UpGuard Release Notes

We’re making it easier than ever to communicate your security posture and commitment to transparency with Trust Exchange. 

You can now perform a self assessment in the Security Profile, using our AI analyst to scan your security documents and questionnaires and populate suggestions for our library of 500+ checks in minutes (the same as assessed in UpGuard’s Vendor Risk product). You can review the suggested responses and approve, reject or add manual answers.

Then, choose which passed checks you’d like to publish onto your Trust Page, where they’re presented in a searchable public format. You can also optionally include linked evidence, subject to the existing access and NDA settings you have in place.

Our FAQ-style list of controls enables you to transparently and proactively communicate your security posture to customers and partners, cutting down on the back and forth hassle of outdated security assessment processes. 

This feature is now available to all Trust Exchange accounts. For more information visit our help guide. 

New threat detection for vibe coding tools

We’ve expanded Threat Monitoring with a new collector that captures signals from emerging “vibe coding” platforms, including v0.dev, lovable.dev, and Replit. This helps identify threats such as phishing sites created by attackers, as well as accidental leaks of IP, PII, or credentials by internal users. By monitoring these rapidly growing tools, we’re strengthening coverage of both external and insider risks associated with your Transforms.

Risk details API: Port information now available

The Risk API endpoints can now return port numbers for affected assets, giving you more detailed context for each security risk. To enable this, add the optional parameter include_sources=True to your API call on the /risks and /risksdiff endpoints. This will add a new sources field in the JSON response containing both the hostname and port.

Other improvements

• You can now export the Trust Page access log as an Excel file.
• This release includes a number of bug fixes.

‍

We’ve introduced bulk action improvements in Threat Monitoring, making it easier to manage large sets of signals. Users can now select all threats matching their applied filters across multiple pages, in addition to selecting all on the current page. A new “Close as remediated” bulk action has also been added, along with clearer visual feedback when threats are selected.

HECVAT 4 questionnaire now available

We have added the Higher Education Community Vendor Assessment Toolkit (HECVAT) 4 to our questionnaire library. This latest version of HECVAT consolidates the previous separate versions (Full, Lite, On-Prem) into a single dynamic questionnaire that adapts based on vendor responses. This enables higher education institutions to focus on relevant risk areas for a streamlined and customizable evaluation.

Preview control template questionnaires

We’ve added a “Preview” button on the control templates page. This lets you view the gap questionnaire for each control template, showing the questions that could be asked of vendors. Since the gap questionnaire is dynamic, the preview reflects the specific questions based on the controls in scope for that template.

AI-Generated risk assessment conclusions

Our Vendor Risk AI Analyst can now generate conclusion commentary for Instant Risk Assessments. The analysis considers vendor tier, engagement type, and other attributes to provide a more comprehensive and context-aware summary.

Other improvements

• Added "Select All" for bulk questionnaire sending
• A new Trust Page badge is now available to indicate FedRAMP compliance
• Clearer terminology for exposed credentials threats to be more intuitive
• This release includes a number of bug fixes

‍

We’ve shipped a targeted update to help customers respond to the Salesloft Drift supply-chain incident. This update enables immediate visibility of Salesloft – Drift wherever it appears in your estate—both as a fourth-party vendor (via our web scanner) and as a Detected product in Breach Risk—and introduces a Salesloft impact questionnaire to help your team quickly assess potential exposure and gather the right evidence. For background and our recommendations, see our blog post: Salesloft Drift Breach: What Happened and How Does It Affect Me?.

What’s new

• New product & vendor surfaced: Salesloft – Drift now appears in Vendor Risk: Fourth-party ecosystem (when discovered on your vendors’ sites) and Breach Risk: Detected products (when discovered on your own domains).
  

• Salesloft post-incident impact questionnaire: We’ve added a dedicated questionnaire to help you evaluate vendor exposure and response to the recent Salesloft/Drift incident. This assessment focuses on identifying compromised data, verifying remediation actions, and ensuring vendors have safeguards in place to protect your information.

‍

UpGuard’s new User Risk product gives you a single, unified platform to manage the complexity of human risk. Our AI Analyst unifies identity, behavior, and threat signals to give you a comprehensive picture of your workforce risk, while contextual coaching helps you build a stronger security culture and transform your employees into a proactive line of defense.

Here’s how User Risk transforms your approach to managing human risk:

• AI Analyst: Automatically synthesizes thousands of signals into a prioritized action plan, helping your team focus on the threats that matter most and move beyond manual, time-consuming analysis.
• Unified Risk Signals: Consolidates disparate human risk signals – like unauthorized SaaS and AI usage, compromised credentials, and over-privileged permissions – into a single, unified view that’s updated daily.
• Real-Time Behavioral Coaching: Moves beyond ineffective training by delivering educational "nudges" directly within an employee's workflow, building secure habits at the exact moment of a risky action.
• Comprehensive Risk Discovery: Utilizes a browser extension and directory integrations to discover your true SaaS and AI footprint, including non-SSO apps that other tools miss.
• Unified User Risk Profile: Centralizes all discovered risks for each user into a single profile, allowing for targeted intervention and a clear view of your riskiest individuals and teams.

