RunReveal
Changelog

Release Notes: v2026.6.0

Upgrade note: Migrations run automatically on startup. Review the breaking changes and migration sections below before upgrading.

Highlights

  • New Threat Hunting agent — A new pre-built agent that runs weekly threat hunts automatically. It surfaces suspect activity and also suggests new detections and data sources based on your current coverage.
  • Federated search across external S3 buckets — Custom views can now query log data stored in your own S3 buckets, enabling analysis without ingesting data into RunReveal first.
  • Federated search custom views — Query log data in external S3 buckets directly from custom views, gated behind a feature flag, with source type decoupled from source configuration.
  • New integrations for Zoom, Datadog Audit Trail, Palo Alto Prisma Access, and Google Workspace Alerts — Expand your security visibility with four new log sources available out of the box.
  • Google Vertex AI provider support — You can now use Google Vertex AI as an LLM provider alongside existing options like Bedrock and Claude.
  • Self-service ClickHouse migration management — Administrators can now view, preview, and manage destination ClickHouse migrations directly from the destinations page.

Features

  • Google Vertex AI LLM provider — Configure Google Vertex AI as an LLM provider with project and location settings, and edit those settings without re-entering credentials.
  • Destination migration management — View and preview pending ClickHouse migrations for destinations from the admin UI, with the ability to disable auto-run.
  • CrowdStrike EDR alerts polling — Poll CrowdStrike EDR alerts via the gofalcon SDK for richer endpoint detection coverage.
  • Jamf Protect audit events — The Jamf Protect source now ingests audit events in addition to existing alert data.
  • Agent tool and context improvements — Agents now receive custom ClickHouse roles on creation, context-aware tools for scheduled runs, and a read-only tool selection UI.
  • Investigation UX upgrades — Investigations now surface agent metadata, retry errors on triage status, show a time picker, and offer AI chat action buttons.
  • Managed detection sync from archives — Sync managed detections from zip, tar, and filesystem sources, with orphaned detections deprecated instead of deleted.
  • Configurable outbound webhook allowlist — Restrict outbound webhook destinations to an explicit allowlist via common.safeURL configuration.
  • Shared query dynamic URLs — Shared queries now generate dynamic URLs for easier collaboration.
  • Analytics dashboard usage visibility — Graphs list now shows which dashboards use each graph, warns before deleting graphs in use, and displays page position in cursor paging.
  • Notification channel connected resources — The notification channel detail page now shows all detections and pipelines connected to that channel.
  • Feature flag registry — Internal feature flags are now registered for discoverability.
  • File watcher glob filtering — The reveald file source now supports glob-based include/exclude patterns for watched files.
  • Salesforce event log interval configuration — Salesforce event log source now supports configuring daily or hourly collection intervals to match your Salesforce licensing tier.
  • CLI multi-profile auth — The CLI now supports multiple authentication profiles with persistent instance URLs.
  • Auto-redirect when logged in — Users already authenticated are automatically redirected to the dashboard.
  • OAuth UX improvements — Restyled authorize and CLI callback pages with better cross-subdomain behavior.
  • Pipelines and topics UX redesign — Refreshed UI for managing topics and pipelines, including a side popout for the transform page.
  • Updated default LLM models — Default models for all AI providers have been updated to current versions, including replacing deprecated Claude 3 Haiku with Sonnet 4.6.

New Integrations

| Source | Type | Description |
|---|---|---|
| Zoom | webhook | Zoom workspace and meeting event webhooks |
| Datadog Audit Trail | polling | Datadog Audit Trail events |
| Palo Alto Prisma Access | object storage | Palo Alto Prisma Access logs from S3 |
| Google Workspace Alerts | polling | Google Workspace Alert Center security alerts |

