What's next on the platform.
The themes below are in active build on our near-term roadmap. We sequence, scope, and ship them on a bi-weekly cadence. This is the narrative view — for the same pipeline on a horizon-based timeline, see the roadmap. When any of these themes goes live, it moves to the release notes.
Native SIEM integration for the three most common SIEM platforms
First-class SIEM connectors replace the generic-webhook integration path. Each supports native event shape, per-tenant endpoints, and a durable retry queue with manual replay.
Multi-vendor attachment sandbox + expanded threat-intel integrations + cross-MSP reputation
Multi-vendor attachment detonation goes live, additional commercial threat-intel providers join the detection fan-out, and opt-in cross-MSP vendor reputation launches as a privacy-preserving intelligence network.
Identity × Email — risk-signal bridge, auto-session-revocation, and Google Workspace coverage
The seam between email security and identity security closes. When an identity-provider risk signal fires on a user, our email detection adapts in real time. Auto session revocation deterministically contains consensus-malicious outbound. Google Workspace joins Microsoft Entra as a supported identity source.
Browser isolation as a dedicated verdict tier — commercial and open-source options
A third verdict tier sits between ALLOW and BLOCK: ISOLATE. Suspicious-but-not-definitive URLs open in a sandboxed browser session. Customers choose between a commercial isolation platform and a self-hostable open-source option. The tier ships with signed single-use redirect URLs, session recording with a 30-day POPIA-compliant purge, and a non-spoofable interstitial.
Elite Threat Detection add-on — backend and data-plane ready, runtime rollout starts
Elite Threat Detection opens as a per-seat add-on for Fortress-tier customers. The detection-pipeline hooks, the session / recording data-plane, the retro-hunt API, and the explainable-verdict API are all live. Customer-visible runtime for the browser-isolation and attachment-detonation backends rolls out region by region as the underlying infrastructure is provisioned.
Cross-feature detection rules — combined signals across identity, DLP, and email intent
Nine named detection rules combine signals across our identity, DLP, breach-intelligence, DMARC, behavioural-BEC, and thread-analysis layers. Combined signals carry more weight than any single engine, because joint false-positive rates are lower. Each rule is individually toggleable per tenant and has its own false-positive tracking.
Platform Operations Overview + default observability dashboards + DLP and SIEM admin views
Every metric that matters, visible to customers in real time. A new Admin Operations Overview aggregates detector health, verdict volume, DLP incidents, cross-feature rule fire rate, and more. Default observability dashboards ship alongside, DLP Incident and SIEM retry-queue admin views land, and a per-tenant sidecar-health widget joins the SOC Dashboard.