Enhancement

This release focuses on improving control, clarity, and automation across security workflows, authentication, reporting, and integrations.

Automatic Issue Resolution

Vulnerabilities that no longer reproduce in consistent re-scans can now be automatically marked as resolved. This keeps dashboards, reports, and metrics accurate without requiring manual status updates.

The system records how each issue was resolved and explains the reason in Issue Details → Resolution Reason, with visibility in scan history. This behavior is optional and must be enabled per project.

For more info, check the feature's docs page: Auto-resolve vulnerabilities

Multi-Field OTP Support

You can now enter one-time passcodes into applications that require a separate input for each digit, enabling authentication flows that were previously blocked. This allows multi-factor authentication to work seamlessly with apps that use digit-by-digit OTP entry.

This behavior supports variable OTP lengths and keeps existing single-field OTP handling unchanged. If the number of digits does not match the number of input fields, the flow fails with a clear error.

For more info, check the feature's docs page: Configure OTP Entry Across Multiple Input Fields

Scan and Discovery Pausing

New action buttons let you pause and resume scans and discoveries, giving you more control over how and when scans run. Paused scans preserve their state for 7 days and can be resumed later. After 7 days, the status will change to "stopped" automatically.

For more info, check the feature's docs: Pausing a Scan or Discovery

Improved PDF report export permissions

PDF report exports no longer require the org.memberships:read scope. Reports can now be generated based on reporting-related scopes only. When org.memberships:read is missing, user-related details (such as member names and mentions) are omitted or shown as unknown, while the rest of the report remains fully available.

Azure DevOps Integration improvement

We’ve improved the Azure DevOps integration experience by introducing automatic field fetching.

You can now:

• Automatically fetch available fields from your selected Azure project and work item type (for example, Bug).
• See field names and value types directly in Bright's UI.
• Select fields and values from dropdowns instead of manually entering API keys or field identifiers.

This makes the integration setup faster, safer, and far less error-prone.

Important note: To fully benefit from this improvement, we recommend disconnecting the existing Azure integration and reconnecting it.

Enhancement

SMS-Based One-Time Passwords

You can now create authentication objects that use SMS-based one-time passwords, including assigning and managing phone numbers by country. The assigned phone number is clearly displayed, and safeguards prevent using the same SMS verification in parallel activities.

This feature is available to users who manage authentication objects. When deleting an unused SMS-based authentication object, a clear warning explains that the phone number will be released and may be reassigned later

Support Contact Branding

Organizations can now replace default support references in alerts and emails with their own internal support contact, creating a more consistent experience for end users. This is configured in Organization Settings → General Details → Support Contact, where you can switch to internal support and optionally add a contact email.

Only Organization Owners can edit these settings. Changes apply only to the current organization, and the internal support email is shown only if provided, with no fallback to external support details.

Edit SLA From Dashboard

An Edit SLA button has been added directly to the SLA widget, making it easier to jump to configuration without navigating through multiple screens. Selecting the button opens Project Settings → SLA Configuration.

Users without project.sla:manage permission will still see the button, but it will be disabled with a clear tooltip explaining the restriction. This ensures visibility while preventing unauthorized changes.

Improved Project Dashboard Usability

The Project Dashboard now opens drawers with Confirmed Issues shown by default, helping teams focus immediately on actionable items. URLs in drawers include an open-in-new-tab icon, and all dashboard widgets now display tooltips that explain each metric and how it’s calculated.

These changes are available to all users with access to the Project Dashboard. The default behavior is consistent for everyone and does not rely on previous viewing history.

Enhancement

Bright MCP Server - AI-Driven Security Scanning

The new Bright MCP Server enables AI assistants to directly interact with Bright and manage security scans end-to-end.

Using natural language prompts, AI can now analyze existing coverage, identify missing or hidden entrypoints, add them to the project, select the most relevant security tests based on the application’s technology, and start scans automatically.

This significantly reduces manual setup, improves scan coverage beyond Swagger or UI exposure, and helps teams detect real risks faster with minimal effort.

Check out our Configuration guide and MCP tools and capabilities doc for more information.