To learn more, visit the product overview page or contact your Customer Success Manager.

Pre-set assessment scope by vendor tier in Security Profile

You can now right-size vendor assessments by pre-setting scope with Security Profile control templates. Once set, these templates automatically apply across your vendor ecosystem based on vendor tier. Use our recommended tiered templates or tailor your own from the control library to match the exact scope you need. With an expanded security framework offering more comprehensive controls and checks, you get greater flexibility and precision when building assessments. Plus, the gap questionnaire is now dynamically generated from the applied template and pre-filled with existing evidence, so vendors only need to address what’s truly missing.

Ability to tune AI-commentary for Instant Risk Assessments

We’ve enhanced our AI Instant Risk Assessment commentary to give you more control. You can now fine tune the AI to suit your needs by setting the target audience (e.g. technical, non-technical), choosing the level of detail, and even entering custom prompts for specific use cases. Create the perfect report first time, faster than ever.

Vendor Risk AI analyst insights

We've added helpful, AI-generated insights to every vendor's summary page. Get an instant read on a vendor’s security posture and potential gaps, along with smart, actionable recommendations for next steps. The AI analyzes all active evidence including scan data, documents, questionnaires, and incidents to give you a comprehensive and immediate understanding.

More vendor evidence added to the Security Profile 

We've added over 1,500 new public documents for more than 200 of our most-monitored vendors. These documents are now available as evidence in Vendor Risk and have been pre-scanned against the Security Profile. This update saves you time and effort by reducing the need to chase down evidence, so you can get to assessing your vendors faster.

Other improvements

• We’ve changed the description of B grade to Organization has reasonable security controls in place but could have gaps in their security posture to better reflect risk level. 
• We’ve added some additional detail to the (excel) Vendor Risk assessment summary report including Portfolio, Grade and Assessment year.
• This release includes a number of bug fixes.

‍

We’ve made it easier to track and manage remediation requests. You can now revert a remediation request from "Awaiting Review" back to "In Progress" if the vendor's response is incomplete or insufficient. Previously, this status change wasn’t possible. Doing so will generate a notification to the recipient to take further action on unresolved risks. This ensures a more flexible and effective remediation workflow, empowering you to ensure all identified risks are thoroughly addressed. This improvement is available for both Vendor Risk and Breach Risk remediation requests.

Other improvements

• We’ve made improvements to the evidence selection modal in the Vendor Risk Security Profile, improving clarity on document names, types, statuses and dates
• This release includes a number of bug fixes

‍

To help get the information you need from vendors, you can now mark questions as required in both default and custom questionnaires. This can be done in the Questionnaire Library when creating a new custom questionnaire or when editing an existing questionnaire.

Required questions are also highlighted to vendors in the questionnaire viewer, making it clear what needs to be answered before they can submit their response.

We’ve also introduced an Overview section in the questionnaire builder to give you better visibility into the breakdown of questions and potential risks that could be flagged.

To learn more see Edit and build questionnaires.

Customizable vendor attribute update notifications

Users can now create custom notifications triggered by updates to their vendor's attributes.  This allows for proactive monitoring of critical vendor information changes, enabling timely responses and improved risk management.  

Granular Trust Page document access control

Trust Page administrators can now decide exactly which individual documents and questionnaires a requester can access, instead of turning access protection on or off for the entire Trust Page. This allows for more granular, per-resource access controls on Trust Pages, making it easier for admins to share evidence only with the parties that truly need it. 

Other improvements

• Users can now sort and compare vendors more easily with the addition of Industry and Headquarters columns on the Vendors page and in the Excel export.

• This release includes a number of bug fixes.

‍

We’ve added a CPS 230: Material Service Provider Questionnaire. This questionnaire is designed to help APRA-regulated Australian financial services customers identify and assess material service providers and their capacity to support your critical operations and obligations to comply with CPS 230. Learn more

Other improvements

• To make it easier to see the full list of documents available for a vendor, UpGuard-sourced public documents are now stored in the vendor’s Additional Evidence page.
• The list of all risks in Instant Risk Assessments is now filterable, making it easier to search, sort, and review relevant risks before finalizing your report.
• You can now export the “You and your vendors” tab from Incidents and News.
• Added “click to copy” functionality to risk details across Breach Risk and Vendor Risk.
• This release also includes a number of bug fixes.

Add an extra level of protection for the PDFs in your Trust Page with our new watermarking capability. Downloaded PDFs can now include a watermark displaying the downloader's company domain, name, email address, and download timestamp, providing greater control over your shared information. This feature can be enabled in your Trust Page settings. Learn more

Improvements to AI document scanning and risk assessment commentary

To improve the quality of results we've made improvements to AI document scanning in the Security Profile and AI Autofill. Improvements include:

• Improved citation handling, focusing on citation quality
• Improved prompts to handle specific nuances of some individual controls and control families
• Upgraded from GPT-4o to GPT-4.1

We've also made improvements to AI risk assessment commentary to reduce the likelihood for self-contradictory statements in the risk assessment narratives.

