Security & Audit Logging
Released: May 8, 2026
A foundational security release adding MFA, SIEM-ready audit log streaming, and a wide audit-coverage sweep that ensures every mutation is logged.
New
- TOTP MFA. Time-based one-time password enrollment with QR setup, recovery codes, and a login challenge step. MFA setup banner on the dashboard nudges users who haven't enrolled yet.
- Audit log streaming to SIEM. Real-time stream of audit events to customer-controlled webhook destinations. Built-in support for Splunk HEC (with payload wrapping) and Datadog (DD-API-KEY header). Generic webhook destination for any other ingest endpoint.
- Multi-destination dispatch. Configure multiple SIEM destinations per org; events are dispatched to all of them concurrently with provider-specific formatting.
- Inactivity auto-logout. Tightened idle limit to 15 minutes with a 5-minute warning banner and 60-second final modal before the session ends.
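The provider-specific formatting and concurrent multi-destination dispatch described above, as an added illustration rather than the product's own code. It assumes Splunk HEC's event envelope with an "Authorization: Splunk <token>" header and Datadog's DD-API-KEY log-intake header (both real), while the audit event, destination records and URLs are constructed sample values.

```python
import json
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable

# Constructed sample audit event; field names are illustrative only.
SAMPLE_EVENT = {
    "ts": 1778284800,          # epoch seconds
    "actor": "user_123",
    "action": "settings.update",
    "org": "org_abc",
    "ip": "203.0.113.7",
}

def format_for(dest: dict, event: dict) -> tuple:
    """Return (url, headers, body) for one destination.

    Splunk HEC expects the record wrapped under an "event" key and a
    "Splunk <token>" Authorization header; Datadog's log intake takes the
    record as-is with a DD-API-KEY header; the generic webhook posts the raw
    JSON with whatever headers the customer configured for it."""
    kind = dest["kind"]
    if kind == "splunk_hec":
        body = {"time": event["ts"], "sourcetype": "_json", "event": event}
        headers = {"Authorization": f"Splunk {dest['token']}"}
    elif kind == "datadog":
        body = dict(event, ddsource="audit")
        headers = {"DD-API-KEY": dest["token"]}
    elif kind == "webhook":
        body = event
        headers = dict(dest.get("headers", {}))
    else:
        raise ValueError(f"unknown destination kind: {kind}")
    headers["Content-Type"] = "application/json"
    return dest["url"], headers, json.dumps(body).encode()

def http_post(url: str, headers: dict, body: bytes) -> int:
    """Real sender: POST the body and return the HTTP status (raises on 4xx/5xx)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

def dispatch(event: dict, dests: list, send: Callable = http_post) -> dict:
    """Fan one event out to every destination concurrently. A failing
    destination is recorded per URL and never blocks delivery to the others."""
    def one(dest):
        url, headers, body = format_for(dest, event)
        try:
            return url, send(url, headers, body)
        except Exception as exc:   # record the failure instead of propagating it
            return url, f"error: {exc}"
    with ThreadPoolExecutor(max_workers=len(dests)) as pool:
        return dict(pool.map(one, dests))
```

Passing a custom `send` lets you exercise the fan-out offline; with the default sender every configured destination receives the same event in its own format.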
Improved
- Comprehensive audit coverage. Every authenticated mutation now writes an audit log entry (settings changes, member invites, scan triggers, drift watch CRUD, runner lifecycle, SSO config edits, etc.). Reviewable in-app and streamable to SIEM in the same format.
- Provider logos on SIEM destination cards. Splunk and Datadog destinations show recognizable marks in settings.
- Verify-email cross-tab routing. Verifying email in one tab now signals other open tabs to refresh auth state instead of leaving them stuck on the gate.
Fixed
- Verify-email gate honored for legacy users. SAML SSO callbacks for legacy users with emailVerified: false now flip the flag rather than blocking them at the gate. Reason: the IdP already authenticated the email, so a second verification step was redundant and confusing.