
April 2025

Feature Highlights

EPSS v4 Integration

Description:
Aptori now integrates EPSS version 4 (Exploit Prediction Scoring System) to deliver data-driven vulnerability prioritization. EPSS estimates the probability that a given CVE will be exploited in the wild within the next 30 days; each issue is updated with the latest EPSS score, helping teams focus remediation on the vulnerabilities most likely to be exploited. By combining Aptori's contextual analysis with EPSS threat intelligence, security teams can make more informed decisions and spend less time on low-risk findings.

EPSS scores are continuously refreshed, ensuring your risk assessments stay current as threat landscapes evolve.

Where to Find It:
EPSS scores are displayed directly in the Issue Details view and are included in exports and reports. Learn more about EPSS v4 and how it enhances vulnerability management in our blog post.

Who Can Use It:
Available to all users with access to issue data and reports.

Compliance Standards Mapping

Description:
Aptori now delivers comprehensive vulnerability mapping across a broad range of industry standards, compliance frameworks, and attack taxonomies—helping security and compliance teams prioritize remediation, accelerate audits, and understand threat context more effectively. With this enhancement, every reported issue is automatically mapped to the most relevant frameworks, offering deeper insight into both technical risk and regulatory impact.

This unified mapping ensures that teams not only see what’s wrong, but also understand why it matters, where it’s exploitable, and how it aligns with compliance mandates.

What’s Included:

  • OWASP Top 10 – Categorizes issues by the most critical web application risks
  • OWASP API Top 10 – Categorizes issues by the most critical API-specific risks
  • MITRE CWE Top 25 – Identifies issues by the most dangerous common software weaknesses
  • NIST Frameworks – Maps to controls in NIST SP 800-53 and the NIST Cybersecurity Framework (CSF)
  • HITRUST CSF – Aligns with security requirements for healthcare and regulated industries
  • HIPAA Security Rule – Maps technical issues to required administrative and technical safeguards
  • PCI DSS – Connects vulnerabilities to payment card industry security requirements
  • CAPEC – Links each issue to known attack patterns, describing how the weakness is exploited

Where to Find It:
Compliance and taxonomy mappings are displayed directly in the Issue Details view, and included in exports, reports, and integrations with tools like Jira and GitLab.

Who Can Use It:
Available to all users with access to issue and compliance data.

Jira Multi-Server Support

Description:
Aptori now supports integration with multiple Jira servers, enabling organizations to manage cross-team and multi-instance workflows more effectively. Users can configure several Jira server connections within the platform and map individual Aptori projects to their corresponding Jira projects, ensuring seamless issue tracking across diverse teams and environments.

This feature is particularly useful for large enterprises or teams operating in complex, multi-Jira environments, allowing centralized security findings to be synchronized with the appropriate issue tracking systems.

Where to Find It:

  • Organization Owners can configure multiple Jira servers under Settings → Organization → Jira Servers
  • Project mappings can be managed within each Aptori project by selecting the associated Jira server and target Jira project

Who Can Use It:

  • Organization Owners can add and manage Jira server configurations
  • Organization and Group Owners, as well as Group Maintainers, can manage Jira-to-Aptori project mappings

Policy Editor

Description:
The new Policy Editor enables users to create, manage, and apply custom security policies written in Rego, the policy language of Open Policy Agent. These policies extend the Aptori Sift engine by allowing organizations to define rules tailored to their own security, compliance, or coding standards. Once authored, the policies are stored in the Aptori platform and can be fetched dynamically and included in Sift configurations, so that all relevant custom checks run during CI.

This feature empowers teams to enforce organization-specific rules, detect violations beyond built-in analyzers, and scale policy-driven security testing across the SDLC.

Where to Find It:
Accessible in the Aptori platform under Policies. Policies can be linked into Sift configurations via the policy_evaluator section.
Details and schema examples are available in the Policy Evaluator documentation.

Who Can Use It:
Users with permission to manage Sift configurations and platform policies.

Release Notes

2025.4.3

New Features

  • Compliance Standards Mapping Displayed in Issues
    The Issue page now shows, for the CWE associated with each issue, the corresponding category in each supported compliance framework. With this release, every reported issue is mapped to OWASP API Top 10, OWASP Top 10, MITRE CWE Top 25, NIST, HITRUST CSF, HIPAA Security Rule, PCI DSS, and CAPEC.
  • The GitLab DAST report output has been enhanced to include the compliance mappings.

Enhancements

  • Sift: PoP Token Body Handling
    The Proof-of-Possession (PoP) token now lists "body" in the "ehts" claim only when the request has a non-empty body, so the claim no longer names a request part that the request does not carry.
  • Sift: Filter Operations by HTTP Method
    Sift now allows filtering operations based on their HTTP method, enabling more targeted scans.
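The "ehts" claim names the request parts a PoP token covers; the scheme this claim name comes from pairs it with an "edts" claim holding a base64url SHA-256 digest of those parts' values concatenated in the same order. The following Python is an added illustration of the body-handling rule above, not Sift's or Aptori's code: which parts are covered, the expiry window, and the helper names are assumptions, and signing the claim set into a JWT is left out.

```python
import base64
import hashlib
import hmac
import time
import uuid


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT-style claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signed_parts(method, uri, headers, body=""):
    """Ordered (name, value) pairs a PoP token covers for this request.

    "body" is appended only when the request body is non-empty, so the
    "ehts" claim never lists a part the request does not carry.
    Which parts are covered is an assumption for this example.
    """
    parts = [("http-method", method.upper()), ("uri", uri)]
    for name in ("Content-Type", "Authorization"):
        if name in headers:
            parts.append((name, headers[name]))
    if body:
        parts.append(("body", body))
    return parts


def build_pop_claims(method, uri, headers, body="", ttl=120):
    """Build the claim set: ehts lists the part names, edts hashes their values."""
    parts = signed_parts(method, uri, headers, body)
    digest = hashlib.sha256("".join(v for _, v in parts).encode("utf-8")).digest()
    now = int(time.time())
    return {
        "v": "1",
        "jti": str(uuid.uuid4()),
        "iat": now,
        "exp": now + ttl,
        "ehts": ";".join(n for n, _ in parts),
        "edts": _b64url(digest),
    }


def verify_pop_claims(claims, method, uri, headers, body="", now=None):
    """Recompute edts from the request as received and compare it.

    Fails when the token is expired, when ehts names a part the received
    request does not have (e.g. "body" on a body-less request), or when any
    covered value was altered in transit.
    """
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) < now:
        return False
    available = dict(signed_parts(method, uri, headers, body))
    names = claims["ehts"].split(";")
    if any(n not in available for n in names):
        return False
    digest = hashlib.sha256("".join(available[n] for n in names).encode("utf-8")).digest()
    return hmac.compare_digest(_b64url(digest), claims["edts"])


if __name__ == "__main__":
    # Constructed sample request
    hdrs = {"Content-Type": "application/json", "Authorization": "Bearer t0k"}
    claims = build_pop_claims("POST", "/v1/issues", hdrs, '{"severity":"high"}')
    print(claims["ehts"])  # http-method;uri;Content-Type;Authorization;body
    print(verify_pop_claims(claims, "POST", "/v1/issues", hdrs, '{"severity":"high"}'))
```

The verifier derives the covered parts from the request it actually received, so a token whose ehts still lists "body" for a body-less request is rejected rather than silently accepted with an empty body hashed in.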

Bug Fixes

  • Generator Sets JSON Handling Fix
    Fixed an issue where a variable value of type JSON was not correctly stored in the Sift configuration.
  • Configuration Editor PolicyEvaluator Fix
    Resolved an issue where the PolicyEvaluator analyzer could appear multiple times for the same Policy in the configuration generated by the Configuration Editor.
  • Jira Integration Role-Based Access Fix
    Jira settings are now only displayed to users with the Owner role, ensuring proper access control.

Important Notes

  • PostgreSQL Vector Extension Requirement
    The vector PostgreSQL extension (pgvector) must be installed in the database used by Aptori before installing or upgrading to Aptori Platform 25.4.3. The extension's files must already be present on the database server, and the command must be run by a role permitted to create extensions in that database.
    • Install it using the SQL command: CREATE EXTENSION IF NOT EXISTS vector WITH SCHEMA public;

2025.4.2

New Features

  • Jira Multi-Server Support
    You can now configure multiple Jira servers within the platform.
    • Supports project mapping between a Jira project and an Aptori project.
    • Organization Owners can add or update Jira server configurations.
    • Organization Owners, Group Owners, and Group Maintainers can manage Jira-to-Aptori project mappings.
  • API Settings – JSON Generator Support
    Under API Settings → Generators, you can now assign a JSON generator as a parameter to an operation.
  • Cookie Ignore List
    A new setting in the Admin Portal allows administrators to define a list of regular expressions for cookies that should be excluded from security checks.
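An ignore list built from regular expressions deserves one check before it goes into production: an unanchored pattern such as "id" also matches "sessionid" and would pull the session cookie out of every check. The Python below is an added illustration, not Aptori's code; it assumes patterns are matched against the cookie name (the page does not say whether the platform matches names or whole cookie lines, nor whether it anchors the pattern), and contrasts anchored full matches with unanchored searches on a constructed Cookie header.

```python
import re
from http.cookies import SimpleCookie


def parse_cookie_header(header: str) -> dict:
    """Parse a request Cookie header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def cookies_to_check(cookies: dict, ignore_patterns, anchored: bool = True) -> dict:
    """Return the cookies that remain subject to security checks.

    anchored=True uses re.fullmatch, so a pattern excludes only cookies whose
    whole name it describes. anchored=False uses re.search, which is how an
    ignore list silently swallows unrelated cookies. Matching on the cookie
    name (rather than the whole cookie) is an assumption of this example.
    """
    compiled = [re.compile(p) for p in ignore_patterns]

    def ignored(name: str) -> bool:
        return any((rx.fullmatch(name) if anchored else rx.search(name)) for rx in compiled)

    return {n: v for n, v in cookies.items() if not ignored(n)}


def overbroad_patterns(cookies: dict, ignore_patterns, must_check) -> list:
    """Patterns that, even anchored, would exclude a cookie that must stay checked."""
    bad = []
    for p in ignore_patterns:
        rx = re.compile(p)
        if any(rx.fullmatch(name) for name in must_check if name in cookies):
            bad.append(p)
    return bad


if __name__ == "__main__":
    # Constructed sample: one session cookie, one CSRF token, two analytics cookies
    cookies = parse_cookie_header("sessionid=s3cr3t; _ga=GA1.2.1; _gid=GA1.2.2; csrftoken=abc")
    print(cookies_to_check(cookies, ["_ga.*", "_gid"]))            # analytics dropped, session kept
    print(cookies_to_check(cookies, ["id"], anchored=False))       # sessionid silently dropped
    print(overbroad_patterns(cookies, [".*id.*", "_ga.*"], ["sessionid", "csrftoken"]))
```

Treat the ignore list as an allow-list for skipping checks: keep every pattern anchored and specific to the cookie families you mean to exclude, and review it against the cookies that carry authentication state.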

Enhancements

  • Run Result Summary View
    The summary now clearly states whether an issue was found or not found, replacing the older Pass/Fail status for improved clarity.

Bug Fixes

  • Postman Upload for Generators Fix
    Fixed issues related to uploading Postman collections for generator configuration.

2025.4.1

New Features

  • User Assignment Search
    Easily search for users when assigning issues, streamlining the triage and remediation process.
  • Issues Report API
    Retrieve a comprehensive list of all issues using the Issues API and Python SDK, with support for advanced filtering options.
  • Issues Report
    Generate and download a complete report of all issues, enabling better tracking, auditing, and communication.
  • Pending Invitations Search
    Search capability added to the Pending Invitations list, making it easier to locate specific user invites.
  • Policy Editor
    A new Policy Editor allows users to create and manage custom policies, supporting rules written in Rego.
  • EPSSv4 Integration
    EPSS version 4 is now integrated into Aptori, providing enhanced risk-based prioritization for vulnerabilities.

Enhancements

  • Configuration Editor Enhancement
    You can now select User Defined Policies for evaluation in a Sift scan of your application, offering more granular control over custom security checks.