Changelog
Release Notes
Track every feature, fix, and improvement shipped to SOCWarden.
3.0.0 (2026-03-19)
Detection Engine v2, Kill Chains & Real-time Dashboard
[added] 29 event-specific detection rules across 3 batches (base scores, sequences, kill chains)
[added] 5 kill chain patterns (account takeover, data exfiltration, server compromise, privilege escalation, defense evasion)
[added] Multi-tier alert system (FLASH / PRIORITY / ROUTINE)
[added] Decay-based alert cooldowns: repeat alerts with the same fingerprint are suppressed for progressively longer windows (0 → 6h → 12h → 24h)
[added] Semantic alert deduplication (normalized fingerprinting)
[added] Delta engine: 15-minute security posture sweeps
[added] Real-time SSE dashboard updates
[added] LLM security briefing protocol (daily digest, incident, on-demand)
[added] Graceful enrichment degradation with health tracking
[added] 3 new OSINT sources: GreyNoise Community, Shodan InternetDB, Pulsedive
[added] SC Malaysia Investor Alerts (3,225 indicators)
[added] GitHub Leak Scanner (raises credential_leak_detected alerts)
[added] Distributed credential spray detection
[added] Granular API key scoping across 66 event types
[added] Organization settings page
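The two alert-hygiene items above (normalized fingerprinting and the 0 → 6h → 12h → 24h decay schedule) are easier to reason about with a concrete model. The following is an added illustration, not SOCWarden's code: the field names, the volatile-field list, the reset window and the simulate() helper are all assumptions made for the example. The point it shows is that the fingerprint must ignore per-event noise (request IDs, case, numeric path IDs) without collapsing distinct attackers, and that the cooldown grows per fingerprint, not globally.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical rendering of the "0 -> 6h -> 12h -> 24h" schedule: the n-th repeat of a
# fingerprint is suppressed until this many seconds have passed since the last emission.
DECAY_STEPS = (0, 6 * 3600, 12 * 3600, 24 * 3600)

# Assumed field names that change on every event and must never affect the fingerprint.
VOLATILE_FIELDS = frozenset({"event_id", "request_id", "timestamp", "occurred_at"})
# Assumed fields where embedded numeric IDs (/users/42 vs /users/43) should collapse.
ID_BEARING_FIELDS = frozenset({"path", "url", "resource"})


def normalize_value(key: str, value: str) -> str:
    """Trim and lower-case; collapse digit runs only in path-like fields so IPs stay distinct."""
    value = value.strip().lower()
    if key in ID_BEARING_FIELDS:
        value = re.sub(r"\d+", "#", value)
    return value


def fingerprint(alert_type: str, fields: dict) -> str:
    """Stable SHA-256 over alert type plus sorted, normalized, non-volatile fields."""
    canon = [alert_type.lower()]
    for key in sorted(fields):
        if key in VOLATILE_FIELDS:
            continue
        canon.append(f"{key.lower()}={normalize_value(key.lower(), str(fields[key]))}")
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()[:16]


@dataclass
class AlertDeduplicator:
    steps: tuple = DECAY_STEPS
    # fingerprint -> (number of times emitted, timestamp of last emission)
    seen: dict = field(default_factory=dict)

    def decide(self, alert_type: str, fields: dict, now: float) -> tuple:
        """Return (should_emit, fingerprint, cooldown_seconds_applied)."""
        fp = fingerprint(alert_type, fields)
        if fp not in self.seen:
            self.seen[fp] = (1, now)
            return True, fp, self.steps[0]
        count, last = self.seen[fp]
        # Assumed reset rule: after two full top-tier windows of silence, start over.
        if now - last >= 2 * self.steps[-1]:
            self.seen[fp] = (1, now)
            return True, fp, self.steps[0]
        cooldown = self.steps[min(count, len(self.steps) - 1)]
        if now - last >= cooldown:
            self.seen[fp] = (count + 1, now)
            return True, fp, cooldown
        return False, fp, cooldown


def simulate(offsets_hours) -> list:
    """Replay one brute-force alert at the given hour offsets; return the emit decisions."""
    dedup = AlertDeduplicator()
    decisions = []
    for h in offsets_hours:
        emitted, _, _ = dedup.decide(
            "brute_force",
            # constructed sample alert; only request_id varies between repeats
            {"ip": "203.0.113.7", "user": " Admin ", "request_id": f"req-{h}"},
            now=h * 3600,
        )
        decisions.append(emitted)
    return decisions


if __name__ == "__main__":
    print(simulate([0, 1, 7, 12, 20, 40, 45]))
```

Two checks worth keeping in any real implementation: the same alert with different casing, whitespace and request IDs must hash identically, and two source IPs must not, otherwise one attacker's cooldown silences alerts about another.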
2.0.0 (2026-03-18)
Integrations & IP Actions Redesign
[added] Per-org Cloudflare BYOK integration: bring your own API token + zone ID
[added] AWS WAF integration placeholder (coming soon)
[added] Block IP / Unblock IP / Watchlist / Unwatchlist / Suspend Actor actions, each behind a confirmation modal
[added] IP action alerts dispatched through notification channels (webhook, Slack, etc.)
[added] Enricher watchlist monitoring: alerts when a watchlisted IP sends new events
[added] Per-project notification channel scoping: route alerts to different channels per project
[added] Multiple channels of the same type with named labels
[added] RBAC middleware: Viewer, Member, Admin, Owner role enforcement on all pages
[added] Webhook payload reference docs page with samples for all 25 alert types
[added] IP status badges (Blocked / Watchlisted) on the event list, detail page, and forensic drawer
[changed] Merged SIEM Forwarding into the unified Integrations page (Response Actions + Data Export)
[changed] Renamed Alert Channels to Notifications
[changed] Consolidated n8n into the Webhook channel type
[changed] Webhook payload flattened: removed the redundant `raw` dump, added `event_type`, `project`, `network`, `geo`, `tags`
[changed] Free plan forensic drawer now shows risk score + country only (full detail on Starter+)
[fixed] Plan permission enforcement on all behavioral detections (impossible travel, geo-anomaly, session anomaly, credential spray)
[fixed] AbuseIPDB, AI summary, export quota, network intel: all now correctly plan-gated
[fixed] ForwardToSiem job wired into ConsumeAlertQueue (was dead code)
[fixed] ThreatModelEngine wired into ConsumeAlertQueue (was never invoked)
[fixed] Alert assignment now uses a dedicated `assigned_to` column instead of overloading `acknowledged_by`
[fixed] Incident creation plan-gated on the event detail page (was only gated on the forensic drawer)
[fixed] Command injection regex expanded to detect `rm`, `mv`, `chmod`, `dd`, `kill`, `shutdown`
[removed] Global Cloudflare ENV vars: replaced by per-org BYOK in Settings > Integrations
[removed] IpListObserver: replaced by the explicit HandleIpListChange action (no implicit side effects)
[removed] N8nWebhookService (dead code): n8n channels migrated to the webhook type
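The command-injection fix above widens a request-anomaly regex to cover destructive commands (`rm`, `mv`, `chmod`, `dd`, `kill`, `shutdown`). What a practitioner wants to see is how such a rule is anchored so the new short tokens do not fire on ordinary words like "add", "skill" or "move", and that encoded payloads are decoded before matching. The block below is an added example, not SOCWarden's detector: the baseline command list, the separator set, the function names and the sample parameters are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical baseline list; the second tuple is the set the 2.0.0 note says was added.
BASELINE_COMMANDS = ("cat", "ls", "id", "whoami", "uname", "wget", "curl", "nc", "bash", "sh", "ping")
EXPANDED_COMMANDS = ("rm", "mv", "chmod", "dd", "kill", "shutdown")

# A command only counts when it follows a shell separator or substitution opener
# (; & | newline backtick $( ). That is what keeps "skill_level", "add" and "mvp" quiet.
_SEPARATOR = r"(?:[;&|`\n]|\$\()\s*"
# After the command name we require whitespace, end of value, or another shell token.
_TERMINATOR = r"(?=\s|$|[;&|`)])"


def build_pattern(commands) -> re.Pattern:
    """Compile a separator-anchored alternation; longest names first so 'shutdown' beats 'sh'."""
    ordered = sorted(commands, key=len, reverse=True)
    alternation = "|".join(re.escape(c) for c in ordered)
    return re.compile(_SEPARATOR + r"(?P<cmd>" + alternation + r")" + _TERMINATOR, re.IGNORECASE)


OLD_PATTERN = build_pattern(BASELINE_COMMANDS)
NEW_PATTERN = build_pattern(BASELINE_COMMANDS + EXPANDED_COMMANDS)


def detect_command(value: str, pattern: re.Pattern = NEW_PATTERN):
    """Return the command found in a parameter value after URL-decoding it, or None."""
    decoded = unquote_plus(value)
    match = pattern.search(decoded)
    return match.group("cmd").lower() if match else None


def scan_request(params: dict, pattern: re.Pattern = NEW_PATTERN) -> list:
    """Return (parameter, command) pairs for every parameter that looks like an injection."""
    hits = []
    for name, value in params.items():
        cmd = detect_command(str(value), pattern)
        if cmd:
            hits.append((name, cmd))
    return hits


if __name__ == "__main__":
    # constructed sample request: one injected parameter, two benign ones
    sample = {"host": "127.0.0.1; rm -rf /tmp/x", "page": "2", "skill_level": "5"}
    print("old rule:", scan_request(sample, OLD_PATTERN))
    print("new rule:", scan_request(sample, NEW_PATTERN))
```

The same payload is invisible to the baseline rule and caught by the expanded one, which is the behaviour the changelog entry describes; the decode step matters because `%3B` and `+` are how the separator and spaces usually arrive in a query string.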
1.0.0 (2026-03-15)
Initial Release: Phase 1 + Phase 2
[added] Event ingestion via POST /v1/events with rate limiting, idempotency, CORS, and batch support
[added] Enrichment pipeline: GeoIP, UA parsing, ASN, Tor/VPN/proxy/datacenter detection
[added] OSINT threat feeds: Spamhaus, Feodo, ET, CINS, blocklist.de, GreenSnow, URLhaus
[added] Behavioral detections: brute force, impossible travel, geo-anomaly, credential spray, session anomaly
[added] Request anomaly detection: SQLi, XSS, path traversal, command injection, SSRF, LDAP injection
[added] ML behavioral model (Isolation Forest) for anomaly scoring
[added] LLM alert summaries via the Claude API
[added] Dashboard: overview, event explorer, alert queue, incident management, server fleet
[added] Forensic drawer with 14 investigation panels
[added] Notification channels: Email, Slack, Telegram, Discord, Webhook, PagerDuty, MS Teams
[added] Stripe billing with 4 plan tiers (Free, Starter, Pro, Business)
[added] Server agent with 28 event types (SSH, file, process, user, service, package, cron, firewall, network, container, log)
[added] 5 SDKs: Laravel, Node.js, Python, Go, Browser
[added] Custom threat models with FOLLOWED_BY chains and AND/OR/NOT logic
[added] SOC 2 + NIST CSF 2.0 compliance dashboard
[added] SIEM forwarding: Splunk HEC, Datadog Logs, webhook
[added] SOCWarden Intelligence: domain typosquatting monitor, CISA KEV sync, MyCERT advisories