v8.0-milestone and trust-readiness release. Folds in the AiSOC missing
pieces — Phases 1–5 rollup (PR #337;
25 commits, 188 files, +23 743 / -907), four named v8.0 milestones (T3.7
NL→playbook, T3.8 design system v2, T4 wave-3 marketplace + 6 hardened
connectors, T5.3 fidelity loaders), the marketing-shell unification on
tryaisoc.com, the threat-actor attribution RBAC + port fix, and a large
Dependabot + security sweep that landed on main since v7.4.0.
Highlights
- AiSOC missing pieces — Phases 1–5 rollup
(PR #337). Closes every
item inplans/aisoc-missing-pieces/in a single landing: trust-critical
honesty fixes on/sovereign+ Features + README, CI matrix expanded to
7 previously-untested Python services (~971 new test signals), coverage
gates, real SOAR executors for SentinelOne EDR / PAN-OS / FortiGate /
Cloudflare WAF + DNS / Splunk ES / Elastic / MDE / Entra ID / Google
Workspace, realCreateTicketExecutorwired to Jira / ServiceNow /
PagerDuty, Azure/GCP/Okta/GWS effective-permissions resolvers, the
managed-mode auto-provision pipeline (infra/fly/managed/), CI-built
white-paper PDFs + 90 s Playwright screencast, the deterministic
NL → ES|QL / KQL / SPL translator (81-case eval at 100 % syntactic +
100 % semantic), real-browser visual regression, a buyer-journey E2E,
and four immutable ADRs (docs/decisions/0001-0004). - v8.0 milestones — design system, playbook generator, wave-3
connectors, fidelity loaders.
T3.7 NL → playbook generator
(PR #330);
T3.8 design system v2 + Storybook
(PR #331,
DraftFromPromptDialogstory restored in
PR #335,
Storybook publicDir conflict fixed in
PR #336);
T4 wave-3 marketplace scaffolding + six hardened connectors
(PR #333,
wave-1 parity hardening in
PR #328);
T5.3 AIT-LDS + MITRE Engenuity fidelity loaders
(PR #332). - Threat-actor attribution — port fix + optional RBAC. The
investigation agent defaultedAISOC_THREATINTEL_URLto
http://threatintel:8083, but the service binds 8005 — every
POST /api/v1/actors/attributefrom
services/agents/app/agents/investigation_agent.pytherefore hit a port
nothing listens on and silently degraded. Default corrected, docs +
AISOC_ATTRIBUTION_TIMEOUT_SECONDSaligned, regression test added
(PR #327). Same release
ships an opt-in shared-secret gate
(PR #329): when
AISOC_THREATINTEL_SERVICE_TOKENis set, every/api/v1/actors/*call
must presentAuthorization: Bearer <token>(constant-time compared,
401on mismatch); unset keeps the legacy unauthenticated behaviour
and logs a warning. Resolves the[#TODO-attribution-rbac]caveat in
docs/threat-actor-attribution.md. - Marketing-shell unification on
tryaisoc.com(QA wave, 2026-06-29).
