Business Insights Cybersecurity Blog by Bitdefender

What’s New in GravityZone May 2026 (v 6.73)

Written by Grzegorz Nocoń | May 07, 2026

Bitdefender rolled out new functionality in Bitdefender GravityZone, a unified cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. These features are consistent with our multi-layered security strategy and are intended to ease the workload of security analysts, administrators, and users.

What’s New for Security Analysts

In a dynamic cybersecurity landscape, security analysts are responsible for uncovering any signs of potential sophisticated attacks to make the invisible visible. This section describes new functionality designed to elevate analysts' capabilities, offering enhanced tools for threat detection, investigation, and response.

PHASR MITRE ATT&CK Grouping

Proactive Hardening and Attack Surface Reduction (PHASR) proactively hardens systems by analyzing user behavior to prevent Living off the Land (LotL) attacks and targeted threats. It applies anomaly detection to enforce tailored, application-level action blocking, thereby narrowing the attack surface without disrupting operations.

PHASR now structures its monitored rules library against the MITRE ATT&CK framework, introducing a four-tier hierarchy — Tactic, Technique, Sub-technique, and Monitored Rule — directly within Risk Management > PHASR > Monitored Rules. Three new ATT&CK-mapped columns — Tactics, Techniques, and Sub-techniques — are now present in the monitored rules table. Each Tactic entry expands to include Techniques and Sub-techniques, with each node displaying the monitored rules operating at that level, along with their associated triggers, behavioral profiles, recommendations, and incidents.

Contextual side panels have been updated to reflect this hierarchy, returning ATT&CK-aligned detail for the selected node rather than a generic rule summary.

New filter controls support scoped queries across any ATT&CK dimension, allowing analysts to identify which rules address a specific Tactic, Technique, or Sub-technique. This replaces the prior workflow step of manually mapping rule names to ATT&CK identifiers in an external matrix, so PHASR rule coverage and adversary method classification appear in the same view during an investigation.  

For comprehensive insights into PHASR, we invite you to watch our masterclasses here.

Extended Windows Raw Events for EDR/XDR

Raw Events controls which endpoint events GravityZone processes and makes available for investigation, with configuration applied at the company level via Configuration > Raw Events and event data queryable from the Search > Historical tab.

This release extends Windows raw event coverage with nine new event types across Background Intelligent Transfer Service (BITS) job activity, local user account management, Windows Management Instrumentation (WMI) activity, and Group Policy modification.

The BITS jobs activity category introduces Add file, Create, and Delete events. The User category adds Create local account and Delete local account. The WMI activity category adds WMI execution method, WMI new activity, and WMI new binding. The Other category adds Modify group policy.

For organizations not yet using Proactive Hardening and Attack Surface Reduction (PHASR), the WMI activity events provide visibility to analysts investigating Living off the Land (LotL) execution paths. WMI execution method and WMI new binding capture two of the most widely observed techniques through which attackers invoke WMI to run code or establish persistent subscriptions without dropping files to disk. Analysts can query these events from the Search > Historical tab to identify unauthorized WMI interactions tied to suspicious parent processes or unexpected user contexts.

The new event types are disabled by default and must be individually enabled under Configuration > Raw Events before telemetry is collected and made available in the Search > Historical tab.
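As an added illustration of the triage described above (this is example code written for this page, not Bitdefender's code, and the record layout, the baseline of expected parent processes and the sample events are all constructed for the example rather than taken from the GravityZone raw-event schema), the following Python flags WMI events whose parent process is outside a per-environment baseline, and new binding events created outside the accounts expected to register event subscriptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WmiEvent:
    # Constructed minimal record for this example; the field names are the
    # example's own and do not mirror the GravityZone raw-event schema.
    event_type: str      # "WMI execution method", "WMI new activity" or "WMI new binding"
    parent_process: str  # image name of the process that issued the WMI call
    user: str            # account context the call ran under
    detail: str          # method invoked or consumer registered


# Hypothetical baseline for one environment: processes that legitimately issue
# WMI calls (management agents, the WMI host itself) and the accounts expected
# to create event subscription bindings.
EXPECTED_PARENTS = {"svchost.exe", "wmiprvse.exe", "ccmexec.exe"}
SUBSCRIPTION_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


def triage_wmi_events(events, expected_parents=EXPECTED_PARENTS,
                      subscription_accounts=SUBSCRIPTION_ACCOUNTS):
    """Return (event, reasons) pairs for events an analyst should look at:
    a parent process outside the baseline, or a persistent subscription
    binding created by an account that is not expected to create them."""
    parents = {p.lower() for p in expected_parents}
    findings = []
    for ev in events:
        reasons = []
        if ev.parent_process.lower() not in parents:
            reasons.append("parent process not in baseline")
        if ev.event_type == "WMI new binding" and ev.user not in subscription_accounts:
            reasons.append("event subscription binding created outside expected account")
        if reasons:
            findings.append((ev, tuple(reasons)))
    return findings


# Constructed sample telemetry: two routine events and two that should surface.
SAMPLE_EVENTS = [
    WmiEvent("WMI execution method", "ccmexec.exe", "NT AUTHORITY\\SYSTEM", "Win32_Process.Create"),
    WmiEvent("WMI new activity", "svchost.exe", "NT AUTHORITY\\SYSTEM", "query Win32_OperatingSystem"),
    WmiEvent("WMI execution method", "winword.exe", "CORP\\jdoe", "Win32_Process.Create"),
    WmiEvent("WMI new binding", "wmiprvse.exe", "CORP\\jdoe", "CommandLineEventConsumer"),
]


if __name__ == "__main__":
    for ev, reasons in triage_wmi_events(SAMPLE_EVENTS):
        print(f"{ev.event_type} from {ev.parent_process} as {ev.user}: {', '.join(reasons)}")
```

The baseline is the part that has to be maintained per environment; the point of the example is that the two binding-related event types only become useful once a list of expected subscription creators exists to compare them against.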

What’s New for Administrators

With administrators constantly juggling numerous tasks and responsibilities, tools designed to make their daily tasks easier are highly appreciated. This section describes new functionality designed to facilitate the management of features responsible for prevention, protection, and detection in a defense-in-depth security architecture.

Unified Licensing: Workstations and Servers

GravityZone licenses for business products have historically applied a server limit — restricting the number of protected servers to 30% or 35% of the total licensed seat count — alongside a licensing model that counted workstations and servers as distinct entity types. Starting May 11, 2026, both constraints are removed for new licenses and renewals across the following products:

  • GravityZone Small Business Security

  • GravityZone Business Security

  • GravityZone Business Security Premium

  • GravityZone Business Security Enterprise

Under the revised model, the 30%/35% server limit no longer applies, and all protected entities — workstations and servers alike — are counted uniformly as endpoints against a single seat total. Administrators sizing licenses for environments with a high server-to-workstation ratio will no longer need to account for the server percentage limit when calculating required seats, whether purchasing new licenses or renewing existing ones.

MSP Simplified Customer Onboarding (Early Access)

Managed Service Providers (MSPs) operating in GravityZone manage security for multiple customer companies under a single partner account, provisioning each with its own licensing, policies, and configuration. MSP Simplified Customer Onboarding is an early access phase (EAP) feature that introduces a unified provisioning workflow for these partners on a monthly subscription, available from User menu > My company > Early access.

After enabling Early Access and logging back into the GravityZone console, an Onboard company button appears on the Companies page; selecting it starts the workflow, which moves through Company details, Licensing, Policy, and Template.

The Company details step collects foundational account data (name, country, and industry) and allows partners to populate fields from a saved template. The Licensing step defines the services and add-ons the company will consume for its own use. The Policy step presents a full list of available security features and their activation states; the policy can be cloned and modified inline before the company record is created, and it takes effect at the moment of addition.

Finally, the Template option allows the completed configuration to be saved and reused for subsequent onboardings, reducing repetitive input across similar customer profiles. This differs from the standard Add company flow, where licensing, policy assignment, and configuration templating are handled as separate, post-creation steps.

A Feedback button on the Companies page is available to submit input to the product team throughout the early access phase.

Compliance Manager Add-on for PHASR Monthly Subscriptions

Compliance Manager provides real-time evaluation of endpoint compliance posture through built-in mappings that link requirements from frameworks such as GDPR, ISO 27001, NIS2, and NIST CSF 2.0 to technical controls on Windows and Linux endpoints, together with actionable remediation guidance and audit-ready reporting.

This update extends Compliance Manager add-on eligibility to companies using the Bitdefender PHASR product type on a monthly subscription. Add-on availability is managed at the product type level, meaning administrators control whether it is active for a given product type independently of other configurations. Because the add-on is bound to the product type rather than the company record, a product type change requires the add-on to be explicitly re-enabled — it is not transferred automatically.

GravityZone IdP Proxy

GravityZone Identity Provider (IdP) is a centralized authentication service that supports SSO for Bitdefender service providers, using SAML 2.0 and System for Cross-domain Identity Management (SCIM) to manage and verify digital identities across the GravityZone ecosystem.

This release introduces GravityZone IdP Proxy, a new service that operates between an organization's existing third-party identity provider and GravityZone services that currently require native GravityZone IdP authentication. The proxy accepts inbound SAML assertions from the external provider, validates those assertions, and issues authentication tokens recognized by the GravityZone service layer. Configuration is performed via a new GravityZone IdP Proxy metadata URL field on the Authentication page, under the Single Sign-On using SAML section. It is accessible for both the administrator's own company and any companies under their management.

Breadcrumb Navigation and Direct Links for Policy Settings

The Policies page in GravityZone Control Center provides access to security module configuration across endpoint types, with settings distributed across a hierarchical structure of sections and subsections within each policy.

With this release, breadcrumbs are added to the top of every policy settings page, displaying the current path within the policy structure. Each page also receives a unique URL, which can be entered directly into a browser, shared with other administrators, or revisited using the browser's back button. Accessing a direct link while unauthenticated redirects the user to the login page; the subsequent destination depends on the authentication method configured for the company.

Users who authenticate with GravityZone credentials are forwarded directly to the requested page after login. Users who authenticate via GravityZone Identity Provider or a third-party IdP are redirected to the company's default Control Center homepage and must navigate to the linked page separately — a behavior consistent with how IdP-authenticated deep links function elsewhere in the console.

Expanded System Variable Support for Exclusions

The Configuration Profiles section in the GravityZone main menu allows you to create and manage collections of settings that you can assign to one or more policies.

With this update, %system% and %programdata% are now valid variables when defining paths in Policies > Configuration Profiles > Exclusions. Both variables resolve at runtime on each target endpoint: %system% maps to the Windows system directory (typically C:\Windows\System32 or C:\Windows\SysWOW64), and %programdata% maps to the application data directory shared across all users (typically C:\ProgramData). Using variables rather than literal paths ensures that exclusion rules remain valid across endpoints where system drives or installation paths differ from the default.
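To make the portability point concrete, here is an added Python example (written for this page, not GravityZone code) that resolves %system% and %programdata% per endpoint and checks whether a given file path falls under an exclusion. The two endpoints, their variable tables and the sample paths are constructed; the helper also reports variable names that do not resolve, since a misspelled token would otherwise become a literal path that matches nothing:

```python
import ntpath
import re

# Constructed per-endpoint resolution tables: WS-02 has its system drive on D:.
ENDPOINT_VARS = {
    "WS-01": {"%system%": "C:\\Windows\\System32", "%programdata%": "C:\\ProgramData"},
    "WS-02": {"%system%": "D:\\Windows\\System32", "%programdata%": "D:\\ProgramData"},
}

_VARIABLE_TOKEN = re.compile(r"%[^%\\/]+%")


def resolve_exclusion(pattern, variables):
    """Expand every %name% token present in the endpoint's table, case-insensitively."""
    resolved = pattern
    for name, value in variables.items():
        # A lambda replacement keeps backslashes in the value literal.
        resolved = re.sub(re.escape(name), lambda _m, v=value: v, resolved, flags=re.IGNORECASE)
    return resolved


def unresolved_variables(pattern, variables):
    """Tokens that look like variables but have no entry in the table (likely typos)."""
    known = {k.lower() for k in variables}
    return {tok for tok in _VARIABLE_TOKEN.findall(pattern) if tok.lower() not in known}


def path_is_excluded(exclusion, path, variables):
    """True when `path` is the excluded directory or lies beneath it on this endpoint.
    Comparison is done on normalised Windows paths so case and trailing separators
    do not matter, and a prefix check on whole components avoids matching
    C:\\ProgramData\\Application against an exclusion for C:\\ProgramData\\App."""
    root = ntpath.normcase(ntpath.normpath(resolve_exclusion(exclusion, variables)))
    p = ntpath.normcase(ntpath.normpath(path))
    return p == root or p.startswith(root + "\\")


def coverage(exclusion, sample_paths):
    """Map each endpoint to whether its sample path is covered by the exclusion."""
    return {ep: path_is_excluded(exclusion, sample_paths[ep], ENDPOINT_VARS[ep])
            for ep in ENDPOINT_VARS}


# Constructed sample: the same application data file on each endpoint's own drive.
SAMPLE_PATHS = {
    "WS-01": "C:\\ProgramData\\App\\cache.db",
    "WS-02": "D:\\ProgramData\\App\\cache.db",
}

if __name__ == "__main__":
    print("literal :", coverage("C:\\ProgramData\\App\\", SAMPLE_PATHS))
    print("variable:", coverage("%programdata%\\App\\", SAMPLE_PATHS))
    print("typo    :", unresolved_variables("%progamdata%\\App\\", ENDPOINT_VARS["WS-01"]))
```

The literal form covers WS-01 only, while the variable form covers both endpoints; the `unresolved_variables` check is the one worth running before a profile is assigned widely.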

New Appliance and Sensor Deployment Options

This release introduces two infrastructure updates to appliance image distribution and sensor onboarding.

The Security Server and the XDR Network Sensor (NSVA) virtual appliance images can now be downloaded in QCOW2 format, adding support for KVM-based hypervisor environments. For Network Sensor deployments, the GravityZone console now displays a ready-to-run SSH command during sensor setup; executing that command on the newly installed appliance establishes the connection to the console directly, without requiring administrators to locate or enter connection details manually.

Ransomware Mitigation

The Ransomware Mitigation module detects ransomware activity on endpoints, blocks encryption attempts where policy permits, and retains file backups to support recovery.

This release revises terminology across the Ransomware Activity page, extends the Ransomware Detection notification to cover reported events, and adds a dedicated event type to the Security Audit report — collectively improving visibility into detections that are logged but not actively blocked.

On the Ransomware Activity page, the Encrypted Files column has been renamed Backed-up Files to accurately reflect that the retained copies are backups, not attacker-encrypted files. All related labels across GravityZone Control Center have been updated to match, and the remediation task previously named Restore Encrypted Files is now Restore Backed-up Files. A new Action column has also been added to the same page, displaying whether each detection was Blocked or Reported; this column is populated only for events generated after this release, with records predating the update displaying an empty value.

In Notifications, the Ransomware Detection notification now triggers for detected and reported events, in addition to detected and blocked events. In Reports, the Security Audit report introduces Reported Remote Attack as a new Event Type value, covering ransomware detections where the activity was recorded but no blocking action was taken.

Detected Websites Report Updates

Content Control applies host-based web filtering policies, acting on outbound web traffic according to per-policy rules that include blocking, warning, and, with this release, report-only enforcement. To reflect the introduction of the Report only action under Web Traffic Scan in policy settings, the reporting layer has been updated across three areas.

The report formerly titled Blocked/Warned Websites is now titled Detected Websites, expanding its scope to web traffic events in which no enforcement action was taken. On the report configuration page, the Action Taken field now includes a Reported option, allowing administrators to isolate web traffic events logged under the report-only action. Inside the report, the Blocked/Warned Websites column has been relabeled Detected Websites to match the report's new title and broader event coverage.

Network Section Updates

The Network section provides functionalities for managing all entities available in your network. Entities are defined as physical computers, virtual machines, Security Servers, containers, and folders available in your network.

This release introduces several updates to how administrators interact with entities and actions within the Network section:

  • Drag and drop for entity relocation. Entities can now be moved by dragging them from the Network table to a target location in the tree, or repositioned directly within the tree view panel. The same rules and restrictions that govern the Move action in the Network main menu apply to drag-and-drop operations.
  • Multi-selection for isolation actions. The Isolate endpoint and Remove from isolation actions now accept multi-selection, allowing up to 1,000 endpoints to be processed in a single action.
  • Renamed password action. The Change password action has been renamed Change security appliance password to more precisely describe its scope. The updated label is reflected across all areas where the action appears, including Tasks and User activity.
  • Shared views wording improvements. Interface text in areas related to shared views has been revised for clarity.

API Enhancements

Bitdefender Control Center APIs enable developers to automate business workflows. These APIs are exposed via the JSON-RPC 2.0 protocol. You can find usage examples and documentation in our Support Center, located here.

This update introduces new API parameters and methods to support Compliance Manager, updated endpoint isolation task handling, and new event push telemetry.

Company Management

  • The createCompany method now supports the manageComplianceManager and manageComplianceManagerResell parameters for companies using the Compliance Manager add-on with the Bitdefender PHASR product type.

Licensing and Network Inventory

  • The setMonthlySubscription, getLicenseInfo, and getNetworkInventoryItems methods now support the manageComplianceManager and manageComplianceManagerResell parameters under the same conditions.

  • The getMonthlyUsage and getMonthlyUsagePerProductType methods return endpoint counts via the complianceMonthlyUsage parameter when the Compliance Manager add-on is enabled for companies with the Bitdefender PHASR product type.

Incidents

  • The createIsolateEndpointTask and createRestoreEndpointFromIsolationTask methods have been updated to version 1.2. Requests now accept an endpointIds array for specifying multiple endpoints in a single call, and responses return an array of task IDs — one per company associated with the listed endpoints. A maximum of 1000 endpoints can be submitted per call for either operation.

Event Push

  • The Ransomware activity detection event now includes a field indicating the action taken on the detection.
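The Incidents change above (endpointIds arrays, one task ID per company in the response, at most 1000 endpoints per call) is the kind of thing a script has to handle explicitly. The following Python is an added example, not Bitdefender's client or documentation: it builds JSON-RPC 2.0 requests for the two v1.2 methods, splits a larger ID list into calls of at most 1000, verifies the response envelope and collects the task IDs. The API URL is a placeholder, the HTTP Basic scheme with the API key as username is an assumption, and `FakeTransport` is a constructed stand-in for the network so the block runs offline.

```python
import base64
import json
import uuid

MAX_ENDPOINTS_PER_CALL = 1000  # per-call limit stated for the v1.2 isolation methods
# Placeholder; use the endpoint URL documented for your Control Center.
API_URL = "https://<control-center>/api/v1.2/jsonrpc/incidents"
ISOLATION_METHODS = ("createIsolateEndpointTask", "createRestoreEndpointFromIsolationTask")


def build_request(method, endpoint_ids):
    """One JSON-RPC 2.0 request body; refuses over-long batches rather than truncating."""
    ids = list(endpoint_ids)
    if not ids:
        raise ValueError("endpointIds must not be empty")
    if len(ids) > MAX_ENDPOINTS_PER_CALL:
        raise ValueError(f"{len(ids)} endpoint IDs exceed the per-call limit of {MAX_ENDPOINTS_PER_CALL}")
    return {"jsonrpc": "2.0", "method": method, "params": {"endpointIds": ids}, "id": str(uuid.uuid4())}


def auth_headers(api_key):
    """Assumption for this example: API key as HTTP Basic username, empty password."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def batched(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def run_isolation(method, endpoint_ids, send):
    """Send `method` for every batch of at most MAX_ENDPOINTS_PER_CALL IDs through
    `send(request_dict) -> response_dict`, check the JSON-RPC envelope, and return
    every task ID returned (one per company associated with the batch's endpoints)."""
    if method not in ISOLATION_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    task_ids = []
    for batch in batched(list(endpoint_ids), MAX_ENDPOINTS_PER_CALL):
        req = build_request(method, batch)
        resp = send(req)
        if resp.get("id") != req["id"]:
            raise RuntimeError("response id does not match request id")
        if "error" in resp:
            raise RuntimeError(f"{method} failed: {resp['error']}")
        result = resp.get("result")
        if not isinstance(result, list):
            raise RuntimeError("expected an array of task IDs in result")
        task_ids.extend(result)
    return task_ids


def http_send(req, api_key):
    """Real transport (standard library only); not exercised in the offline demo."""
    import urllib.request
    data = json.dumps(req).encode("utf-8")
    r = urllib.request.Request(API_URL, data=data, headers=auth_headers(api_key), method="POST")
    with urllib.request.urlopen(r) as resp:
        return json.load(resp)


class FakeTransport:
    """Constructed stand-in for the HTTP layer: records each request and answers
    with a single task ID per call, as a single-company tenant would see."""
    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append(req)
        return {"jsonrpc": "2.0", "id": req["id"], "result": [f"task-{len(self.calls)}"]}


if __name__ == "__main__":
    transport = FakeTransport()
    ids = [f"endpoint-{i:04d}" for i in range(2500)]  # constructed IDs
    print(run_isolation("createIsolateEndpointTask", ids, transport))
```

With 2500 IDs the loop issues three calls (1000, 1000, 500) and returns one task ID per call from the fake transport; in a multi-company tenant the per-call array would carry one task ID per company, which is why the caller accumulates a list rather than expecting a single ID.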

For comprehensive insights into automating workflows with the Control Center API, we invite you to watch our masterclasses here.

Summary

Bitdefender GravityZone platform stands out from competitors, offering a one-stop solution for all your organization's security needs. As the digital landscape evolves, Bitdefender remains proactive, providing prevention, protection, detection, and response capabilities, ensuring the ongoing safety of organizations of all sizes worldwide.

To learn more about the Bitdefender GravityZone platform, contact us or a Bitdefender partner for more information. You can also start a free trial by requesting a demo here.