· intuitem · News · 2 min read
What's New in CISO Assistant — Week 14, 2026 (v3.15.1 – v3.15.2)
DORA incident reporting, MCP vulnerability tools, framework builder fixes, degraded status for controls, and new language contributions for risk matrices.
Two patch releases this week refine the major features shipped in v3.15.0 while introducing DORA incident reporting and expanding the MCP server’s capabilities.
DORA Incident Reporting
DORA incidents reporting (v3.15.2) — Organisations subject to the Digital Operational Resilience Act can now manage and report ICT-related incidents directly within CISO Assistant. This dedicated workflow streamlines the classification, tracking, and documentation of incidents in line with DORA requirements.
MCP Server — Vulnerability Support
Vulnerability capabilities for the MCP server (v3.15.2) — The CISO Assistant MCP server now exposes vulnerability management endpoints, allowing AI-powered agents and external integrations to query, create, and update vulnerabilities programmatically. Combined with the new reverse foreign keys for vulnerabilities on nested tabs, it is now easier than ever to see how vulnerabilities relate to other objects across the platform.
Framework Builder Fixes
Two targeted fixes for the framework builder introduced in v3.15.0:
- Preview rendering now works correctly, so you can verify your custom framework before saving (v3.15.2).
- Parent-child requirement ordering is preserved when saving, ensuring the hierarchy you define matches what gets stored (v3.15.2).
Applied Controls Improvements
- Degraded status (v3.15.1) — Applied controls now support a “degraded” status, giving teams a more nuanced way to communicate when a control is in place but not operating at full effectiveness. The kanban view has been updated with matching styling.
- Layout fix (v3.15.1) — The applied controls detail view now renders correctly when a reference control is attached.
Scoring & Assessment
- Scoring labels regression fix (v3.15.1) — A regression that prevented scoring labels from displaying has been resolved.
- Seats count fix (v3.15.1) — Seat counting logic has been corrected for accurate license management.
Security
- Removed eval()-based template filter (v3.15.2) — A template filter that relied on
eval()forisinstancechecks has been replaced with a safer implementation, eliminating a potential code-injection vector.
Internationalisation
- Spanish translations for ISO 27005 risk matrix (v3.15.2) — courtesy of new contributor @iamrubeng.
- German language support for risk matrices (v3.15.2) — contributed by @hlederhaas.
- French translation for EBIOS RM attack path stakeholder types (v3.15.2).
Policy Management
- Published status sync for policy documents (v3.15.2) — The
is_publishedflag on policy documents now correctly propagates to the parent policy object, keeping listing views in sync with the actual publication state.
Infrastructure
- PyTorch-cpu for RAG inference (v3.15.1) — The RAG container image has been switched to PyTorch-cpu, significantly reducing image size without affecting inference quality for current workloads.
New Contributors
Welcome to @iamrubeng and @glitch-ux, who both made their first contributions this week!
For full details, check out the v3.15.1 and v3.15.2 release notes on GitHub.
