April 2026
Dashboard
- Unified install flow with Linux beta: A new shared install component across onboarding, the Getting Started page, and the Agents page. Linux users now get a first-class path with a shell installer plus
.deb,.rpm, and tarball downloads per architecture (labelled Linux (Beta)). macOS keeps the.dmgas the primary CTA. The shell snippet is pre-filled withTUREN_REGISTRATION_KEY=…when a key is available, so it’s one paste to install and register. A new “all platforms” disclosure lists every binary format the platform ships. - Code Quality Trend replaces Detection Confidence card: The SAST dashboard’s “Detection Confidence” card conflated finding volume with confidence distribution and was easy to misread. It’s been replaced with a clearer trend view of blocked vs. warned findings over time.
- Removed entropy-detection UI: Entropy detection is no longer a live secret-scanning mode in the agent, so the related toggles and indicators have been removed from the dashboard. Pattern-based detection for AWS keys, Stripe, GitHub PATs, private keys, and other high-confidence formats remains fully active.
API
- Slowloris protection: API server now enforces
IdleTimeoutandReadHeaderTimeouton incoming requests, closing slow-header and slow-read attack vectors against customer-facing endpoints. - Trial auto-cancel when no payment method: If a free-trial subscription reaches its end date with no payment method on file, the subscription is now cancelled cleanly instead of attempting a failing charge. You retain read-only access and can upgrade at any time.
GET /api/v1/agent-versionssupports?limit=N: The agent-versions list endpoint now accepts an optionallimitquery param (clamped to a max of 100), combinable with the existingchannelfilter. Existing callers without a limit are unaffected.
Agent
See the full agent release notes for per-version detail. April highlights:- Linux support (GA): Turen agent now runs on Ubuntu/Debian and RHEL/CentOS/Fedora on both x86_64 and arm64, with auto-updates and rollback matching macOS. Shipped in
v0.1.44. - Windows 11 support (GA): Turen agent now runs on Windows 11 on both amd64 and arm64, installed via an Authenticode-signed
.msiand registered as a Windows Service. Claude Code hooks fire on both Bash and PowerShell, and auto-updates work in place with rollback. Shipped inv0.2.0. - Self-correcting Batou suppressions: AI coding agents can resolve Batou false positives inline with a
batou:ignore <RULE> -- <reason>comment instead of pausing to ask. Bare directives (no reason) still flag for human review. Shipped inv0.1.45. - Fewer Batou false positives: Multi-line Python suppressions match the correct line, trailing inline directives no longer extend suppression to unrelated code, and Python CLI scripts are downgraded from blocking to hint-level. Shipped in
v0.1.45. - Broader Batou taint coverage: New sinks and sources across 13 languages, including HTTP-client SSRF (Java), GraphQL resolver contexts (Java, Rust), async SQL drivers (Python), archive extraction / Zip Slip (JavaScript), SSH command exec (C++), and more.
March 2026
Batou SAST
- Real-time code scanning: Batou, Turen’s static analysis engine, scans code in real time as agents write it. Findings are surfaced inline with confidence scores and CWE classification.
- Confidence-based blocking: Blocking presets now use confidence tiers instead of severity, giving you clearer control over what gets blocked vs. warned. Configure presets from the SAST tab in Software Security.
- Finding lifecycle tracking: Every finding now tracks its lifecycle status: Active, Fixed, Suppressed, or Blocked. The Issue Resolution view shows how findings are resolved over time.
- Redesigned SAST dashboard: Scan Activity (lines scanned, avg scan time), Detection Confidence distribution, Top Active Risks, Vulnerability Categories (CWE breakdown), and Issue Resolution charts.
- Inline suppression: Developers can suppress false positives with
// batou:ignore RULE-IDcomments. Suppressed findings are tracked in the dashboard with their reason. - Rule management: Disable individual SAST rules per-org from the dashboard.
Security
- Malware detection: PIA now identifies malware advisories (MAL-*) and automatically escalates them to CRITICAL severity (CVSS 10.0). Malware status is surfaced in the API response and dashboard.