Bug Fixes

  • Alerts date picker ranges — Fixed absolute and relative-division date ranges not being honored in the alerts date picker.
  • AI model management — Stopped re-adding previously removed models and updated Bedrock model IDs to current values.
  • Detection sync notification templates — Notification templates are now correctly extracted when syncing Sigma rules, and unknown templates produce a warning instead of an error.
  • Salesforce polling reliability — Increased lag window for late-arriving Salesforce event logs and corrected the audit trail eventName field for cardinality tracking.
  • GitHub polling error handling — Fixed high-water-mark handling in test mode and improved 403 error responses for GitHub polling sources.
  • MS365 GCC-High OAuth scope — The MS365 source now uses the correct OAuth scope URL for government cloud and GCC-High environments.
  • ClickHouse connection leak — Fixed a connection leak for flaky Bring Your Own Database destinations.
  • Pipeline notification triggers — Fixed notify triggers not firing on pipeline updates.
  • KSUID pagination collation — Added COLLATE "C" to detection and admin org pagination queries for correct KSUID ordering.
  • Explorer null time column — Fixed a crash when exploring tables that lack a receivedAt column.
  • Form validation errors — SuperRefine validation errors now propagate correctly and stale submit errors are cleared.
  • Filter edit page guard — Fixed a crash when editing a filter with a missing pattern.
  • Sources pagination — The sources context now fetches all pages of sources instead of only the first page.
  • Reveald empty events on EOF — The file source no longer emits empty events when reaching end-of-file.
  • R2 source validation — Added input validation for R2 sources and auto-formatting of Queue ID into UUID format.
  • Detection subscription YAML overflow — Fixed YAML text overflow in the managed detection "edit subscriptions" view.
  • Managed detection duplicate subscriptions — The bulk subscribe endpoint now handles duplicate subscriptions gracefully.
  • Agent email template ordering — Reordered agent email templates to show results before the prompt.
  • Polling query parameter preservation — The CallAPI helper now preserves existing query parameters on the passed URL.
  • RRQ destination cache race condition — Fixed a race condition in the destination cache.
  • Graph usage fetch — Eliminated an unnecessary re-render caused by setState inside useEffect for graph usage.
  • Source verification for gov cloud — Fixed source verification flows for government cloud deployments.
  • MCP list/prompts method — Fixed the MCP list/prompts method.
  • DigitalOcean inference and Claude usage — Fixed DigitalOcean inference and Claude usage tracking.

Breaking Changes

The new CLI requires re-authentication to enable the new profiles system. The old CLI will continue to work while the sessions are still active.

Maintenance

  • Upgraded Next.js to 16.2.6 for security fixes and pnpm to v11 with supply-chain hardening.
  • Unified reveald release process with runreveal backend and CLI.
  • Migrated external docs to Fumadocs v14 with brand refresh; consolidated enrichments docs; improved SentinelOne and GitHub audit log guides.
  • Switched local development Docker tooling from Docker Compose to Podman.
  • Added comprehensive reveald documentation section.
  • Removed legacy webhook lambda, forge tooling, and broken testing-doc skills.
  • Refactored time picker date-conversion logic into shared utilities.
  • Optimized RRQ pipeline with cached hydrated JSON and freed memory before batching.
  • Removed eager database pings from connection initialization.
  • Set source limit for pro accounts to 15.
  • Various CI, documentation, and internal tooling improvements.

Database Migrations

| Migration | Database | Description |
|---|---|---|
| federated_custom_views | PostgreSQL | Add schema support for federated custom views |
| add_vertex_provider | PostgreSQL | Register Google Vertex AI as an LLM provider |
| agent_managed_roles | PostgreSQL | Add managed ClickHouse roles for agents |
| disable_legacy_pack_sync_triggers | PostgreSQL | Disable legacy detection pack sync triggers |
| fix_pipeline_change_triggers | PostgreSQL | Fix pipeline change notification triggers |
| oauth_role_column | PostgreSQL | Add role column for OAuth configurations |
| update-agent-roles | PostgreSQL | Update agent role definitions |
| custom_views_source_type | PostgreSQL | Decouple source type from custom view configuration |
| datadog_audit_logs_view | ClickHouse | Add materialized view for Datadog audit logs |
| zoom_logs_view | ClickHouse | Add materialized view for Zoom event logs |
