
Vendor Risk AI-Powered Security Profile (Beta) – Ongoing Enhancements

We’re continuing to roll out incremental improvements to the Vendor Risk AI-powered Security Profile (Beta) to give you greater flexibility, control, and clarity.
- Custom Domain & IP selection: You can now customize the domains and IPs used in a vendor’s security profile. Your selection is saved between sessions and automatically applied to the Instant Risk Assessment, helping you tailor assessments to specific vendor engagements and use cases.
- Excel document support: You can now upload and scan Excel documents as part of the evidence used in the security profile.
- Manual check management: We’ve made it easier to manage checks and citations—users can now manually mark checks as "met" to better reflect their evaluation.
- Add comments to all checks: Comments can now be added to both passed and unmet checks (previously, comments were only supported for identified risks).
- Updated rating logic: The Security Profile rating will now default to the automated scanning score when no evidence has been provided. Once evidence is added, the rating will automatically update to reflect the combined impact of the automated scanning and evidence, against the Security Profile control set.
More enhancements to come in upcoming releases.
New in Breach Risk: Risk Waivers for Subsidiaries
We’ve introduced Risk Waivers for Subsidiaries, a powerful new feature in Breach Risk that gives organizations greater control and flexibility in managing risk across their subsidiaries. With this enhancement, you can now create private risk waivers for risks associated with any of your subsidiaries. These waivers are visible only within your organization and ensure your internal risk posture reflects the controls and context you manage centrally.
New in Trust Exchange: Trust Page enhancements
We’ve rolled out a number of improvements to Trust Pages in this release:
- Trust Page users can now add specific badges for their CSA STAR level, plus new badges for CSA TCP, CREST and URAC, so businesses who adopt these frameworks and standards can reflect that on their Trust Page.
- Downloads data is now available in the Trust Page access log, giving you deeper insight into the documents that your prospects and customers find most valuable.
- A preview mode for Trust Pages is now available, so you can see what your page will look like from an outside perspective prior to publishing.
- You can now customize your security link titles on your Trust Page via Settings > Content Library.
- We’ve made UI improvements to the Trust Page share modal, published status badges and settings page.
Other improvements
- For Vendor Risk customers who want to be notified when their vendors make changes to their Trust Page, we’ve made improvements to the notification, which you can enable via Home > Manage Notifications > Configure custom notifications.
- We’ve added a new Vendor Risk custom attribute type URL so you can now add clickable links as custom attributes.
- Users can now sort by percent complete when reviewing remediation requests in both Vendor Risk and Breach Risk.
- We’ve added the SOC3 report as a default document type to Vendor Risk Additional Evidence.
- This release includes a number of bug fixes.

Add a custom domain for your Trust Page

We’re introducing custom domain support for all Trust Pages, so that you can deliver a fully branded experience that builds trust and reinforces credibility with your prospects and customers. Paired with previous custom branding enhancements, your Trust Page can now feel like a natural extension of your existing web presence. This comes at no additional cost, and is available on all Trust Pages.
Export vendor reports into Word documents
We’ve added support for generating editable versions of vendor reports, giving you greater flexibility to tailor content before sharing. You can now export the Vendor Summary, Vendor Detail, Vendor Risk Assessment, and Security Profile Risk Assessment reports in Microsoft Word format, making it easier to customize findings, add context, or apply your own branding. This option is in addition to the PDF option when generating reports.
Detection for exposed llama.cpp instances
We have expanded our external attack surface monitoring to detect exposed instances of llama.cpp, a popular open-source framework for running LLMs (e.g. DeepSeek, Llama 2, Qwen…) locally. This enhancement helps organizations identify unintentionally exposed AI infrastructure, reducing the risk of unauthorized access to self-hosted language models and maintaining a secure AI deployment footprint.
PCI DSS Questionnaires
We’ve added a complete set of questionnaire templates to the Vendor Risk questionnaire library, aligned with the Payment Card Industry Data Security Standard (PCI DSS) v4. Each of the 10 official SAQ types is now available as a pre-built questionnaire ready to assess organizations against the requirements of PCI DSS. Note that these questionnaires are not a substitute for an Attestation of Compliance (AOC) or Report on Compliance (ROC).
Other improvements
- We’ve made it easier to waive risks in the Vendor Risk Security Profile (beta). You can now easily waive risks identified through document scans as soon as they are identified.
- This release includes a number of bug fixes

Open Ollama server detection

UpGuard’s latest update to Breach Risk and Vendor Risk improves external attack surface monitoring by detecting exposed Ollama instances, which serve self-hosted large language models and become vulnerable when publicly accessible via port 11434. This new capability helps organizations prevent unauthorized access, safeguard AI assets, and mitigate the risk of data theft or model tampering.
Improvements to Trust Page questionnaires
It’s now easier to add security questionnaires to your Trust Page, with a redesigned module that streamlines the process and makes it easier to share your responses with prospects and customers. You can now import questionnaires directly on the Trust Page, as well as more easily access details about your Trust Page questionnaires via Answer Questionnaires > Public questionnaires.
Other improvements
- We’ve added company logos to Vendors in Vendor Risk.
- We’ve changed the handling of informational risks in the Vendor Risk Security profile. Details of informational risks are included but do not impact the control status or security rating.
- This release includes a number of bug fixes.

