FIG. 15 Changelog

What we shipped. When.

Every release of the platform and the agent, with customer-visible notes. RSS at ironcastle.io/changelog.rss. Slack feed available on Keep and Citadel.

v0.1.17 12 May 2026 Agent · macOS

Tamper resistance landed

  • NEW LaunchDaemon KeepAlive=true — agent respawns within 1-2 seconds of any kill attempt.
  • NEW Watchdog heartbeat goroutine — exits the agent if telemetry stalls > 30s, forcing a clean respawn.
  • DETECTION New event agent.tamper_attempt fires on detected pkill, launchctl unload, plist deletion. Creates critical incident with attacker PID + cmd.
  • SECURITY Auto-isolate triggered if tamperer is non-root non-admin.

Platform · Sprint 4 11 May 2026 Collector + Portal

Auto-response cascade + AI Guardian

  • NEW AI Guardian — latest frontier models with cached context read every fired incident, assign MITRE technique, and recommend action in plain English.
  • NEW Auto-cascade: kill / quarantine / blocklist / isolate, queued automatically on critical detection. 7-minute median containment.
  • NEW "What we did for you" transparency panel on customer portal — every analyst and AI action logged with timestamp + actor.
  • NEW AUTO-CONTAINED badges in SOC analyst queue.
  • NEW Forensic snapshot capture (process tree + sockets + kexts + system metadata) on every critical incident.
  • FIX Security score endpoint latency 57s → 0.31s (denormalised daily snapshot table).

v0.1.16 11 May 2026 Agent · macOS

YARA scanning is live

  • NEW On-device YARA scan for every non-Apple-signed process on spawn. libyara 0.32.
  • NEW Signed rule pack distribution. Ed25519-signed; agent verifies signature before compile.
  • DETECTION Catches Mimikatz, EICAR test rule. Full Florian Roth pack pending compile-then-bisect work.
  • FIX Use proc_pidpath for absolute exec path (replaces truncated ps comm=).
  • FIX Per-process SHA256 cache so repeat spawns of the same binary don't re-scan.

v0.1.15 10 May 2026 Agent · macOS

Self-update reliability

  • FIX v0.1.14 decode regression (base64 + signature verify race). Forced update via manifest.
  • NEW Self-update progress events stream to portal for visibility.

Platform · Sprint 3 10 May 2026 Collector + Portal

Make alerts actionable

  • NEW Sigma engine in production with field-level matching. ~9 macOS detection rules.
  • NEW Process kill with PID-reuse defence (process-start timestamp comparison).
  • NEW File quarantine + per-tenant SHA256 blocklist. Auto-block on re-execution.
  • NEW Threat intel cascade — MalwareBazaar + AlienVault OTX hash/IP matching.
  • NEW SOC analyst queue with SLA tracking.
  • NEW Resend-powered incident emails on critical/high.

Platform · Sprint 2 9 May 2026 Collector

Detection foundations

  • NEW Event ingestion pipeline with ClickHouse-backed storage, 90-day retention.
  • NEW Network isolation (pf-based, IPv6-aware Cloudflare allowlist).
  • NEW Multi-tenant architecture: super admin → partner → tenant with row-level isolation.
  • SECURITY RLS enforcement on every table. qual: true banned by lint.

Want machine-readable releases? RSS feed at ironcastle.io/changelog.rss · JSON feed available on request.
