Skip to main content
← Back to Home

Changelog

New features, improvements, and fixes shipped to HackFast.

May 28, 2026

Performance overhaul

Project pages now load dramatically faster across the board, with the heaviest workspaces seeing the biggest speedups. Backend rearchitected so workspace data scales without slowing down.

Speed

  • Project overview, dashboard, and chat panels open noticeably faster — heavy projects that previously took several seconds now load almost instantly.
  • API key refresh and revoke are now instant and reliable.
  • Chat history, device analyses, and machine profiles load on demand instead of riding along with every project fetch, so opening a project is the same speed whether you have two chats or two hundred.
  • Dashboard hydration trimmed: only the data the current view needs is requested.

Reliability

  • Concurrent API key operations no longer collide.
  • Workspace data now scales without per-project slowdowns as chats, scans, and machine inventory grow.
  • Tightened error handling on long-running operations so transient hiccups recover cleanly instead of leaving stuck UI states.

May 27, 2026

API explorer, audit logging & polish

Expandable API route cards, optional attachments in AI Insights and Chats, new audit log for sensitive actions, and a fix for bug-report submissions.

Platform

  • Sensitive actions are now audit-logged: API key create/revoke, project delete, credential access, and chain delete.
  • Rate limits on AI chat, insights chat, and scans keep normal use smooth while reducing abuse.
  • Security headers (HSTS, frame protection, nosniff) applied site-wide.

API Routes

  • Click a route card or the +N endpoints chip to expand a full endpoint panel with every discovered path.
  • Add responses, replies, and notes from the expanded view without losing context.
  • Auto-discovered paths from gobuster, ffuf, dirb, and other tools still group under the correct domain.

AI & Chats

  • Ask general pentest questions in AI Insights and Chats without attaching an IP or port first.
  • Attachments remain optional — add targets when you want scan-grounded answers.

Fixed

  • Bug reports no longer show “Too many reports” on every submission — the rate limit check was using the wrong field.
  • Tidier API error responses with clearer client-facing messages.

May 26, 2026

API route auto-discovery from scans

Run gobuster, ffuf, dirb, or any enumeration tool and discovered paths are automatically logged in the API tracker under the right domain. Includes a status-code badge, source tool label, loading skeleton, and Delete All.

Enumeration → API tracker

  • gobuster, ffuf, dirb, dirsearch, feroxbuster, and wfuzz output is parsed automatically at the end of every fusion job.
  • Discovered paths are logged as endpoints under the correct domain route — one route card per target host, not one card per path.
  • The target host is extracted from the gobuster '[+] Url:' header so grouping works even when per-line URLs are absent.
  • Handles the real-world ESC[2K+CR progress blob format: hits buried inside the continuous progress stream are correctly extracted.
  • Works on malformed output, single-line blobs, and mixed multi-tool output.
  • Parser also runs on standalone CLI agent job results (not just fusion steps).

API tracker UI

  • Each auto-discovered endpoint shows a colour-coded HTTP status badge (green 2xx, amber 3xx, orange 4xx/5xx).
  • A small source-tool badge (gobuster, ffuf, dirb, etc.) indicates what found the path.
  • Route cards show a 'scan' chip when any endpoint was auto-discovered.
  • Loading skeleton replaces the blank flash while routes are fetching.
  • Delete All button clears every route in one click (with confirmation).

AI context

  • A curated enumeration wordlist (api, auth, admin, sensitive, uploads, common pages) is now included in every AI chat request so the assistant knows which paths to look for on any attached target.

May 25, 2026

Agent deploy from chat, intel cache & more

Ask the AI to run something and it will offer to dispatch a fusion agent. Project intel cache makes Tab searches instant. Plus chats workspace improvements and scan import fixes.

Agent deploy from chat

  • AI Insights and Chats now detect when you ask to run a scan, enumeration, or exploit task.
  • A deploy prompt appears inline: confirm within 5 seconds to launch a fusion agent, or decline — it cancels automatically on timeout.
  • The agent executes the task using whatever connected machine is available.
  • Toggle agent deploy prompts on or off via the new settings cog (⚙) in the chat composer.
  • Agent deploy info added to the Chats intro page.

Project Intel Cache

  • New per-project in-memory cache for IPs, ports, people, and credentials.
  • Tab mention searches are now instant — results come from the cache instead of live DB queries.
  • Cache automatically rebuilds on data changes (new IP, saved person, saved credential, scan result) and expires after 4 minutes.
  • View and search your full intel cache from Project Settings → Project Intel Cache.
  • Force-rebuild the cache at any time from the settings page.

Chats & AI Insights

  • New Chats section on the dashboard: full-screen assistant for back-and-forth pentest questions.
  • Same conversation history as the Ask tab in AI Insights on Attack Surface.
  • Attach IPs or ports from your project so replies stay grounded in your scan data.
  • Press Tab in Chats to mention saved people, credentials, IPs, and ports from the project.
  • Tab mention picker now opens where you are typing and shows what it is searching for.
  • People mentions pull in role, company, known emails, and saved credential matches so the assistant has the right context.
  • Credential mentions include the saved credential details without making you attach an IP first.
  • Same starter prompts as AI Insights, with a few extra suggestions for prioritization and exploit planning.
  • Chats uses a stronger analysis mode for deeper reasoning on complex targets.
  • Inline asset pills (IPs, ports) in notes and reports are now smaller and sit naturally in the text line.

Scan import & port context

  • Pasting nmap output with script results (-sC / -sV) now imports every open port, not just the first one.
  • Per-port script output stays on the right port instead of repeating the whole scan on each card.
  • Hostname and IP parsing is more reliable when nmap reports a name like srv-edge01 (10.0.0.1).
  • Scan imports from the dashboard, agent jobs, and API now use the same parser.
  • Deleted IPs stay deleted even if an older scan or agent job reports ports for that IP later.