- Password reset: Users can now reset their password via email from the sign-in page. MFA-enabled users are prompted for their TOTP code during the reset flow.
- Multiple security hardening fixes across session replay, skill uploads, policy management, and invitation handling.
Billing & Subscriptions
- Free trial at signup: New organizations automatically start with a 14-day free trial of the Teams plan. No credit card required to get started.
- Billing enforcement: Organizations with expired trials or canceled subscriptions are prompted to upgrade. Active trials and paid subscriptions continue uninterrupted.
- Promo codes: Promotion codes can now be applied during Stripe checkout.
- Plan upgrades: Solo plan users can upgrade to Teams directly from the billing page.
- Trial fix: New organizations on the free trial now correctly have SAST and custom skills enabled from the start.
Dashboard
- Feature gating by plan: SAST, custom skills, and custom rules are now gated by billing tier. Teams plan users get full access; Solo plan users see upgrade prompts.
- Package allowlist & blocklist: Manage allowed and blocked packages directly from the Events page. Block suspicious packages with one click.
- Interactive LLM analytics: The LLM dashboard is now fully interactive with clickable charts and deep-linked filters.
- Activity heatmap: Redesigned activity-by-hour heatmap with dynamic labels and a stats summary row.
- Improved onboarding: Redesigned onboarding page with trial-aware flow showing days remaining and clear upgrade paths. Onboarding completion is now persisted server-side.
- Better policy validation: Scorecard score inputs now validate properly, and the Save button is disabled when values are invalid.
- Invite flow: Redesigned authentication pages to support team invitation workflows.
- GitHub skill import: Import custom skills directly from a GitHub repository URL.
- Agent download from dashboard: The Devices page now shows a download button with the latest agent version, always pointing to the current release.
- Blocked scan visibility: Blocked scans now show all findings including any that were later suppressed, so you can see exactly what triggered the block.
- Documentation links: Quick links to documentation and help are now available in the sidebar.
- Cleaner SAST findings: Removed redundant severity badges from individual findings. Lifecycle labels (Fixed, Suppressed) are still shown.
- Multi-platform agent downloads: The agent download button now supports per-platform download links (macOS DMG, Linux tarballs).
Session Replay
- Faster session loading: Session content now streams with parallel chunk fetching, ETag caching, and content tickets for reduced latency on large sessions.
- Session reconciliation: Agents now reconcile session upload state on checkin, ensuring no sessions are lost if uploads are interrupted.
- Time range filter fix: Dashboard charts and session stats now correctly respect the selected time range. Previously, some views could show all-time data regardless of the filter.
- Date range filter: Filter sessions by a specific date range using the new “Between” filter with start and end date pickers.
- Subagent visibility: Subagent sessions now appear in the replay list. You can expand a parent session to see its subagents, and hour filters match across both parent and subagent sessions.
- Heatmap improvements: Clicking an hour on the activity heatmap now filters in place instead of navigating away, preserving your other active filters.
Agent & CLI
- Automatic updates with rollback: The agent now updates itself automatically when a new version is available. If an update fails, it rolls back to the previous working version: no manual reinstall required.
- Update channel settings: Admins can choose a release channel (production, beta, alpha), set a version offset to stay a few versions behind latest, or pin to a specific version. Configure from Platform Settings > Device Settings.
- Curated skills: Agents now receive curated skill manifests alongside custom skills during sync.
- Faster event ingestion: CLI and security events now use batch inserts for improved throughput.
- Better UTF-8 handling: Session first-prompt previews are now safely truncated at character boundaries, preventing garbled text.
- Billing enforcement for agents: Registration and session uploads now respect organization plan limits.
Package Intelligence (PIA)
- Malware detection: Packages with known malware advisories are flagged with
has_malware: trueand escalated to CRITICAL severity. - Version range support: PIA now resolves version range specifiers (e.g.,
^1.2.0,>=2.0) to concrete versions via deps.dev, improving vulnerability and license accuracy. - Reduced log noise: Expected not-found responses from upstream APIs are no longer logged as warnings.