{"id":42651,"date":"2025-10-27T10:13:25","date_gmt":"2025-10-27T04:43:25","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=42651"},"modified":"2026-01-13T00:00:13","modified_gmt":"2026-01-12T18:30:13","slug":"autumn-2026-product-updates-whats-new-at-astra-security","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/astra-product\/autumn-2026-product-updates-whats-new-at-astra-security\/","title":{"rendered":"Autumn 2025 Product Updates: What\u2019s New at Astra Security"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Security reviews are changing. More buyers want live, verifiable proof of your security posture and not a static PDF that changes by dawn. Astra <a href=\"https:\/\/www.getastra.com\/blog\/compliance\/astra-trust-center\/\">Trust Center<\/a> helps teams answer due diligence questions upfront, cutting back-and-forth questionnaires and keeping deals moving.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At the same time, attackers aren\u2019t getting more creative, just more effective. The 2025 Verizon DBIR found that <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\" target=\"_blank\" rel=\"noopener\">88%<\/a> of Basic Web Application Attacks involved stolen credentials. In other words, authentication and access control remain the front door. That mirrors long-running guidance from OWASP, where Broken Access Control tops the risk list and appears in <a href=\"https:\/\/owasp.org\/Top10\/A01_2021-Broken_Access_Control\" target=\"_blank\" rel=\"noopener\">94%<\/a> of tested applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also, observability is already part of your day-to-day. As teams lean on OpenTelemetry for traces, metrics, and logs, we\u2019ve made sure security becomes a part of it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s the backdrop for this release. 
Everything we\u2019ve shipped this season pushes in three directions: first, proving trust continuously with a modern Trust Center that gives buyers real-time assurance; second, expanding real-world coverage through custom login scripts that handle MFA and complex flows, clearer connectivity insights, and smarter rescans and scheduling that mirror how teams actually work; and third, meeting you where you are by ingesting API traffic via OpenTelemetry, adding faster self-serve controls, and polishing the UI so everyday tasks take fewer clicks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong>Trust center launch<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"640\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png\" alt=\"\" class=\"wp-image-42657\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png 2048w, \/cdn-cgi\/image\/width=1536,height=480,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png 1536w\" sizes=\"auto, (max-width: 2048px) 100vw, 2048px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Security reviews drag on when buyers get static PDFs and partial context, forcing long questionnaire cycles and repeated evidence-sharing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>We launched a <strong>Trust Center<\/strong> that stays up to date automatically. It shows live security posture, pentest results, and compliance status. You can put a Dynamic Trust Seal on your website, decks, or emails that links straight to your Trust Center. 
You can fully brand it (logo, colors) and control what\u2019s visible (posture, assessments, compliance, APIs, FAQs).&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>Buyers and partners get real-time confidence in your security, and you spend less time answering repetitive questionnaires. Deals move faster because the proof is public and current.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Custom login scripts for web scans<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1274\" height=\"530\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/e8bda0fd-image.png\" alt=\"\" class=\"wp-image-42658\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Automated scans often stopped at the login screen, especially with TOTP MFA, email magic links, or pop-up-based logins. That left essential parts of your app untested.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>We added <strong>scriptable logins<\/strong> with conditional steps, try\/catch, and a small coding interface so you can teach the scanner exactly how to log in, even through MFA and tricky flows.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>Scans actually reach the parts of your app that matter. Coverage increases, manual workarounds decrease, and results align with real user paths.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
OpenTelemetry SDK instrumentation (API security platform)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Getting real API traffic into a security tool often meant building separate collectors or pipelines, which took time and maintenance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>We now ingest API traffic via OpenTelemetry. If your apps already emit traces (Python, Node.js, Go, Java), you can route them through your existing OTel pipeline, and we\u2019ll turn that stream into security insights.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<br><\/strong>Faster onboarding to API security, fewer moving parts, and visibility that fits into the observability stack you already run.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Connectivity check failure insights<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1268\" height=\"540\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/742a3fe9-image.png\" alt=\"\" class=\"wp-image-42653\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>When a connectivity check failed, you only saw a generic error. It wasn\u2019t obvious what broke or how to fix it, which slowed down scans and created support back-and-forth.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>Connectivity checks now surface <strong>actionable diagnostics<\/strong> and <strong>guided troubleshooting<\/strong>. Instead of a dead-end error, you\u2019ll see what failed (DNS, TLS, headers, authentication, allowlisting, etc.) 
and the exact next steps to resolve it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>You can fix most issues yourself in minutes, keep scans moving, and avoid waiting on a support thread.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What You\u2019ll See Now<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Root cause at a glance:<\/strong> Clear reason for the failure (for example, DNS resolution, certificate mismatch, blocked IP, invalid credentials).<\/li>\n\n\n\n<li><strong>Step-by-step guidance:<\/strong> Targeted instructions mapped to each failure type.<\/li>\n\n\n\n<li><strong>Owner vs. Platform actions:<\/strong> A quick indicator of whether the fix is on your side (configuration\/allowlist) or ours.<\/li>\n\n\n\n<li><strong>Faster recovery:<\/strong> Retry from the same screen once you\u2019ve applied the fix.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5. Scheduling &amp; workflow improvements<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Scheduling manual pentests for iOS, Android, and \u201cOther\u201d assets was not available earlier. Bulk target selection was slow, and teams sometimes needed to start a crawl immediately but couldn\u2019t override preconditions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>From the Start Scan flow, you can now schedule manual pentests for iOS, Android, and Other assets (automated scans remain off for these). 