Fixed

  • Full nmap scans with blank lines between script blocks no longer stop after port 21.
  • Chats no longer gets stuck loading when opening a fresh conversation.
  • Chats loading skeleton now lines up with the real Chats layout.
  • New chat messages now save into the sidebar and can be reopened later.
  • AI Insights logo is larger in the embedded panel for better visibility.
  • Dashboard loading states use section-specific skeletons instead of blurry overlays.
  • Device guess on busy hosts is less likely to fail on large pasted scans.
  • Common web ports like 80 and 443 no longer show critical catalog risk unless a real high-risk finding is detected.
  • Port detail panels no longer show identical walls of script text on every port.

May 24, 2026

Attack Chain, Report Builder & Attack Surface refresh

Generate attack paths port-by-port with smarter CVE lookup, save and reuse intel across the workspace, draft multi-page reports with a full editor, and explore targets through a redesigned Attack Surface with AI insights, passive recon, and unified port analysis.

Attack Chain & CVE lookup

  • Attack Chain Generation Studio: pick ports on a target IP, analyze each one, then merge the results into a full chain.
  • Per-port steps finish independently — review completed ports while others are still running.
  • Port picker tiles match Attack Surface colors and risk styling.
  • Smarter CVE lookup matched to the service and version on each port (e.g. MySQL, nginx).
  • Clearer CVE triage: confirmed matches, items worth verifying, and filtered noise shown separately per port.
  • Expandable CVE cards with severity scores, affected versions, and reference links.
  • Save CVEs from port analysis and browse them from Report Builder.
  • Sort CVE findings by date or severity in port security analysis.
  • Port security analysis in the port panel now uses the same enrichment flow as Attack Chain.

Saved intel & Report Builder library

  • Save credentials from CredCruncher and OSINT breach cards with a bookmark button on each result.
  • Saved Credentials tabs in CredCruncher, OSINT Map, and Report Builder — review and insert into reports.
  • Saved Employees in OSINT Map: bookmark people from company search, grouped by company.
  • Report Builder library tabs for Saved People, Saved Credentials, and Saved CVEs.
  • One-click insert from saved intel into a new or existing report write-up.
  • Open in Report Builder links from CredCruncher and OSINT saved-credential views.

Report Builder — writing & editor

  • Multi-page reports: add pages with +, switch between tabs, and keep each page’s content separate.
  • Auto-generated titles so new drafts autosave as soon as you start typing.
  • Titles auto-update from your first heading until you edit the title field yourself.
  • Quick-start templates: Executive Summary, Findings Report, and Scope & Methodology.
  • Formatting toolbar: headings, bold, italic, inline code, bullet and numbered lists, and URL links.
  • Headings, lists, bold, italic, and links render at the correct size and style while you edit.
  • Clearer document canvas: white page card on a gray workspace with accent border and Document badge.

Report Builder — linking & preview

  • Colored resource chips: IPs, ports, people, credentials, CVEs, and API routes each have their own color in the editor and previews.
  • @ search when linking only shows saved people for this project — not unrelated search results.
  • Note previews use proper heading sizes, lists, and underlined external links.
  • Multi-page badge on saved report cards.

Attack Surface & ports

  • Attack Surface redesign: aligned panel grid, slimmer headers, and a steadier AI Insights box.
  • AI Insights chat: ask questions about attached IPs and ports with formatted answers.
  • AI Insights Briefing tab alongside chat for structured target summaries.
  • Passive Recon panel redesigned: host summary, stat tiles, colored sections, and expandable services.
  • Clearer passive recon loading with status badge and skeleton placeholders while data loads.
  • Device guess in Service Ports with confidence display and inline display-name editing.
  • Tighter, even spacing between device guess, manual port add, and port cards.
  • Port detail view with exposure warnings for risky or well-known services.
  • Paste nmap output to capture banners, hostnames, OS hints, and extra scan details — not just port and service names.
  • Run Scan maps discovered ports and adds new IPs to your target list.
  • Uniform panel titles and section labels across Attack Surface tools.
  • Manual host JSON paste moved to the bottom of the Passive Recon panel.

OSINT & CredCruncher

  • Automatic breach indicators on employee cards while browsing company results.
  • Employee search paginates 50 results per page with clearer scanning progress.
  • Leak results highlight the person first, with an expandable company leak browser.
  • CredCruncher email searches return exact matches instead of broad domain results.
  • Employee breach flags on cards match the same checks as manual breach search.

Dashboard & workspace

  • Consistent page headers and wider workspace across Attack Surface, OSINT, CredCruncher, API Routes, chains, and reports.
  • Cleaner icons throughout the dashboard — no heavy background boxes on tool headers.
  • What's New popup and changelog page for release notes.
  • AI chat replies use proper headings, lists, and emphasis instead of plain unformatted text.

Fixed

  • Attack Chain studio sidebar port numbers no longer clip on 4-digit ports like 3306.
  • Port tile badges and checkmarks no longer overlap in the attack chain port picker.
  • Attack Chain empty state is centered when no target IP is selected.
  • Fewer false-positive CVE matches for nginx and MySQL.
  • Report Builder help icon no longer clips at the top of the header.
  • Switching between report pages no longer errors.
  • Project resource chips in the editor show correct type colors instead of all green.
  • AI Insights typing indicator stays next to the reply area while a response is loading.
  • Display name editor opens correctly from device guess — no longer clipped by the panel.
  • Fixed display name link causing a hydration warning in the device guess panel.
  • Restored missing port color picker state in the port grid.