Every/(marketing)page, plus the standalone/not-found,
/why-open-source, and/benchmarkroutes, now renders the same
StickyNav+sections/Footershell. The old simplerLandingNav.tsx
andlanding/Footer.tsxwere deleted; eleven marketing pages had their
per-page nav/footer JSX + imports removed;(marketing)/layout.tsx
centrally injects the shell;StickyNav's anchors were absolutised
(/#solution,/benchmark,/pricing) so they resolve identically
from the landing page and from any subpage. Folded together with the
smaller fixes from the same QA pass: branded/not-foundpage
(ISSUE-004),308 /signup → /dashboardfor the anonymous demo
(ISSUE-003),Testimonials"Become a reference partner" CTA
repointed from the 404'ing/partnersto/contact(ISSUE-002),
deadstatus.tryaisoc.comfooter link removed (ISSUE-005), and an
SSR-whitespace bug on/aboutthat rendered "the 69connectors"
fixed by forcing an explicit{' '}token (ISSUE-007). - Knowledge-base ingest — boundary-aware chunking with overlap
(PR #321, closes
#277). KB ingestion no
longer splits mid-sentence or mid-code-fence; the new chunker prefers
paragraph / sentence / code-block boundaries, applies a configurable
overlap so retrieval doesn't lose context across chunks, and keeps the
produced chunks within the embedding model's hard token budget. - Realtime — WS/SSE authenticated via short-lived tickets
(PR #246, closes
#239). The realtime
service's WebSocket and SSE endpoints previously accepted any
connection. They now require a short-lived signed ticket that the API
mints for the authenticated session, closing the unauthenticated
fan-out surface that lived betweenservices/realtimeandapps/web. apps/web— Create Case button wired on/alerts/{id}
(PR #294, closes
#293). The button on
alert detail rendered but did nothing; it now POSTs through the cases
endpoint and navigates to the new case workspace.- Infrastructure — Terraform CI + missing core modules. Terraform
workflow on everyinfra/terraform/**change
(PR #251) runs
terraform init -backend=false,terraform validate, and
terraform fmt -check -recursiveagainst the AWS, GCP, Azure, and
BYOC configurations; the three reusable modules the AWS and BYOC
references were already importing —rds,elasticache,kafka—
are now actually present ininfra/terraform/modules/
(PR #252) so a fresh
terraform initagainst the multi-cloud skeletons no longer errors on
missing sources. GCP sensitive-var taint cleared onfor_each
(PR #243); Azure
Terraform skeleton documented
(PR #247). - Dependency & CI maintenance. ~15 Dependabot upgrades across the
Python, JS, and Go services (FastAPI inservices/{api,actions,agents}
via #317,
#319,
#320;
next16.2.7 → 16.2.9 in
#323;
framer-motion11.18.2 → 12.40.0 in
#307;
cryptographyin
#301 /
#302; Goredis/go-redis
in #297 /
#298;
strawberry-graphqlin
#318;
actions/checkoutv6 → v7 in
#316; plus
@xyflow/react,@types/node,tsx,@tailwindcss/postcss); pnpm
audit high/critical findings cleared
(PR #322) so the dep-bump
PR queue could actually merge; a duplicate@mdx-js/reactkey that
was breakingpnpm installremoved
(PR #296);aiohttpbumped
to 3.14.1 to clear CVE-2026-34993 + CVE-2026-47265
(PR #295).
AiSOC missing pieces — Phases 1–5 (PR #337)
The largest single landing in this release. Twenty-five commits implement
the entire plans/aisoc-missing-pieces/ roadmap; nothing in the plan is
deferred.
Phase 1 — Trust-critical fixes (1.1–1.6): one build-time
generator + CI gate is now the only place the marquee connector count
lives; the hard-coded ★ 2.3k GitHub-stars badge was replaced with a
live shields.io endpoint; every SOC 2 / ISO 27001 / GDPR / DPDP claim
across /sovereign, Features.tsx, and README.md is now qualified
with the honest "controls aligned to" framing pending a Type I audit
(ADR-0002 below); seven 404'ing footer links and two pricing CTAs were
either stubbed, repointed to mailto:, or redirected to GitHub; the
real services/connectors/app/connectors/gitlab.py connector that the
marquee pill had been claiming was real now exists; and the /sovereign
Terraform deep-links route to the correct subdirectories per cloud, with
Azure added and the unsupported clouds struck.
Phase 2 — Operational readiness (2.1–2.6): the seven Python
services that were silently outside the CI matrix
(services/{ueba,honeytokens,purple-team,osquery-tls,connectors,actions, threatintel} in practice) are now included; the pytest and Vitest
configurations enforce a coverage floor via --cov-fail-under and the
Vitest coverage.thresholds; prometheus.yml no longer lists scrape
targets that don't exist (CI now gates against drift); Prometheus
alerting rules + Alertmanager container are wired in docker-compose.yml;
seven incident runbooks land under docs/runbooks/; and every FastAPI
service now exposes /livez (the process is up) and /readyz
(dependencies are reachable) separate from the existing /health.
