Merged
31 changes: 31 additions & 0 deletions docs/docs/release-notes/index.md
@@ -1,5 +1,36 @@
# Release Notes

## 0.1.0-beta.4 (2026-06-17)

### New Features

- Redesigned asset display in the activity Detection section for a consistent look with the activity Details ([pull 26](https://github.com/CompassSecurity/raptr/pull/26))

### Fixes

- Blue Team members can now view and restore soft-deleted assets ([pull 26](https://github.com/CompassSecurity/raptr/pull/26))
- Sandboxed the Jinja2 environment used to render report templates to prevent server-side template injection (SSTI), with clearer error handling and logging for rejected templates ([pull 22](https://github.com/CompassSecurity/raptr/pull/22))
- Sanitized file names during assessment import and export to prevent path traversal (zip-slip) and `Content-Disposition` header injection ([pull 23](https://github.com/CompassSecurity/raptr/pull/23))
- The activity `state` is now required on update, so a partial request can no longer silently reset the workflow state ([pull 24](https://github.com/CompassSecurity/raptr/pull/24))
- Restricted Blue Team file upload and deletion behind the activity update permission (activity must be visible, not deleted, and in a Waiting state) ([pull 25](https://github.com/CompassSecurity/raptr/pull/25))
- Hardened file upload against polyglot files by normalizing the stored file extension to the detected content type ([pull 27](https://github.com/CompassSecurity/raptr/pull/27))
- Anaglyph mode improvements ([b7712db](https://github.com/CompassSecurity/raptr/commit/b7712db))
- Removed a duplicate event binding surfaced by the updated Vue tooling ([pull 28](https://github.com/CompassSecurity/raptr/pull/28))
- Fixed broken documentation links and anchors ([d279562](https://github.com/CompassSecurity/raptr/commit/d279562))

### Chore

- Updated frontend and backend dependencies ([pull 28](https://github.com/CompassSecurity/raptr/pull/28))
- Biome → 2.5.0
- vue → 3.5.38, vue-tsc → 3.3.5
- tailwindcss / @tailwindcss/vite → 4.3.1
- reka-ui → 2.9.10, @lucide/vue → 1.20.0
- dompurify → 3.4.10, marked → 18.0.5, axios → 1.18.0
- @hey-api/openapi-ts → 0.98.2, @types/node → 25.9.3
- Earlier dependency and Biome version bumps ([6c2e2e7](https://github.com/CompassSecurity/raptr/commit/6c2e2e7), [3b08058](https://github.com/CompassSecurity/raptr/commit/3b08058))
- Scoped the release and pull-request CI workflows with `paths-ignore` and removed the unused sandbox workflow ([8206d27](https://github.com/CompassSecurity/raptr/commit/8206d27), [00ae160](https://github.com/CompassSecurity/raptr/commit/00ae160))


## 0.1.0-beta.3 (2026-05-11)

### New Features
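Review bot: the Fixes list buries four security fixes (the sandboxed Jinja2 environment for SSTI, zip-slip plus `Content-Disposition` header injection, the Blue Team upload/delete authorization gate, and polyglot uploads) between cosmetic entries such as "Anaglyph mode improvements" and a removed duplicate Vue event binding; split them into a "### Security" subsection so an operator scanning the notes sees that this beta needs to be deployed. For the polyglot entry, normalizing the stored extension to the detected content type does not strip the second payload from the file, so say whether uploads are also served with a fixed `Content-Type` and `Content-Disposition: attachment` (the header pull 23 already sanitizes); otherwise the entry claims more than the change delivers. "Anaglyph mode improvements" as a fix says nothing about what was broken; either name the defect or move the item to New Features.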
4 changes: 2 additions & 2 deletions docs/docs/roadmap.md
Expand Up @@ -58,7 +58,7 @@ Redesign the logging system to produce meaningful audit logs.
<div class="timeline-card" markdown>
<div class="timeline-card-header" markdown>
### :rocket: Beta Release
<span class="timeline-version">[v0.1.0.beta.1]</span>
<span class="timeline-version">\[v0.1.0.beta.1\]</span>
</div>
Release of version 0.1.0.beta.1
</div>
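Review bot: escaping the brackets is the right fix for a literal bracketed label inside a `markdown` container, where `[v0.1.0.beta.1]` is otherwise a shortcut-reference-link candidate, but the label itself uses dots (`v0.1.0.beta.1`) while the release notes in this same PR use the SemVer pre-release form `0.1.0-beta.4`; harmonize the roadmap labels to the hyphenated form so they match the version strings users will search for.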
Expand All @@ -72,7 +72,7 @@ Release of version 0.1.0.beta.1
<div class="timeline-card" markdown>
<div class="timeline-card-header" markdown>
### :rocket: Alpha Release
<span class="timeline-version">[v0.1.0.alpha.1]</span>
<span class="timeline-version">\[v0.1.0.alpha.1\]</span>
</div>
Release of version 0.1.0.alpha.1
</div>
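Review bot: same escape as the beta card above, and the alpha label `v0.1.0.alpha.1` has the same dotted-versus-hyphenated mismatch with the release-notes versioning; fix both cards together.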
10 changes: 5 additions & 5 deletions docs/docs/user-guide/activities.md
Expand Up @@ -84,7 +84,7 @@ The sidebar offers a quick overview and access to all activities and activity gr

The activity header shows the name and current state. Admins and Red Team members can change the state from the header. Blue Team members can only toggle between **Waiting Blue** and **Waiting Red** (when the activity is in one of those states).

Admins and Red Teamers can also access the :lucide-book-open: [Knowledge Base](knowledge_base.md) and :lucide-history: [History](activities.md#history) sections from the header.
Admins and Red Teamers can also access the :lucide-book-open: [Knowledge Base](knowledge_base.md) and :lucide-history: [History](activities.md#activity-history) sections from the header.

#### General Information

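Review bot: the anchor fix is fine, but this paragraph is where the Blue Team restriction from pull 25 in the release notes (file upload and deletion only when the activity is visible, not deleted, and in a Waiting state) belongs. As written, the section says Blue Team members can toggle between Waiting Blue and Waiting Red but nothing about the permission gate on their uploads, so a Blue Team user whose upload is rejected on an activity in another state has no documentation that explains why. Add one sentence here or in the section that describes file uploads.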
Expand All @@ -107,7 +107,7 @@ This General section has three main purposes:
- **Requirements**: Explain environmental prerequisites that must be in place before execution, see [overcoming requirements hell](getting_started.md#overcoming-requirements-hell). Supports [Markdown](#markdown-fields)

??? bug "Strict MITRE mapping"
Currently the MITRE mapping is not strictly enforced in the backend. It is possible to create an activity with a MITRE mapping that is not valid. This will lead to the activity not being displayed in the [MITRE ATT&CK Heatmap](evaluation.md#mitre-attack-heatmap) or in the [MITRE ATT&CK Navigator](evaluation.md#export) export. The frontend enforces a strict mapping by only allowing or filtering techniques based on the chosen tactics, and vice versa.
Currently the MITRE mapping is not strictly enforced in the backend. It is possible to create an activity with a MITRE mapping that is not valid. This will lead to the activity not being displayed in the [MITRE ATT&CK Heatmap](evaluation.md#mitre-attck-heatmap) or in the [MITRE ATT&CK Navigator](evaluation.md#mitre-navigator-layer) export. The frontend enforces a strict mapping by only allowing or filtering techniques based on the chosen tactics, and vice versa.

##### Expected Outcomes

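Review bot: `#mitre-attck-heatmap` is the slug the docs build derives from "MITRE ATT&CK Heatmap" with the ampersand dropped, so the link works but breaks again the moment someone retitles that heading. The bigger point is what the admonition still documents: an invalid MITRE mapping is accepted by the backend and only filtered in the frontend, which means any direct API client can create the inconsistent record. If there is a tracking issue for server-side validation, link it from this `??? bug` block so the note does not read as permanent behaviour.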
Expand All @@ -122,7 +122,7 @@ This section is used to set the expected outcomes of the activity. The settings
!!! info "Alert and Stakeholder Notification terminology"
The term `Alert` is used in RAPTR for any kind of automatic generated information that the Blue Team receives from the security stack. This can be a SIEM alert, an EDR alert, a firewall alert, etc.

`Stakeholder Notification` refers to any kind of notification sent to stakeholders. This term originates from the fact that we often test external MSSPs/SOCs on behalf of the customer, without informing the Blue Team about the test. As well as the SOC's detection capabilities, the customer is also interested in testing whether the SOC adheres to defined processes and procedures. For example, SLAs and escalation through defined channels. Using the [evaluation templates](templates.md#evaluation-templates), you can define any metric for stakeholder notifications. E.g. quality and correctness of the notification etc.
`Stakeholder Notification` refers to any kind of notification sent to stakeholders. This term originates from the fact that we often test external MSSPs/SOCs on behalf of the customer, without informing the Blue Team about the test. As well as the SOC's detection capabilities, the customer is also interested in testing whether the SOC adheres to defined processes and procedures. For example, SLAs and escalation through defined channels. Using the [evaluation templates](templates.md#evaluation-template), you can define any metric for stakeholder notifications. E.g. quality and correctness of the notification etc.

??? bug "Only one expected severity"
Currently there is only one expected severity for alerts and stakeholder notification. The assumption is that both notifications should have the same severity level.
Expand Down Expand Up @@ -203,7 +203,7 @@ The static evaluation section shows the following data:

##### Dynamic Evaluation Questions

You can either add new [evaluation template](evaluation#evaluation-templates) questions here or if you added them to the [default evaluation questions](assessments.md#lucide-settings-2-default-evaluation-templates) on the assessment level they will appear here as well.
You can either add new [evaluation template](templates.md#evaluation-template) questions here or if you added them to the [default evaluation questions](assessments.md#default-evaluation-templates) on the assessment level they will appear here as well.
The dynamic evaluation questions can be used for any kind of evaluation that is not covered by the static evalaution questions.

??? abstract "Working with dynamic evaluation questions"
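Review bot: the new `#default-evaluation-templates` anchor drops the `lucide-settings-2-` prefix that the icon shortcode used to contribute to the heading slug. That matches the `#reset-mfa` change in user_preferences_and_ui.md, but it only holds if the docs build now strips icon shortcodes from heading ids, so verify both anchors against a built site rather than the Markdown source. While this block is being edited, fix "evalaution" in the unchanged line "The dynamic evaluation questions can be used for any kind of evaluation that is not covered by the static evalaution questions."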
Expand Down Expand Up @@ -237,7 +237,7 @@ All free text fields in the activity form support Markdown formating. Furthermor

You can change between UTC and your local time from the [toolbar](user_preferences_and_ui.md#toggle-utc-and-local-time).

The format used to display time (`24h` or `AM/PM`) and date format (e.g. `MM/DD/YYYY` or `DD/MM/YYYY`) can be configured in your [profile settings](user_preferences.md#timezone-and-date-format).
The format used to display time (`24h` or `AM/PM`) and date format (e.g. `MM/DD/YYYY` or `DD/MM/YYYY`) can be configured in your [profile settings](user_preferences_and_ui.md#timezone-and-date-format).

Use the :lucide-calendar: calendar or the **now** button to set the date and time. You can also type a date and time directely into the field. RAPTR will do its best to parse the date and time you enter.

2 changes: 1 addition & 1 deletion docs/docs/user-guide/administration.md
Expand Up @@ -83,7 +83,7 @@ The user management page `/admin/users` displays all users in a filterable table
[![Create a new user](../assets/admin-user-create.gif "Create a new user")](../assets/admin-user-create.gif){:target="_blank"}

??? info "User Invitation"
RAPTR does not send any E-Mails. After user creation, share the credentials with the user. They can change their password from the [profile page](user_preferences.md#password).
RAPTR does not send any E-Mails. After user creation, share the credentials with the user. They can change their password from the [profile page](user_preferences_and_ui.md#password).

??? Bug "Initial Password"
At its current stage, it is not possible to set or mark a user's password so that it must be changed upon first login.
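Review bot: the link fix is correct, but the two admonitions together describe a credential-handling gap the docs should address rather than only acknowledge: RAPTR sends no email, the admin hands the user a password, and no first-login password change can be enforced. Recommend in the "User Invitation" note that the initial credential be delivered over a separate out-of-band channel and changed by the user immediately. Use lowercase `??? bug` to match the other bug admonitions in this diff (`??? Bug "Initial Password"` is the only capitalized one), and "E-Mails" should read "emails".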
6 changes: 3 additions & 3 deletions docs/docs/user-guide/evaluation.md
Expand Up @@ -40,7 +40,7 @@ The static evaluation also tracks timing metrics:
- **Event-to-Alert time**: How long between the activity execution (start time) and the first alert
- **Alert-to-Stakeholder time**: How long between the alert time and the stakeholder notification

These fields are auto-calculated, but the evaluation result must be manually set. The following options exist `pass`, `fail`, and `N/A`. By default the `N/A` state is choosen. See [working with auto-calculated fields](#working-with-auto-calculated-fields).
These fields are auto-calculated, but the evaluation result must be manually set. The following options exist `pass`, `fail`, and `N/A`. By default the `N/A` state is choosen.

### Severity Evaluations

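Review bot: the removed sentence pointed at `#working-with-auto-calculated-fields`, which never resolved because `??? abstract "Working with auto-calculated fields"` is an admonition title rather than a heading; deleting the cross-reference loses the pointer to guidance that still exists further down this page. Keep a plain "see the Working with auto-calculated fields note below" or give that admonition a real heading to anchor to. The edited line also keeps "By default the `N/A` state is choosen" and is missing a colon after "The following options exist"; fix both while the line is being touched.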
Expand All @@ -49,7 +49,7 @@ The system also compares expected vs. actual severity levels for alerts and stak
- **Alert vs expected severity**: The expected severity of the alert vs the actual severity of the alert
- **Stakeholder notification vs expected severity**: The expected severity of the stakeholder notification vs the actual severity of the stakeholder notification

These fields are auto-calculated, but the evaluation result must be manually set. The following options exist `pass`, `fail`, and `N/A`. By default the `N/A` state is choosen. See [working with auto-calculated fields](#working-with-auto-calculated-fields).
These fields are auto-calculated, but the evaluation result must be manually set. The following options exist `pass`, `fail`, and `N/A`. By default the `N/A` state is choosen.

??? bug "Only one expected severity"
Currently there is only one expected severity for alerts and stakeholder notification. The assumption is that both notifications should have the same severity level.
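Review bot: same as the timing block above: the pointer to the auto-calculated-fields guidance is dropped rather than repaired, and "choosen" survives on the edited line. The two paragraphs are word-for-word identical; one shared admonition after the severity list would avoid maintaining the same sentence twice.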
Expand Down Expand Up @@ -81,7 +81,7 @@ Each evaluation question which cannot be answered automatically must be manually
[![Working with dynamic evaluation questions](../assets/eval-dynamic-questions.gif "Working with dynamic evaluation questions")](../assets/eval-dynamic-questions.gif){:target="_blank"}

??? bug "Auto-calculated fields"
The timing and severity static evaluation questions text are auto-calculated. Nevertheless these fields support [Markdown](#markdown-fields). You can overwrite the fields. As long as the field ends in `(auto-calculated)` the field will be re-calculated on changes.
The timing and severity static evaluation questions text are auto-calculated. Nevertheless these fields support [Markdown](activities.md#markdown-fields). You can overwrite the fields. As long as the field ends in `(auto-calculated)` the field will be re-calculated on changes.

??? abstract "Working with auto-calculated fields"
[![Working with auto-calculated fields](../assets/eval-auto-calculated.gif "Working with auto-calculated fields")](../assets/eval-auto-calculated.gif){:target="_blank"}
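Review bot: the link fix is fine, but the unchanged sentence "As long as the field ends in `(auto-calculated)` the field will be re-calculated on changes" describes a data-integrity trap without stating the consequence: an evaluator who edits the text and leaves the suffix in place has the edit overwritten on the next recalculation. Say explicitly that removing the suffix pins a manual value, since the evaluation result is what ends up in the report.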
2 changes: 1 addition & 1 deletion docs/docs/user-guide/knowledge_base.md
Expand Up @@ -16,7 +16,7 @@ Each knowledge base article has:

Articles are linked to activities in two ways:

- **By MITRE technique**: When an activity is mapped to a MITRE technique, all knowledge base articles linked to that technique are automatically available in the activity's [Knowledge Base section](activities.md#knowledge-base).
- **By MITRE technique**: When an activity is mapped to a MITRE technique, all knowledge base articles linked to that technique are automatically available in the activity's knowledge base section.
- **By activity template**: [Activity templates](templates.md#activity-template) can reference specific knowledge base articles by name. When imported into an assessment, these links are carried over to the created activity — allowing templates to point to articles beyond just the MITRE technique mapping.

## Variables
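Review bot: replacing the link with plain text removes the dead anchor but also the navigation. If activities.md has no "Knowledge Base" heading (the activity header paragraph in this PR links to knowledge_base.md and `activities.md#activity-history`, not to a knowledge-base section), either add that heading and link to it or link the words to activities.md so the reader still has a path. The lowercase "knowledge base section" is also inconsistent with "Knowledge Base section" used elsewhere in these docs.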
4 changes: 2 additions & 2 deletions docs/docs/user-guide/user_preferences_and_ui.md
Expand Up @@ -33,7 +33,7 @@ RAPTR supports time-based one-time password (TOTP) multi-factor authentication f

You can use the **Reset MFA** function to delete the current OTP secret. You will be logged out and can generate a new OTP secret on your next login.

An Administrator can also reset a users MFA. See [Administration](administration.md#lucide-shield-x-reset-mfa) for more information.
An Administrator can also reset a users MFA. See [Administration](administration.md#reset-mfa) for more information.

??? bug "No optional MFA choice"
The current RAPTR setup only support global MFA enforcement. Either it is required or not. There is no option to enable or allow MFA on a per user basis.
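Review bot: "a users MFA" should be "a user's MFA" on the edited line, and "only support global MFA enforcement" should be "only supports". Beyond wording: both the self-service Reset MFA and the admin reset delete the OTP secret, and the roadmap in this PR still lists a redesign of the logging system to produce meaningful audit logs, so it is worth stating here whether an MFA reset currently leaves any audit trail, since an attacker holding an admin session could use it to weaken another user's login.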
Expand Down Expand Up @@ -62,7 +62,7 @@ Some views, such as the assessments list or activity list, support auto-refreshi
### Toggle UTC and Local Time

Toggle between UTC and local time using the :lucide-globe: icon in the top navigation bar. Your preference is saved locally in your browser. All times in RAPTR should display according to this setting.
You can overwride your browser local time zone in the [profile settings](user_preferences.md#timezone-and-date-format).
You can overwride your browser local time zone in the [profile settings](#timezone-and-date-format).

??? abstract "Toggle between UTC and local time"
[![Toggle between UTC and local time](../assets/ui-toggle-utc-local.gif "Toggle between UTC and local time")](../assets/ui-toggle-utc-local.gif){:target="_blank"}
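Review bot: "overwride" on the edited line should be "override". The paragraph also says the UTC/local preference is saved locally in the browser, while the linked profile setting lives in the profile; spell out that the toggle therefore does not follow the user across browsers or devices, so nobody mistakes a stale browser setting for a wrong server time zone when comparing timestamps in a report.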
4 changes: 2 additions & 2 deletions docs/docs/user-guide/visibility.md
Expand Up @@ -18,8 +18,8 @@ The visibility of an activity is inherited from its parent activity group. If an

Visibility can be changed in several ways:

- Toggle visiblity of activities and activity groups from the [activity table](activities.md#activity-views)
- Toggle visibility of activities in bulk from the [activity table](activities.md#activity-views)
- Toggle visiblity of activities and activity groups from the [activity table](activities.md#activity-table-views)
- Toggle visibility of activities in bulk from the [activity table](activities.md#activity-table-views)
- Toggle visiblity of activities and activity groups from the [coresponding form](activities.md#general-information)

??? abstract "Toggle visibility in table view"
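Review bot: "visiblity" appears twice in the edited lines and "coresponding" on the unchanged one; since the lines are being rewritten for the anchor change, fix the spelling too. The `#activity-table-views` anchor should be checked against the built page like the other renamed anchors in this PR.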