March 2026
Auto-scoring for integration-created risks and incidents
Organizations can now turn on automatic scoring for risks and incidents ingested through integrations. When enabled:
- The platform automatically sets Urgency and Threat Objectives for risks, and Severity and Threat Objectives for incidents.
- Analysis reasoning is captured for each scored field.
- Records that are already closed in the source system are created in a closed state in Adversarial.
- Users can manually override any auto-scored value at any time.
- Subsequent changes in the source system are reflected on the next sync.
Auto-scoring uses the same scoring inputs, procedures, and supplemental embeddings as the manual and bulk scoring workflows.
False positive detection for incident scoring
The Cyber Incident Management Procedure (CIRP) embedding supplement now includes guidance for identifying false positive incidents, which are scored as SEV5. Indicators include:
- Confirmed authorized behavior or legitimate business activity
- Authorized software agents or IT administrator actions
- Activity from legitimate vulnerability scanners
- Source-system language such as “anomalous”, “benign”, or “ANOMALOUS_SAFE”
Organization-level notifications via Slack and Teams
Organizations can now route notifications to a designated channel in Microsoft Teams or Slack.
Microsoft Teams
- Create a channel in Teams to receive notifications.
- Configure a webhook using the Send webhook alerts to a channel workflow and generate a webhook URL.
- In Adversarial, go to Settings > Integrations and enter the channel name and webhook URL.
- Configure organization-level notification preferences in Settings.
Slack
- Create a Slack channel to receive notifications.
- Build a new Slack app from scratch in your workspace and enable Incoming Webhooks.
- Create a webhook for the designated channel and copy the webhook URL.
- In Adversarial, go to Settings > Integrations and enter the webhook URL.
- Configure organization notification preferences in Settings.
Wiz integration: 1:1 refactor
Each Wiz issue now maps to an individual risk (RSK) instead of being combined with other issues. This enables tracking at the issue level, independent lifecycle progression, and a more accurate view of remediation velocity.
- Lifecycle synchronization prevents backward progression — risks already in Urgency Proposed never regress to New.
- Resolved issues advance to Closure Proposed. If an issue reappears after closure, a new risk is created.
- Issues with informational severity are excluded from import.
Risk Description contents
- Rule description
- Projects (with business unit notation)
- Resource details: name, type, cloud platform, region, subscription, cluster/namespace
- Resource tags as key-value pairs
- Resolution context for resolved or rejected issues
- Service tickets linking to external systems
- Analyst notes with author and timestamp
- Direct links to the rule definition and the Wiz console
Date mapping
| Adversarial field | Wiz source |
|---|---|
| Discovered Date | Issue created date |
| Closed Date | Resolved date (Resolved and non-Exception Rejected) |
| Expected Date | Rejection expiry (Exception rejections only) |
Status mapping
| Wiz status | Adversarial status |
|---|---|
| Open | New |
| In Progress | Remediation |
| Resolved (object deleted) | Closed |
| Resolved (other reasons) | Closure Proposed |
| Rejected (exception) | Remediation (with expiry as Expected Date) |
| Rejected (non-exception) | Closed |
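An added example, not Adversarial's or Wiz's code, that models the sync rules and the two mapping tables above so expected register states can be checked offline. The lifecycle order, the `reason` field, the dict keys and the reading of "reappears" are assumptions, not the product's schema.

```python
# Assumed lifecycle order: the page names these states and says risks never move backward.
LIFECYCLE = ["New", "Urgency Proposed", "Remediation", "Closure Proposed", "Closed"]

def map_status(status, reason=None):
    """Status mapping table; `reason` is a hypothetical field for the parenthesised qualifier."""
    if status == "Open":
        return "New"
    if status == "In Progress":
        return "Remediation"
    if status == "Resolved":
        return "Closed" if reason == "object deleted" else "Closure Proposed"
    if status == "Rejected":
        return "Remediation" if reason == "exception" else "Closed"
    raise ValueError(f"unmapped Wiz status: {status!r}")

def map_dates(issue):
    """Date mapping table, applied to a constructed issue dict."""
    exception = issue["status"] == "Rejected" and issue.get("reason") == "exception"
    closed = issue["status"] in ("Resolved", "Rejected") and not exception
    return {
        "discovered": issue["created"],
        "closed": issue.get("resolved") if closed else None,
        "expected": issue.get("expiry") if exception else None,
    }

def sync(issue, risk=None):
    """Return (action, risk) for one issue and its existing risk, if any."""
    if issue["severity"].lower() == "informational":
        return "skip", None                      # excluded from import
    target = map_status(issue["status"], issue.get("reason"))
    fresh = {"issue_id": issue["id"], "status": target, **map_dates(issue)}
    if risk is None:
        return "create", fresh
    # Assumption: "reappears" means the issue is active again while its risk is Closed.
    if risk["status"] == "Closed" and issue["status"] in ("Open", "In Progress"):
        return "create", fresh
    if LIFECYCLE.index(target) < LIFECYCLE.index(risk["status"]):
        target = risk["status"]                  # never regress
    return "update", {**risk, **map_dates(issue), "status": target}

# Constructed sample issues (field names are illustrative, not the Wiz API schema).
OPEN = {"id": "wiz-1", "severity": "High", "status": "Open", "created": "2026-03-02"}
EXC = {**OPEN, "status": "Rejected", "reason": "exception", "expiry": "2026-06-30"}
```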
CyberGov and Board Deck updates
- ID columns now contain live links for one-click access to the underlying record.
- The Description column has been removed.
- Key dates for risks and incidents are now included.
- The AI engine generating executive summaries has been enhanced.
- The Board Deck now includes only SEV-1 and SEV-2 incidents. CyberGov continues to include SEV-1, SEV-2, and SEV-3.
Risk table inclusion criteria
- Risk discovered and open during the reporting period
- Risk discovered and closed during the reporting period
- Risk due during the period (due on or before the period end, open or closed after)
- Risk discovered outside the period but closed during the period
Incident table inclusion criteria
- Detected date within the reporting period
- Occurred date within the reporting period
- Contained date within the reporting period
- Detected or occurred before the period but contained within it
Editor toolbar
Title, Description, and Comments fields now include a quick-access formatting toolbar that supports bold, underline, strikethrough, block quotes, and bulleted lists. Press Tab to increase indent and Shift+Tab to decrease indent.
Risk and Incident exports
Exports from the Risk Register and Incident Register now support customizable column selection. Choose the default fields or pick your own. Output is CSV.
Modal view: scoring reasoning
- For risks, Likelihood and Impact analysis reasoning displays directly below the corresponding field.
- For incidents, Severity reasoning displays directly below the field.
- Reasoning can be modified in place — no need to navigate to Comments, which are now reserved for collaboration.
Enhanced date selection
Dates can now be selected from a calendar view or entered directly as text in YYYY-MM-DD format.