Additional search/filter options on Issues pages

Added a dedicated search capability to all Issues tabs - Issues, Ignored Issues, and Unconfirmed Issues.
Users can now quickly find specific issues by searching directly in the table using URL, CVE, ID, and other identifiers, making investigation, validation, and bulk actions significantly faster and more efficient.

Set Project-Level Email Notifications

You can now configure email notifications per project, giving teams full control over who gets notified about key events such as new issues, scan status changes, and errors. This improves alignment with team ownership, reduces notification noise, and ensures critical updates reach the right stakeholders at the right time.

Notifications are managed directly from Project Settings → Notifications, with support for selecting users, while still respecting individual notification preferences defined in personal user settings.

More details are available in the Project Notifications documentation.

Flexible Field Mapping for Azure Boards

Manually define required custom fields for Azure Boards during integration setup, ensuring tickets are created successfully even when boards enforce mandatory fields. This removes integration blockers, reduces manual work, and allows teams to keep their existing board configurations without compromises.

Custom fields are configured as key-value pairs per project under the Integration Settings, giving teams immediate control and visibility over how tickets are created

Improve Visibility For Completed Scans

A new column has been added to the Projects table, Last Completed Scan" showing the timestamp of the most recent successfully completed scan. This gives teams a clear and reliable indication of scan health and makes it easier to track project security status and compliance.

If no successful scan exists, the table clearly indicates that no scans have been completed successfully, helping teams quickly identify gaps and take action.

Better descriptions for our tests

We’ve refined the wording of our security test descriptions to make them clearer and easier to understand. This helps teams quickly understand what each test does, choose the right tests, and better communicate results across security, engineering, and business teams.

Masked authentication fields in test results

To improve data security, fields configured as masked in the authentication object are now automatically masked in the Test results tab. These values cannot be unmasked in the test results.

Enhancement

Scan Duration Estimation

You can now see an estimated scan duration before starting a scan. The estimate is based on your project’s Entry Points, selected tests, and past scan history. We also moved the scheduling section to the top of the tab to make it easier to access.

This helps you plan ahead, understand how long a scan is likely to take, and avoid unnecessary surprises - making the scan setup process smoother and more predictable.

Authentication Objects Now Visible in Scan Configuration

You can now see which Authentication Object (AO) is linked to each Entrypoint directly inside the Scan Configuration page, as well as the Project, Scan, and Discovery pages. Clearly shows either the assigned AO name or a simple “No authentication object is assigned.” You can also filter Entrypoints by whether they have an AO or not for better data management.

This improvement gives you a clearer view of which Entrypoints are authenticated before running a scan. It reduces confusion, keeps both pages aligned, and helps you quickly spot missing authentication setups, so scans run more smoothly.

WebGRPC Support

We’ve added full support for WebGRPC in our DAST engine. From now on, any target using WebGRPC (GRPC over HTTP/1.1 or HTTP/2) will be scanned automatically. There’s no need to upload GRPC schemas or proto files - Bright now detects, decodes, and parses everything directly from the HAR or crawler.

This makes scanning modern WebGRPC-based applications faster and simpler. You get full coverage without extra setup, manual uploads, or configuration work.

Updated Role Scopes for Organization & Member Management

We updated how organization-level scopes work to make permissions clearer and more predictable. Users will now see only the parts of the Organization settings that match their assigned scopes, and admins can manage members and groups more reliably.

This change makes access control easier to understand, reduces confusion, and helps large teams manage users and groups with confidence.

Scope Overview:

• org:readgives access to the Organization tab and general org details, but does not grant visibility into members.
• org.memberships:read allows users to see only the members who share a mutual group with them (excluding “Everyone”). Together with org:read, it enables opening the Organization tab and viewing the filtered member list.
• org.memberships:manage allows managing group memberships, including adding, editing, and removing members from groups.
• groups:manage allows creating, editing, and deleting groups, but does not control member visibility.
• groups:admin provides administrative control over groups only and should not be required for viewing members.

Improved Deletion Behavior for Entry Points and Issues

We improved the behavior of deleting Entry Points to ensure consistency. From now on, when an Entry Point is removed, all Issues linked to it are automatically removed as well. This keeps your project data clean and free from outdated or disconnected information.

This update helps maintain accurate vulnerability data, reduces noise from irrelevant Issues, and gives you a clearer, more trustworthy view of your project’s security status.

