May
NG Production Release Update - APIsec_cloud_7.5.3.0 (May 22, 2026)
This release expands Postman-based onboarding and scan workflows with support for spec reloads via Postman URL and Gateway integrations, Postman Environment variable resolution, and new OAuth-focused security test categories for authorization code replay and open redirect detection.
The release also improves hosted agent resiliency, API token-based scan execution, and Postman variable resolution during endpoint discovery and parameter hydration. Additional fixes improve MySQL injection category accuracy, strengthen the reliability of OAuth parameter hydration, and include platform-wide security hardening updates.
What's New
Postman Collection — Spec Reload via URL and Postman Gateway
Applications can now reload Postman-based API specifications directly from a Postman URL or via the Postman Gateway integration, without requiring manual collection downloads. File upload support introduced previously remains available.
Users can now reload specs using:
- Postman URL — provide the Postman Collection ID and API key to fetch the latest collection directly from the Postman cloud
- Postman Gateway — reload collections through the configured Postman Gateway integration
- File Upload — continue uploading updated collection files manually
On-prem deployments continue to support only file-upload reloads.
Why this matters
- Simplifies keeping Postman-based applications synchronized with API changes
- Eliminates manual collection download and upload workflows
- Accelerates API inventory refresh and onboarding updates
Postman Environment Support
Postman Environment files are now supported for Postman-based applications, allowing {{variable}} placeholders to resolve into actual values during onboarding and scans.
Environment files can now be added:
- During application onboarding
- While adding a new instance
- From the Parameters Configuration page
- By replacing the environment before completing onboarding
Resolved values now appear in both the endpoint inventory and parameter configuration views. Multiple environments can coexist within the same application, with environment selection available per scan.
Why this matters
- Eliminates unresolved Postman variable placeholders during scans
- Improves scan accuracy and endpoint discovery
- Simplifies managing multiple deployment environments within a single application
New OAuth Security Test Categories
Two new OAuth-focused security test categories are now available for applications configured with custom OAuth 2.0 authorization code flows.
Authorization Code Replay
- Detects whether OAuth authorization codes can be reused after a successful token exchange, violating OAuth2 security requirements.
OAuth Open Redirect
- Detects improper validation of redirect_url values in OAuth authorization flows that may allow attacker-controlled redirects.
Both tests execute the application's full authentication chain end-to-end using the configured OAuth flow.
Why this matters
- Expands OAuth security coverage for authorization-code-based applications
- Detects authentication bypass and token replay vulnerabilities
- Validates real-world OAuth implementation security behavior
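As an added illustration (not APIsec's code and not the scanner's test logic), the server-side rules these two categories verify, written as a minimal OAuth 2.0 authorization server: a code is bound to one client and one exactly matched redirect URI, is single-use, and expires. Client registration is constructed; the parameter is redirect_uri in RFC 6749, which the release notes call redirect_url.

```python
# Added example, not APIsec's code: the server-side rules the two new test
# categories check, written as a minimal OAuth 2.0 authorization server.
# A code is bound to one client and one exact redirect URI, is single-use,
# and expires; the parameter is redirect_uri in RFC 6749 (the release notes
# call it redirect_url).
import secrets
import time

# Constructed client registration; a real server loads this from its database.
CLIENTS = {"web-app": {"redirect_uris": {"https://app.example.com/callback"}}}


class AuthServer:
    def __init__(self, code_ttl=600):
        self._codes = {}          # code -> {client_id, redirect_uri, issued_at, used}
        self._code_ttl = code_ttl

    def issue_code(self, client_id, redirect_uri):
        """Authorization endpoint: exact string match against registered URIs.

        Exact matching is what RFC 6749 and the OAuth Security BCP (RFC 9700)
        require; on a mismatch the server must not redirect anywhere at all.
        """
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "issued_at": time.time(), "used": False}
        return code

    def exchange_code(self, client_id, code, redirect_uri):
        """Token endpoint: reject unknown, mismatched, expired and replayed codes."""
        entry = self._codes.get(code)
        if entry is None:
            return {"error": "invalid_grant"}
        if entry["used"]:
            # Replay: RFC 6749 section 4.1.2 says a reused code MUST be denied and
            # the server SHOULD revoke tokens already issued for it.
            del self._codes[code]
            return {"error": "invalid_grant", "reason": "code_reused"}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant", "reason": "client_or_redirect_mismatch"}
        if time.time() - entry["issued_at"] > self._code_ttl:
            del self._codes[code]
            return {"error": "invalid_grant", "reason": "code_expired"}
        entry["used"] = True      # mark before issuing so a concurrent retry also fails
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```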
Immutable Docker Tags for Scan and Gate
The apisec/apisec-scan-and-gate Docker image is now published with immutable timestamp-based version tags in addition to latest.
Why this matters
- Supports CI/CD change-control requirements
- Enables reproducible pipeline executions
- Simplifies environment promotion and rollback workflows
Improvements
Scan Support for APIs Running on TLS 1.0 and TLS 1.1
APIsec can now successfully establish TLS handshakes and execute scans against API endpoints that support only legacy TLS 1.0 or 1.1.
Additional connection resiliency improvements include:
- Improved tolerance for connection shutdown events during scan execution
- Enhanced diagnostic reporting for exceptions that previously surfaced empty error messages
Why this matters
- Enables end-to-end security testing for APIs running legacy TLS configurations
- Improves scan resiliency during connectivity interruptions
- Provides clearer diagnostics for troubleshooting scan failures
Hosted Agent Management — Scan Execution Using API Tokens
Scans can now be invoked through private hosted agents using API Tokens (PATs) for authentication. Deployment templates for Docker Linux and Windows have also been refreshed.
Why this matters
- Simplifies CI/CD-based hosted-agent scan execution
- Expands automation flexibility using PAT authentication
- Improves deployment consistency across environments
Hosted Agent Management — Token Expiry Accuracy
Fixed token validity calculations for hosted agent tokens so that displayed expiry information now accurately reflects the actual remaining token lifetime.
Why this matters
- Improves visibility into token expiration timelines
- Helps teams rotate tokens proactively before expiry
- Prevents confusion caused by incorrect validity calculations
Postman Variable Resolution Improvements
Postman variable placeholders are now consistently resolved from collection variables, environment files, and request examples across endpoint inventory, scan execution, and AI-assisted parameter hydration.
Why this matters
- Improves consistency across Postman-based applications
- Ensures resolved endpoint and parameter values are used throughout the platform
- Enhances scan accuracy and parameter discovery workflows
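The resolution described in the Postman Environment Support and Postman Variable Resolution sections, as an added example (not APIsec's code): environment values override collection values, nested references are expanded, and anything still unresolved is reported rather than sent as a literal placeholder. The collection and environment fragments are constructed in Postman's export shape.

```python
# Added example, not APIsec's code: resolve Postman {{variable}} placeholders
# before a request is dispatched. Environment values override collection values
# (Postman's precedence), nested references such as a baseUrl built from other
# variables are expanded, and anything still unresolved is reported instead of
# being sent to the target as a literal "{{name}}".
import json
import re

PLACEHOLDER = re.compile(r"\{\{\s*([$A-Za-z0-9_.-]+)\s*\}\}")


def load_postman_vars(doc):
    """Flatten a collection's "variable" list or an environment's "values" list."""
    return {v["key"]: str(v.get("value", ""))
            for v in doc.get("values", doc.get("variable", []))
            if v.get("enabled", True) and not v.get("disabled", False)}


def resolve(text, collection_vars, env_vars, max_depth=10):
    """Return (resolved_text, sorted list of unresolved variable names)."""
    scope = {**collection_vars, **env_vars}      # environment wins on conflict
    unresolved = set()

    def sub(match):
        name = match.group(1)
        if name in scope:
            return scope[name]
        unresolved.add(name)
        return match.group(0)                    # keep it visible for reporting

    for _ in range(max_depth):
        expanded = PLACEHOLDER.sub(sub, text)
        if expanded == text:
            break
        text = expanded
    else:
        # Still changing after max_depth passes: self-referential variables.
        unresolved.update(PLACEHOLDER.findall(text))
    return text, sorted(unresolved)


# Constructed collection and environment fragments in Postman's export shape.
COLLECTION = json.loads('{"variable": [{"key": "baseUrl", "value": "{{scheme}}://{{host}}/v1"},'
                        ' {"key": "scheme", "value": "https"}, {"key": "host", "value": "api.example.com"}]}')
ENVIRONMENT = json.loads('{"values": [{"key": "host", "value": "staging.example.com", "enabled": true},'
                         ' {"key": "userId", "value": "42", "enabled": true},'
                         ' {"key": "token", "value": "unused", "enabled": false}]}')


def resolve_request_url(url):
    return resolve(url, load_postman_vars(COLLECTION), load_postman_vars(ENVIRONMENT))
```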
Issue Fixes
1. MySQL Injection Category Display and Execution
Issue
- MySQL Injection scans were displayed and executed as generic SQL Injection tests, resulting in incorrect category visibility and duplicate-dispatch behavior during scans.
Fix
- MySQL Injection now executes and is displayed as a dedicated category, with MySQL-specific timing strategies and correct scan labeling.
Impact
- MySQL Injection scans now display correctly throughout scan workflows
- Prevents duplicate execution behavior between SQL and MySQL injection categories
- Improves category-level scan visibility and reporting accuracy
2. AI-Assisted Parameter Hydration — Postman OAuth Placement
Issue
- Re-Discover Parameters failed in Postman-based applications using OAuth2 credentials configured with query-parameter token placement.
Fix
- OAuth placement values are now normalized correctly during Postman auth extraction, and invalid placement values now surface as actionable auth-resolution errors instead of validation crashes.
Impact
- Restores parameter discovery for affected Postman OAuth applications
- Improves the reliability of AI-assisted parameter hydration workflows
- Provides clearer diagnostics for malformed authentication configurations
NG Production Release Update - APIsec_cloud_7.5.2.0 (May 15, 2026)
This release introduces a new Dashboard with role-aware visibility and guided onboarding, along with Postman Collection reload, Django support in Code Bolt, editable Business Unit/Team names, and locale-aware date formatting. Reliability and diagnostics also improve across hosted agents, gateway integrations, SwaggerHub onboarding, and Guided Actions.
Introducing Dashboard
The new Dashboard is now available from the main navigation, providing centralized visibility into application security posture and compliance status. It supports role-aware views for ADMIN, USER, and VIEWER/Auditor roles, with data scoped by access level. VIEWER/Auditor roles get tenant-wide compliance visibility via the Security Policy Applications view without requiring direct application assignment. A guided onboarding tour is included for first-time users.
Why this matters
- Centralized visibility into application health and compliance
- Tenant-wide compliance review for audit and governance teams without operational access
- Guided navigation for first-time users
Coming Next
- An Onboarding Health view alongside security posture and compliance, surfacing how completely each application is onboarded and where attention is needed to move it forward. Includes an Onboarding Score quantifying completeness across key milestones, so stalled applications and next actions are immediately visible.
Spec Reload Using Postman Collections
Applications can now reload their API specification using an updated Postman Collection file, regardless of whether they were originally registered using OpenAPI (OAS) or Postman Collection format.
Why this matters
- Simplifies keeping API definitions in sync with Postman collections
- Eliminates the need to recreate applications when collections change
- Improves visibility into specification refresh activity
Note: Reloading Postman Collections via a URL or Gateway integration isn't supported yet and will be added in a future release.
Editable Business Unit and Team Names
Administrators can now rename Business Units and Teams directly from Team Management.
Why this matters
- Simplifies organizational updates and restructuring
- Reduces the need to recreate teams or business units for naming changes
- Improves flexibility when managing large organizations
Code Bolt — Django Framework Support
Code Bolt now supports Django, expanding coverage for Python-based applications and APIs.
Why this matters
- Enables automated onboarding and analysis for Django applications
- Expands framework compatibility for Code Bolt users
- Simplifies API discovery for Python environments
Issue Fixes
Private Hosted Agent Visibility in Scan Details
- Issue: Private hosted agents created by ROLE_USER users were not visible in the Scan Details page, making it difficult to identify which execution environment was used for a scan.
- Fix: Private-hosted agents are now visible on the Scan Details page while maintaining existing ownership and access restrictions.
Impact
- Improves visibility into scan execution environments
- Preserves secure ownership boundaries for privately managed agents
- Hosted agents created by administrators remain shared across the organization
Postman Gateway Integration — Collection Registration
- Issue: Applications imported from Postman Gateway integrations failed to register and displayed a generic "Something went wrong" error.
- Fix: Resolved the registration issue affecting Postman workspace imports.
Impact
- Improves the reliability of Postman workspace onboarding
- Applications now register successfully from connected Postman workspaces
SwaggerHub Integration — Project API Loading
- Issue: Selecting a SwaggerHub project caused the APIs table to fail loading with an internal server error.
- Fix: Resolved the project-loading issue affecting SwaggerHub integrations.
Impact
- Restores reliable API loading from SwaggerHub projects
- Improves the stability of SwaggerHub integrations
Improved Reachability Error Reporting
- Issue: Some endpoints returned a generic “Internal APIsec error during test execution” message when connectivity, DNS, TLS, or timeout issues prevented successful communication with the target environment.
- Fix:
- Scan results now surface specific network and connectivity errors directly in test execution results instead of displaying a generic internal error.
- Timeout handling was also improved to provide additional time for slower responses before marking requests as failed prematurely.
Impact
- Simplifies troubleshooting for connectivity issues
- Provides clearer diagnostics during scan failures
- Reduces ambiguity in hosted agent troubleshooting
Locale-Aware Date and Time Formatting
- Issue: Dates and timestamps were displayed in a fixed UTC format regardless of the user's locale or time zone.
- Fix: Date and time formatting now automatically adapts to the user’s browser locale and timezone settings.
Impact
- Improves readability across global regions
- Displays timestamps using local date/time conventions
- Eliminates inconsistencies caused by UTC-only formatting
Guided Actions — Authentication Status Display
- Issue: The Guided Actions Scanned pill incorrectly displayed “No Credentials are configured” even when valid authentication credentials existed.
- Fix: Resolved the authentication state validation issue in Guided Actions.
Impact
- Authentication status now reflects the actual configuration state
- Reduces confusion during scan workflows
- Improves the reliability of Guided Actions recommendations
NG Production Release Update - APIsec_cloud_7.5.1.1 (May 08, 2026)
Applications Page Handling for PLG Users
Improved handling of team membership checks when loading the Applications page for PLG (Product-Led Growth) users. Users without team associations are now handled gracefully.
Impact
- Improved reliability and user experience for tenants without team structures.
NG Production Release Update - APIsec_cloud_7.5.1.0 (May 05, 2026)
This release improves integration, visibility, and usability across the platform. Key updates include in-product CI/CD script generation, scan source tracking for better auditability, and redesigned Team Management and Applications pages for more efficient access and prioritization. The Guided Actions panel helps users quickly understand application health and take targeted actions such as configuring authentication, improving coverage, and addressing findings, while TLS version detection enhances security by identifying outdated configurations.
SSL/TLS Version Detection
APIsec now detects deprecated TLS versions (TLS 1.0 and 1.1) and reports them with supporting evidence, including the negotiated cipher suite. This applies to both cloud and hosted agent scans.
Why this matters
- Identifies outdated and insecure configurations
- Helps enforce modern security standards
- Improves visibility into transport-layer risks
Parameter Hydration — Custom Authentication Support and Reliability
The parameter hydration agent now supports applications with custom authentication and includes additional resiliency for applications using static API keys. This ensures parameters are discovered and processed reliably without failures across different authentication setups.
Why this matters
- Enables consistent parameter discovery for APIs using custom authentication and API keys
- Reduces hydration failures, improving overall scan coverage
- Improves reliability and performance for large and complex applications
CI/CD Integration — Script Generation in the UI
You can now generate CI/CD pipeline scripts directly from the Application page. Select your pipeline type (GitHub Actions, GitLab CI, Jenkins) and copy a ready-to-use script with pre-filled Application and Instance IDs. CI/CD setup instructions are also available from the Integrations page.
Why this matters
- Simplifies pipeline integration setup
- Eliminates manual configuration errors
- Speeds up CI/CD onboarding
Scan Source Tracking
Scan History now shows how each scan was triggered (Manual, Scheduled, or CI/CD).
Why this matters
- Improves the auditability of scan activity
- Distinguishes automated vs manual scans
- Helps track CI/CD-driven testing
Guided Actions Panel
A new Guided Actions panel provides a health score, real-time status indicators, and contextual recommendations based on the application's current state. Users can quickly identify issues across authentication, configuration, coverage, and findings, and navigate directly to the relevant areas.
Why this matters
- Highlights what needs attention across key areas in one place
- Provides actionable recommendations based on the current state
- Reduces time spent navigating and diagnosing issues
Applications Home Page Redesign
The Applications page now includes risk scoring, advanced filtering, and improved visibility into application status.
Why this matters
- Quickly identify high-risk or untested applications
- Simplify filtering and prioritization
- Improve visibility into team ownership and risk
New Team Management Experience
Team Management has been redesigned into a unified workspace with improved usability and performance.
Why this matters
- Simplifies management of teams, users, and business units
- Reduces navigation overhead
- Improves responsiveness and usability
Team Management — Application Assignment
You can now assign and manage applications directly within the Team Management view.
Why this matters
- Eliminates the need to navigate to individual applications
- Centralizes access management
- Speeds up onboarding and team configuration
Quick Start Authentication (Paste Token)
You can now run scans by pasting a bearer token directly into the configuration—no setup required.
Why this matters
- Speeds up onboarding for secured APIs
- Reduces configuration effort
- Enables quick validation workflows
Register Applications Using Burp Proxy XML
We have extended non-OAS onboarding to support Burp Proxy XML exports. You can now register applications using traffic captured in Burp, enabling onboarding when API specifications aren't available. APIsec parses the Burp XML, converts it into an OpenAPI Specification (OAS), and extracts the environment base URL during registration. You can review and update the base URL before completing setup. Once registered, the generated OAS is available for download, allowing you to refine or extend it and reload the updated specification as needed.
Why this matters
- Expands onboarding support for APIs without existing specifications
- Leverages Burp captures to quickly bring APIs into testing
- Reduces dependency on formal API documentation
- Provides flexibility to refine and reuse the generated API specification
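The conversion described above, as an added example that is not APIsec's converter: a Burp Proxy history XML export is turned into a minimal OpenAPI 3.0 document and the environment base URL is extracted. The export is constructed with Burp's element names, and treating every all-digit path segment as a path parameter is this example's own heuristic.

```python
# Added example, not APIsec's converter: build a minimal OpenAPI 3.0 document
# from a Burp Proxy history XML export and extract the environment base URL,
# the two registration steps described above. Treating every all-digit path
# segment as a path parameter ({id1}, {id2}, ...) is this example's own heuristic.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed export using Burp's "Save items" element names (other fields trimmed).
BURP_XML = """<items>
  <item><url><![CDATA[https://api.example.com/v1/users/42?verbose=1]]></url>
        <method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[https://api.example.com/v1/users/7/orders/9001]]></url>
        <method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[https://api.example.com/v1/users]]></url>
        <method><![CDATA[POST]]></method></item>
  <item><url><![CDATA[https://cdn.example.net/static/app.js]]></url>
        <method><![CDATA[GET]]></method></item>
</items>"""

def _template(path):
    """Return (path template, path parameter names) for one captured path."""
    segs, names = [], []
    for seg in path.split("/"):
        if seg.isdigit():
            names.append(f"id{len(names) + 1}")
            seg = "{" + names[-1] + "}"
        segs.append(seg)
    return "/".join(segs), names

def burp_to_oas(xml_text):
    """Return (base_url, oas_dict); paths captured from other origins are left out."""
    by_origin, hits = {}, {}
    for item in ET.fromstring(xml_text).iter("item"):
        url = urlsplit(item.findtext("url", "").strip())
        method = item.findtext("method", "GET").strip().lower()
        origin = f"{url.scheme}://{url.netloc}"
        hits[origin] = hits.get(origin, 0) + 1
        template, path_params = _template(url.path)
        op = by_origin.setdefault(origin, {}).setdefault(template, {}).setdefault(
            method, {"parameters": [], "responses": {"200": {"description": "Captured by Burp"}}})
        seen = {(p["in"], p["name"]) for p in op["parameters"]}
        wanted = [("path", n) for n in path_params]
        wanted += [("query", n) for n, _ in parse_qsl(url.query, keep_blank_values=True)]
        for where, name in wanted:
            if (where, name) not in seen:       # merge repeated captures of one endpoint
                seen.add((where, name))
                op["parameters"].append({"name": name, "in": where, "required": where == "path",
                                         "schema": {"type": "string"}})
    # The most frequently captured origin is proposed as the base URL; the release
    # notes say users can review and change it before finishing registration.
    base_url = max(hits, key=hits.get)
    oas = {"openapi": "3.0.3", "info": {"title": "Imported from Burp Proxy", "version": "1.0"},
           "servers": [{"url": base_url}], "paths": by_origin[base_url]}
    return base_url, oas
```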