Bitdefender recently rolled out new functionality in Bitdefender GravityZone, a unified cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. These features are consistent with our multi-layered security strategy and are intended to ease the workload of security analysts, administrators, and users.
What’s New for Security Analysts
In a dynamic cybersecurity landscape, security analysts are responsible for uncovering signs of potentially sophisticated attacks, making the invisible visible. This section describes new functionality designed to elevate analysts' capabilities, offering enhanced tools for threat detection, investigation, and response.
Attack Path Functionality Update
Visualizing how an attacker can chain exposures across assets and accounts to reach a critical target requires both graph fidelity and navigability at scale. Breach Path — introduced as a Controlled Availability feature in February 2026 (v 6.70) — has been renamed Attack Path and has received significant additions to the graph navigation experience, along with a consistent shift in terminology from resources to assets across all labels and field names.
On the main Attack Path page, the CVEs column has been removed from the All attack paths grid. In the attack path side panel, the General section no longer includes the CVEs or Main resource name fields, and further panel refinements have been applied.
On the Assets tab (formerly Resources), the Asset ID column is suppressed for attack paths scoped to endpoints.
Graph Tab: Navigation and Context Improvements
The Graph tab of the Attack Path details screen has received significant navigation and context improvements. When an analyst first opens a path, the graph no longer presents every node at once — attack path nodes are now grouped into collapsed paths by default, keeping the initial view manageable. Each group opens with the dedicated arrow icon button, letting the analyst work through the path at their own pace.

As the investigation progresses, a new left-side Assets panel provides a structured inventory of every asset involved in the current path. A dropdown organizes the list by attack stage, risk factor, asset type, or asset name, depending on the angle from which the analyst is working. Clicking any asset brings up additional detail, and a search field makes it straightforward to locate a specific asset by name.
Moving through the graph itself is now more informative. Transitions between nodes carry labels that describe the mechanism a threat actor would use to move from one node to the next. Clicking a transition opens a right-side panel with source and target node context and a full description of that movement — turning what was previously an unlabeled edge into an actionable finding. For analysts who need to assess the most direct route through a complex path, a new Shortest path button highlights the minimum-hop sequence from the initial node to the final target.
Keeping track of when a path was identified and last changed is now built into the view: Last updated and Created timestamps appear in the top-left corner of the window. For large graphs where spatial orientation becomes a challenge, a new Navigator provides a mini-map of the full attack path, with dedicated buttons to expand or collapse all grouped nodes.
XDR and EDR Enhancements
GravityZone Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) capabilities give security analysts the tools to detect, investigate, and respond to threats across endpoints and broader infrastructure. This release includes four updates spanning incident lifecycle tracking, custom rule labeling, direct incident linking, and navigation state persistence.
For companies with an active Managed Detection and Response (MDR) license, a new Closed: Reviewed by MDR SOC incident status now signals that the MDR SOC has reviewed and closed the incident. Incidents now also carry unique URLs containing the incident ID, available from the ID field in the Incidents table and from the View graph and View incident actions in side panels. This makes it possible to share a direct link to a specific incident. The browser Back button restores the Incidents page to its previous state — including applied filters and column arrangement.
On the custom rules side, several labels have been updated to improve accuracy. The On-Access column and filter on the Custom detection rules page, and the On-access field in the custom detection rule details panel, have both been renamed to Status. In the add or edit wizard, the On-Access scanning or Enable exclusion rule option is now Enable custom rule for Basic rules and Enable On-access for YARA rules. The Enable and Disable actions in the YARA rules contextual menu have been renamed to Enable On-access and Disable On-access.

YARA Rule Management via API
YARA rules in GravityZone give security teams a customizable pattern-matching mechanism to create organization-specific detection patterns that identify malware families and threat actor Tactics, Techniques, and Procedures (TTPs) — going beyond Indicator of Compromise (IoC) matching to detect threats that rotate infrastructure or recompile binaries.
Security analysts can now create, update, retrieve, and execute YARA rules directly via the GravityZone API, enabling the automation of detection workflows without requiring manual console interaction. This update extends the API with the following YARA-related methods:
- The createCustomRule method now supports the subtype parameter — specifying whether a rule is YARA-based or Basic — and the yaraQuery parameter inside the settings object for YARA rules.
- The updateCustomRule method now supports the yaraQuery parameter in the settings object for YARA rules.
- The getCustomRulesList method now accepts a subtypes filter to scope results to YARA rules, Basic rules, or both, and returns additional type and subtype information alongside the yaraQuery parameter for each YARA rule in the response.
- A new startYaraScan method allows initiating an on-demand scan on specified targets using a YARA rule to detect matching files.
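The following Python snippet is an added illustration of the YARA-related calls listed above, not Bitdefender's own code or SDK: it wraps createCustomRule and getCustomRulesList in JSON-RPC 2.0 envelopes using the subtype, yaraQuery and subtypes parameters from the release notes, and picks the YARA rules out of a constructed list response. The rule name field, the literal subtype value "yara", the response item layout and the API-key Basic-auth scheme are assumptions to be checked against the Support Center documentation.

```python
import base64

# Constructed sample rule for a hypothetical family (not a real signature).
SAMPLE_YARA = r"""
rule Example_Dropper {
    strings:
        $s1 = "example-dropper-marker" ascii
        $s2 = { 4D 5A 90 00 03 00 00 00 }
    condition:
        $s1 and $s2
}
"""

def auth_headers(api_key: str) -> dict:
    """HTTP Basic header built from '<apiKey>:' (assumed Control Center auth scheme)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

def jsonrpc(method: str, params: dict, req_id: str = "1") -> dict:
    """Wrap a method call in a JSON-RPC 2.0 envelope."""
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}

def looks_like_yara(text: str) -> bool:
    """Cheap pre-flight check before sending: a rule header and a condition block."""
    return "rule " in text and "condition:" in text

def create_yara_rule_request(name: str, yara_text: str) -> dict:
    """createCustomRule with subtype = YARA and yaraQuery inside settings (parameter
    names from the release notes; 'name' and the value "yara" are assumptions)."""
    if not looks_like_yara(yara_text):
        raise ValueError("not a YARA rule")
    params = {"name": name, "subtype": "yara", "settings": {"yaraQuery": yara_text}}
    return jsonrpc("createCustomRule", params)

def list_yara_rules_request() -> dict:
    """getCustomRulesList scoped to YARA rules through the subtypes filter."""
    return jsonrpc("getCustomRulesList", {"subtypes": ["yara"]})

# Constructed response carrying the type/subtype/yaraQuery fields the notes mention.
SAMPLE_LIST_RESPONSE = {"jsonrpc": "2.0", "id": "1", "result": {"items": [
    {"name": "Example_Dropper", "type": "custom", "subtype": "yara",
     "settings": {"yaraQuery": SAMPLE_YARA}},
    {"name": "Basic_Rule", "type": "custom", "subtype": "basic", "settings": {}}]}}

def yara_rule_names(response: dict) -> list:
    """Names of rules in a getCustomRulesList response that carry a yaraQuery."""
    items = response.get("result", {}).get("items", [])
    return [r["name"] for r in items if r.get("settings", {}).get("yaraQuery")]
```

The returned dictionaries are what you would serialize and POST with the headers from auth_headers() to your console's JSON-RPC endpoint.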
What’s New for Administrators
With administrators constantly juggling numerous tasks and responsibilities, tools designed to make their daily tasks easier are highly appreciated. This section describes new functionality designed to facilitate the management of features responsible for prevention, protection, and detection in a defense-in-depth security architecture.
PHASR Enhancements
Proactive Hardening and Attack Surface Reduction (PHASR) proactively hardens systems by analyzing user behavior to prevent Living off the Land (LotL) attacks and targeted threats. It applies anomaly detection to enforce tailored, application-level action blocking that narrows the attack surface without disrupting operations. This release extends PHASR with new investigation controls, improved rule navigation, and expanded Linux support.
A new View events and alerts button has been added to the Recommendation details side panel, displaying all events and alerts associated with the current behavioral profile without requiring a separate navigation step. In the PHASR MITRE grouping area, a new Rule name filter allows administrators to locate specific rules across tactic and category cards directly, rather than manually scanning the hierarchy.
PHASR Standalone is now available for Linux. Linux-related installation options are now visible in the UI, making the deployment path accessible directly from the console.

The Request access feature now covers both PHASR and PHASR Standalone on Linux and macOS. On Linux, request access is available via command line rather than the GUI.
Also available as an Early Access feature, PHASR MITRE grouping provides a structured, top-down view of security coverage by mapping user activity and detections to attacker tactics, techniques, and sub-techniques from the MITRE ATT&CK framework. Accessible from the left-side menu under the PHASR MITRE grouping tab, the view is fully interactive — selecting a tactic or technique surfaces detailed, structured information about the associated detections and user behavior in context.
By organizing rules around MITRE tactics, techniques, and sub-techniques, administrators can focus hardening efforts on the attack patterns that matter most to their environment, aligning security priorities with industry-standard threat intelligence rather than managing rules in isolation.

To enable PHASR MITRE grouping, navigate to User Menu > My Company > Early Access tab.
For comprehensive insights into PHASR, we invite you to watch our masterclasses here.
Compliance Manager Enhancements
The Compliance Manager in GravityZone maps endpoint findings against regulatory and industry compliance standards, giving administrators a structured view of their organization's compliance posture across managed assets.
The HKMA TM-G-1 (HK) compliance standard is now available across the Findings, Account risks, and Compliance manager pages. Issued by the Hong Kong Monetary Authority (HKMA), TM-G-1 sets out general principles for technology risk management, providing authorized institutions with a framework covering IT governance, risk assessment, and IT controls. Access to this standard requires the Compliance Manager add-on.

In addition, the Compliance Manager page is now accessible under Risk Management for companies using the Bitdefender PHASR product type, with access scoped to the Cyber Hygiene – Windows standard. Advanced standards continue to require the Compliance Manager add-on.
For comprehensive insights into Compliance Manager, we invite you to watch our masterclasses here.
MSP Simplified Customer Onboarding
Managed Service Providers (MSPs) operating in GravityZone manage security for multiple customer companies under a single partner account, provisioning each with its own licensing, policies, and configuration. The MSP Simplified Customer Onboarding Early Access program, first announced in May 2026 (v 6.73), has been updated with usability and consistency improvements across the onboarding flow.
The Create company step now presents template selection in a dedicated section for improved visibility. The Policy step has been updated to display features as cards instead of collapsible lists, making it easier to review. All features disabled during the Licensing step are now hidden during the Policy step.

For comprehensive insights into MSP management in GravityZone, we invite you to watch our masterclasses here.
Patch Management for MSP Subscriptions
Patch Management in GravityZone centralizes the discovery, assessment, and deployment of software patches across managed endpoints, closing the exploitation window that opens when vulnerabilities are disclosed and proof-of-concept tools become available to attackers.
Companies using the Bitdefender PHASR product type with a monthly subscription can now access the Patch Management add-on. It can be enabled independently for own use, for reselling, or both.
For comprehensive insights into Patch Management, we invite you to watch our masterclasses here.
Quarantine Enhancements
The GravityZone Quarantine is an encrypted folder stored locally on each endpoint that holds potentially malicious files — including malware-suspected, malware-infected, and other unwanted files — isolated according to the policies assigned to the endpoint. Files in quarantine cannot be executed or read, preventing any further harm.
A new File hash filter and column are now available on the Quarantine page, allowing administrators to locate quarantined files by their SHA-256 hash. This filter applies to new files that are quarantined after this release.

Microsoft Sentinel Integration
Endpoint security visibility has limited value when it stays within a single console. By forwarding GravityZone security events to Microsoft Sentinel, analysts gain the ability to correlate endpoint findings with data from other security sources — identity, network, cloud — within a single investigation surface.
The GravityZone Solution for Sentinel, now available from the Microsoft Marketplace or the Microsoft Sentinel Content Hub, establishes this connection and brings GravityZone telemetry into Sentinel's centralized monitoring and investigation workflows.
The existing Azure Sentinel integration will reach end of life in September 2026, when Microsoft retires the HTTP Collector endpoint it relies on. We recommend planning your migration to the new solution before that date to ensure continuity of service. For technical guidance, reach out to Bitdefender Enterprise Support, and for full setup instructions, refer to Integrate GravityZone with Microsoft Sentinel.
API Enhancements
Bitdefender Control Center APIs enable developers to automate business workflows. These APIs are exposed via the JSON-RPC 2.0 protocol. You can find usage examples and documentation in our Support Center, located here.
This update introduces new and extended methods across Incidents, Companies, Licensing, Network, Packages, Quarantine, and Event Push areas.
Incidents:
- The getIncidentsList method now retrieves details about Endpoint and Organization incidents for a specified company based on applied filters.
Companies:
- The createCompany method now supports the managePatchManagement and managePatchManagementResell parameters for companies using the Patch Management add-on with the Bitdefender PHASR product type.
Licensing:
- The setMonthlySubscription method now supports the managePatchManagement and managePatchManagementResell parameters for companies using the Patch Management add-on with the Bitdefender PHASR product type.
- The getMonthlyUsage and getMonthlyUsagePerProductType methods now return the number of endpoints via the patchManagementMonthlyUsage parameter when the Patch Management add-on is enabled for Bitdefender PHASR companies.
- The getLicenseInfo method now supports the managePatchManagement and managePatchManagementResell parameters under the same conditions.
Network:
- The getNetworkInventoryItems method now supports the managePatchManagement and managePatchManagementResell parameters for companies using the Patch Management add-on with the Bitdefender PHASR product type.
- The getManagedEndpointDetails and createReconfigureClientTask methods now support the patchManagement parameter alongside the Bitdefender PHASR product type.
- The getEndpointTags method now returns details about endpoint tags associated with specified companies.
Packages:
- The createPackage, getPackageDetails, and updatePackage methods now support the patchManagement parameter alongside the Bitdefender PHASR product type.
Quarantine:
- The getQuarantineItemsList method now supports the fileSha256 field within the filters parameter, allowing retrieval of quarantined file information by SHA-256 hash.
Event Push:
- A new azureSentinelV2 service type is now available for the setPushEventSettings method, supporting configuration of the new GravityZone integration with Microsoft Sentinel. The existing azureSentinel service type continues to apply to the legacy integration.
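As an added example that is not part of Bitdefender's documentation, the snippet below ties the new File hash filter on the Quarantine page to the fileSha256 filter of getQuarantineItemsList: it hashes a constructed file, normalizes a hash pasted from another tool before it goes into the request, and matches a constructed response case-insensitively. The page/perPage paging names and the response item fields are assumptions.

```python
import hashlib
import re

_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def sha256_of_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256, the form the quarantine File hash filter matches on."""
    return hashlib.sha256(data).hexdigest()

def normalize_sha256(value: str) -> str:
    """Accept a hash copied from another tool: trim, lowercase, and reject anything
    that is not exactly 64 hex characters (a common cause of empty lookups)."""
    cleaned = value.strip().lower()
    if not _SHA256_HEX.match(cleaned):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return cleaned

def is_valid_sha256(value: str) -> bool:
    try:
        normalize_sha256(value)
        return True
    except ValueError:
        return False

def quarantine_lookup_request(sha256: str, page: int = 1, per_page: int = 30) -> dict:
    """getQuarantineItemsList with the fileSha256 field inside filters (from the
    release notes); 'page'/'perPage' are assumed paging parameter names."""
    params = {"filters": {"fileSha256": normalize_sha256(sha256)},
              "page": page, "perPage": per_page}
    return {"jsonrpc": "2.0", "method": "getQuarantineItemsList",
            "params": params, "id": "quarantine-lookup"}

# Constructed sample: a file seen on another system, and a constructed response in
# which one quarantined item carries that file's hash (item field names assumed).
SAMPLE_FILE = b"constructed sample content, not real malware"
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": "quarantine-lookup", "result": {"items": [
    {"endpointId": "ep-1", "fileSha256": sha256_of_bytes(SAMPLE_FILE).upper()},
    {"endpointId": "ep-2", "fileSha256": sha256_of_bytes(b"something else")}]}}

def quarantined_endpoints(response: dict, sha256: str) -> list:
    """Endpoint ids whose quarantine holds the given hash; the comparison ignores
    case so a console that returns uppercase hex still matches."""
    wanted = normalize_sha256(sha256)
    items = response.get("result", {}).get("items", [])
    return [i["endpointId"] for i in items
            if i.get("fileSha256", "").lower() == wanted]
```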
For comprehensive insights into automating workflows with the Control Center API, we invite you to watch our masterclasses here.
Summary
The Bitdefender GravityZone security platform offers a one-stop solution for all your organization's security needs. As the digital landscape evolves, Bitdefender remains proactive, providing prevention, protection, detection, and response capabilities to ensure the ongoing safety of organizations of all sizes worldwide.
To learn more about the Bitdefender GravityZone platform, contact us or a Bitdefender partner. You can also start a free trial by requesting a demo here.