February 2026
RAMP embedding supplement: encryption
Encryption findings are often overrated. The Risk Assessment Management Procedure (RAMP) embedding supplement now provides guidance on scoring them:
- The majority of data attacks occur via legitimate application channels (credential theft, SQL injection, etc.), so encryption-at-rest status is rarely the relevant control. Likelihood is typically unlikely or possible.
- Encryption-at-rest failures rarely correspond to key controls.
- Weak cipher vulnerabilities rarely contribute to actual incidents. Likelihood is typically unlikely or possible, with impact medium or high.
RAMP embedding supplement: resiliency, disaster recovery, business continuity
Recovery objective findings are frequently overrated by auditors. Updated guidance:
- These findings generally map to the Sabotage and Extortion Threat Objectives.
- Likelihood of exploitation is typically possible, since exploitation depends on a disruptive attack occurring first.
- Impact varies — severe if the system is unrecoverable, high or medium for delayed recovery.
Assign Threat Objectives with AI scoring
AI now suggests Threat Objectives for unpopulated fields and includes the reasoning behind each assigned value. Pre-assigned values are preserved — AI does not overwrite user input. Available for both risks and incidents.
Description field updates
The Description field now supports pasting directly from tables while preserving column and row formatting. This makes information from integration sources easier to organize and improves the presentation of risk and incident details.
WatchTowr integration
Real-time, asynchronous data flow that syncs WatchTowr findings into the Risk Register. Enable it under Settings > Integrations by providing your tenant URL and API token.
Field defaults
- Source: Attack Surface Monitoring
- Type: Configuration
- Opened By: WatchTowr Integration
Behavior
- One-way ingest from WatchTowr.
- New findings are automatically synced; subsequent WatchTowr updates are reflected on the corresponding risk.
- Changes made in Adversarial do not flow back to WatchTowr.
- Findings are pulled from the Findings endpoint; hunts are excluded.
- Low severity findings are excluded.
Status mapping
| WatchTowr status | Adversarial status |
|---|---|
| Confirmed / Unconfirmed | New (Discovered Date set from Date Identified) |
| Remediated / Closed | Closure Proposed |
| Risk Accepted / Asset no longer tracked | Closed |
GreyMatter integration
Real-time, asynchronous incident data flow from GreyMatter to the Incident Register. Enable it under Settings > Integrations (requires read permissions on incidents).
Field defaults
- Source: SIEM
- Title: Ticket number plus detail
- Opened By: GreyMatter Integration
Behavior
- One-way ingest. Incidents in GreyMatter’s “New” status are excluded to prevent duplication.
- Brings ticket number, close notes, and pertinent dates.
- Records are created with no severity assigned — score them manually or via AI Score.
- Changes made in Adversarial do not flow back to GreyMatter; GreyMatter field changes flow into Adversarial.
Status mapping
| GreyMatter status | Adversarial status |
|---|---|
| Accepted | New |
| Remediation | In progress |
| Resolved | Review |
| Rejected | Closed |
Link risks to incidents
You can now link an existing incident directly from a risk entry. Previously, this could only be done from the Incidents page.
Data load templates
Data load templates have been updated with the default dropdown values available in the platform.