR.

If your automations use API Keys for PDF reports, switch to Bearer token authentication to continue using this feature.

Scope behavior for exporting reports:

  • reports:read - Allows viewing and exporting PDF reports for scans and projects. Required for: Export PDF reports (Scan, Project).
  • reports:write - Allows editing or configuring report templates and organization report settings. Required for: Modify report templates and settings.
  • issues:read - Allows access to issue data needed for all report and export actions. Required for: Export issues as PDF, CSV, SARIF, JSON (Scan, Project).
  • entrypoints:read - Allows reading and exporting Entrypoints data. Required for: Export Entrypoints (CSV / HAR).
  • projects:read - Allows reading project-level metadata and reports. Required for: Export Project as PDF / CSV.
  • comments:read - Allows reading comments on issues. Used for: comments included in the PDF report context.

New: Filter Entrypoints by Host

A new host-based filter has been added to the Entrypoints tables in both Scan and Discovery pages. This improvement allows users to quickly isolate and view entrypoints associated with specific hosts, ensuring more accurate visibility and troubleshooting across multi-host projects.

Improved Projects Page Layout

Projects page UI improvements for easier navigation and use.

What's New:

  • Moved the toolbar from the bottom to the top of the page for better visibility and a more intuitive layout.
  • Added a Create Discovery button in the Discovery tab.
  • Added a Create Entry Point button in the Entry Points tab.
  • You can now share direct links to specific tabs or items within the Projects page.

These updates are part of our ongoing effort to improve usability and align the Projects area with the upcoming new Bright dashboard experience. No workflow or automation changes are required on your side - this update is UI only.

Bright-CLI

New version of Bright-CLI v13.8.0.

New features:

  • CI: arm64 images are now published on Docker Hub.

Bug fixes:

  • Resolved the repeater connection issue which occasionally happened on bridge service restart, where repeaters appeared connected but were unresponsive.

Removed deprecated endpoint

The endpoint GET '/api/v1/me/org/memberships' is deprecated and has been removed.

Integrations

OX Security integration (ASPM)

Bright now integrates with OX Security. You can automatically import Bright DAST findings into OX to manage AppSec risks in a single backlog with consistent prioritization and automated routing. The integration enables seamless visibility and unified risk management across your SDLC.