Phase 3 — Real SOAR executors (3.1–3.5): the executor surface
stops being a façade. SentinelOne EDR has a real client
(services/actions/app/integrations/sentinelone.py) wired to
ContainHostExecutor; PAN-OS, FortiGate, Cloudflare WAF, and Cloudflare
DNS firewall each have a real client wired to the appropriate Block…
executor; AckAlertExecutor and SuppressAlertExecutor now talk to
Splunk Enterprise Security, Elastic Security, and Microsoft Defender for
Endpoint directly; Entra ID and Google Workspace are wired as real IdP
clients for DisableUserExecutor; and CreateTicketExecutor no longer
returns SIMULATED — it delegates to the existing Jira, ServiceNow, and
PagerDuty connectors.
Phase 4 — Larger build-out (4.1–4.8):
- 4.1 — Azure RBAC, GCP IAM, Okta, and Google Workspace
effective-permissions resolvers (closes T3.2). The investigation agent
can now answer "what can this principal actually do?" across all four
IdPs, not just AWS. - 4.2 — Managed-mode auto-provision pipeline (closes T6.1):
infra/fly/managed/+ a workflow that creates a fresh Fly tenant from
a push tomain, dry-run-safe (won't act withoutFLY_API_TOKEN). - 4.3 —
make papersbuilds the white-paper PDFs in CI, and a
Playwright project records a 90-second product screencast on demand. - 4.4 — Connector wave finished: Sysdig, Vault, Snowflake, and
Cloudflare Zero Trust manifests + docs. - 4.5 — Pluggable event-warehouse provider
(services/api/app/services/event_warehouse/) with Elasticsearch,
Splunk, and Chronicle implementations;croniter-backed hunt
scheduler (closes Milestone 1F). - 4.6 — Deterministic NL → ES|QL / KQL / SPL translator. 81-case
eval, 100 % syntactic, 100 % semantic — every output is parsed
through a grammar validator before return. - 4.7 — Real-browser visual regression: Playwright + Storybook,
pinned tomcr.microsoft.com/playwright:v1.49.0-jammy. First CI run
needs--update-snapshots. - 4.8 — Buyer-journey E2E covering
/alerts → Investigation Rail → /playbooksruns onpnpm e2e.
Phase 5 — Strategic decisions (5.1–5.4): four immutable ADRs.
0001-cyble-cti-moat.md retires
the Cyble-only CTI moat in favour of a pluggable MIT-compatible CTI
fusion layer; 0002-compliance-claims.md
fixes the "controls aligned to" framing until a Type I audit lands and
gates it on a concrete enterprise design partner;
0003-mssp-pricing-shape.md
keeps three public tiers, with MSSP getting its own narrative at
/mssp; 0004-live-demo-strategy.md
retires the Cloudflare Tunnel demo and provisions a dedicated managed-mode
tenant on Fly.io.
The Playwright projects (screencast, visual, journey) are gated by
PLAYWRIGHT_PROJECT so no project's webServer boots when another
runs. The four ADRs are immutable: future changes write a new ADR that
supersedes the old one.
v8.0 milestones — design system v2, NL→playbook, wave-3 connectors, fidelity loaders
T3.7 — NL → playbook generator
(PR #330). Operators can
type a runbook in English and the agent emits a structured playbook YAML
that fits the existing services/actions schema: graph of executors,
inputs, and conditionals, with the same JSON-schema validation the
console editor enforces. Backed by the same deterministic translator
substrate as Phase 4.6 so the output stays parsable when the LLM goes
sideways.
T3.8 — Design system v2 + Storybook
(PR #331). The console
finally has a single source of truth for tokens, primitives, and
composites. apps/web/src/components/ui/ is now organized as
tokens / primitives / patterns, every component renders in Storybook,
and the visual-regression CI gate from Phase 4.7 watches it.
DraftFromPromptDialog was momentarily lost during the migration and
restored in PR #335. The
Vite publicDir copy that broke the Storybook build under the new
config was disabled in PR
#336 so main CI stays
green.
T4 — Wave-3 marketplace scaffolding + six hardened connectors
(PR #333). The marketplace
registry gains the schema + tooling for the third connector wave; six
wave-2 connectors had their tests and fixtures hardened to wave-1 parity
in PR #328 so every
first-party connector ships with the same shape of negative-path
coverage.
T5.3 — AIT-LDS + MITRE Engenuity fidelity loaders
(PR #332).
Detection-fidelity scoring now ingests two canonical labelled datasets:
the AI-Threats Labelled Dataset and the MITRE Engenuity ATT&CK
evaluation set, both fronted by deterministic loaders so the
fidelity-score outputs are reproducible across CI runs.