Enhancements

Project Dashboard (New)

The new Application Dashboard is now live. It gives you a clean, easy-to-understand view of your project security. You can quickly see the most important alerts, SLA risks, issue trends, and recent scan activity.

You can find more information in the dedicated user guide we created: Click here.

Accessing the Dashboard

1. Go to the Projects page.
2. Click on the desired project.
3. The Dashboard tab opens automatically as the default view.

Navigation Path: Projects → [Project Name] → Dashboard

Project Page UI Enhancements

We updated the Project page to deliver a cleaner and more intuitive workflow. The project management tab has been moved to the top for improved visibility and easier navigation.

• To start a new scan, go to the Discoveries page and create a Discovery.
• To add Entry Points, visit the Entry Points page.
• To export Issues, Unconfirmed Issues, or Ignored Issues, navigate to the relavent Issues' page and export directly from there.
• To delete a project, go to the settings page and click on the delete button.

Project Delete Confirmation

To prevent accidental deletions, we added a new confirmation step when deleting a project. Users are now required to type the full project name before deletion is allowed. The Delete button becomes active only when the name is entered correctly, ensuring safer and more deliberate project management.

To delete a project, go to the settings page and click on the delete button.

Mask toggle for Authorized requests setup headers in the Authentication Flow dialog

Header values in the Authorized requests setup section (Advanced tab of the Authentication Flow dialog) can be displayed as Clear text or Masked text. By default, these headers appear as clear text and follow the same masking behavior as other headers in the Authentication Flow.

Note: The unmasking access scope determines who can mask or unmask these header values.

For more information, see Authorized requests setup headers

Bright STAR

STAR GitLab support is now live and available for use

STAR now supports GitLab as a code source, allowing you to run STAR scans directly on your GitLab repositories.

For more information about Bright STAR, see Introducing Bright STAR. To enable STAR in your Bright environment for complete CI/CD auto-testing, remediation, and validation, contact your Bright Customer Success Engineer.

Integrations

Export STAR project issues as SARIF

STAR projects now support export of project issues in SARIF format. This new feature facilitates the seamless sharing of project-level security findings with external tools.

Access and File Details

The new export option is located on the Project Issues screen.

1. Go to the Project Issues tab for the STAR project.
2. Select the Export menu.
3. Choose the new option: Export as SARIF for STAR.

Changes to the SARIF file

The SARIF file keeps the same structure as the existing DAST SARIF export, with one STAR-specific addition in the properties section:

"properties": {
  "star_sources": [
    "repo-name:branch-name",
    "another-repo:another-branch"
  ]
}

New partner integrations: Tenable, Cycode, and Legit

Bright has expanded integration support to connect with three additional security platforms, enhancing visibility and governance across the Software Development Lifecycle (SDLC).

These new integrations let you bring Bright DAST findings into the tools your security and engineering teams already use, so you manage application and pipeline risks from a single place.

Tenable integration (Exposure Management)

Bright connector to Tenable Exposure Management (Tenable One). The connector ingests Bright DAST projects and issues into Tenable as web application assets and findings, using Bright APIs.

With this integration, you can:

• View Bright web application assets together with other Tenable One assets in a single inventory.
• Analyze Bright DAST findings with Tenable’s exposure and vulnerability views, using Tenable’s severity and status mapping.
• Use existing Tenable One workflows—filters, dashboards, and reports—to track and report on Bright-originated issues.

Configuration steps and field mappings for the Bright connector are documented in Tenable Exposure Management. Tenable-Bright connector

Cycode integration (ASPM)

Bright connector to Cycode’s Application Security Posture Management (ASPM) platform. The integration imports Bright DAST findings into Cycode so you can manage web application vulnerabilities together with other AppSec data in a single system.

With this integration, you can:

• Correlate DAST findings with results from other scanners (like SAST and SCA) within CyCode's Risk Intelligence Graph.
• Use Cycode’s dashboards, queries, and workflows to track and triage Bright-originated issues.
• Keep remediation ownership and status aligned across security and development teams.

The integration is configured from the Cycode environment by adding Bright as an external scanner through the Cycode integrations page.

