We get many feature requests about the Business Intelligence Dashboard, and now the first batch is ready! You can now see year-over-year trends of activities and custom properties, and lists of your most common issues across projects. Get a clearer look at changes over time at a glance.
Copy existing mappings to new templates
The Mappings Manager lets you keep multiple different mappings for different templates across tools. Now we have also made it easier to copy existing template mappings to new or updated templates when you upload them. When you upload a new Kit, you can select the mappings to apply or copy:
When you upload a new template (e.g., when you have updated a template and you want to move to the newer version), you can choose to copy existing mappings or to create new ones:
This will get you up and running with updated templates quickly and easily!
Release Notes
Activities:
Include methodology name in all methodology actions
Business Intelligence:
Add Custom Properties view
Add Dashboard view with Year-Over-Year insights
Add sub-navigation
Font:
Improve font weight consistency for international characters
Layout:
Add custom error pages
Issuelib:
Update entry edit UI to match issue edit UI
Mappings:
Add an option to copy existing mappings when uploading kits or report templates
Rails:
Upgrade Rails version to 8.0.2.1
Ruby:
Upgrade Ruby version to 3.4.4
Upgraded gems:
resque, rexml, selenium-webdriver, thor
Bug fixes:
Combobox:
Prevent forcing the selection of the first available option for multi-select forms
Admin testers can now add a custom logo and brand color in the Instance Settings view. Contributors will see this logo and color in the Dradis UI, providing a white-labeled experience that reflects your brand identity.
Simply click on the cogwheel to the top right, click Instance Configuration, then White Labeling, and set your preferred logo and brand colour.
Now your Contributor Login page will be branded with your logo and colour scheme.
MITRE ATT&CK calculator
We have added a new MITRE ATT&CK calculator, based on the MITRE ATT&CK matrices for Enterprise, Mobile, and ICS (more details: https://attack.mitre.org/). You can now add MITRE ATT&CK metrics to Issues from the MITRE tab.
Once you select a Tactic, the calculator will load the associated list of Techniques, followed by Sub-Techniques based on your selection. You can include Enterprise, Mobile, and ICS data all within the same Issue.
Additionally, the calculator is available as a standalone tool from the Tools menu in the top navigation bar.
Kit downloads
Report templates can now be downloaded as a Kit, including report template properties and mappings. This makes it easier to share and reuse report templates while maintaining all of the associated context.
Release Notes
Activation:
Add offline activation option for when online activation fails
Active project cards:
Display the most recently updated Methodology
Render empty states instead of hiding content
Admin settings:
Add ability to white label contributor-facing views
Update UI to match other settings-related UIs
Analyzer:
Add support for multi-word fields
Calculators:
Add MITRE ATT&CK
Contributors:
Use Contributor login by default
Hera:
Update brand colors
Add sub-navigation icons to improve consistency
Jobs:
Add /jobs view to view and manage background jobs
Logs:
Update logs to use string UIDs
Mailer:
Fix email footer incorrectly redirecting to tester login
Profile:
Add click-to-reveal functionality for the API token
Report Templates:
Add option to download a kit for each report template
Upgraded gems:
nokogiri
Bug fixes:
Avatars:
Fix avatars disappearing after enabling/disabling an integration
Calculators:
Render Calculator links in tools menu
Quote Selector:
Scroll to comment box in Safari after selecting quote content
Word:
Only process scoped issues in node content controls
Don’t create an analytics event when validating the project
Integration enhancements:
Gateway:
Add dynamic project title to Ares theme
Issue Library:
Update issues import to be more consistent with the table search
LDAP:
Enable installation and editable configuration through the Tool Manager
Nessus:
Ignore entries that have blank values
SAML:
Add name_identifier_format in the config generator and default to 'emailAddress' instead of 'unspecified'
Reporting enhancements:
Adjust the default styles for unordered bulleted lists
Excel:
Track failed job states using JobTracker
Filters:
Fix filters with double quotes (") not catching the correct values
Word:
Track failed job states using JobTracker
REST/JSON API enhancements:
Export: Add endpoints for exporting and downloading Word/Excel reports
Our designers have been working to completely overhaul the application interface to be more modern and integrated. Both the main interface and the individual projects view now use the same visual style, and you have access to all the application’s sections from the project view, so now you can go straight to your mappings or IssueLibrary from your project, rather than having to go through the Dashboard first.
Gateway Services and Questionnaires
As we continue to improve the features and possibilities of the Dradis Gateway, we have now created a new Services section of the portal. Here you can create questionnaires, which you can then send to Gateway Contributors. For example, you could use a questionnaire to establish the scope and goals of a penetration test before starting a Dradis project for them. On the basis of their responses, you can create a new project for their team right from the questionnaire results.
MFA with one-time passcodes
We have now created our own multi-factor authentication integration, Dradis OTP. You are no longer limited to using DuoWeb for free MFA in Dradis. With Dradis OTP, you can create and scan a QR code to use for MFA in whichever MFA app you prefer.
Audit logging
By popular request, we have created the Dradis Audit integration, which tracks activity in Dradis on a deeper level than the Recent Activity tabs and gathers it in one place. Your logs for the whole Dradis instance are now easily accessible for your security, compliance, and accountability needs.
Release Notes
Contributors:
Add an intermediate login page to prevent Microsoft Safe Links from consuming the one-time token
Add Notification Settings link
Forms: Add a combobox for selecting, filtering, and creating options
Hera: Add new layout with redesigned navigation
Navigation: Replace Turbolinks with Hotwire
QA:
Add project states and QA stats in the active projects card
Add View History link when viewing Issues/Content blocks
Add a ‘Reviewer’ role for publishing Issues/Content blocks
Automatically go to the next record after reviewing
Revisions: Show state changes in the revisions view
Usage Tracking: Track the choice of toggling on/off
We’re heading to Singapore for Black Hat Asia 2025, and we’ll be showing off the latest in streamlined reporting and collaboration at our Dradis Arsenal demo. We’re excited to be part of the Black Hat Arsenal, demoing how Dradis helps security teams collaborate and report more effectively.
Catch us here:
🧪 Dradis @ Black Hat Arsenal Business Hall – Arsenal Station 3 📅 April 3, 10:05am-11:20am
Learn how our most recent updates, which include in-app quality assurance workflows, easier deployment with Docker, and AI-driven enhancements, let you create reports faster and with greater quality.
When we’re not presenting, we’ll be diving into the briefings, trainings, and executive summits across AI, exploit development, cloud, and physical infrastructure. Here’s what we’re most excited about.
🔐 Briefings We’re Watching
🚗 DriveThru Car Hacking: Fast Food, Faster Data Breach
Speakers: Alina Tan, George Chen, et al.
Tracks: Privacy, Network Security
A real-world case study of how a popular drive-thru system was compromised—leading to credential theft, data exfiltration, and a full system takeover. (Search the schedule page for the talk title)
🧠 Tinker Tailor LLM Spy: Investigate & Respond to Attacks on GenAI Chatbots
Speaker: Allyn Stott
Tracks: AI, Threat Hunting
Learn how to detect and respond to attacks on GenAI chatbots, including jailbreaks, prompt leaks, and advanced threat scenarios targeting language model behaviors.
📱 Watch Your Phone: USB-Based File Access Attacks Against Mobile Devices
Speakers: Florian Draschbacher, Lukas Maar
Tracks: Mobile, Exploit Dev
A look at how attackers can access sensitive data on Android phones simply by connecting over USB—even when locked. Includes analysis of newly discovered file access vectors.
Speakers: Zhiniang Peng, Lewis Lee
Tracks: Exploit Dev, Platform Security
Explores a novel pre-auth remote code execution vulnerability affecting Windows Server 2025, with a reliable exploitation chain and working proof of concept.
If your team is tired of copying and pasting findings, fighting with Word templates, or working in silos—come see how Dradis makes reporting and collaboration painless.
📍 Dradis @ Arsenal 📅 Thursday, April 3 | 10:05am-11:20am
Cross-references in Word reports
A frequent report template request is being able to cross-reference Issues, so that you can have a summary table of issues in one part of the finished report that links to each full Issue description later in the report. Previously we have implemented this using VBA macros; now you can do it right in the Word template using content controls, no VBA needed!
You can create links in summary tables, or even refer to specific issues in other blocks of text (such as Content Blocks) with links directly to each individual issue you want to reference. For example, maybe you have a “Most urgent issues” content block? Now you can refer to those individual issues with links in text.
Reach out to us if you would like us to implement cross-referencing in your Word report templates, or if you currently have a VBA macro implementation of cross-referencing that you want to replace with the built-in cross-referencing feature.
Custom Tag Order
You have been able to customise tags in Dradis for a while; now you can sort them dynamically as well. For example, maybe you have your own custom “Resolved” tag as well as your typical High/Medium/Low tags, and you want Resolved issues sorted first. Now you can do that! Change your mind and want to see High issues first? Re-order the tags and you’re done.
Kit Updates
We refreshed our built-in Kits with updated templates for reports, projects, issues, and more. We also included integration mappings and rules, along with an OWASP Top 10 methodology update.
Kits can be deployed immediately on an instance (no upload required) and can be used immediately with some tool output for which mappings are included. Other tweaks like CVSSv4 support are also included.
Release Notes
Projects: Add `Owner` column to projects data table
Tags: Add custom ordering
Welcome Kit:
Add HTML report template
Add issue and evidence templates
Add integration mappings
Add project template
Add rules for Rules Engine
Update OWASP Top 10 methodology to latest version (2021)
Update report templates
Upgraded gems: net-scp, net-ssh, rexml
Bug fixes:
Dashboard: refresh cache on recent project changes
Word export: allow charts to be edited post-export
Integration enhancements:
Gateway: Process Liquid in content block, evidence, issue and note text by default when rendering template
To achieve this, we’re continually improving the product: fixing bugs and adding or improving features.
Let’s look back on the updates that shaped Dradis Pro in 2024. From major feature rollouts to smaller, user-requested enhancements, our focus remained on delivering tools that help streamline workflows and improve reporting efficiency.
v4.12: Enhanced Mappings Manager and CVSSv4 Support
Released in May 2024
Overhauled Mappings Manager: We’ve revamped the Mappings Manager to associate configurations directly with specific report templates and their properties. This change allows for distinct plugin mappings tailored to each report template, streamlining your reporting process.
CVSSv4 Calculator Integration: Responding to user feedback, we’ve integrated a CVSSv4 calculator into Dradis Pro. You can now assess vulnerabilities using CVSSv4, with the flexibility to include outputs from multiple calculator versions within the same issue.
API Enhancements for Attachments: The API now provides additional functionalities for attachments, including access to size, creation date, and direct download links, enhancing automation and integration capabilities.
Official AWS and Azure Support: Our Dradis images for AWS and Azure have transitioned from beta to officially supported status, ensuring reliable deployments when following our documented methods.
v4.13: Advanced Liquid Support and Scheduler Integration
Released in August 2024
Expanded Liquid Functionality: We’ve broadened Liquid support, making Liquid drops available at more levels. This enhancement enables dynamic content generation, such as auto-generated executive summaries that summarize recommendations based on issue severity and evidence locations.
Project Scheduler Calendar Integration: The Project Scheduler now offers secure links to .ics files, facilitating integration with third-party calendar applications like Outlook, Thunderbird, and Apple Calendar. This feature ensures seamless scheduling and project management across platforms.
Auto-Detection of Word Report Template Properties: To simplify template configuration, Dradis Pro can now auto-detect report template properties upon template upload. This automation reduces manual setup, ensuring accurate project generation, validation, and export.
v4.14: Issue Library Synchronization and Quality Assurance
Released in October 2024
Synchronized Issues and Issue Library Entries: We’ve introduced synchronization between project issues and Issue Library entries. This feature allows for real-time updates and consistency, enabling you to sync content between associated issues and library entries seamlessly.
Quality Assurance for Issue Library: A new QA view for the Issue Library lets you review, edit, and manage entries with version history tracking. This addition ensures that reusable issues maintain high quality and consistency across projects.
Liquid Support for Issue Sorting Fields: We’ve added Liquid support for issue sorting fields, allowing you to use Liquid code within sorting fields without affecting the sort order. The evaluated result of the Liquid code determines the sorting, providing dynamic and customized report organization.
Associate and sync content between issues and Issue Library entries
Issues and Issue Library entries are now synced. When you add an Issue to your project from the Issue Library, it is synced up with the original Issue Library entry. That way, you can identify when the two are out of sync and, if needed, sync them back up.
You can update either the Issue in your project to match the Issue Library entry, or update the Issue Library entry to match the Issue in your project – it works both ways!
This link between the issue and the entry is also created when you send an already existing Issue from your project to the Issue Library. Managing your reusable Issues has never been as easy as it is now!
Quality Assurance for Issue Library
We implemented QA for the Issue Library. You can now review your Issue Library entries and perform quality assurance on them.
When entries are marked as “Ready For Review”, they’re available in the new QA view. You can edit them, change their state, and keep track of changes with the version history.
Liquid support for Issue Sort fields
We have added Liquid support for Issue sorting fields. When you export a report to Word, you can set a numeric sorting field, and your issues will be sorted in descending order on export.
This update allows that field to contain Liquid in the Val values without affecting the sort order. The result of the Liquid code will be used in the sorting, not the Liquid code itself.
Release Notes
Issue Library:
Associate issues with Issue Library entries
Sync content between associated issues and Issue Library entries
Implement a Quality Assurance view for Issue Library entries
Kit Import:
Use file name sequencing when a template file with the same name exists
Upgraded gems:
concurrent-ruby, et-orbi, fugit, puma, rexml
Bug fixes:
Report Templates:
Fix confirmation on deleting a report template
Spelling:
Restore functionality of native browser back/forward buttons
Integration enhancements:
Business Intelligence:
Show search results in a data table
Reporting enhancements:
Word:
Allow fields that contain Liquid to be used as an export sorting field
Ignore Tag field when auto-generating word template properties
Liquid updates
Dradis v4.13.0 expands what you can do with Liquid content. Support for Liquid drops has been expanded so that they are available at more levels. For example, perhaps you want to have an auto-magically generated text in an Executive Summary ContentBlock that summarises recommendations for Issues and their respective Evidence locations, in order of severity? Now you can do that!
In addition, we have tweaked the Word exporter so that Liquid content is evaluated before Word filters. That means that you can use Liquid syntax to programmatically set filters. For example, perhaps you have filters in your Word template that separate Internal and External Issues. Now you can use Liquid to, for example, specify that if an Issue is found on a Node beginning in 192. then the Type should be set to “Internal”.
Or perhaps you want to select which ContentBlock sections to display based on the Project type as defined in a document property? Now, with some Liquid code in the relevant ContentBlock filter sections, you can do that!
Project Scheduler integration
The Project Scheduler is one of our most downloaded add-ons, and a frequently requested feature has been integration with third-party calendars. This is now implemented in v4.13.0! The Scheduler now has a secure link to a .ics file that will let you integrate the Dradis Project Scheduler with apps like Outlook, Thunderbird, and Apple Calendar. The .ics file can of course also be downloaded rather than linked.
Auto-generate Word report template properties
Correct configuration of Word templates’ Report Template Properties is essential to ensure that projects are correctly generated, validated, and exported. With our recent Mappings Manager overhaul with per-template mappings, the correct configuration of report template properties is also essential to tool uploads. To make this process easier for you, Dradis can now auto-detect report template properties when you upload a report template to your Dradis instance. If you create or tweak your own templates, and don’t want to go through a fiddly .rb file to configure a new Kit each time, this feature is for you!
Release Notes
Liquid: Make project-level collections available for Liquid syntax
Validations: Evaluate Liquid syntax before validating the fields
Upgraded gems: nokogiri, rails, redcloth, rexml
Bug fixes:
Business Intelligence:
Prevent the “Business Intelligence” navigation label overflowing (in Project and Team forms) on mid-size view ports
Prevent the “Compare” chart y-axis label from being covered by chart data
Navigation: Restore functionality of native browser back/forward buttons
Rules Engine: Prevent issues from getting multiple tags
Tables: Enable sorting by validation column status
Word: Prevent EvidenceCounter filters from being ignored
Integration enhancements:
Calculators: Add CVSS/Dread calculators to the Tools Manager
Rules Engine: Process Liquid syntax before matching field condition
New Mappings Manager
Dradis v4.12.0 contains a complete overhaul of how the Mappings Manager works. Mappings Manager configurations for each upload plugin (e.g. Nessus, Burp, Qualys…) are now directly associated with a particular report template and its associated report template properties. This means that you can have separate plugin mappings for separate report templates.
The editor itself has also been overhauled to be more user-friendly. Rather than having to manually type out the Dradis fields needed using their #[Field]# syntax, you can now pick “Source Fields” and “Dradis Fields” from dropdowns. Of course “Custom Text” and “Custom Field” options are also available.
This overhaul should also make it more straightforward to configure the Mappings Manager for report templates in Kits.
Your existing Mappings Manager configurations will be migrated to the new format on upgrade.
CVSSv4 Calculator
We heard you: we now support a CVSSv4 calculator right in the application!
Of course CVSSv3.0 and CVSSv3.1 are still supported as well. Pick your preferred version from the dropdown. You can have the outputs of multiple calculator versions in the same Issue if you like.
API Attachments
New functionalities have been added to the API Attachments endpoint. You can now get the size, created_at, and (by popular request) a download link with an API call!
AWS and Azure images now officially supported
After a long time in Beta, we are now able to offer our Dradis images for AWS and Azure as officially supported by us, as long as our documented AWS or Azure deployment methods are followed.
Release Notes
Attachments: Add size, created_at, and download link to the API
Kits: Automate creating Mappings
Mappings Manager: Map fields from scanner integrations to Dradis fields
Upgraded gems:
nokogiri, rails
Bug fixes:
Avatars: Allow both .jpg and .jpeg formats
Projects: Fix redirection when updating an issue or content block
Sidebar: Prevent version number from overlapping listed records
New integrations:
Pentera
Integration enhancements:
CVSS Calculator: Add CVSS v4 support
Integration Manager: Clarify integration status after enabling/disabling
Veracode:
Create evidence for every instance of <flaw>
Use cweid as the issue identifier
Reporting enhancements:
Word: Accept scope parameter in command line export
Excel: Accept scope parameter in command line export
Security Fixes:
High: Authenticated author path traversal on attachment rename
We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.
Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can!
We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.
Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".
Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.
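The three filter forms quoted above, parsed and applied to sample records. This is an added Ruby illustration, not code from Dradis: the WordFilter class, the apply_filter helper, and the sample records are hypothetical, and the matching semantics (exact string equality, inclusive numeric range, typographic quotes treated as straight quotes) are assumptions.

```ruby
# Added illustration, not Dradis source code. Matching semantics are assumed:
# exact string equality, and an inclusive numeric range for (low..high).
class WordFilter
  NUMBER  = /-?\d+(?:\.\d+)?/
  PATTERN = /
    \A\s*
    (?: "(?<qfield>[^"]+)" | (?<field>[^|"\s()]+) )   # field name, quoted when it has spaces
    \s*\|\s*
    (?: "(?<qvalue>[^"]*)"                            # quoted value
      | \((?<low>#{NUMBER})\.\.(?<high>#{NUMBER})\)   # numeric range
      | (?<value>[^|"\s()]+) )                        # bare value without spaces
    \s*\z
  /x

  def self.parse(text)
    # Assumption: text pasted from a Word template may carry typographic
    # quotes, so they are normalised to straight quotes before parsing.
    normalized = text.tr("“”", '""')
    m = PATTERN.match(normalized)
    raise ArgumentError, "unparseable filter: #{text.inspect}" unless m

    matcher =
      if m[:low]
        low = Float(m[:low])
        high = Float(m[:high])
        raise ArgumentError, "empty range in #{text.inspect}" if low > high
        (low..high)
      else
        m[:qvalue] || m[:value]
      end
    new(m[:qfield] || m[:field], matcher)
  end

  def initialize(field, matcher)
    @field = field
    @matcher = matcher
  end

  # True when the record's field satisfies the filter. A missing field or a
  # non-numeric value tested against a range never matches.
  def match?(fields)
    actual = fields[@field]
    return false if actual.nil?
    return actual.to_s == @matcher unless @matcher.is_a?(Range)

    number = Float(actual.to_s, exception: false)
    !number.nil? && @matcher.cover?(number)
  end
end

# Parse one filter expression and keep only the records it matches.
def apply_filter(filter_text, records)
  filter = WordFilter.parse(filter_text)
  records.select { |record| filter.match?(record) }
end

# Constructed sample data (not taken from any real project).
ISSUES = [
  { "Title" => "SQL injection",  "CVSS Base" => "9.8", "Category" => "A1 Injection" },
  { "Title" => "Verbose banner", "CVSS Base" => "3.1", "Category" => "A6 Misconfiguration" },
  { "Title" => "Unscored note",  "CVSS Base" => "N/A", "Category" => "A1 Injection" }
].freeze

NODES = [
  { "label" => "10.0.0.5",         "type" => "internal" },
  { "label" => "www.example.test", "type" => "external" }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts apply_filter('"CVSS Base"|(9.0..10.0)', ISSUES).map { |i| i["Title"] }.inspect
  puts apply_filter('Category|"A1 Injection"', ISSUES).map { |i| i["Title"] }.inspect
  puts apply_filter('type|internal', NODES).map { |n| n["label"] }.inspect
end
```

In this sketch an unquoted field name containing a space is rejected rather than guessed at, so a mistyped filter fails loudly instead of silently matching nothing.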
What was previously the Plugin Manager is now the Mappings Manager as we’ve extended the functionality to Azure DevOps and Jira. You told us that you usually have a pattern for the data that you send to these external tools. For example, you’d want a specific set of fields from your Dradis issue to go into your Jira card’s description.
The Mappings Manager allows you to configure that mapping so that the next time you send an Issue to Azure DevOps or Jira, the editor will pre-populate with the data from your Issue in the exact format you specified. You’ll still have the ability to edit it before sending the Issue to Azure DevOps or Jira if needed.
Review/approve Issues and Content Blocks before including them in reports.
The goal here was to give you a way to differentiate between “I’ve reviewed this issue” and “I haven’t reviewed this issue yet”.
You can use the new QA view to look at your “Ready for review” Issues and Content Blocks and review them before including them in reports.
Then, on the Export page, the default is to export just the Published records. But, you can also export All if that makes more sense for your team’s workflow.
Previously, you could create custom tags by editing the XML of the project template directly. That’s still an option if you happen to enjoy dealing with XML. Otherwise, you can now use the UI for that whole process. There’s even a color picker so that you can get just the right shade for your custom tags.
From the project level, you can also manage your tags and create, edit, or delete them as needed:
Improved admin and support features
Archiving projects – rather than moving them into the trash
Previously, we had active projects or projects in the Trash and nothing in between. You asked for another way to organize projects and we delivered! Now, you can archive projects as well. Archiving a project does not delete a project, but leaves it in the Archive tab of the Projects view. This way you can maintain an uncluttered view of active projects without needing to send inactive projects to the trash.
Before v4.7, we had no way to receive usage data from your instance other than a ping to our licensing server when you first activate the instance. In v4.7, we have rolled out optional usage analytics that you can share with us. Yes, optional!
For full transparency, you can see exactly what you would be sending to us in the event log. It’s all anonymized data like “someone exported a Word report” or “someone logged in as a contributor” that is designed to help us understand how teams are using Dradis and should not reveal anything sensitive, not even your email address.
Of course, you can always opt out of sharing this data with us if you prefer. We’re excited to have a bit more information about how you’re currently using Dradis so that we can make the product even better for everyone in the future.
We’ve also added better in-app tester administration. If a user gets locked out of their account with too many incorrect login attempts, Admin users will now be able to unlock their account with 1 click.
v4.11 – the latest release
We’ve continued releasing updates in 2024. Here’s an overview of our latest release:
Improved version history
Fixed liquid dynamic content preview in the editor
Fixed export crashing with links with trailing special character
Fixed link formatting for hyperlinks in inline code blocks