This release brings major capabilities for multi-tenant operations, faster remediation planning, and deeper visibility. Highlights include MSP-ready Customer Reference IDs, AI Remediation at scale in the split panel, Custom Software Checks to close blind spots, and compliance mappings in the Issues API. We have also delivered dozens of workflow improvements and targeted bug fixes to keep your operations smooth and predictable.
Highlights
MSP-ready Customer Reference IDs
Assign a Customer Reference ID when creating or editing an organization.
Service providers can now store and use an internal Customer Reference ID on each organization in Nanitor and find orgs by that ID across the UI and API. This makes it easy to reconcile Nanitor organizations with billing, PSA, and CRM systems.
What is included
Create and edit a Customer Reference ID when creating or editing an organization (optional, up to 64 characters).
See and search the ID in the Organizations table; the slug is now clickable for quick navigation.
Switcher support: the org switcher shows a subtle Ref: token when available and includes it in search.
Public API support: list and detail responses include customer_reference_id, and you can search or filter by it.
Key benefits
Frictionless reconciliation: map vendor orgs to billing/PSA records without spreadsheets.
Faster navigation: find the right org by either name or your own reference.
Non-disruptive: optional field, hidden when not used.
AI Remediation at Scale (Split Panel)
Generate and review remediation insights for many issues at once.
Plan remediation work for dozens of issues in one place. The Issues split panel now has a Remediation tab to view existing AI insights and generate any missing ones one at a time (you can queue several requests without leaving the panel).
What you can do
See remediation insights for all selected issues in one list.
Click Generate Insight on a handful of issues in succession; each request shows progress messaging so you know it’s running and the written plan drops in when ready.
If an insight fails to generate, click the same button again after a short pause to retry without leaving the split panel.
Why it helps
Massive time savings: prepare complete action plans in a fraction of the time.
Stay in flow: insights generate asynchronously, so there is no need to leave the list.
Scales to real workloads: designed for large selections without UI freezes.
Bulk “generate all” is intentionally deferred while we scale AI capacity; triggering multiple single-issue runs still allows parallel generation without overloading the service.
Custom Software Checks
Define process, file, or directory checks and surface results in Software Inventory.
Close visibility gaps by defining your own lightweight checks for processes, files, or directories across Windows, Linux, and macOS. Matches appear in Software Inventory and participate in policies, alerts, and reporting. All lifecycle actions are audited. The UI uses the clearer, user-friendly name Custom Software Checks.
Highlights
Check types: Process (name, command line, hash) and File or Directory (path, glob, hash).
Scope and schedule: target all devices, groups, labels, or specific devices; run with inventory scans or on an override cadence.
Inventory integration: results tagged as Source: Presence Check with a visible pill and filter.
Governance: create, update, enable, disable, and delete actions recorded in the Activity Log.
Value
Tailored coverage: detect portable, rogue, or bespoke software that package managers miss.
Policy parity: treat matches like standard software for allow or block policies and alerting.
Operational clarity: consistent naming and audited changes.
Issues API: Compliance Mappings
Fetch issues with mapped frameworks and filter by framework or control.
The Public API now returns compliance framework mappings for issues and supports filtering by framework and control. Connect technical findings to frameworks like ISO 27001, CIS, and NIST and power GRC workflows directly from Nanitor data.
API additions
compliance_controls array on /issues (via expand=compliance_controls) and always on /issues/{id}.
New filters: compliance_framework= and compliance_control=.
Benefits
Risk-aligned prioritization: tie findings to business and compliance requirements.
Seamless GRC integrations: consume mappings programmatically without exporting reports.
Improvements
CSV Import can update custom fields. Export, fill missing custom fields offline, and re-import to update matched assets. Empty cells leave existing values unchanged, and a clear summary is shown after import.
Map custom fields directly in CSV templates before re-importing.
Step-up 2FA for sensitive admin actions. System Admins are prompted for a current 2FA code before high-impact operations (for example, turning off Force 2FA or resetting another user's 2FA). Actions are logged.
Require an up-to-date 2FA challenge before changing critical org settings.
Asset labeling: FQDN 'Contains' rule. Create label rules that match substrings in fully qualified domain names (case-insensitive), enabling flexible domain-suffix targeting.
Build flexible hostname rules with the new FQDN contains operator.
Public API – Asset Import unarchive_mode. Decide how archived assets are treated when using the AssetImport API: unarchive_auto_only (default) brings back only auto-archived records (today’s behavior), unarchive_all revives every archived match (manual or decommissioned) when the source says it’s active, and unarchive_none keeps every archived asset untouched so imports never re-enable them. Invalid values return a 400 listing the allowed options.
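The three unarchive_mode values described above, modeled locally so the effect of an import can be previewed before a mode is chosen. This is an added example, not Nanitor code or the API's implementation; the ArchivedAsset record, the archive_reason labels and matching by hostname are assumptions made for illustration.

```python
"""Local dry-run model of the documented unarchive_mode rules (illustrative only)."""
from dataclasses import dataclass

ALLOWED_MODES = ("unarchive_auto_only", "unarchive_all", "unarchive_none")


@dataclass(frozen=True)
class ArchivedAsset:
    hostname: str
    archive_reason: str  # assumed labels: "auto", "manual", "decommissioned"


def validate_mode(mode):
    """Mirror the documented 400: reject unknown values and list the allowed ones."""
    if mode not in ALLOWED_MODES:
        raise ValueError(
            f"invalid unarchive_mode {mode!r}; allowed: {', '.join(ALLOWED_MODES)}"
        )
    return mode


def preview_unarchive(archived, active_in_source, mode="unarchive_auto_only"):
    """Return the hostnames an import would bring back under the given mode."""
    validate_mode(mode)
    revived = []
    for asset in archived:
        if asset.hostname not in active_in_source:
            continue  # the import source does not report it active
        if mode == "unarchive_none":
            continue  # archived assets are never re-enabled
        if mode == "unarchive_auto_only" and asset.archive_reason != "auto":
            continue  # manual and decommissioned records stay archived
        revived.append(asset.hostname)
    return sorted(revived)


def risky_revivals(archived, active_in_source):
    """Assets only unarchive_all would re-enable; review these before switching modes."""
    everything = set(preview_unarchive(archived, active_in_source, "unarchive_all"))
    default = set(preview_unarchive(archived, active_in_source, "unarchive_auto_only"))
    return sorted(everything - default)


# Constructed sample data, not real assets.
ARCHIVED = [
    ArchivedAsset("db-01", "auto"),
    ArchivedAsset("lab-07", "manual"),
    ArchivedAsset("old-dc", "decommissioned"),
    ArchivedAsset("web-03", "auto"),
]
ACTIVE = {"db-01", "lab-07", "old-dc"}
```

The output of risky_revivals is the list to review first: manually archived or decommissioned hosts that would come back into scope if the import ran with unarchive_all.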
Windows patching foundation improvements. Backend sync now carries patch type and fixed build number metadata into the Available Patches data set, so future patch recommendations align with the exact KB/build combinations Microsoft publishes.
Available Patches now surfaces the exact KB and build metadata from Microsoft, making it easier to prioritize the right update.
Unified table action buttons. The action menu in list views (Issues, Assets, Inventory, etc.) now uses the same button-base style everywhere—larger icons, equal padding, and matching states—so you always know where to click without hunting for a slightly different icon.
Split-panel quality suite for faster triage. The Issues split panel now remembers your active tab when you hop between issues, re-opens reliably after closing, shows the same high-value fields you’d find on the full issue page (CVSS3, KEV/EPSS, summaries), and the Assets tab lets you expand each host to see exactly which selected issues apply plus OS context inline.
Split-panel polish keeps context, expands assets, and highlights severity cues.
Inline setup guides for NinjaOne and Vanta. Collapsible, step-by-step instructions placed directly in the integration pages, with dynamic Redirect URI generation to cut setup errors.
Inline instructions keep the entire integration flow visible in one place.
Safeguard legacy platforms. Server-side logic prevents auto-upgrades on deprecated OSes (for example, Windows Server 2008 R2) so working agents remain stable; supported OSes upgrade as usual.
Assets CSV export: last_logon_user column. See who last logged on and when in one parse-friendly field per asset.
CSV exports now include who last used each asset and when.
Graph Inventory visibility. Issues with lower NPS/risk scores now render in Graph Inventory again—the query no longer filters them out—so the graph view matches the issue list.
Benchmarks & Feed Updates
Windows Server 2025 CIS Benchmark
We plan to publish the CIS Microsoft Windows Server 2025 benchmark to the compliance feed early next week. Agents will download it automatically—no UI upgrade or manual assignment required—and Windows Server 2025 assets will migrate off the Windows Server 2022 profile on their next check-in. This delivers the benchmark coverage we promised back in v5.9.0 when vulnerability detection for 2025 shipped first. Expect initial SCAP runs within 24 hours of the feed update; if you were explicitly pinning the 2022 benchmark, the new one overrides it only for devices whose OS version reports as 2025.
Windows 11 Enterprise Benchmark Refresh
A comprehensive refresh of the Windows 11 Enterprise benchmark is in final validation now. We aligned it with the latest CIS release, expanded automation across Level 1 and Level 2 controls, and rebalanced the default baselines so high-signal checks surface first. QA wrap-up is on track to finish this week, so we expect the updated benchmark to ship via the feed early next week; once it lands, agents pick up the new revision automatically and existing benchmark assignments stay intact.
Bug Fixes
Windows patch recommendations filtered correctly. The Available Patches tab now shows only patches valid for the affected OS, aligning with MSRC expectations.
macOS CIS benchmark rule 2.10.5. Fixed the password-hint visibility script so it no longer throws false negatives during CIS assessments.
Device transfer between organizations fully re-processes data. When you move a device, Nanitor now wipes the previous org-specific caches (software inventory, subnets, users, PII, OS vulns, etc.) so the next check-in rebuilds everything under the new organization without stale data.
Issue List scroll position preserved after actions. No more jumping to the top after operations like assigning to a project.
Project management stability. Fixed an issue where removing an issue from a Project sometimes failed.
Benchmark rule list UX. Filters and scroll position are preserved when closing the rule window.
Benchmark results no longer skipped by cache. First valid SCAP results are always published, eliminating 'assigned but empty' states.
VMware Tools vulnerabilities detected on Windows. OVAL evaluation now sets windows_view as required, fixing missed detections (for example, CVE-2025-22247).
Collector on Windows no longer creates empty files. The image-scanning capability probe now runs only on supported Linux collectors (and caches the result), so Windows collectors stop spawning empty files or checking for Docker/Trivy binaries they can’t use.
Sub-organization settings. Agent auto-update inheritance works correctly when changing org hierarchy.
Known Limitations & Practical Information
Legacy OS agent support
Description: Some operating systems (for example, Windows Server 2008 R2) are no longer supported by the Go runtime used in our latest agent builds. To keep those environments protected, we pin them to the last compatible Nanitor Agent (6.1.x, the final Go 1.20 release) and block automatic upgrades beyond that version.
Impact: When an asset checks in from one of those OSes, it continues running 6.1.x while supported platforms upgrade as usual. Customers can still deploy fresh agents on the affected OS; they simply stay on that proven build.
Workaround: Need the installer or configuration files? Contact Nanitor Support—we maintain signed packages and deployment guidance specifically for these systems.
Status: We’re actively designing a longer-term plan (potentially a dedicated “legacy agent” track) so customers with regulated or legacy workloads can stay current without depending on frozen builds.
Vendor fix badge vs. Available Patches
Description: Some vulnerabilities still display the Vendor fix badge (for example, data sourced from OVAL feeds), but the Available Patches tab shows “No patches available” because it now surfaces only MSRC-backed entries.
Impact: Analysts may click the badge expecting patch metadata and find an empty tab for non-MSRC Windows CVEs, even though we know the vendor has issued guidance.
Workaround: Continue to rely on the badge as a quick indicator that a vendor fix exists; for the full remediation details, use the issue’s external references until we merge non-MSRC sources back into the Available Patches view.
Status: We’re updating the remediation data model so the tab can display per-source patch information (MSRC plus other vendor feeds) without reintroducing incorrect matches.