Documentation Index

Fetch the complete documentation index at: https://knowledge.catonetworks.com/llms.txt

Use this file to discover all available pages before exploring further.

Product Updates - April 13, 2026

Prev Next

New Features & Enhancements

  • Client Rollout Pilot Users Supports User Groups: Simplify Client upgrades by adding user groups to the Pilot Users list, such as Pilot Users or IT. This helps you manage controlled rollouts more efficiently without adding users individually.

  • Custom Default Values for Webhook Fields: Custom webhooks let you send Cato events to external systems using configurable URLs, headers, and payloads. Define a custom default value instead of using NA, helping ensure compatibility with external systems that require specific formats or values.

    • Override default values for dynamic fields in webhook URLs, payloads, and headers

    • Use the *$ {field:defaultValue} * format to define the default values

  • Cato Splunk TA Supports Splunk Enterprise Integration and CIM: Seamlessly integrate Cato event data with Splunk Technology Add-on (TA) using CIM-compliant normalization.

    • Supports key Splunk CIM data models, including: Network Traffic, Intrusion Detection, DNS, Web, Authentication, Malware, and Change

    • Enables immediate use of out-of-the-box Splunk ES dashboards and detection content across network, security, and user activity domains

    • Works with Splunk Enterprise Security (ES) environments, including deployments with content packs such as ESCU, without requiring additional customization

  • Enhanced Behavior for Muted XOps Stories: Muted stories generated by the Threat Prevention and Threat Hunting engines are now visible in the Cato Management Application with a mute flag. This enhancement gives teams better visibility into muted activity while keeping the Stories Workbench focused on relevant items.

  • SLA Thresholds for Active/Active Socket Links: Define granular SLA thresholds for each Socket link in active/active site configurations for scenarios that require custom thresholds.

    • Previously, custom SLA thresholds were only available for active/passive Socket site configurations

    • Supported from Socket v25 and higher

  • Identify Office Users with User Awareness: User Awareness was extended to users working in the office without assigning them a ZTNA license. This improves accuracy for identity-based policies and user attribution in DEM, and supports all IdPs.

    • Supported from Windows Client v5.18 and macOS Client v5.11

    • Failed authentication events now use the Authenticated sub-type with a fail status, replacing connected with a fail status.

  • Posture Compliance Report: A new report maps compliance controls from leading compliance frameworks, including GDPR, ISO 27001:2022, and NIST SP 800-53 Rev. 5 to the relevant Cato posture checks. This helps you understand compliance coverage, identify gaps, and prioritize remediation based on the impact and status of each check.

PoP Announcements

  • These are the new ranges that are now available for the PoP locations:

    • Amsterdam, NL: 159.117.241.0/24

    • New York City, US: 199.27.50.0/24

    • Paris, FR: 159.117.240.0/24

Security Updates

  • Apps Catalog

    View more details about apps in the Apps Catalog.

    • New Apps: 2 new apps (Cato Proxy, Perplexity Computer)

    • Enhanced Apps:

      • Amity

        • Modified name from Convolab to Amity

        • Added domain amity.co

      • Claude

        • Added domain claudemcpcontent.com

      • Google Ads

        • Updated app domains

    • Category Changes:

      • Business Operations AI:

        • Removed apps: 15Th Rock, 5W Strategists

      • Generative AI Tools:

        • Removed apps: 15Th Rock, 5W Strategists, Activ-Al

      • Healthcare AI:

        • Removed app: Activ-Al

  • IPS Signatures

    View more details about the IPS signatures and protections in the Threats Catalog.

    • CVE-2021-2135 (New)

    • CVE-2021-21805 (New)

    • CVE-2022-38130 (Enhancement)

    • CVE-2025-71260 (New)

    • CVE-2026-21902 (New)

    • CVE-2026-24294 (New)

    • CVE-2026-25892 (New)

    • CVE-2026-27971 (New)

    • CVE-2026-29014 (New)

    • CVE-2026-34156 (New)

    • Scanners - Modbus Scanner | Read Holding Registers (New)

    • Scanners - Modbus Scanner | Write Multiple Holding Registers (New)

    • Scanners - SMB Anonymous Login Scans (New)

  • SAM Signatures

    These protections were added to the SAM service:

    • OpenClaw Agent Download from Raw Github User Content (New)

    • OpenClaw Agent Searching GitHub via API (New)

    • Suspicious VSCode Extension Download (New)

    • OpenClaw Slack Bot Communication (New)

  • XDR Indications of Attack

    • Anomaly Detection

      • First Occurrence of Scheduled Task Romotley Added (New)

      • Spike in Non-Compliant Devices (New)

  • Device Inventory

    These are the updates to the Device Inventory detection engine:

    • Video Conferencing

      • Logitech

        • Logitech Tap IP (New)

        • Logitech RoomMate (New)

    • IP Camera

      • Verkada (Enhancement)

  • Application Control Via API and Data Protection API Integrations

    These enhancements were made for Application Control Via API

    • Atlassian

      • Anomalies (Enhancement)

    • Azure AD

      • Third Party Apps (Enhancement)

    • Box

      • Activity (Enhancement)

    • ChatGPT

      • Activity (Enhancement)

    • DocuSign

      • Anomalies (Enhancement)

    • Dropbox

      • Activity (Enhancement)

      • Anomalies (Enhancement)

    • GitHub

      • Anomalies (Enhancement)

    • Google Apps

      • Activity (Enhancement)

      • Anomalies (Enhancement)

    • Microsoft General

      • Activity (Enhancement)

      • Anomalies (Enhancement)

    • Microsoft Exchange

      • Activity (Enhancement)

      • Anomalies (Enhancement)

    • Salesforce

      • Activity (Enhancement)

      • Third Party Apps (Enhancement)

    • SharePoint

      • Activity (Enhancement)

    • Slack

      • Activity (Enhancement)

      • Anomalies (Enhancement)

      • Third Party Apps (Enhancement)

    • Snyk

      • Anomalies (Enhancement)

    • Workday

      • Activity (Enhancement)

    • Zoom

      • Experience (Enhancement)

Note:

Content described in this update is gradually rolled out to the Cato PoPs over a two-week period. In addition, new features are gradually activated in the Cato Management Application over the same two-week rollout period as the PoPs. For more information, see this article. See the Cato Status Page for more information about the planned maintenance schedule.