We added Shift+Click in the target selector for fast multi-select, and a Force-Start Crawl option to begin crawling when you decide it\u2019s appropriate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>One place to schedule across asset types, quicker setup with bulk selection, and the flexibility to kick off crawls on your timeline, reducing handoffs and keeping work moving.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Plan management &amp; subscription clarity<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1282\" height=\"544\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/4400bb4f-image.png\" alt=\"\" class=\"wp-image-42654\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Changing plans or understanding what a plan includes often meant extra steps. People also struggled to find the right subscription from a target, and collapsed plan cards hid key details during checkout.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>You can now change plans directly from Subscriptions, and each target shows its active plan with a link that opens the subscription page already filtered to the right one. 
During checkout, selecting a plan automatically expands its details so nothing is hidden, status tooltips explain paused\/canceled\/deleted states, the Agency (Monthly) plan is visible, and an info tooltip clarifies offline subscription pricing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>You can change plans without support, see exactly what you\u2019re buying, and jump straight from a target to the right subscription, saving time and avoiding confusion.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. Navigation &amp; visibility improvements<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1268\" height=\"540\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/742a3fe9-image.png\" alt=\"\" class=\"wp-image-42652\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>It took too many clicks to reach the right context. Scan names weren\u2019t always obvious, invites were hard to review in bulk, and it wasn\u2019t clear who owned a workspace or when a rescan would expire.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>The Start Scan sheet now highlights your scan name with the target name as supporting text, and the scan name links straight to its details page. When inviting multiple users, all email addresses are visible before sending. 
You can open any target\u2019s settings directly from the workspace selector, the login-recording step appears in the progress bar for automated crawl scans, rescan validity is shown more prominently on the Pentest List page, and the workspace selector displays the owner\u2019s email so responsibility is clear.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>Fewer clicks, fewer mistakes, faster onboarding for teammates, and better visibility into scan states and ownership.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8. Findings, reporting &amp; target setup<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"799\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/961ba4b9-image.png\" alt=\"\" class=\"wp-image-42659\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/961ba4b9-image.png 1600w, \/cdn-cgi\/image\/width=1536,height=767,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/961ba4b9-image.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Important items were sometimes buried in lists, tables felt dense, and some report details needed to better match compliance expectations. API target setup also had one step too many.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>Findings are now sorted by severity first, then risk score, then recency, and the findings table has cleaner alignment and interactions. Final reports include CREST and PCI logos for clearer compliance signaling. 
API target setup is simpler because the Base URL step is merged into the main target URL field, and the false-positive flow is more precise; marking a false positive requires a reason, and the dialog explains scan exclusion.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<br><\/strong>You focus on what matters first, reports look audit-ready, API target setup is faster, and false-positive handling drives better signal quality.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. Open synced Jira tickets from findings<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"640\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png\" alt=\"\" class=\"wp-image-42656\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png 2048w, \/cdn-cgi\/image\/width=1536,height=480,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ad869916-image.png 1536w\" sizes=\"auto, (max-width: 2048px) 100vw, 2048px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Jumping from a security finding to its corresponding Jira ticket took too many clicks. People had to copy IDs, search inside Jira, and then hunt for the right issue, which slowed triage and handoffs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>A new Open in Jira action appears wherever you review findings. 
From the findings table or the findings\u2019 details view, you can open the already-synced Jira issue in one click.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>Triage is faster, ownership is clearer, and handoffs are smoother. Security can move directly from evidence to the exact work item, and engineering lands on the right ticket every time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10. Scan cancellation &amp; run transparency<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"538\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/10\/ea97cd2e-image.png\" alt=\"\" class=\"wp-image-42655\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Problem<\/strong><strong><br><\/strong>Cancellations weren\u2019t self-explanatory, and teams needed clearer context during long-running scans.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Solution<\/strong><strong><br><\/strong>Canceled runs now display the reason, so you immediately know what happened, and the login-recording side sheet shows descriptive messaging when SBL checks fail, so it\u2019s clear how to fix setup issues.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Impact<\/strong><strong><br><\/strong>You understand interruptions right away and can correct setup problems without guesswork.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Whats_next\"><\/span>What\u2019s next<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Looking ahead, we\u2019re keeping things simple: prove trust, widen coverage, and help you move faster. 
You\u2019ll be able to put your Trust Center on a custom domain (for example, trust.yourcompany.com) so it feels like part of your site. You\u2019ll also be able to buy and activate Cloud inside the product (enterprise plans will still go through sales). We\u2019re redesigning the Home page to be cleaner and more useful, with small, clear widgets that highlight what needs attention. On compliance, we\u2019re adding mappings to PCI, DORA, and NIST 2, and we\u2019re building compliance-based reports for SOC 2, HIPAA, and ISO 27001 to make audits easier. Detection is getting stronger across the board: better broken access control checks for APIs, DAST improvements that find more API-specific issues, and threat model scans that fit your type of application. Finally, we\u2019re adding secret leak detection in CI\/CD (opt-in) and continuing to improve our AWS cloud security rules.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security reviews are changing. More buyers want live, verifiable proof of your security posture and not a static PDF that changes by dawn. Astra Trust Center helps teams answer due diligence questions upfront, cutting back-and-forth questionnaires and keeping deals moving. At the same time, attackers aren\u2019t getting more creative, just more effective. 
The 2025 Verizon &#8230; <a title=\"Autumn 2025 Product Updates: What\u2019s New at Astra Security\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/astra-product\/autumn-2026-product-updates-whats-new-at-astra-security\/\" aria-label=\"Read more about Autumn 2025 Product Updates: What\u2019s New at Astra Security\">Read more<\/a><\/p>\n","protected":false},"author":124,"featured_media":42660,"comment_status":"open","ping_status":"0","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[58],"tags":[],"class_list":["post-42651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-astra-product"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/42651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=42651"}],"version-history":[{"count":5,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/42651\/revisions"}],"predecessor-version":[{"id":44784,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/42651\/revisions\/44784"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/42660"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=42651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=42651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=42651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}