New Features & Enhancements
Client Split Tunnel Policy Supports FQDN-Based Apps: We enhanced the Split Tunnel Policy to use FQDN-based apps that Cato dynamically updates, simplifying policy maintenance. Show me the Split Tunnel page.
Clients route matching traffic directly to the Internet or through Cato
Supported from Windows Client v6.4 and higher
Manage Different Policy Changes in Separate Revisions: Admins can maintain multiple parallel policy revisions, allowing different policy changes to be developed independently. This enables smaller updates to be published while other changes remain in progress.
Switch between published and unpublished revisions
Initially available for Internet Firewall, WAN Firewall, and Private Access policies
Notify Action Supported for Application Control Policy: Application and Data Control rules support a Notify action that lets you discourage user activity rather than block it. If a user takes an action that matches this rule, the Client displays a custom notification. Users can dismiss the notification and continue their activity.
Customize notification templates (show me the User Notification page)
CASB license required
SNAT IP Range for Enterprise Browser and Browser Extension: Configure a dedicated SNAT IP range for Enterprise Browser and Browser Extension. This lets users access WAN applications that use existing IP-based ACLs, even when Cato is not the default gateway at the destination site.
Supported on all Enterprise Browser and Browser Extension versions
Device Posture Checks Support Lower Than Operator: Device Posture checks that include a version number support the Lower Than operator. This provides more flexibility when applying rules to devices running versions below a specified threshold.
Continuing Rollout for Near Real-Time Updates for Threat Prevention Stories: XOps Threat Prevention stories continue to be enhanced with near real-time updates, helping admins more quickly detect and respond to supported threat indications.
To see the list of enhanced story indications, see here
XOps license required
Defender for Endpoint XOps Connector Supports Additional Licenses: The Microsoft Defender for Endpoint XOps connector supports these additional Microsoft licenses:
Now supported:
Microsoft Defender for Endpoint Plan 2
Microsoft 365 E5 or Microsoft 365 E5 Security
Microsoft 365 A5 (Education) or Microsoft 365 G5 (Government)
Windows 11 Enterprise E5
Previously supported for Microsoft 365 E3 or higher
Cato XOps license required
Simplified AI Gateway Integration: During the week of July 13, 2026, AI Gateway configuration will become part of the Guards page. Create a single AI Gateway Guard to generate the authorization key and configure your integration, instead of the previous two-step process.
AI Security Guards of type AI Gateway are now called Homegrown Apps
Existing AI Gateway configurations are migrated automatically
For more information about what has changed, see our FAQ
AI Security for Applications license required
Granular Claude Plan Detection for User Interaction Policy: Apply different rules for the AI Security User Interaction Policy based on whether users access personal or enterprise Claude environments.
Use Claude Free and Claude for Business as separate applications
AI Security for Users license required
Automatic Migration to Account-Level Bypass Policy: To help transition to the account-level Socket bypass policy, we are automatically migrating eligible site-level bypass policies to the account-level policy.
Applies to sites running Socket v26 and higher
Sites running earlier Socket versions are not eligible for automatic migration
The site-level bypass policy will be deprecated from accounts that migrate to the account-level policy
Expanded Webhook Fields: Webhook notifications now include a significantly richer set of fields, giving security teams more data to build complete, actionable payloads for SIEM and SOAR platforms.
New security and network event fields follow the same naming conventions as the Events API, making correlation seamless
No impact on existing webhook integrations
Updates for Cato Terraform Provider: We released new versions for the Cato Terraform module, including:
v0.0.90
Stabilized WAN interface hydration
v0.0.88
Support for Application Control and CASB resources for tenant restriction and application controls (e.g
cato_app_tenant_restriction_rule)
v0.0.87
Support for global IP ranges (
cato_global_ip_ranges)Regression tests
Bug fixes and enhancements
Read more in the changelog
Starting Rollout of Socket v26.0.23517: We are starting to gradually roll out Socket version 26.0.23517 to all customers, including enhancements and bug fixes. No customer action is required.
PoP Announcements
Detroit, US: A new range (199.27.55.0/24) is now available for the Detroit PoP location.
The following new ranges will soon be available:
Melbourne, AU: 113.30.140.0/24
Paris, FR: 159.117.247.0/24
Tel Aviv, IL: 159.117.246.0/24
Note: Content described in this update is gradually rolled out to the Cato PoPs over a two-week period. In addition, new features are gradually activated in the Cato Management Application over the same two-week rollout period as the PoPs. For more information, see this article. See the Cato Status Page for more information about the planned maintenance schedule.