LLM Pentest Type General Availability
What we did:
LLM pentests were previously available through a supported, manual setup with an SE and TEM. This launch introduces native platform support for LLM Standalone pentests and LLM Add-Ons, enabling self-service configuration directly in the platform. This includes:
Customers can select LLM (Standalone) and LLM (Add-On) as asset types when creating a pentest.
LLM assets have their scoping questions built out in the platform.
Pentest methodology documentation has been added to the platform & downloadable docs.
Why we did it:
Customers continue to deploy LLM applications at a high rate and security teams are struggling to test & secure these systems. Our AI Red Teaming offer remains a great option for many customers who want to test these systems. The LLM pentest is a good fit for customers who need a formal review for assurance needs (compliance, policy, etc.) or are looking for a quicker/more cost-effective place to start their LLM testing journey. The LLM Pentest offers customers a formal, methodology-driven pentest for their LLM applications and includes a standard pentest report suitable for sharing with stakeholders, including auditors, internal guidelines teams, and customers.
Who it helps:
Customers who use our pentest program to test AI/LLM applications.
SEs who are helping pentest customers scope their efforts pre-sale.
TEMs who work with customers to test their LLM applications.
How to use it:
In a pentest engagement in the Scoping stage, click the Add asset button.
In the dropdown, select AI/LLM Application (Standalone) or AI/LLM Application (Add-On).
Fill out the AI/LLM-specific scoping questions and hit Continue.
AI Research Safe Harbor
AI Research Safe Harbor is now live across the platform. It is an opt-in safe harbor, separate from the existing Gold Standard Safe Harbor standard, that covers AI system testing. Programs with AI assets can now show researchers a clear, formal policy that defines protections for good-faith AI security research. Additionally, Gold Standard Safe Harbor will now be enabled by default for all new programs, with customers able to request to opt out through their customer support teams.
What we did:
We updated the existing Gold Standard Safe Harbor processes so that all newly created programs have Gold Standard Safe Harbor enabled by default.
We added the ability for customers to opt in to AI Research Safe Harbor. Opting in to AI Research Safe Harbor does not require the customer to opt in to Gold Standard Safe Harbor, and vice versa.
We updated the Program Highlights section of the Program guidelines to show when a program has opted into AI Research Safe Harbor.
Support App has been updated to enable/disable AI Research Safe Harbor upon customer request, functioning the same way as the Gold Standard Safe Harbor Support App toggle.
Why we did it:
Customers with AI assets asked for stronger clarity when researchers test AI systems. Researchers need a clear reference for AI testing protections. Competitors do not publish AI-specific safe harbor language, which gives us differentiation. This prepares customers for the growing adoption of AI and aligns with emerging regulatory pressures.
Who it helps:
Researchers who test AI models and want defined protections. Enterprise customers who are adopting AI systems in their programs.
How to use it:
To activate:
Customers can go to their program’s Security page.
In the left-hand tab, select Customizations -> Overview, go to the relevant Safe Harbor section of the page, and select ‘Yes (Recommended)’.
They will then see a pop-up confirming that, once enabled, they will need to make a request to their CSM to disable it. Once Confirm is selected, they need to scroll to the bottom of the page and click Update.
In the Program Highlights section of the Program guidelines, the program is marked as following the relevant Safe Harbor, which is visible to Community Members. The Safe Harbor tab under the Security Page tab displays the relevant Safe Harbor wording, available to both customers and Community Members.
To disable:
Customers cannot disable adherence to either safe harbor option; this can only be done on the SupportApp Teams page.
Upon request, internal customer teams can disable either Safe Harbor via their own Safe Harbor toggle, which can also be used to enable either option.
Stripe Integration Update - Decommissioning of legacy workflow
We previously announced the launch of the new Stripe payment flow, allowing all customers to begin transitioning to the updated workflow on July 30, 2025. This subsequent update deprecates the old Stripe integration.
What we did:
Switched off Stripe’s legacy API flow.
Why we did it:
This completes the rollout of the new flow, which aligns us with Stripe’s long-term roadmap, improves customer experience, and reduces Finance’s manual workload.
Who it helps:
All customers using credit cards on our platform now benefit from improved payment reliability. Internal teams gain from reduced maintenance overhead and stronger compliance alignment.
There is one exception to be made clear: due to local requirements, we are no longer able to accept India-based credit cards. India has added new requirements for such payments that we cannot currently support. We have identified that this currently impacts two customers. We will be working with the teams of these customers to support their migration to invoice-based payments.
How to use it:
The new flow is now live for everyone. All card-based transactions use the updated integration. Customers will notice a smoother, more consistent experience.
Asset Analytics
Customers can now view counted assets, which helps them understand asset growth and how their assets are accounted for under the new pricing and packaging models, all in a single dashboard.
What we did:
Added a new Assets dashboard with a chart displaying the timeline of counted assets, allowing users to apply filters to track asset growth. For customers on the new pricing and packaging model, this dashboard tracks assets being counted against their entitlement.
Why we did it:
Customers lacked clarity about counted assets, which is necessary as we transition to asset-based pricing that relies on transparent counts and CTEM workflows that require consistent asset understanding.
Who it helps:
Program Managers monitoring asset growth over time, and customers preparing to migrate to the asset-based pricing model who need to understand their entitlement requirements.
How to use it:
In Analytics, go to the new Assets dashboard.
Select a timeframe.
Review counted assets and use the chart filters for more granular views.
Use the data in entitlement and CTEM conversations.
Learn more on the doc page.
Invite Hackers API Functionality
We’ve introduced a new API endpoint that allows customers to programmatically invite hackers to their private programs. This is an improvement for customers seeking automation, efficiency, and seamless integration with their internal systems.
What we did:
Built a new API endpoint for inviting Hackers to programs, which can:
Create invites for researchers to a program by username or email
Include custom invitation messages and context fields so customers can connect with Hackers with a relevant invite
Return structured validation results so customers can see the success or failure reasons for each invite
Ensure that Hackers invited to Clear programs are either already Clear or go through the Clear sponsorship flow
Automatically prevent duplicate invitations
Why we did it:
Some customers rely heavily on automation and requested a way to sync researchers between programs and challenges without using the UI. This capability supports enterprise-grade workflows and reduces friction for security teams managing large or dynamic programs.
Who it helps:
For customers managing large or dynamic researcher populations, this can save a significant amount of time:
Automating onboarding so new researchers are invited immediately when certain conditions in your system are met.
Syncing hackers across programs or challenges, for example: Invite everyone from Program A into a challenge that’s starting next week.
Reducing repetitive admin work by eliminating manual data entry.
How to use it:
Follow the API docs instructions.