Improved domain list filtering in Breach Risk and Vendor Risk

You can now view active and inactive domains even after applying filters in the Domains UI. Previously, these lists were only available when no filters were applied—this update restores that flexibility and makes it easier to analyze filtered domain sets.

Other improvements

• This release includes a number of bug fixes

‍

UpGuard’s new Threat Monitoring features give you real-time visibility into threats across the open, deep, and dark web. Our AI Threat Analyst continuously scans for signs of data exposure and malicious activity linked to your organization, helping you detect and respond before attackers can act.

Here’s how Threat Monitoring takes your external risk detection to the next level:

• AI Threat Analyst: Automatically triages findings and provides clear remediation guidance to help your team act faster.
• Broad threat coverage: Continuously monitors multiple attack vectors across open, deep, and dark web sources for early warning signs.
• Prioritized and contextualized: AI Threat Analyst filters out noise and enriches results with relevant context so your team can focus on high-confidence threats.
• Transform-based monitoring: Lets you define what to track, such as brands, domains, IPs, emails, or product names, for targeted threat detection.
• Collaborative investigation workspace: Centralizes alerts, context, and actions to support faster triage and investigation across teams.

To learn more, see What is UpGuard Breach Risk Threat Monitoring?

These features are available to customers in our early access program. If you’d like to learn more or be notified when they become generally available, please contact your UpGuard Customer Success Manager.

We’ve made it easier to monitor vendors

Adding and managing vendors is now significantly easier. The improved vendor monitoring flow provides a clear, guided experience, allowing you to add multiple vendors at once, search our database, or add vendors without a web presence with minimal information.

Subscribe to Trust Page updates

Trust page viewers can now subscribe to receive email notifications of important updates.  Trust page administrators can also manage subscribers directly within the Trust Page settings, making it easier to communicate important security and compliance updates to your customers and prospects. To learn more, see How to Create Your Trust Page.

Other improvements

• This release includes a number of bug fixes

‍

Trust Page administrators can now add updates to their Trust Pages, keeping customers informed about important events and news, such as communicating a new certification or other compliance milestone; promoting a change to a policy; or to inform customers in the rare event of an outage or breach. These updates are immediately visible on the published Trust Page and Vendor Risk users can also subscribe to their vendors’ Trust Page updates.

Questionnaire attachments automatically added to additional evidence

Questionnaire attachments submitted by vendors are now automatically added to the Additional Evidence section. This streamlines the assessment process and eliminates the manual step of converting attachments, making it faster and easier for you to include these documents in your security profile and risk assessments.

Minimum questionnaire completion rates

Users can now set a minimum completion percentage for questionnaires in Settings. This ensures vendors provide sufficiently complete responses, reducing the need for follow-up and improving assessment accuracy. If a vendor attempts to submit a questionnaire below the set threshold, a message will prompt them to answer additional questions before submission.

Improved navigation for settings pages

The Settings pages now use a consistent sidebar navigation, matching other areas of the application.  This improves navigation and provides a more unified user experience.  The Settings menu has also been reorganized for better clarity and includes new sections for Subsidiary Management and Vendor Onboarding.  

Other improvements

• Support for ISO42001 badges on Trust Pages
• Added automated scan and evidence rating breakdown to the Vendors page and Excel export enabling for more comprehensive vendor comparison and analysis 
• This release includes a number of bug fixes

‍

You can now download the Risk Assessment Summary Report in Excel. The report provides a snapshot of assessment statuses across your vendor portfolio and is organized into three sheets—In Progress, Completed, and Not Assessed—to simplify analysis. We've also improved the sorting for easier navigation.

Other improvements

• Resolved an edge case affecting document states in draft questionnaires
• General bug fixes and performance enhancements

‍

We've enhanced News and Incidents coverage to include the Securities and Exchange Commission (SEC) as a source. The SEC tracks regulatory outcomes of data breaches and broadens our coverage of US cybersecurity impacts.

Trust Page tips and tricks

We've made several updates to help you edit and publish your Trust Page. There’s a new “Get started guide” with information to guide you through the process of setting up your Trust Page, as well as the introduction of tips after your page is published.  The Settings page has also been redesigned, making it easier to add a custom domain, NDA, and configure your access settings. Visit your Trust Page to see these changes.

Other improvements

• Resolved problems with case sensitivity in security links and re-issuing access invites.
• Improved Vendor Risk Fourth party export to make it clearer which vendors are using which products.
• Added page numbers and question numbers to citations in the Vendor Risk Security profile to help provide more context.
• Improved warnings when questionnaires and documents used in Vendor Risk security profile and risk assessments are deleted or archived.
• Detected Products export functionality now includes the vendor's score and an indication of whether the vendor is currently monitored within Vendor Risk. 
• This release includes a number of bug fixes.