Legit Security integration (ASPM)

Bright connector to Legit Security’s Application Security Posture Management (ASPM) platform. The integration sends Bright DAST findings to Legit so you can manage web application vulnerabilities together with other AppSec data in one place.

With this integration, you can:

• View Bright DAST results alongside findings from other security tools in Legit’s unified ASPM view.
• Use Legit’s workflows, policies, and dashboards to track and remediate Bright-originated issues.
• Keep ownership and status of vulnerabilities aligned between security and development teams.

You configure the integration from the Legit environment by adding Bright as an external security scanner through the Legit integrations page.

Enhancements

Report & Export Permissions Update

Improved report permissions to make data access clearer and more secure:

• PDF reports and report template configurations now require login with a Bearer token (used in the Bright web app).
• API Keys continue to support other export formats such as CSV, JSON, SARIF, and HAR.

If your automations use API Keys for PDF reports, switch to Bearer token authentication to continue using this feature.

Scope behavior for exporting reports:

New: Filter Entrypoints by Host

A new host-based filter has been added to the Entrypoints tables in both Scan and Discovery pages. This improvement allows users to quickly isolate and view entrypoints associated with specific hosts, ensuring more accurate visibility and troubleshooting across multi-host projects.

Improved Projects Page Layout

Projects page UI improvements for easier navigation and use.

What's New:

• Moved the toolbar from the bottom to the top of the page for better visibility and a more intuitive layout.
• Added a Create Discovery button in the Discovery tab.
• Added a Create Entry Point button in the Entry Points tab.
• You can now share direct links to specific tabs or items within the Projects page.

These updates are part of our ongoing effort to improve usability and align the Projects area with the upcoming new Bright dashboard experience . No workflow or automation changes are required on your side - this update is UI only.

Bright-CLI

New version of Bright-CLI v13.8.0.

New features:

• CI: support arm64 in docker hub.

Bug fixes:

• Resolved the repeater connection issue which occasionally happened on bridge service restart, where repeaters appeared connected but were unresponsive.

Removed deprecated endpoint

The entry point GET '/api/v1/me/org/memberships' is now deprecated.

Integrations

OX Security integration (ASPM)

Bright now integrates with OX Security. You can automatically import Bright DAST findings into OX to manage AppSec risks in a single backlog with consistent prioritization and automated routing. The integration enables seamless visibility and unified risk management across your SDLC.

Enhancements

Mask toggle for Additional Headers in the Authentication Flow dialog

Values of a specific header in the Advanced tab of the Authentication flow dialog can now be set to display as Clear Text or Masked Text. This masking enhancement follows the same role scopes as the existing mask feature.

Note: The unmasking access scope determines the ability to mask and unmask values.

For more information, see Additional Headers

Unconfirmed Issues Tab Now Visible by Default

The Unconfirmed Issues tab is now visible by default on the Scan and Project details pages. This tab was previously hidden by default making it harder for new users to find unconfirmed issues show in the scan widgets to locate their details.

Redesigned Email Templates

Bright system emails now include modernized layouts, and improved readability for easier communication and understanding.

Improvements

Scheduled Scans Reliability Improvements

The issue preventing scheduled scans from running as expected due to unavailable repeaters or off-line environments is resolved. Scans will now start and complete in the correct sequence, ensuring reliable automation and scheduled scan results.

SSO Configuration Fix

The issue preventing users from completing SSO setup after removing a previous authentication provider is now resolved. A Disconnect button was added enabling users to to reset or remove configurations at any time, preventing setup interruptions.

Visual Fixes in Scan Progress

Several UI inconsistencies in the Scan Info > Progress view are now resolved. When no entry points are scanned (0/0), the system now displays N/A instead of 100%, providing a clearer and more accurate representation of scan results.

Upcoming breaking changes

API Scope Update - Effective October 21, 2025

Report permissions will be more clear and secure.

What will change

Starting October 21, 2025, certain actions related to PDF report generation will require a different authentication method:

• PDF report generation (for Scan and Project) and organization-level report configuration will be available only when using a Bearer token – the same authentication method used in the Bright web app.

  These actions will require two specific permissions:

  • reports:read – to view and export reports
  • reports:write – to edit or configure report templates

• API Keys will no longer support these report-related endpoints.

