March 2026

Batou SAST

  • Real-time code scanning — Batou, Turen’s static analysis engine, scans code in real time as agents write it. Findings are surfaced inline with confidence scores and CWE classification.
  • Confidence-based blocking — Blocking presets now use confidence tiers instead of severity, giving you clearer control over what gets blocked vs. warned. Configure presets from the SAST tab in Software Security.
  • Finding lifecycle tracking — Every finding now tracks its lifecycle status: Active, Fixed, Suppressed, or Blocked. The Issue Resolution view shows how findings are resolved over time.
  • Redesigned SAST dashboard — Scan Activity (lines scanned, avg scan time), Detection Confidence distribution, Top Active Risks, Vulnerability Categories (CWE breakdown), and Issue Resolution charts.
  • Inline suppression — Developers can suppress false positives with // batou:ignore RULE-ID comments. Suppressed findings are tracked in the dashboard with their reason.
  • Rule management — Disable individual SAST rules per-org from the dashboard.

Security

  • Malware detection — PIA now identifies malware advisories (MAL-*) and automatically escalates them to CRITICAL severity (CVSS 10.0). Malware status is surfaced in the API response and dashboard.
  • Password reset — Users can now reset their password via email from the sign-in page. MFA-enabled users are prompted for their TOTP code during the reset flow.
  • Multiple security hardening fixes across session replay, skill uploads, policy management, and invitation handling.

Billing & Subscriptions

  • Free trial at signup — New organizations automatically start with a 14-day free trial of the Teams plan. No credit card required to get started.
  • Billing enforcement — Organizations with expired trials or canceled subscriptions are prompted to upgrade. Active trials and paid subscriptions continue uninterrupted.
  • Promo codes — Promotion codes can now be applied during Stripe checkout.
  • Plan upgrades — Solo plan users can upgrade to Teams directly from the billing page.
  • Trial fix — New organizations on the free trial now correctly have SAST and custom skills enabled from the start.

Dashboard

  • Feature gating by plan — SAST, custom skills, and custom rules are now gated by billing tier. Teams plan users get full access; Solo plan users see upgrade prompts.
  • Package allowlist & blocklist — Manage allowed and blocked packages directly from the Events page. Block suspicious packages with one click.
  • Interactive LLM analytics — The LLM dashboard is now fully interactive with clickable charts and deep-linked filters.
  • Activity heatmap — Redesigned activity-by-hour heatmap with dynamic labels and a stats summary row.
  • Improved onboarding — Redesigned onboarding page with trial-aware flow showing days remaining and clear upgrade paths. Onboarding completion is now persisted server-side.
  • Better policy validation — Scorecard score inputs now validate properly, and the Save button is disabled when values are invalid.
  • Invite flow — Redesigned authentication pages to support team invitation workflows.
  • GitHub skill import — Import custom skills directly from a GitHub repository URL.
  • Agent download from dashboard — The Devices page now shows a download button with the latest agent version, always pointing to the current release.
  • Blocked scan visibility — Blocked scans now show all findings including any that were later suppressed, so you can see exactly what triggered the block.
  • Documentation links — Quick links to documentation and help are now available in the sidebar.
  • Cleaner SAST findings — Removed redundant severity badges from individual findings. Lifecycle labels (Fixed, Suppressed) are still shown.
  • Multi-platform agent downloads — The agent download button now supports per-platform download links (macOS DMG, Linux tarballs).

Session Replay

  • Faster session loading — Session content now streams with parallel chunk fetching, ETag caching, and content tickets for reduced latency on large sessions.
  • Session reconciliation — Agents now reconcile session upload state on checkin, ensuring no sessions are lost if uploads are interrupted.
  • Time range filter fix — Dashboard charts and session stats now correctly respect the selected time range. Previously, some views could show all-time data regardless of the filter.
  • Date range filter — Filter sessions by a specific date range using the new “Between” filter with start and end date pickers.
  • Subagent visibility — Subagent sessions now appear in the replay list. You can expand a parent session to see its subagents, and hour filters match across both parent and subagent sessions.
  • Heatmap improvements — Clicking an hour on the activity heatmap now filters in place instead of navigating away, preserving your other active filters.

Agent & CLI

  • Automatic updates with rollback — The agent now updates itself automatically when a new version is available. If an update fails, it rolls back to the previous working version — no manual reinstall required.
  • Update channel settings — Admins can choose a release channel (production, beta, alpha), set a version offset to stay a few versions behind latest, or pin to a specific version. Configure from Platform Settings > Device Settings.
  • Curated skills — Agents now receive curated skill manifests alongside custom skills during sync.
  • Faster event ingestion — CLI and security events now use batch inserts for improved throughput.
  • Better UTF-8 handling — Session first-prompt previews are now safely truncated at character boundaries, preventing garbled text.
  • Billing enforcement for agents — Registration and session uploads now respect organization plan limits.

Package Intelligence (PIA)

  • Malware detection — Packages with known malware advisories are flagged with has_malware: true and escalated to CRITICAL severity.
  • Version range support — PIA now resolves version range specifiers (e.g., ^1.2.0, >=2.0) to concrete versions via deps.dev, improving vulnerability and license accuracy.
  • Reduced log noise — Expected not-found responses from upstream APIs are no longer logged as warnings.
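
The malware and version-range items above, sketched as an added example (not Turen's or PIA's code): a range specifier is resolved to a concrete version first, then the MAL-* escalation is applied to that version's advisories. Assumptions: npm-style caret semantics, "highest published match" as the resolution rule, a constructed version list standing in for the deps.dev lookup, and constructed advisory ids and result fields other than has_malware.

```python
import re

# Constructed sample data for a hypothetical package; a real resolver
# would obtain the published versions and advisories from upstream APIs.
PUBLISHED = ["1.1.9", "1.2.0", "1.4.2", "2.0.0", "2.1.0"]
ADVISORIES = {  # concrete version -> advisory ids (placeholder ids)
    "1.4.2": ["MAL-0000-0001"],
    "2.1.0": ["GHSA-xxxx-xxxx-xxxx"],
}

def parse(version):
    """'2.0' -> (2, 0, 0); missing components default to zero."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def bounds(spec):
    """Return (lower_inclusive, upper_exclusive or None) for a specifier."""
    m = re.fullmatch(r"\s*(\^|>=)\s*(\d+(?:\.\d+){0,2})\s*", spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    low = parse(m.group(2))
    if m.group(1) == ">=":
        return low, None
    # Caret: bump the leftmost non-zero component that was written,
    # or the last written component if all of them are zero.
    given = [int(p) for p in m.group(2).split(".")]
    i = next((k for k, p in enumerate(given) if p), len(given) - 1)
    upper = given[:i] + [given[i] + 1]
    return low, tuple(upper + [0] * (3 - len(upper)))

def resolve(spec, published=PUBLISHED):
    """Highest published version satisfying spec, or None if none does."""
    low, high = bounds(spec)
    ok = [v for v in published
          if parse(v) >= low and (high is None or parse(v) < high)]
    return max(ok, key=parse) if ok else None

def assess(spec):
    """Resolve the range, then escalate if any advisory id is MAL-*."""
    version = resolve(spec)
    ids = ADVISORIES.get(version, [])
    has_malware = any(i.startswith("MAL-") for i in ids)
    result = {"version": version, "advisories": ids, "has_malware": has_malware}
    if has_malware:  # a malware advisory overrides any other score
        result.update(severity="CRITICAL", cvss=10.0)
    return result
```

Matching advisories against the raw string `^1.2.0` would miss the entry recorded for 1.4.2, which is why resolution has to happen before the lookup.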