Threat-actor attribution — port fix + RBAC
Two narrowly-scoped fixes that together close the only path by which the
investigation agent could silently degrade.
services/agents/app/agents/investigation_agent.py defaulted
AISOC_THREATINTEL_URL to http://threatintel:8083. The service binds
8005 in its Dockerfile, in docker-compose.yml, and in the README
service table — every POST /api/v1/actors/attribute call therefore hit
a port nothing listens on. The error path was soft-handled, so
attribution wasn't 500-ing; it was returning empty
attribution silently. PR #327
corrects the default to http://threatintel:8005, fixes the matching
docs/threat-actor-attribution.md references, raises the stale
AISOC_ATTRIBUTION_TIMEOUT_SECONDS default from 10 to 30, and adds
a regression test (services/agents/tests/test_attribution_service_url.py)
that pins the URL and timeout so this can't drift again.
PR #329 layers an opt-in
shared-secret gate on the actor-attribution router. When
AISOC_THREATINTEL_SERVICE_TOKEN is set, every /api/v1/actors/* call
must present Authorization: Bearer <token>; the comparison is
constant-time, 401 on mismatch. When the env var is unset, the
endpoints stay unauthenticated for backward compatibility and emit a
single startup warning so the operator knows the gate isn't on. The
investigation agent forwards the token via its own
AISOC_THREATINTEL_SERVICE_TOKEN. Resolves the
[#TODO-attribution-rbac] caveat in docs/threat-actor-attribution.md.
Marketing-shell unification on tryaisoc.com
Pre-7.5 the marketing surface was rendering two different navigation
components — the richer StickyNav on the landing page and the older
LandingNav everywhere else — and likewise two footers. Subpage visitors
saw a degraded nav with hash-only anchors that misbehaved (e.g. #pricing
on /about was a no-op rather than navigating to /pricing).
The unification (commit
77039a41):
apps/web/src/app/(marketing)/layout.tsxnow importsStickyNav
andsections/Footerand renders them around{children}. Every
page in the(marketing)route group is content-only.- Eleven marketing pages had their per-page nav/footer JSX + imports
removed — they now inherit from the layout. - The standalone routes (
not-found.tsx,why-open-source/page.tsx,
benchmark/page.tsx) — which live outside(marketing)and so
can't pick up its layout — importStickyNavandsections/Footer
directly. StickyNav'sNAV_LINKSwere absolutised so they work from any URL:
/#solution,/#pillars,/#connectors,/benchmark,/pricing,
docs/intro. The "Self-host" CTA points at/pricingfor the same
reason.apps/web/src/components/landing/LandingNav.tsxand
apps/web/src/components/landing/Footer.tsxwere deleted.
Bundled in the same QA wave:
ISSUE-002—Testimonials"Become a reference partner" CTA was
pointing at/partners, which 404s. Now goes to/contact.ISSUE-003—/signup308-redirects to/dashboard. The
anonymous demo dashboard is the signup flow; the old form-fronted
signup is gone.ISSUE-004—/not-foundis now a branded dark-theme page with
the unified shell and a "back to home" CTA, replacing Next's default.ISSUE-005— Removed the deadstatus.tryaisoc.comlink from
the footer.ISSUE-007—/aboutrendered "the 69connectors" because
React's JSX text-children whitespace rules drop the leading space of
a text segment that wraps right after a{expression}. Forced an
explicit{' '}token so the layout-quirk is immune to reflow.
Knowledge-base — boundary-aware chunking with overlap
PR #321 (closes
#277). The previous
chunker split on a flat character budget, which routinely produced
mid-sentence chunks and severed code fences. The new chunker walks the
document with paragraph → sentence → token precedence, applies an
overlap (default 64 tokens, configurable) so retrieval doesn't lose
context across chunks, and keeps every produced chunk under the
embedding model's hard token budget. Retrieval quality on the existing
KB ingestion fixtures improved without any model change.