  • Regular exports such as CSV, JSON, SARIF, HAR, etc., will continue to work with API Keys as before.

This update helps prevents users with limited roles from exporting sensitive report data without proper access.

What you’ll need to do

If you or your automations currently use API Keys to generate PDF reports or configure report templates, switch to Bearer token authentication to continue using these capabilities.

No action will be required for other export formats.

Enhancements

Repeater Editing Scope Restriction

Addition of a dedicated scope restriction ensuring that only authorized users can make edits to specified repeaters.

In large organizations, multiple teams often work with the same repeaters. This new dedicated repeater scope ensures that only specified team members can edit a repeater’s name or settings.

Repeater editing options include:

• Rename
• Change description
• Reassign to a different project
• Add a script

Key updates:

• Scope restriction:
  • Only users with the new scope repeaters:manage can perform edit actions.
  • Scope repeaters:write is still required for creating and removing repeaters, as well as activating/deactivating them.
  • During rollout, repeaters:manage will be automatically added to any Role or API key that already has repeaters:write.

Non-authorized users:

• The Edit button is changed to View, and the edit window is grayed out.

Audit logs:

• All repeater edit actions (name, description, reassignments, scripts) are logged.
• Audit logs include repeater name, action, user, and timestamp.

This change strengthens governance and prevents accidental or unauthorized changes across teams, while ensuring all activity remains visible in audit logs.

Pretty print for JSON bodies

The Request and Response Body display fields now include a Pretty print toggle. When enabled, the field shows JSON in an indented, multi-line view instead of a single line.

For example From:

To:

Re-auth triggers: AND/OR groups

It is now possible to combine re-auth triggers with AND or OR and to organize them into groups. This makes it easier to describe how authentication failure looks in mixed targets (web pages and APIs).

• See more details here: https://docs.brightsec.com/docs/add-new-auth-object#/

User icon tooltip now displays the user’s full name

The header tooltip has been updated: when hovering the user icon, it now shows the full name of the logged-in user (replacing the previous “Account” text). This helps confirm which account is active at a glance.

API Endpoint Deprecation Notice - /api/v1/me/org/memberships

We are deprecating the endpoint /api/v1/me/org/memberships.

Timeline

Deprecation start: September 22, 2025

Removal date: October 19, 2025, midnight UTC

The endpoint will continue to function during the deprecation window. After the removal date, it will no longer be available, and requests will fail.

Enhancements

Bulk selection in the status tab

Now you can save time managing large sets of issues inside the Issues table, reduce repetitive work across pages, get clear visibility with a “Selected X of Y” counter, and stay in control with transparent feedback after every bulk action.

What’s new

• Select all across pages - use the "Add all to selection" button to select every issue that matches your current filters, not just the ones on the current page.
• Filter and select - apply bulk actions to only the issues that match your chosen filters.
• Clear selection- reset your choices instantly with the "Clear selection" button.
• Selection counter - always see how many issues you’ve selected out of the total.
• Smarter bulk actions - bulk actions (Resolve, Reopen, Ignore) apply only where they are supported. For example, “Reopen” will affect only resolved issues.
• Confirmation & feedback - before applying an action, you’ll see a confirmation window. Once complete, a notification shows exactly how many issues were updated and if any were skipped.

How it works

• If you select issues with mixed statuses, all actions appear, but only relevant ones are applied.
• If you bulk select a single status, only the actions valid for that status will be highlighted.

Updated API Documentation Link

We’ve updated the API docs link in the Help menu (top toolbar). The link now points to the latest V3 API documentation: API docs V3

This ensures you always have quick access to the most up-to-date API references and capabilities.

Simplified Access to Logs

We’ve streamlined log access by removing the unused logs scope. Going forward, only the org.logs scope will be available for viewing organization-wide logs.

What this means for you

• No impact on access - users with the correct roles and API keys will continue to see all log information as before.
• Audit Log unchanged- all Audit Log features remain fully accessible.
• Cleaner permissions - reduced redundancy makes roles and scopes easier to understand and manage.

Fresh Look: Updated Product Logo

We’ve refreshed our product logo to align with our new brand look.