Introducing AI-Powered Security Profile and Instant Risk Assessments

Supercharge your vendor assessments in UpGuard Vendor Risk with AI-powered Security Profiles and Instant Risk Assessments—faster, smarter, and more efficient than ever.
Here’s how these features take your vendor risk assessments to the next level:
- AI-powered analysis: Automatically uncover security control alignment, risks, and compliance gaps—insights that once required manual effort, now fully automated with AI.
- Complete security profile visibility: Gain instant clarity on a vendor’s compliance, risk exposure, and security posture with the new security profile—visibility that was previously difficult to achieve, now delivered in one streamlined profile.
- Proactive vendor engagement: Easily request supplementary evidence from vendors to determine security posture and compliance gaps—removing guesswork and ensuring more comprehensive assessments.
- Smarter, faster reporting: AI Assess converts all evidence and findings into structured, insightful risk narratives—seamlessly transforming scattered information into clear, actionable intelligence.
- Comprehensive risk assessment: Generate and publish a point-in-time risk assessment report with AI Assess’s contextual commentary in mere minutes—providing a level of depth and clarity that once took hours to achieve.
To learn more see How to assess your vendors using AI-powered Security Profile and Instant Risk Assessments.
These features have been released as beta with the objective of gathering feedback to drive ongoing improvements. We’re committed to refining their usability and value, and your input will help shape their future direction. Please share your feedback with your UpGuard Customer Success Manager.
Other improvements
- We’ve added new badges to Trust Pages, to include HITRUST r2, NIST CSF v1.1 and v2.0, and PIPEDA in the set of badges you can add to your page.
- We’ve made performance enhancements to the questionnaire viewer and questionnaire builder.
- This release includes a number of bug fixes.

Import questionnaire templates into the questionnaire builder

We know that building custom questionnaires from scratch can be time-consuming and sometimes overwhelming. With our new import feature, you can instantly bring in your existing questionnaires from spreadsheets, giving you more time to focus on what really matters - managing third-party risk.
The questionnaire importer does the heavy lifting by detecting the correct columns for questions, answer options, and section headings, ensuring a seamless transition from spreadsheet to builder. Once imported, you have full control to fine-tune your questionnaire, ensuring it meets your exact needs. To learn more see How to build a custom questionnaire.
Our extensive questionnaire library also offers ready-to-use security questionnaires, designed by our experienced third-party risk analysts to help streamline your assessments while ensuring best-practice coverage.
Other improvements
We have deprecated an outdated version of the score sharing widget. The security ratings badge remains available as an easy way to promote your security posture on your website.

CIS Critical Security Controls Questionnaires

We’ve added three new security questionnaires aligned with CIS Critical Security Controls v8.1, tailored for each Implementation Group: IG1 for organizations with limited cybersecurity resources, focusing on fundamental defences against common threats; IG2 for those with moderate risk exposure, adding safeguards to protect sensitive data and critical business functions; and IG3 for high-security environments, incorporating the full set of CIS Controls to mitigate sophisticated threats and ensure compliance with rigorous security standards. These questionnaires help assess security maturity at the appropriate level, making it easier to evaluate risk and strengthen cybersecurity posture.
New to Trust Pages – compliance badges, branding customization and more
You can now control the look of your Trust Page with a customizable banner at the top of the page, as well as badges you can add to demonstrate your organization’s standards and practices. There are also improvements to the editing view, and more coming to continue to make it easy to share your security documentation with prospects and customers.
Artificial Intelligence discovery
Our platform now includes AI Discovery, enabling automated scanning of third-party websites for AI-related disclosures and passive detection of AI usage. The discovery of AI for a vendor will be shown as an informational risk in the vendor’s risk profile, and will not impact their score. This functionality enhances visibility into vendors' AI adoption, helping you to identify vendors using AI and assess the potential risks and compliance considerations.
Other improvements
- This release includes a number of bug fixes

Introducing new Trust Pages

Trust Pages have received a big upgrade this release, including a sleek new mobile-friendly design and the ability to add a profile image. You can also now add and autofill UpGuard questionnaires directly on your Trust Page, making it easier than ever to securely share security documentation with your prospects and customers. These features are now available to all UpGuard customers on paid plans and will be rolled out to all accounts in the coming weeks, along with more updates to Trust Pages.
New dark web news collector
UpGuard's latest news collector enhances the News & Incidents feed by sourcing stories from the dark web. This new data source ensures security teams are alerted sooner to potential threats, improving their ability to respond proactively.
Other improvements
- To streamline the risk assessment review process we’ve added the ability to generate a report for pre-published (draft) risk assessments.
- This release includes a number of bug fixes.

