What's new

Changelog

Recent improvements, fixes, and polish. Curated by hand — no auto-generated commit dumps.

May 2026

  • New

    See your security grade — A to F, on every screen

    Your free scan result now leads with a big, color-coded letter grade (A–F) and a one-line plain-English verdict, with the three things to fix first ranked at the top instead of a wall of acronyms. The same grade now shows up on your dashboard, your public trust page, and the compliance index — so 'how exposed am I?' is answerable in about ten seconds, and the raw protocol detail is one click away for whoever wants it.

  • New

    "What to do next" — the app now tells you where to start

    A new coach on the dashboard reads your actual posture and ranks the highest-leverage moves — overdue findings, insurance gaps, integrations worth connecting — each a one-click deep link in plain English (with an AI-written briefing when enabled). Every in-app section — findings, vendors, monitoring, compliance, training, risk — now leads with the same 'do this next', so you're never staring at a screen wondering where to begin. A posture-over-time trend on the dashboard shows how your grade has moved since you joined.

  • Polish

    Upgrade in one click from inside the app

    Hitting a paid feature inside the app now takes you straight to in-app checkout instead of bouncing you out to the public pricing page — fewer clicks between you and the plan you need.

  • New

    Vendor questionnaire invitations — send a vendor a link, get back signed answers

    On any vendor row in the portfolio click 'Send questionnaire' — we generate a single-use 32-byte random token, store only its SHA-256 hash, and email the vendor a link to /v/<token>. The vendor lands on a public no-auth form with our publicly-visible scan results already shown at the top so they don't have to re-state what we can see, plus 12 grouped questions covering MFA, encryption, SOC 2 / ISO certs, incident response, vulnerability management, subprocessors, and a security contact. Submissions write to a vendor_attestations row and the portfolio shows an 'Attested' badge. Same single-use + 30-day-TTL + hashed-token pattern as our magic-link sign-in.

  • New

    Vendor portfolio — SecurityScorecard-style scores + DNS-based vendor suggestions

    /app/vendors becomes a real portfolio. Each tracked vendor gets a security grade (A–F) and overall score computed by running our 8-check email-security scanner against their primary domain — same scoring as your own monitored domains, so vendors and self are comparable. We also auto-suggest vendors by pattern-matching DNS records on your monitored domains against a ~35-vendor registry (Microsoft 365 via MX, Cloudflare via NS, Stripe via TXT, etc.) — one click to add a suggested vendor + run its first scan inline. The portfolio table shows per-vendor email/DNS sub-scores, last scan date, and category (email / dns / iaas / paas / saas / collab / security / payments / analytics / marketing / support).
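
How DNS-record pattern matching against a vendor registry works, as an added example rather than the product's matcher. The registry here is illustrative (the ~35-vendor registry is not published on this page); the Microsoft 365, Google Workspace and Cloudflare patterns are those vendors' well-known public hostnames and verification prefix, and the sample zone is constructed, not a real lookup.

```typescript
// Added example: match DNS records against a small vendor registry.
// The registry is illustrative; only its shape is the point.

type RecordType = "MX" | "NS" | "TXT";

interface DnsRecord { type: RecordType; value: string } // rdata as dig/zone-file prints it

interface VendorRule {
  vendor: string;
  category: string;
  type: RecordType;
  kind: "host" | "txt-prefix"; // host: name equals or sits under pattern; txt-prefix: TXT text starts with pattern
  pattern: string;
}

const REGISTRY: VendorRule[] = [
  { vendor: "Microsoft 365",    category: "email", type: "MX",  kind: "host",       pattern: "mail.protection.outlook.com" },
  { vendor: "Microsoft 365",    category: "email", type: "TXT", kind: "txt-prefix", pattern: "MS=ms" },
  { vendor: "Google Workspace", category: "email", type: "MX",  kind: "host",       pattern: "aspmx.l.google.com" },
  { vendor: "Cloudflare",       category: "dns",   type: "NS",  kind: "host",       pattern: "ns.cloudflare.com" },
];

interface Suggestion { vendor: string; category: string; evidence: string[] }

// Presentation-format names are case-insensitive and usually end in a dot.
const canonicalHost = (name: string): string => name.trim().toLowerCase().replace(/\.$/, "");

// MX rdata is "<preference> <exchange>"; NS rdata is just the name. Take the last token.
function hostOf(rec: DnsRecord): string {
  const last = rec.value.trim().split(/\s+/).pop() || "";
  return canonicalHost(last);
}

// Match on label boundaries so "ns.cloudflare.com.evil.example" does not hit.
const underDomain = (host: string, domain: string): boolean =>
  host === domain || host.slice(-(domain.length + 1)) === "." + domain;

// TXT rdata is quoted and may be split into several quoted chunks; join and unquote.
const txtText = (value: string): string =>
  value.trim().split(/"\s+"/).join("").replace(/^"|"$/g, "");

function suggestVendors(records: DnsRecord[]): Suggestion[] {
  const byVendor = new Map<string, Suggestion>();
  for (const rec of records) {
    for (const rule of REGISTRY) {
      if (rule.type !== rec.type) continue;
      const hit = rule.kind === "host"
        ? underDomain(hostOf(rec), rule.pattern)
        : txtText(rec.value).slice(0, rule.pattern.length) === rule.pattern;
      if (!hit) continue;
      const s = byVendor.get(rule.vendor) || { vendor: rule.vendor, category: rule.category, evidence: [] };
      s.evidence.push(rec.type + " " + rec.value); // keep the raw record as evidence for the reviewer
      byVendor.set(rule.vendor, s);
    }
  }
  return Array.from(byVendor.values());
}

// Constructed sample zone (not a real lookup).
const SAMPLE_RECORDS: DnsRecord[] = [
  { type: "MX",  value: "0 example-com.mail.protection.outlook.com." },
  { type: "MX",  value: "10 mail.example.com." },                        // self-hosted backup: no vendor
  { type: "NS",  value: "ada.ns.cloudflare.com." },
  { type: "NS",  value: "bob.ns.cloudflare.com." },
  { type: "NS",  value: "ns.cloudflare.com.evil.example." },             // label-boundary trap: must not match
  { type: "TXT", value: "\"MS=ms12345678\"" },
  { type: "TXT", value: "\"v=spf1 include:spf.protection.outlook.com -all\"" },
];
```

Two details carry most of the weight: normalising the trailing dot and MX preference before comparing, and matching on label boundaries rather than a plain substring, otherwise an attacker-controlled name that merely contains a vendor hostname would be suggested as that vendor.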

  • New

    Hero dashboards on Coverage + Posture, new Vendors section

    Coverage and Posture now lead with a hero status strip: a one-glance score (coverage completeness on /app/coverage, security score on /app/posture) and a single 'Do this next' callout that picks the highest-leverage action — triage critical findings before drift, drift before high-severity, etc. New top-level Vendors surface at /app/vendors aggregates third-party risk: vendor questionnaire status, vendor-tagged risk register entries, monitored vendor domains, and shortcuts to one-shot scans (DNS map, email security, security headers) for any external domain.

  • Polish

    Top nav consolidated to Coverage · Posture · Settings

    Eleven nav items collapsed to three intuitive entry points using cyber-native names. /app/coverage aggregates everything we're protecting (integrations, monitored domains, company profile, risk register, compliance assessments, insurance checklist), each card showing status-at-a-glance. /app/posture aggregates your current security state (dashboard, findings, activity, drift, compliance readiness, insurance attestation). Detail pages and URLs are unchanged so deep links still work.

  • New

    DNS map — dnsdumpster-style reconnaissance

    One-shot DNS scan at /web-security/dns-map. Pulls NS/MX/A/AAAA/TXT/CAA on the apex, discovers subdomains via Certificate Transparency, resolves the owning ASN per IP. Rendered as a node-link map. Free, no auth. The same engine runs on every monitored-domain rescan and renders on the monitoring detail page.

  • Fix

    M365 sync now works on tenants without Entra ID P1

    Two bugs were silently blocking M365 syncs: (1) the Graph users-list call asked for signInActivity, which returns 403 on tenants without a Microsoft Entra ID P1 license — we now retry that call without the field and skip the dormant-account check on those tenants; (2) the BullMQ scheduler used a stable jobId, which let a previous completed sync silently block every subsequent enqueue via the queue's removeOnComplete window — the jobId now rotates every 5 minutes. Applied to all integration providers, not just M365.

  • New

    Seven more web-security tools

    Password strength checker (entropy + time-to-crack), URL encoder/decoder (encodeURI / encodeURIComponent / form), HTML entity encoder/decoder, CORS policy analyzer (catches wildcard + credentials and Access-Control-Allow-Origin: null, the origin that sandboxed iframes and local files report), IPv6 address inspector (RFC 5952 canonical form + scope classification), cron expression explainer (with next-fire times and the dom/dow OR-semantics gotcha), and a text diff viewer.
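
The checks a CORS policy analyzer performs on a single response, as an added example and not the product's implementation. It assumes the analyzer sent an attacker-style Origin (here https://evil.example) with its probe request and passes that value in as `probeOrigin`, which is what lets an echoed Allow-Origin be recognised as reflection; the header names and values in the tests are constructed.

```typescript
// Added example: grade one CORS response. Header names are lower-cased by the caller.

type Severity = "high" | "medium" | "info";
interface CorsFinding { severity: Severity; message: string }
type HeaderMap = Record<string, string>;

function analyzeCors(headers: HeaderMap, probeOrigin?: string): CorsFinding[] {
  const findings: CorsFinding[] = [];
  const acaoRaw: string | undefined = headers["access-control-allow-origin"];
  const creds = (headers["access-control-allow-credentials"] || "").trim().toLowerCase() === "true";
  const vary = (headers["vary"] || "").toLowerCase().split(",").map(v => v.trim());

  if (acaoRaw === undefined) {
    // No CORS header at all: the browser enforces same-origin policy, nothing to report.
    findings.push({ severity: "info", message: "No Access-Control-Allow-Origin header; cross-origin reads stay blocked." });
    return findings;
  }
  const acao = acaoRaw.trim();

  if (acao === "*") {
    if (creds) {
      // Browsers refuse "*" paired with credentials, so this is not exploitable as served,
      // but it almost always means "everyone, with cookies" was the intent.
      findings.push({ severity: "medium", message: "Wildcard Allow-Origin with Allow-Credentials: true; browsers reject this pair, and servers 'fixed' by echoing Origin become fully exposed." });
    } else {
      findings.push({ severity: "info", message: "Wildcard Allow-Origin without credentials; acceptable only for genuinely public data." });
    }
    return findings;
  }

  if (acao === "null") {
    // Sandboxed iframes, data: URLs and file:// pages all serialize their origin as "null",
    // so any attacker page can obtain this origin and read the response.
    findings.push({ severity: creds ? "high" : "medium", message: "Access-Control-Allow-Origin: null" + (creds ? " with credentials" : "") + "; any sandboxed iframe can present the \"null\" origin." });
    return findings;
  }

  if (probeOrigin !== undefined && acao === probeOrigin) {
    // The server echoed whatever Origin we sent: effectively a wildcard that also works with cookies.
    findings.push({ severity: creds ? "high" : "medium", message: "Origin reflected (" + probeOrigin + "); arbitrary sites can read " + (creds ? "authenticated" : "unauthenticated") + " responses." });
  }
  if (acao.indexOf("http://") === 0 && creds) {
    findings.push({ severity: "medium", message: "Cleartext http:// origin allowed with credentials; an on-path attacker can impersonate that origin." });
  }
  if (vary.indexOf("origin") === -1 && vary.indexOf("*") === -1) {
    // Per-origin responses without Vary: Origin can be cached and replayed to a different origin.
    findings.push({ severity: "medium", message: "Per-origin Allow-Origin without Vary: Origin; a shared cache may hand one origin's CORS response to another." });
  }
  if (findings.length === 0) {
    findings.push({ severity: "info", message: "Allow-Origin is a specific origin that did not echo the probe, with Vary: Origin; no issue found." });
  }
  return findings;
}

// Highest severity across findings, for the one-line verdict.
function worstSeverity(findings: CorsFinding[]): Severity {
  const rank: Record<Severity, number> = { info: 0, medium: 1, high: 2 };
  let worst: Severity = "info";
  for (const f of findings) if (rank[f.severity] > rank[worst]) worst = f.severity;
  return worst;
}
```

A single response can only show reflection if the probe Origin is one the server would never legitimately allow, which is why the analyzer should send its own throwaway origin rather than reuse the site's.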

  • New

    Ten new web-security utilities

    JWT inspector, IPv4 CIDR calculator, hash calculator (MD5 + SHA family), base64 encoder/decoder, URL inspector with safety findings, UUID v4 generator + inspector, timestamp converter, JSON formatter / minifier / validator, regex tester, and an HTTP security headers builder.

  • New

    Passkeys / WebAuthn login

    Add a passkey from /app/settings/profile. At sign-in, Face ID / Touch ID / Windows Hello / a hardware-key tap replaces your 6-digit code. TOTP and recovery codes still work as fallbacks.

  • New

    Findings calendar feed (iCalendar)

    Subscribe in Apple Calendar / Google Calendar / Outlook to see SLA due-dates alongside your other commitments. Auth via API key in the URL or the Authorization header; prefer the header wherever your calendar client supports it, since a key embedded in the URL ends up in server logs and wherever the subscription link gets pasted.

  • New

    Recent activity feed

    What changed lately across your org — audit-log entries, finding transitions, and integration syncs in one chronological view at /app/activity.

  • New

    Findings CSV + JSON export

    Stream every finding (respecting your current filter selection) as CSV or JSON. Click 'Export ▾' on the findings board. Useful for board reports and vCISO handoffs.

  • Polish

    Reliability hardening: 4 drift hotfixes + post-deploy audit

    Schema drift was caught and healed across 4 separate columns/tables (logo_data_url, cloudflare_*, compliance_state_changed_at, last_manual_sync_at). Worker memory bumped from 256MB to 512MB to stop an OOM crash loop. M365 sync lockDuration extended to 5 min. New post-deploy drift audit catches future regressions immediately instead of via customer 500s.

  • New

    Worker-health admin page

    Platform-admin diagnostic showing per-provider sync freshness, 24-hour run/error counts, and pointers at the deeper-diagnostic db-doctor actions. At /app/admin/worker-health.

  • New

    /help FAQ, /security trust page, /changelog

    Three new marketing surfaces: a structured FAQ at /help covering Getting started, Integrations, Security, Billing, and Troubleshooting; a public Trust Center at /security with hosting, data, auth, ops, and disclosure detail; and this changelog you're reading.

  • New

    Five new record builders: DKIM, MTA-STS, TLS-RPT, CAA, security.txt

    Five new bring-your-own-record tools alongside the existing SPF builder and DMARC validator. Each grades inputs tag-by-tag in plain English; no DNS lookup, no account.

  • New

    Manual sync button on every integration

    Tired of waiting an hour for the next scheduler tick? Owners now get a 'Sync now' button on each integration's settings page, with a 5-minute server-enforced cool-down.

  • Fix

    Site is up again

    Recovered from three separate prod outages today: missing logo_data_url column, missing cloudflare_* tables, and a crash-looping worker (tsconfig.json wasn't in the Docker runtime image). Schema is fully realigned via the new idempotent re-apply.

  • Polish

    Production runbook + drift audit + worker boot banner

    Three operations improvements that came out of today's incident response: a docs/RUNBOOK.md, a `pnpm db:audit-missing` script, and a stderr-first boot banner so the worker is never silent again.

  • New

    Industry benchmarks widget

    Your MFA / encryption / DMARC / endpoint-protection / patch-currency vs. industry medians sourced from Verizon DBIR, Microsoft Digital Defense, IBM X-Force, Coalition, and CISA. Set your industry on the profile page to see it.

  • New

    Webhook signing (HMAC-SHA256)

    Outgoing generic webhooks now carry X-SMB-Signature so receivers can verify the payload. Rotate the secret per-org from settings. Sample receiver included.

  • New

    Snyk integration

    Connect Snyk and we'll pull projects + vulnerabilities every hour. Critical-and-fixable findings become posture-affecting items on your Kanban board.

  • New

    Risk register with 180-day review reminders

    Mark a finding 'accepted' and we'll automatically remind you to review it after 180 days. No more accepted-and-forgotten risks rotting in your backlog.

  • New

    AWS, KnowBe4 integrations + compliance posture overview

    AWS pulls IAM users, S3 buckets, and GuardDuty findings. KnowBe4 pulls training completions + phishing-test results. New cross-framework posture summary unifies CMMC + SOC 2 + CSF status.

  • Polish

    Compliance assessments are now fun

    Progress bars, streak banners, sample-evidence illustrations for 102 controls across CMMC / SOC 2 / CSF, plus a 'Save & next' button. Compliance work shouldn't feel like the DMV.

  • Fix

    Login text was invisible

    The login/signup/MFA inputs were rendering text in white on a white autofill background. Added explicit text-foreground and a -webkit-autofill override across all inputs.