Enhancements

Install the Bright CLI Repeater as a Helm Chart

The Bright CLI Repeater lets you run Bright security scans without exposing your internal applications to the Internet.

The Repeater acts as a secure proxy that connects to your local targets and forwards scan requests from the Bright cloud engine. With this release, the CLI Repeater can now be installed as a Helm Chart.

For more information, see Bright CLI Repeater.

Find and parse GQL entrypoints

The Bright engine now automatically detects and parses the GraphQL schemas it encounters. This new feature automatically expands the scan's scope by adding all endpoints defined within the schema, ensuring that even hidden APIs are detected and tested.

For more information, see Adding entrypoints to your project.

Mask toggle for headers and bodies in the Authentication Flow dialog

You can now define if a value of a specific header or body would be displayed as Clear Text or Masked Text.

Note: The ability to mask and unmask values is determined by the unmasking access scope.

For more information, see Authentication Flow.

Import Baseline Parameters from Insomnia

You can now import Baseline Parameters directly from Insomnia’s YAML export (type: collection.insomnia.rest/5.0)

To learn more information about Baseline Parameters, see: Baseline Parameters

Pretty Print format in Auth Flow steps

Users can now toggle to Pretty Print format in the body fields of the request/response of the Test result tab of the Authentication object.

Disable 2FA for Users

To help organizations maintain flexibility without compromising on security, Bright now provides admins and owners with a controlled way to manage members' 2FA settings. This ensures business continuity in urgent cases while keeping full auditability and accountability.

Bright organization Owners and Admins with the scope: org.memberships.reset-mfa can now disable 2FA for members directly from the Members page. The disable option is available only to users who have 2FA enabled. T

When 2FA is disabled for a member, the member will be logged out of all active sessions and will need to re-enroll when logging in again. Every 2FA action taken is fully tracked in the audit log, including the timestamp, the actor, the target user, and the IP address. Members whose 2FA was disabled will automatically receive an email notification regarding the change.

Restrictions:

• Admins cannot disable 2FA for other Admins.
• Owners can disable 2FA for all members.
• Users without the correct scope will not see Disable 2FA as an option from the kebab menu in the members page.
• If organization-wide mandatory 2FA is enabled, users will be required to reconfigure 2FA on their next login.

Ignored Issues tab and improved widgets

We’ve introduced a new Ignored Issues tab in the Scan and Project details pages to help you better manage issues you’ve chosen to ignore, such as false positives or irrelevant entry points.

Ignored Issues tab

• After marking issues as Ignored (single or bulk), they're now automatically move to the tab, keeping the main Issues table view focused on active vulnerabilities.
• The Ignored issues tab displays the same columns as the main Issues table.
• You can set a *Reopen status to ignored issues individually (via the kebab menu) or in bulk, moving them back to the main table.
• The Ignored Issue setting persists across rescans, so you don't need to perform the same action again and again.
• Tab visibility can be toggled via the gear icon in Settings.

Widgets & History

• Ignored cases are now grouped under the Closed section, with hover tooltips showing the breakdown between Ignored and Resolved.
• Hovering on severity labels shows a breakdown of New vs. Recurring issues, while hovering on Closed/Total shows Resolved vs. Ignored.
• Clicking a widget opens a filtered view per severity.
• The History page shows the total number of vulnerabilities found (unfiltered). Clicking it drills down into filtered views.

Contextual Issue Actions

The Issues table actions now show only the relevant options based on each issue’s current status, reducing confusion and preventing invalid actions.

Status-based actions:

• New → Resolve, Ignore (move to ignored issues tab)
• Resolved → Reopen
• Ignored → Reopen (moves back to main Issues table)
• Recurring → Resolve, Ignore

Bulk actions:

• Actions are only available if all selected issues support them.
• If not applicable, buttons are disabled with tooltips explaining why.
• For bulk changes, a confirmation modal will appear (e.g. “Are you sure you want to Resolve 12 issues?”).

UI improvements: Action buttons are now color-coded for clarity:

• Resolve → Green
• Reopen → Purple
• Ignore → Orange

API for a bulk project issue action changes:

The following API was added:

/api/v1/project-issues/status

Payload:

{"projectIssueIds": string[],"action": "resolve" | "ignore" | "reopen"}