May 2026 Platform Releases
Generally Available
Observation process attribution
Composite alerts and other machine‑learning–based observations now include process attribution, providing clear, execution‑level context for malicious activity.
Instead of flagging suspicious behavior in the abstract, observations now precisely tie back to the originating application, binary, or command‑line invocation responsible for the activity, providing actionable intelligence: not just that something happened, but what ran, how it ran, and where it originated.
Vulnerability management now supports AlmaLinux
Vulnerability Management now supports AlmaLinux versions 8, 9, and 10 for ingestion through both Agent and Agentless scanning.
AI Security: Bedrock LQL policies
This release adds new default LQL (Lacework Query Language) violation policies that expand detection coverage, including the following AI and MCP-focused detection policies:
- Detection of intentional tampering with AWS Bedrock service configurations, aimed at identifying defense evasion techniques, guardrail bypass attempts, and unauthorized model access.
- Detection of suspicious AWS Bedrock runtime activity, surfacing potential multi-turn jailbreaking attempts or reconnaissance against AI system guardrails.
Additionally, from any of these alerts, you can ask FortiCNAPP AI Assist to suggest a high-confidence policy variant tuned to the specific alert context and get step-by-step instructions to configure it in FortiCNAPP, including the LQL query, recommended policy settings, and the rationale for why the variant is high-confidence.
Each policy has been validated using a multi-stage approach that includes reproducing relevant attack scenarios and running large-scale threat hunts across the broader customer dataset. This validation process is designed to assess signal quality, trigger frequency, and overall noise level.
These new policies are disabled by default and must be explicitly enabled.
Viewing non-default branch assessments in Code Security
Code Security now supports viewing security assessments for non-default branches. Users can select and view IaC and SCA/SAST/Secret scan results from branches other than the primary/default branch, enabling better visibility into the security posture of feature branches and development work before it is merged. Non-default branches can be selected in Code Security > Applications > Repositories to review application scanning assessments, including details of vulnerable components, third-party vulnerabilities, internal code weaknesses, and hard-coded secrets. See Repositories.
Low latency GKE audit log violation policy evaluation and alerts
Google Kubernetes Engine (GKE) audit log (Kubernetes Activity) violation policy evaluation and alerting has migrated to a low‑latency processing pipeline. Previously, both Amazon EKS and GKE audit log violation policies were evaluated hourly, and alerts for both platforms were grouped together.
With this release, GKE and EKS alerting behaviors are decoupled:
- GKE audit log violation policies are now evaluated in near real time, enabling faster detection of potential threats.
- GKE and EKS alerts are generated independently to provide more granular visibility by cloud platform.
This change improves your ability to respond to issues:
- You can identify and investigate GKE violations sooner due to reduced evaluation latency.
- You can prioritize and remediate alerts more effectively using per‑cloud alerts.
Vulnerability management now supports ChainGuard Wolfi images
Vulnerability management now supports ChainGuard Wolfi Images for ingestion through both Agent and Agentless scanning.
Threat Observations Policies page
The new Threat Observations Policies page is now available, providing a dedicated space to investigate and manage the policies behind Composite Alerts.
This introduces a unified experience that surfaces policy details directly in a single view, rather than spread across multiple areas.
Key capabilities include:
- Policy list view: View a paginated, filterable list of all threat observation policies.
- Filter panel: Quickly narrow results by policy attributes to focus on relevant policies.
- Details view: Drill down into individual policies to see domain, remediation steps, subject entity type, and full metadata in a side panel.
To see the new page in the FortiCNAPP console, go to Policy Manager > Policies > Threat Observations.
Redesigned GCP and Azure cloud log pages
The redesigned GCP Audit Log and Azure Activity Log pages are now available, bringing you a structured investigation workflow for Google Cloud and Azure that aligns with the experience introduced for AWS CloudTrail.
The new pages provide a multi-tab layout designed to support efficient investigation and analysis:
- Dashboard: View a visual time-series summary of activity, including events, unique users, resource types, operations, caller regions, errors, and correlated alerts.
- Audit Logs / Activity Logs: Analyze events in a filtered, paginated view, including full detail such as operation, resource, result status, caller IP, and raw JSON fields.
- User Details: Investigate activity by principal with enriched metadata and contextual insights, including context such as role, geographic location, and first and last seen times.
- API Errors / API Error Events: Isolate and review API error events.
- Polygraph: Explore behavioral relationships to identify anomalies and potential lateral movement.
- Threat Alerts: View alerts correlated directly with audit and activity log data.
Agent support for Kubernetes on cloud platforms
The FortiCNAPP agent now includes support for Kubernetes 1.33, 1.34, and 1.35 on the AWS, Azure, and Google Cloud platforms.
Public Preview
Code Security Claude Code Plug-in
FortiCNAPP Code Security is now available as a Claude Code plug-in in the marketplace, enabling developers to run IaC and SCA security scans directly from the Claude Code CLI. The plug-in automatically scans your IaC and dependency files for security vulnerabilities within your Claude Code workflow using Code Security.
Key features of the Claude Code plug-in include:
- Easy setup: Run `/fortinet:cli-setup` to install and configure the Lacework CLI and scanning components.
- Auto-remediation: Critical and high findings trigger Claude to fix issues without prompting.
- Parallel scanning: IaC and SCA scans run simultaneously to minimize wait time.
- Smart scoping: Only scans files changed in the current task, not the whole repository.
- Dependency caching: SCA scans are skipped when dependencies haven't changed.
For more information, see Claude Code plug-in.