Realtime — short-lived ticket auth on WS/SSE
PR #246 (closes
#239). The realtime
service previously accepted any WebSocket or SSE connection — there was
no way to assert which tenant a stream belonged to except via the
client's word for it. Connections now require a short-lived signed
ticket that the API issues to the authenticated session; the ticket
encodes the tenant and the subscription scope and expires after a small
window so a stolen ticket can't long-tail. Closes a multi-tenant
fan-out surface that had been live since the realtime service shipped.
Infrastructure — Terraform CI + missing core modules
PR #251 — every push that
touches infra/terraform/** now runs terraform init -backend=false,
terraform validate, and terraform fmt -check -recursive against the
AWS, GCP, Azure, and BYOC configurations. The same gates ran locally in
the v7.4.0 deploys; they're now actually enforced.
PR #252 — the AWS and BYOC
references in v7.4.0 imported infra/terraform/modules/rds,
modules/elasticache, and modules/kafka from sources that did not
exist in the repo. The three modules are now actually present, so a
fresh terraform init against the multi-cloud skeletons no longer
errors on a missing source. PR
#243 drops the
sensitive-var taint from for_each in the GCP module so the plan stays
clean. PR #247 documents
the Azure Terraform skeleton end-to-end in apps/docs/.
Dependency & CI maintenance
Around fifteen Dependabot landings since v7.4.0; the headline ones:
- FastAPI updated in
services/api,services/actions, and
services/agents(PRs
#317,
#319,
#320). next16.2.7 → 16.2.9 (PR
#323).framer-motion11.18.2 → 12.40.0 (PR
#307).cryptographyupdated inservices/apiandservices/actions
(PRs #301,
#302).redis/go-redis/v9updated inservices/enrichmentand
services/ingest(PRs
#297,
#298).strawberry-graphqlupdated inservices/api
(PR #318).actions/checkoutv6 → v7 across every workflow
(PR #316).aiohttp3.14.1 to clear CVE-2026-34993 + CVE-2026-47265
(PR #295).- pnpm audit cleared of all high/critical findings
(PR #322) so the dep-bump
queue could merge without the global gate failing on unrelated noise. pnpm-lock.yamlduplicate@mdx-js/reactkey fixed
(PR #296) — was breaking
pnpm installon fresh clones.- Other dev/test bumps:
@xyflow/react12.10.2 → 12.11.0
(PR #283),
@types/node20.19.39 → 25.9.2
(PR #285),
tsx4.22.1 → 4.22.4 (PR
#306),
@tailwindcss/postcss4.3.0 → 4.3.1 (PR
#305).
Docs
AISOC_V8_PROGRESS.mdtracker re-introduced
(PR #334) so the v8.0
milestone burn-down lives at the repo root again.AGENTS.mdupdated to record AiSOC (github.com/beenuar/AiSOC) as the
single source of truth — the olderAISOC-Cyblemirror is now
archived (PR #326;
archive-notice sync in PR
#325;plans/cyble-aisoc/
subtree merged for posterity in PR
#324).- Marketing-page docs links repointed at the Docusaurus site
(PR #245). - Connector pages — Vault → Auth0/Okta cross-links unbroken
(post-merge fix onmain). README.mdsynced to v7.4.0 ahead of this release
(PR #246).
Changed
VERSIONbumped 7.4.0 → 7.5.0.apps/web/package.jsonbumped 7.3.1 → 7.5.0. The web app's
package.jsonhad drifted fromVERSIONsince the v7.3.1 hotfix;
this release reconciles them.README.mdversion badge + headline updated to v7.5.0.
Migration notes
None required for users on v7.4.0 — every change in this release is
either additive (new endpoints, new env vars defaulting to safe
unauthenticated behaviour, new connectors and executors) or a pure bug
fix to existing behaviour. Specifically:
- The threat-actor attribution port fix changes a default — if you
had explicitly setAISOC_THREATINTEL_URLin your environment, it is
honoured unchanged. - The optional
AISOC_THREATINTEL_SERVICE_TOKENgate is off until you
set it. Set it on both theagentsandthreatintelservices to
turn the gate on. - The Realtime short-lived-ticket auth is enforced server-side; the
apps/webclient mints + refreshes tickets automatically against the
authenticated API session. No client work is required for in-tree
consumers; external SSE consumers must adopt the ticket flow. - The marketing-shell unification is a
tryaisoc.com-only change; it
doesn't touch the console attryaisoc.com/dashboardor any
product surface.