New Features & Enhancements
Client Rollout Pilot Users Supports User Groups: Simplify Client upgrades by adding user groups to the Pilot Users list, such as Pilot Users or IT. This helps you manage controlled rollouts more efficiently without adding users individually.
Custom Default Values for Webhook Fields: Custom webhooks let you send Cato events to external systems using configurable URLs, headers, and payloads. Define a custom default value instead of using NA, helping ensure compatibility with external systems that require specific formats or values.
Override default values for dynamic fields in webhook URLs, payloads, and headers
Use the *$ {field:defaultValue} * format to define the default values
Cato Splunk TA Supports Splunk Enterprise Integration and CIM: Seamlessly integrate Cato event data with Splunk Technology Add-on (TA) using CIM-compliant normalization.
Supports key Splunk CIM data models, including: Network Traffic, Intrusion Detection, DNS, Web, Authentication, Malware, and Change
Enables immediate use of out-of-the-box Splunk ES dashboards and detection content across network, security, and user activity domains
Works with Splunk Enterprise Security (ES) environments, including deployments with content packs such as ESCU, without requiring additional customization
Enhanced Behavior for Muted XOps Stories: Muted stories generated by the Threat Prevention and Threat Hunting engines are now visible in the Cato Management Application with a mute flag. This enhancement gives teams better visibility into muted activity while keeping the Stories Workbench focused on relevant items.
SLA Thresholds for Active/Active Socket Links: Define granular SLA thresholds for each Socket link in active/active site configurations for scenarios that require custom thresholds.
Previously, custom SLA thresholds were only available for active/passive Socket site configurations
Supported from Socket v25 and higher
Identify Office Users with User Awareness: User Awareness was extended to users working in the office without assigning them a ZTNA license. This improves accuracy for identity-based policies and user attribution in DEM, and supports all IdPs.
Supported from Windows Client v5.18 and macOS Client v5.11
Failed authentication events now use the Authenticated sub-type with a fail status, replacing connected with a fail status.
Posture Compliance Report: A new report maps compliance controls from leading compliance frameworks, including GDPR, ISO 27001:2022, and NIST SP 800-53 Rev. 5 to the relevant Cato posture checks. This helps you understand compliance coverage, identify gaps, and prioritize remediation based on the impact and status of each check.
PoP Announcements
These are the new ranges that are now available for the PoP locations:
Amsterdam, NL: 159.117.241.0/24
New York City, US: 199.27.50.0/24
Paris, FR: 159.117.240.0/24
Security Updates
Apps Catalog
View more details about apps in the Apps Catalog.
New Apps: 2 new apps (Cato Proxy, Perplexity Computer)
Enhanced Apps:
Amity
Modified name from Convolab to Amity
Added domain amity.co
Claude
Added domain claudemcpcontent.com
Google Ads
Updated app domains
Category Changes:
Business Operations AI:
Removed apps: 15Th Rock, 5W Strategists
Generative AI Tools:
Removed apps: 15Th Rock, 5W Strategists, Activ-Al
Healthcare AI:
Removed app: Activ-Al
IPS Signatures
View more details about the IPS signatures and protections in the Threats Catalog.
CVE-2021-2135 (New)
CVE-2021-21805 (New)
CVE-2022-38130 (Enhancement)
CVE-2025-71260 (New)
CVE-2026-21902 (New)
CVE-2026-24294 (New)
CVE-2026-25892 (New)
CVE-2026-27971 (New)
CVE-2026-29014 (New)
CVE-2026-34156 (New)
Scanners - Modbus Scanner | Read Holding Registers (New)
Scanners - Modbus Scanner | Write Multiple Holding Registers (New)
Scanners - SMB Anonymous Login Scans (New)
SAM Signatures
These protections were added to the SAM service:
OpenClaw Agent Download from Raw Github User Content (New)
OpenClaw Agent Searching GitHub via API (New)
Suspicious VSCode Extension Download (New)
OpenClaw Slack Bot Communication (New)
XDR Indications of Attack
Anomaly Detection
First Occurrence of Scheduled Task Romotley Added (New)
Spike in Non-Compliant Devices (New)
Device Inventory
These are the updates to the Device Inventory detection engine:
Video Conferencing
Logitech
Logitech Tap IP (New)
Logitech RoomMate (New)
IP Camera
Verkada (Enhancement)
Application Control Via API and Data Protection API Integrations
These enhancements were made for Application Control Via API
Atlassian
Anomalies (Enhancement)
Azure AD
Third Party Apps (Enhancement)
Box
Activity (Enhancement)
ChatGPT
Activity (Enhancement)
DocuSign
Anomalies (Enhancement)
Dropbox
Activity (Enhancement)
Anomalies (Enhancement)
GitHub
Anomalies (Enhancement)
Google Apps
Activity (Enhancement)
Anomalies (Enhancement)
Microsoft General
Activity (Enhancement)
Anomalies (Enhancement)
Microsoft Exchange
Activity (Enhancement)
Anomalies (Enhancement)
Salesforce
Activity (Enhancement)
Third Party Apps (Enhancement)
SharePoint
Activity (Enhancement)
Slack
Activity (Enhancement)
Anomalies (Enhancement)
Third Party Apps (Enhancement)
Snyk
Anomalies (Enhancement)
Workday
Activity (Enhancement)
Zoom
Experience (Enhancement)
Note:
Content described in this update is gradually rolled out to the Cato PoPs over a two-week period. In addition, new features are gradually activated in the Cato Management Application over the same two-week rollout period as the PoPs. For more information, see this article. See the Cato Status Page for more information about the planned maintenance schedule.