Author Archives: Christoffer

New in Dradis Pro v5.0

This is an exciting release. We’ve kept working on the basics: making the reporting engine even more powerful (image and paragraph alignment, border styling, image sizing), GitHub-style inline comments, dark mode,…

At the same time, we are evolving the platform for what comes next: faster and easier deployments and upgrades, fine-grained API access to unlock agentic workflows, and a built-in context layer so you can Bring Your Own LLM.

Have a look, let us know what you think and what you build on top of the platform.

Enjoy!

Docker deployment

Dradis is now available for Docker. No more dealing with hypervisors or downloading hefty VMs and upgrade files. All Dradis add-ons for your subscription level will also be pre-installed, so setup, configuration, data migration, and upgrades should be a breeze. Getting started with Docker couldn’t be simpler:

curl -fsSL https://get.dradis.com | /bin/bash

Dark mode

A much-requested feature is here at last. You can now enable dark mode across Dradis, or the auto mode that switches between light and dark mode based on your system preferences. Eye strain will be less of a factor after extended Dradis use!

Dradis Echo: Configurable user prompts

Dradis Echo, which lets you connect your Dradis instance to a local LLM, can now have custom prompts defined by you. Create prompts, define their scope, save, and use them wherever you want.

Business Intelligence for contributors

Read-only Contributor users in Dradis can now be given access to even more features and data within Dradis. The latest addition is access to Business Intelligence data for projects to which they have been assigned. For example, perhaps a project manager needs to see trends of recurring issues over multiple retests for a single client, but you have no other need to give that person a paid license seat. Simply add them as a contributor user, assign them permissions for the projects they need to look at, and they will be able to see all they need on the results portal.

Inline Comments in QA

For teams using the Quality Assurance feature in Dradis, some feedback we have heard frequently is that inline comments would be helpful to discuss specific items among the reviewer and tester(s). Now you can do so, with the QA inline comment feature. No more hunting through comment sections for relevant discussions – go line by line and open threads as necessary.

Personal Access Tokens

We reworked API keys so that you can now have scoped Personal Access Tokens (PATs). Instead of using keys that belong to one user but have that user’s access across the board, you can now have a scoped PAT with limited, granular, specific access. Create tokens at will for your API integrations, giving Create, Read, Update, and/or Delete permissions to each individual content type in Dradis. Set expiry dates and conditionals if you like, and create as many as you would need.

Release Notes

  • Activities:
    • Remove ActivityTracking for Issues and use EventPublisher
  • Background jobs:
    • Migrate recurring tasks to SolidQueue
  • Business Intelligence:
    • Allow author/contributor access to Business Intelligence
  • Docker:
    • Integrations: Include assets for all integrations regardless of enabled/disabled status
    • Update Dockerfile and add Docker Compose config file to enable Docker deployment
    • Update default attachments, templates and themes locations to storage/
  • Echo:
    • Add configurable, reusable prompts for Issues
  • Forms:
    • Improve visibility of form actions
  • Kits:
    • Include ‘sort_field’ in export to preserve issue sorting on re-upload
  • Layout:
    • Add light/dark/auto theme toggle to support dark mode
  • Nodes:
    • Add more types and icons
    • Rename upload and parent node types and add distinguishing icons
    • Update associated evidence, notes and child nodes’ updated_at columns on node merge
    • Warn on node merge that methodology will not be copied
  • Profile:
    • Update default user avatar
  • QA:
    • Add inline comment threads for Issues
  • Report Template Properties:
    • Validate sort field is numeric
  • Results Portal:
    • Manage project access and contributor assignments
  • Sidebar:
    • Add resize functionality
    • Keep sidebar open when editing issues in large viewports
    • Display validation when creating and editing issues
  • Textile:
    • Add support for paragraph alignment
    • Add support for image resizing, alignment, and borders
  • Usage tracking:
    • Send the on/off event always
  • Webhooks:
    • Add Issue CRUD webhook events
    • Add Project CRUD and state transition events
    • Add Results Portal Project CRUD webhook events
  • Wizard:
    • Mark as done after Kit step, without waiting for the background job
    • OWASP kit: add with 3 report template variations
    • Red Team kit: add with MITRE ATT&CK methodology and kill chain report
    • Welcome kit: update with OWASP Top 10:2025 methodology
  • Upgraded gems:
    • faraday, nokogiri, rack
  • Bug fixes:
    • Configuration:
      • Require integer settings to be positive numbers
    • Issues:
      • Render ‘Default’ option in New issue dropdown when issue fields are defined in the Report Template
    • Whitelabeling:
      • Fix logo not appearing after uploading a new one in the admin settings
  • Integration enhancements:
    • Azure Authentication:
      • Add to integrations manager
    • Duo:
      • Disable engine by default
    • Gateway:
      • Add Athena and Orion themes
    • Okta:
      • Add to integrations manager
    • SAML:
      • Add to integrations manager
    • Scheduler:
      • Add light/dark/auto theme toggle to support dark mode
  • Reporting enhancements:
    • Word:
      • Remove support for the “Description” content control for Cards
      • Support textile alignment, image size, and image borders on export
  • REST/JSON API enhancements:
    • Personal access tokens:
      • Add multiple, per-user, scoped tokens for agentic workflows
    • Issues:
      • Add support for search
    • Issue Library Entries:
      • Add support for search
  • Security Fixes:
    • Low:
      • Authenticated (author) persistent cross-site scripting on smart combo component

Not using Dradis Pro?

New in Dradis Pro v4.19

Introducing Dradis Echo

AI integration is now available (and entirely optional!) for Dradis. With Dradis Echo, you can deploy your preferred LLM in Ollama – a framework that lets you run LLMs locally, with no external connections necessary at all – to work with Dradis. Use it to summarize raw scanner output, rewrite tester notes into executive language, enhance remediation advice, and more!

Webhooks for Dradis Gateway

You can now use Webhooks to carry out actions based on events in Gateway. Contributor requests, remediation progress, and project completions can trigger automated actions across your security stack. For example, kick off an onboarding flow when a client submits a project through Gateway, post Slack updates on new events in Gateway projects, or sync your ticket status across Jira, Azure DevOps, or ServiceNow.

While only Gateway webhooks are supported in Dradis v4.19, we plan to support other types of events in the future!

IssueLibrary improvements

We have also launched a series of improvements to the IssueLibrary. You can now upload CSV files to the IssueLibrary to bulk-import your own set of custom issues. You can bulk-delete issues in the IssueLibrary view. And finally, now when you go to add an IssueLibrary entry to a project, you can see each entry’s QA status, so you don’t import an unreviewed work-in-progress by accident!

Release Notes

  • Editor:
    • Add inline code and highlight code buttons to the toolbar
  • Layout:
    • Improve primary action visibility for Evidence, Issues, Methodologies, Notes, and Node Properties
  • Navigation:
    • Move Trash and Project Configurations in main navigation bar
  • Contributors:
    • Add a dashboard with Gateway, Remediation Tracker, and Notification widgets
  • Hera:
    • Improve primary action visibility and add view description
  • Projects:
    • Add user select-all functionality in project creation
  • Webhooks:
    • Add event-driven webhook implementation
  • Upgraded gems:
    • faraday, rack, rails, uri
  • Bug fixes:
    • Editor:
      • Add disabled button styling
    • Datatables:
      • Ensure correct record ordering when applying sorting
    • Kits:
      • Restore the functionality of the ‘Add mappings from kit’ option
    • Notifications:
      • Remove the duplicate breadcrumb link shown in project notifications
    • Sidebar:
      • Prevent the toggle button from being covered by the scrollbar
  • New integrations:
    • Webhooks:
      • react to server-side events in your other systems
  • Integration enhancements:
    • Gateway:
      • Add activities tracking
      • Add event instrumentation for webhooks
  • Issue Library:
    • Add bulk delete action for entries
    • Import entries to the library using a CSV file
    • Import published entries to projects when using QA


New in Dradis Pro v4.18

Business Intelligence Dashboard updates

We get many feature requests about the Business Intelligence Dashboard, and now the first batch is ready! You can now see year-over-year trends of activities and custom properties, and lists of your most common issues across projects. Get a clearer look at changes over time at a glance.

The Mappings Manager lets you keep multiple different mappings for different templates across tools. Now we have also made it easier to copy existing template mappings to new or updated templates when you upload them. When you upload a new Kit, you can select the mappings to apply or copy:

Copy existing mappings to new templates

When you upload a new template (e.g., when you have updated a template and you want to move to the newer version), you can choose to copy existing mappings or to create new ones:

This will get you up and running with updated templates quickly and easily!

Release Notes

  • Activities:
    • Include methodology name in all methodology actions
  • Business Intelligence:
    • Add Custom Properties view
    • Add Dashboard view with Year-Over-Year insights
    • Add sub-navigation
  • Font:
    • Improve font weight consistency for international characters
  • Layout:
    • Add custom error pages
  • Issuelib:
    • Update entry edit UI to match issue edit UI
  • Mappings:
    • Add an option to copy existing mappings when uploading kits or report templates
  • Rails:
    • Upgrade Rails version to 8.0.2.1
  • Ruby:
    • Upgrade Ruby version to 3.4.4
  • Upgraded gems:
    • resque, rexml, selenium-webdriver, thor
  • Bug fixes:
    • Combobox:
      • Prevent forcing the selection of the first available option for multi-select forms
  • Integration enhancements:
    • Azure DevOps:
      • Replace OAuth with Microsoft Entra ID


New in Dradis Pro v4.16

New visual redesign

Our designers have been working to completely overhaul the application interface to be more modern and integrated. Both the main interface and the individual projects view now use the same visual style, and you have access to all the application’s sections from the project view, so now you can go straight to your mappings or IssueLibrary from your project, rather than having to go through the Dashboard first.

Gateway Services and Questionnaires

As we continue to improve the features and possibilities of the Dradis Gateway, we have now created a new Services section of the portal. Here you can create questionnaires, which you can then send to Gateway Contributors. For example, you could use a questionnaire to establish the scope and goals of a penetration test before starting a Dradis project for them. On the basis of their responses, you can create a new project for their team right from the questionnaire results.

MFA with one-time passcodes

We have now created our own multi-factor authentication integration, Dradis OTP. You are no longer limited to using DuoWeb for free MFA in Dradis. With Dradis OTP, you can create and scan a QR code to use for MFA in whichever MFA app you prefer.

Audit logging

By popular request, we have created the Dradis Audit integration, which tracks activity in Dradis on a deeper level than the Recent Activity tabs and gathers it in one place. Your logs for the whole Dradis instance are now easily accessible for your security, compliance, and accountability needs.

Release Notes

  • Contributors:
    • Add an intermediate login page to prevent Microsoft Safe Links from consuming the one-time token
    • Add Notification Settings link
  • Forms: Add a combobox for selecting, filtering, and creating options
  • Hera: Add new layout with redesigned navigation
  • Navigation: Replace Turbolinks with Hotwire
  • QA:
    • Add project states and QA stats in the active projects card
    • Add View History link when viewing Issues/Content blocks
    • Add a ‘Reviewer’ role for publishing Issues/Content blocks
    • Automatically go to the next record after reviewing
  • Revisions: Show state changes in the revisions view
  • Usage Tracking: Track the choice of toggling on/off
  • Upgraded gems:
    • capybara, mysql2, net-imap, nokogiri, paper_trail, rack, rails, rails-html-sanitizer, rexml, rspec-rails, selenium-webdriver
  • Bug fixes:
    • Report Templates: Make the uploaded template available in the “copy template properties” select menu for subsequent template uploads
  • New integrations:
    • Dradis Pro OTP: two-factor authentication using OTP
    • Dradis Pro Audit: enable tracking of key actions for improved visibility and compliance
  • Integration enhancements:
    • Azure DevOps: Add support for ‘Iteration Path’ and ‘Tags’ fields
    • Burp: Fix HTML importer associating issues in the wrong node
    • Dradis Plugins: Default to ‘Draft’ state on tool upload
    • Gateway:
      • Add overview of projects using active project cards
      • Services: Implement Services and Questionnaires to initiate a pre-project process
    • Issuelib: Update syntax of default entries
    • Netsparker: Add support for Additional Websites as nodes
    • Nexpose: Fix UnorderedList/OrderedList formatting to work with Textile
    • PDF Export: Add table of contents
  • Reporting enhancements:
    • Export: Default export button to ‘All’ if all records in project are in ‘draft’ state
    • Word: Fix links containing special characters by no longer double escaping
  • REST/JSON API enhancements:
    • Nodes: include Node properties


New in Dradis Pro v4.15

We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.

Catch us here:

🧪 Dradis @ Black Hat Arsenal  
Business Hall – Arsenal Station 3
📅 April 3, 10:05am-11:20am

Learn how our most recent updates, which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements, let you create reports faster and with higher quality.

📍 See our Arsenal session

When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.

Cross-references in Word reports

A frequent report template request is being able to cross-reference Issues, so that you can have a summary table of issues in one part of the finished report that links to each full Issue description later in the report. Previously we have implemented this using VBA macros; now you can do it right in the Word template using content controls, no VBA needed!

You can create links in summary tables, or even refer to specific issues in other blocks of text (such as Content Blocks) with links directly to each individual issue you want to reference. For example, maybe you have a “Most urgent issues” content block? Now you can refer to those individual issues with links in text.

Reach out to us if you would like us to implement cross-referencing in your Word report templates, or if you currently have a VBA macro implementation of cross-referencing that you want to replace with the built-in cross-referencing feature.

Custom Tag Order

You have been able to customise tags in Dradis for a while; now you can sort them dynamically as well. For example, maybe you have your own custom “Resolved” tag as well as your typical High/Medium/Low tags, and you want Resolved issues sorted first. Now you can do that! Change your mind and want to see High issues first? Re-order the tags and you’re done.

Kit Updates

We refreshed our built-in Kits with updated templates for reports, projects, issues, and more. We also included integration mappings and rules, along with an OWASP Top 10 methodology update.

Kits can be deployed immediately on an instance (no upload required) and used straight away with tool output for which mappings are included. Other tweaks, such as CVSSv4 support, are also included.

Release Notes

  • Projects: Add `Owner` column to projects data table
  • Tags: Add custom ordering
  • Welcome Kit:
    • Add HTML report template
    • Add issue and evidence templates
    • Add integration mappings
    • Add project template
    • Add rules for Rules Engine
    • Update OWASP Top 10 methodology to latest version (2021)
    • Update report templates
  • Upgraded gems: net-scp, net-ssh, rexml
  • Bug fixes:
    • Dashboard: refresh cache on recent project changes
    • Word export: allow charts to be edited post-export
  • Integration enhancements:
    • Gateway: Process Liquid in content block, evidence, issue and note text by default when rendering template
    • SAML: Bump ruby-saml dependency to 1.17
  • Reporting enhancements:
    • Word:
      • Add support for cross-references
      • Add support for mismatched nested lists
  • Security Fixes:
    • High: Authenticated (author) persistent cross-site scripting


New in Dradis Pro v4.13


Liquid updates

Dradis v4.13.0 expands what you can do with Liquid content. Support for Liquid drops has been expanded so that they are available at more levels. For example, perhaps you want to have an auto-magically generated text in an Executive Summary ContentBlock that summarises recommendations for Issues and their respective Evidence locations, in order of severity? Now you can do that!

In addition, we have tweaked the Word exporter so that Liquid content is evaluated before Word filters. That means you can use Liquid syntax to set filters programmatically. For example, perhaps you have filters in your Word template that separate Internal and External Issues. Now you can use Liquid to specify that if an Issue is found on a Node beginning with 192., then the Type should be set to “Internal”.

Or perhaps you want to select which ContentBlock sections to display based on the Project type as defined in a document property? Now, with some Liquid code in the relevant ContentBlock filter sections, you can do that!

Project Scheduler integration

The Project Scheduler is one of our most downloaded add-ons, and a frequently requested feature has been integration with third-party calendars. This is now implemented in v4.13.0! The Scheduler now has a secure link to a .ics file that lets you integrate the Dradis Project Scheduler with apps like Outlook, Thunderbird, and Apple Calendar. The .ics file can of course also be downloaded rather than linked.

Auto-generate Word report template properties

Correct configuration of Word templates’ Report Template Properties is essential to ensure that projects are correctly generated, validated, and exported. With our recent Mappings Manager overhaul with per-template mappings, the correct configuration of report template properties is also essential to tool uploads. To make this process easier for you, Dradis can now auto-detect report template properties when you upload a report template to your Dradis instance. If you create or tweak your own templates, and don’t want to go through a fiddly .rb file to configure a new Kit each time, this feature is for you!

Release Notes

  • Liquid: Make project-level collections available for Liquid syntax
  • Validations: Evaluate Liquid syntax before validating the fields
  • Upgraded gems: nokogiri, rails, redcloth, rexml
  • Bug fixes:
    • Business Intelligence:
      • Prevent the “Business Intelligence” navigation label overflowing (in Project and Team forms) on mid-size view ports
      • Prevent the “Compare” chart y-axis label from being covered by chart data
    • Navigation: Restore functionality of native browser back/forward buttons
    • Rules Engine: Prevent issues from getting multiple tags
    • Tables: Enable sorting by validation column status
    • Word: Prevent EvidenceCounter filters from being ignored
  • Integration enhancements:
    • Calculators: Add CVSS/Dread calculators to the Tools Manager
    • Rules Engine: Process Liquid syntax before matching field condition
  • Reporting enhancements:
    • Word:
      • Auto-generate fields for uploaded templates
      • Process Liquid before generating the Word report
      • Remove the NoSpacesInNodesValidator
      • Skip QA validation when exporting all the records
  • Security Fixes:
    • Medium: Authenticated (author) horizontal privilege escalation affecting attachments


New in Dradis Pro v4.12


New Mappings Manager

Dradis v4.12.0 contains a complete overhaul of how the Mappings Manager works. Mappings Manager configurations for each upload plugin (e.g. Nessus, Burp, Qualys…) are now directly associated with a particular report template and its associated report template properties. This means that you can have separate plugin mappings for separate report templates.

The editor itself has also been overhauled to be more user-friendly. Rather than having to manually type out the Dradis fields needed using their #[Field]# syntax, you can now pick “Source Fields” and “Dradis Fields” from dropdowns. Of course “Custom Text” and “Custom Field” options are also available.

This overhaul should also make it more straightforward to configure the Mappings Manager for report templates in Kits.

Your existing Mappings Manager configurations will be migrated to the new format on upgrade.

CVSSv4 Calculator

We heard you, now we support a CVSSv4 calculator right in the application!

Of course CVSSv3.0 and CVSSv3.1 are still supported as well. Pick your preferred version from the dropdown. You can have the outputs of multiple calculator versions in the same Issue if you like.

API Attachments

New functionality has been added to the API Attachments endpoint. You can now get the size, created_at, and (by popular request) a download link with an API call!

AWS and Azure images now officially supported

After a long time in Beta, we are now able to offer our Dradis images for AWS and Azure as officially supported by us, as long as our documented AWS or Azure deployment methods are followed.

Release Notes

  • Attachments: Add size, created_at, and download link to the API
  • Kits: Automate creating Mappings
  • Mappings Manager: Map fields from scanner integrations to Dradis fields
  • Upgraded gems:
    • nokogiri, rails
  • Bug fixes:
    • Avatars: Allow both .jpg and .jpeg formats
    • Projects: Fix redirection when updating an issue or content block
    • Sidebar: Prevent version number from overlapping listed records
  • New integrations:
    • Pentera
  • Integration enhancements:
    • CVSS Calculator: Add CVSS v4 support
    • Integration Manager: Clarify integration status after enabling/disabling
    • Veracode:
      • Create evidence for every instance of <flaw>
      • Use cweid as the issue identifier
  • Reporting enhancements:
    • Word: Accept scope parameter in command line export
    • Excel: Accept scope parameter in command line export
  • Security Fixes:
    • High: Authenticated author path traversal on attachment rename


Dradis v4.8.0 has a Quality Assurance feature to approve Issues and Content Blocks before reporting

New in Dradis Pro v4.9


Liquid Dynamic Content in Word and HTML reports

We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.

Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can! For example, the following will export into an Issue:

#[Description]#
Global:
{{ project.name }} for {{ team.name }} team
{{document_properties.available_properties}}
 
Tag Name:
{% for tag in issue.tags %} {{ tag.name}} {%endfor%}
 
CVSSv3 score:
{{ issue.fields['CVSSv3.BaseScore'] }}
 
Evidence:
{% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {%endfor%}
 
The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence
 
Evidence count per node:
{% for node in issue.affected %}
{{ node.label}} has {{node.evidence.size}} instances of evidence
{% endfor %}

It would give a result like the following:
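The rendered output is shown on the original page as an image. As an added example (not Dradis code, and not the Liquid gem), here is a deliberately minimal stand-in renderer that supports only the two constructs the template above uses, `{{ path }}` output tags and non-nested `{% for %}` loops, applied to that exact template with constructed sample data standing in for the Dradis drops:

```ruby
# Added example, not Dradis or Liquid gem code: a minimal stand-in renderer for
# the two Liquid constructs used in the template above. Filters, if/else and
# nested loops are deliberately not supported.

# Resolve a dotted path such as issue.fields['CVSSv3.BaseScore'] or
# issue.evidence.size against nested Hashes and Arrays.
def lookup(scope, path)
  segments = path.scan(/\[\s*['"]([^'"]+)['"]\s*\]|([A-Za-z_]\w*)/)
                 .map { |index_key, identifier| index_key || identifier }
  segments.reduce(scope) do |current, segment|
    case current
    when Hash  then current[segment]
    when Array then segment == 'size' ? current.size : nil # collection.size as in Liquid
    else nil
    end
  end
end

def render(template, scope)
  # Expand {% for var in collection %}...{% endfor %} blocks first, rendering
  # the body once per item with the loop variable added to the scope.
  expanded = template.gsub(/\{%\s*for\s+(\w+)\s+in\s+([^%]+?)\s*%\}(.*?)\{%\s*endfor\s*%\}/m) do
    var, collection, body = $1, $2, $3
    Array(lookup(scope, collection)).map { |item| render(body, scope.merge(var => item)) }.join
  end
  # Then substitute {{ path }} output tags; unknown paths render as empty text.
  expanded.gsub(/\{\{\s*(.+?)\s*\}\}/) { lookup(scope, $1).to_s }
end

# The Issue description template from the post above (field header omitted).
TEMPLATE = <<~'LIQUID'
  Global:
  {{ project.name }} for {{ team.name }} team
  {{document_properties.available_properties}}

  Tag Name:
  {% for tag in issue.tags %} {{ tag.name}} {%endfor%}

  CVSSv3 score:
  {{ issue.fields['CVSSv3.BaseScore'] }}

  Evidence:
  {% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {%endfor%}

  The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence

  Evidence count per node:
  {% for node in issue.affected %}
  {{ node.label}} has {{node.evidence.size}} instances of evidence
  {% endfor %}
LIQUID

# Constructed sample data standing in for the project/team/issue drops.
SCOPE = {
  'project' => { 'name' => 'Q3 External Assessment' },
  'team'    => { 'name' => 'Acme' },
  'document_properties' => { 'available_properties' => 'dradis.client, dradis.project' },
  'issue' => {
    'title'    => 'SQL Injection',
    'tags'     => [{ 'name' => 'High' }, { 'name' => 'Resolved' }],
    'fields'   => { 'CVSSv3.BaseScore' => '9.8' },
    'evidence' => [{ 'fields' => { 'Label' => 'login form' } },
                   { 'fields' => { 'Label' => 'search parameter' } }],
    'affected' => [
      { 'label' => 'app.example.com', 'evidence' => [{ 'fields' => { 'Label' => 'login form' } }] },
      { 'label' => '10.0.0.5',        'evidence' => [{ 'fields' => { 'Label' => 'search parameter' } }] },
    ],
  },
}

def render_issue_example
  render(TEMPLATE, SCOPE)
end

puts render_issue_example if __FILE__ == $0
```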

Better filters in Word templates

We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.

Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".

Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.
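An added example (not Dradis code) of how the Field|Value filter syntax described above can be parsed and applied to records: quoted field names and values may contain spaces, and a value may be a numeric range written as (lo..hi). The sample records and the matching rules (exact string match, inclusive numeric range) are assumptions for illustration.

```ruby
# Added example, not Dradis code: parse the Word content-control filter syntax
# Field|Value, where either side may be double-quoted to allow spaces and the
# value may be a numeric range such as (9.0..10.0).
FILTER_RE = /\A\s*
  (?: "([^"]+)" | ([^"|\s]+) )                  # 1 quoted field   2 bare field
  \s*\|\s*
  (?: \(\s*([\d.]+)\s*\.\.\s*([\d.]+)\s*\)      # 3..4 numeric range (lo..hi)
    | "([^"]+)"                                 # 5 quoted value
    | (\S+) )                                   # 6 bare value
  \s*\z/x

# Returns { field:, test: } where test is a lambda over a single field value.
def parse_filter(spec)
  m = FILTER_RE.match(spec) or raise ArgumentError, "cannot parse filter: #{spec.inspect}"
  field = m[1] || m[2]
  test =
    if m[3]
      lo, hi = Float(m[3]), Float(m[4])
      # Field values are stored as text, so coerce; non-numeric values never match
      # (assumed behaviour: a missing or "N/A" score is excluded from a range filter).
      ->(v) { (n = Float(v, exception: false)) ? n.between?(lo, hi) : false }
    else
      wanted = m[5] || m[6]
      ->(v) { v.to_s == wanted }   # assumed: exact, case-sensitive match
    end
  { field: field, test: test }
end

# Keep only the records whose named field satisfies the filter.
def filter_records(spec, records)
  f = parse_filter(spec)
  records.select { |r| f[:test].call(r[f[:field]]) }
end

# Constructed sample records: Issue fields and Node properties as plain Hashes.
ISSUES = [
  { 'Title' => 'SQL injection in login', 'CVSS Base' => '9.8', 'Category' => 'A1 Injection' },
  { 'Title' => 'Reflected XSS',          'CVSS Base' => '6.1', 'Category' => 'A3 Injection' },
  { 'Title' => 'Missing HSTS header',    'CVSS Base' => 'N/A', 'Category' => 'A5 Security Misconfiguration' },
]
NODES = [
  { 'Label' => '10.0.0.5',        'type' => 'internal' },
  { 'Label' => 'www.example.com', 'type' => 'external' },
]

if __FILE__ == $0
  ['"CVSS Base"|(9.0..10.0)', 'Category|"A1 Injection"'].each do |spec|
    puts "#{spec} -> #{filter_records(spec, ISSUES).map { |i| i['Title'] }.inspect}"
  end
  puts "type|internal -> #{filter_records('type|internal', NODES).map { |n| n['Label'] }.inspect}"
end
```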

DuoWeb and ServiceNow support in the Integration Manager

We have changed the way our integrations work, so you can now install DuoWeb and ServiceNow right in the Integration Manager. No need to use the command line to install 2FA! You can also configure Duo and ServiceNow, as well as integrations like Azure DevOps, right in the Integration Manager.

Release Notes

  • AccessTokens: allow the storage of per-user encrypted tokens
  • QA: Show state changes in activity feed
  • Sessions: Store :secret_key_base in encrypted configuration file
  • Tylium: Extend support for Liquid Dynamic Content
  • Upgraded gems:
    • bootstrap, popper_js, simple_form
  • Bug fixes:
    • Issue Library: Prevent rendering navbar over top of the fullscreen editor
    • QA: Redirect to correct view when changing states on QA edit views
    • Users: Force logout for users with locked accounts
  • Integration enhancements:
    • Acunetix: Parse inline code, not just code blocks
    • Burp: Adds strong and code tags parsing
    • CSV: Fix CSV Upload for files with special characters
    • Nessus:
      • Parse code tags as inline code
      • Add plugin_type as an available Issue field
    • Nexpose:
      • Parse inline code, not just code blocks
      • Wrap ciphers in the ssl-weak-message-authentication-code-algorithms finding
    • Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
    • Azure DevOps: Switch authentication from PAT to OAuth2
    • Duo 2FA:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
    • ServiceNow:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
  • Reporting enhancements:
    • Word:
      • Add support for filtering nodes by properties
      • Add support for the notextile tag
      • Allow multi-word fields/values in the content control filters with double quotes
      • Extend support for liquid dynamic content in Word reports
      • Warn of missing blank lines around a screenshot only when it’s not the first or last item in a field


New in Dradis Pro v4.6


Integration and Tool Manager

Now you can install and upgrade integrations (such as DuoWeb and Jira) and tools (such as the Gateway and the Remediation Tracker) directly in the Dradis application – no need to use ssh or the command line! Simply browse to the Integration and Tool Manager in Dradis v4.6, Get the tool, and then Enable it. Then you should be good to go!

Instance Dashboard

Want a better overview of what is going on in your Dradis instance after login? The new Instance Dashboard gives you an at-a-glance overview of Projects, Tickets, and Tasks assigned to you; a list of the newest unread notifications; and an overview of what’s new in the latest version of Dradis.

This is a new feature, so please let us know if there are other things you would like to see or change on the Instance Dashboard once you start using it.

Permanently delete items in Trash

As of v4.2 of Dradis, you could soft-delete projects and teams so they end up in an Instance Trash. However, to permanently delete items in trash, you needed to use the command line. Not anymore! Now you can permanently delete items in Trash straight from the UI.

New Kits

We have long had a few templates and kits available for download at the Dradis Users Portal. We have overhauled some of these kits and made them available directly from the Dradis UI. Simply go to Templates -> Kit Upload, and either upload a kit file as you normally would, or click the Upload button under your preferred preinstalled testing kit.

Release Notes

  • Dashboard: See active projects, notifications, assignments, and what’s new in one view
  • Integration and Tool Manager: Add UI for installing and managing integrations
  • Kits:
    • Add selection of kits to choose from
    • Enable import of kit with no templates
  • Mintcreek: Adjust element contrast ratios to be WCAG 2.1 compliant
  • Navbar:
    • Split the Addons menu into Integrations and Tools menus
    • Remove inaccessible addon’s menu items for contributors
  • Notes: Remove category selection from form UI
  • Projects: Update active projects empty state
  • Trash: Delete projects and teams permanently
  • Rubocop: lint changed files since previous commit
  • Upgraded gems:
    • nokogiri
  • Bug fixes:
    • Comments: Align comment header content in Safari
    • Content Blocks: Fix revision history links
  • New integrations:
    • Core Impact
    • Veracode
  • Integration enhancements:
    • Implement enable/disable feature for Gateway, JIRA, Remediation Tracker, Scheduler, and VSTS
    • JIRA:
      • Add view for editing configuration
      • Hide link in addons menu for contributors
    • VSTS:
      • Add view for editing configuration
      • Issues: add WorkItem Status and Comment feed
  • REST/JSON API: new v2 released
    • Projects: undiscard and permanently delete from trash.
    • Teams:
      • Undiscard and permanently delete from trash.
      • Deprecate the “/clients” endpoint, use “/teams”
      • Deprecate the “client_since” attribute, use “team_since”

New in Dradis Pro v4.5

CSV Importer

Dradis can now import CSV files into projects! Some vulnerability scanners produce output in CSV format rather than e.g. XML or JSON. You can now import these (and other) CSV files into Dradis, and configure which column to assign to which field in your Dradis projects on a per-file basis. Simply go to “Upload”, select the CSV importer, upload a file, and you will be redirected to an interface to assign data to fields. As with other plugins, you can create Issue, Evidence, or Node data and fields.

This is v1 of the CSV importer, so we look forward to your feedback on what works for you and what you would like to see in the future from this feature!

Note that for the sake of internal naming consistency, we have renamed the CSV exporter plugin with this change, so if you have the CSV exporter installed, you will need to reinstall the plugin as dradis-csv_export.
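To make the column-to-field step concrete, here is an added example in Ruby (the language Dradis itself runs on). It is not the CSV importer's own code: the sample scanner rows, the mapping names and the merge rule are constructed for the example, and the `#[Field]#` block layout it emits follows the Dradis plain-text field convention but is an assumption about what the importer produces internally.

```ruby
# Added example, not the Dradis CSV importer's own code. It shows the
# column-to-field mapping step: one mapping for Issue fields, one for
# Evidence fields, and a column naming the Node the evidence attaches to.
require 'csv'

# Constructed sample scanner export (not real scanner output).
SAMPLE_CSV = <<~TEXT
  Plugin,Severity,Host,Port,Summary
  SSL weak MAC,Medium,10.0.0.5,443,Server accepts HMAC-MD5 cipher suites
  SSL weak MAC,Medium,10.0.0.6,8443,Server accepts HMAC-MD5 cipher suites
  Outdated OpenSSH,High,10.0.0.7,22,OpenSSH 7.4 is end of life
TEXT

# Per-file mapping chosen by the user: CSV column => Dradis field name.
# Unmapped columns are ignored.
ISSUE_MAPPING    = { 'Plugin' => 'Title', 'Severity' => 'Severity', 'Summary' => 'Description' }.freeze
EVIDENCE_MAPPING = { 'Port' => 'Port' }.freeze

# Render field => value pairs in the #[Field]# block layout Dradis uses for
# issue and evidence text (assumed layout; fields keep their mapping order).
def render_fields(fields)
  fields.map { |name, value| "#[#{name}]#\n#{value}\n" }.join("\n")
end

# Parse the CSV and apply the mappings. Rows that render to the same issue
# text are merged into one issue with one evidence entry per node, which is
# what you want when a scanner repeats a finding once per host.
# Returns { issue_text => [{ node:, evidence: }, ...] }.
def import_csv(text, issue_mapping:, evidence_mapping:, node_column: 'Host')
  table = CSV.parse(text, headers: true)
  wanted = issue_mapping.keys + evidence_mapping.keys + [node_column]
  missing = wanted - table.headers
  raise ArgumentError, "mapping references missing columns: #{missing.join(', ')}" unless missing.empty?

  result = Hash.new { |h, k| h[k] = [] }
  table.each do |row|
    issue_text    = render_fields(issue_mapping.to_h { |col, field| [field, row[col].to_s.strip] })
    evidence_text = render_fields(evidence_mapping.to_h { |col, field| [field, row[col].to_s.strip] })
    result[issue_text] << { node: row[node_column].to_s.strip, evidence: evidence_text }
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  import_csv(SAMPLE_CSV, issue_mapping: ISSUE_MAPPING, evidence_mapping: EVIDENCE_MAPPING).each do |issue, evidence|
    puts issue, evidence.inspect, '---'
  end
end
```

The up-front check for columns the mapping names but the file lacks is the part worth keeping whatever importer you use: a silently missing column otherwise turns into a batch of issues with empty Title or Severity fields that only show up at report time.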

JIRA bulk send

Do you use our JIRA integration? If so, you can now bulk-send issues to JIRA. Simply select multiple issues from your project in the “All Issues” view, and click “Send to JIRA”:

That will send all your selected issues to the Dradis-JIRA interface. Pick the destination project, issue type, and other required fields for each item, and you’re done!

Bug fixes and quality-of-life improvements

Another focus of the v4.5 release is working through some bug reports and lower-level requests we have accumulated over time.

Bug fixes include multiple items relating to attachment validation and export, Node labels linking to external resources (so e.g. clicking on a Node label of “www.google.com” will no longer redirect you to Google instead of the Node in Dradis), and the Rules Engine matching against IssueLibrary entries without trailing empty lines.

Quality-of-life improvements include adding Revision History for Content Blocks and improved error messages in the Output Console on Word report export. Check our release notes for more detail!

Release Notes

  • Content Blocks: implement Revision History
  • Upgraded Dradis Pro to run on ruby 3.1.2
  • Upgraded gems: acts_as_tree, bootsnap, bundler-audit, factory_bot, paper_trail, rails, rails-html-sanitizer, timecop, thor, unicorn, unicorn-worker-killer
  • Bug fixes:
    • Attachments: Fix attachments not showing, validating, or exporting correctly
    • Evidence:
      • Add validation for creating evidences in the issue view
      • Set correct localStorage key to prevent pre-populating incorrect content at the issue level
    • Issue Library: Render colored badges in the Tags column of the entries table
    • Nodes: Prevent evidence labels linking to external resources
    • Rules Engine: Fix the Rules Engine not matching Issue Library entries with no trailing empty lines
  • New integrations:
    • CSV Importer
  • Integration enhancements:
    • JIRA:
      • Add support for datepicker custom fields
      • Add Bulk Send To support
      • Update JIRA setup instructions
    • Rules Engine: Prevent subsequent rules from running after a discard action
    • Qualys: Wrap ciphers in code blocks for the Vuln Importer
  • Reporting enhancements:
    • CSV Export: Rename integration to dradis-csv_export
    • HTML Export: Add :rtp plugins feature
    • Word:
      • Fixes “-” in hyperlinks displaying HTML entity
      • Fixes duplicated relationship Ids when adding relationships
      • Fixes text with double exclamation marks breaking report
      • Show error message in export logs when populating multi-paragraph content in inline content controls
      • Show error message in export logs when removing invalid screenshots
  • Security Fixes:
    • Medium: Authenticated author broken access control: read access to issue content
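The security fix above gives only the finding's class, "authenticated author broken access control, read access to issue content". As an added illustration of that class (not Dradis's code, and not a description of the actual defect), the Ruby below puts a lookup that loads an issue by id alone next to one scoped through the user's project assignments; the roles, ids and sample records are constructed for the example.

```ruby
# Added example, not Dradis code: the class of defect behind an
# "authenticated author can read issue content" broken access control fix,
# shown as a vulnerable lookup next to a project-scoped one.
Issue   = Struct.new(:id, :project_id, :title)
Project = Struct.new(:id, :name, :member_ids)   # member_ids: users assigned to the project
User    = Struct.new(:id, :role)                # role: :admin, :author or :contributor

class NotAuthorized < StandardError; end

# Constructed sample data (ids and names are made up).
PROJECTS = [Project.new(1, 'Client A', [10]), Project.new(2, 'Client B', [11])].freeze
ISSUES   = [Issue.new(100, 1, 'SSL weak MAC'), Issue.new(200, 2, 'Outdated OpenSSH')].freeze

# Vulnerable: authenticates, then loads the issue by id alone. Any logged-in
# author can read any issue in the instance just by changing the id.
def find_issue_unscoped(user, issue_id)
  raise NotAuthorized, 'login required' unless user
  ISSUES.find { |i| i.id == issue_id } or raise KeyError, 'not found'
end

# Hardened: resolve the project through the user's assignments first, then
# look the issue up inside that project only. Admins see every project.
# An issue that exists but belongs to another project reads as "not found",
# so the response does not reveal which ids exist elsewhere.
def find_issue_scoped(user, project_id, issue_id)
  raise NotAuthorized, 'login required' unless user
  project = PROJECTS.find { |p| p.id == project_id } or raise KeyError, 'not found'
  unless user.role == :admin || project.member_ids.include?(user.id)
    raise NotAuthorized, "user #{user.id} is not assigned to project #{project.id}"
  end
  ISSUES.find { |i| i.project_id == project.id && i.id == issue_id } or raise KeyError, 'not found'
end

# Convenience for tests and audit logging: true only when the scoped lookup succeeds.
def can_read_issue?(user, project_id, issue_id)
  find_issue_scoped(user, project_id, issue_id)
  true
rescue NotAuthorized, KeyError
  false
end
```

In a Rails controller the scoped form is the usual `current_user.projects.find(params[:project_id]).issues.find(params[:id])` chain; the point is that every read path, including JSON API endpoints and export code, goes through the same scoped chain rather than a bare `Issue.find`.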