New product navigation

Our new navigation introduces a streamlined and improved design, making it easier than ever to explore and utilize UpGuard’s platform. Whether you’re just starting out or are a seasoned user, the new navigation means you can access key features faster and focus on what matters most.
New UpGuard AI-Risk Essentials Questionnaire
Introducing the AI-Risk Essentials Questionnaire, designed to address key AI-related security risks, including governance, data handling, security controls, risk management, and incident response. Based on emerging AI-specific frameworks and best practices, this questionnaire ensures that AI systems provided by your vendors align with your risk tolerance, regulatory requirements, and operational resilience objectives.
UpGuard Multi-Framework Questionnaire update
We’ve updated the multi-framework questionnaire to include AI-specific questions and risks for vendors that are building AI systems internally or have integrated third-party AI systems into their products or services. We’ve also introduced some additional questions in key areas that we are seeing in recent international standards and legislation.
New permissions default setting
Admin users can now configure the default set of permissions granted when a user is automatically added to your account.
Other improvements
- Introduced product detection for Mitel MiCollab devices
- Introduced a new verified vulnerability for CVE-2024-35286
- This release includes a number of bug fixes

NIS 2 supplier due diligence questionnaire

We've introduced a new security questionnaire to help assess an organization’s security controls in line with the supplier risk management requirements of the NIS 2 Directive. This questionnaire integrates and expands on the controls from ISO 27001:2022 and NIST CSF 2.0, addressing the alignment with international standards and key components of NIS 2 supplier risk management requirements such as incident response, contractual safeguards, compliance with data protection laws and regulations, and cross-border data flows.
SIG Core and Lite questionnaires updated to 2025 versions
We've updated our SIG Core and SIG Lite questionnaires to the 2025 versions, incorporating the latest review and updates driven by industry standards and regulatory requirements for enhanced risk assessment. You can also now choose which sections of the SIG questionnaires to send, removing unnecessary sections and streamlining the vendor’s response.
Other improvements
- We’ve added vulnerability detection for vulnerabilities in Palo Alto PAN-OS and FortiManager to our passive scanners, broadening our scanning capabilities for both Breach Risk and Vendor Risk.
- We’ve continued to expand our sources for News and Incidents.

Expanded News and Incident coverage

We’re continuing to enhance our News and Incidents feed to provide broader, more comprehensive insights into breaches and cyber incidents. The feed now pulls from five times as many sources, offering greater visibility into critical, officially disclosed events. This expanded coverage empowers you to stay informed and respond more quickly to emerging risks. Access the enhanced feed directly from your dashboard under News & Incidents, and leverage this improved data to protect your business with greater precision and confidence.
Get notified when an NDA is agreed to
Trust Exchange users can now get notified when an NDA is agreed to on their Trust Page, so you’ll know when a new organization has access. This notification can be configured in the Manage Notifications page.
Other improvements
- We've standardized the design of primary actions across the platform, which now all use our dark blue button for a more cohesive and consistent user experience.
- This release includes a number of bug fixes.

NIST AI Risk Management Framework (AI RMF) security questionnaire

We’ve launched a new questionnaire designed to evaluate an organization's compliance with the NIST AI RMF. This security questionnaire offers a structured framework for effectively assessing the risks associated with AI systems. It covers the core functions of the NIST AI RMF—governing, mapping, measuring, and managing AI systems—ensuring that vendors uphold best practices in AI governance and operational management.
Expanded news and incident coverage
We’ve greatly enhanced our news and incident scanning capabilities, now delivering five times broader coverage to provide faster, high-impact insights. This empowers your security teams and SOC analysts to detect incidents affecting your organization or supply chain sooner, enabling proactive responses to mitigate risks early. With an expanded range of advanced data collectors, including official reports and government databases, we now offer a more comprehensive view of emerging threats to fortify your security posture.
Other improvements
- This release includes small improvements to Trust Exchange, including a new home page for free users, and improvements to notifications.
- We’ve added product and version detection for the Roundcube email client to detect the following vulnerabilities:
  - CVE-2024-42008 - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
  - CVE-2024-42009 - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
  - CVE-2024-42010 - An information disclosure flaw that stems from insufficient CSS filtering
- This release includes a number of bug fixes.

Enhanced Vendors view and export

We’ve improved the Vendor list view and export to give you deeper insights into your vendor portfolio.
- You can now see exactly when a vendor was added to your portfolio with a new optional column called ‘Date added’. This column can be sorted and filtered, and is included in the Excel export.
- We’ve added an option to include Risk count by severity in the Excel export.
Other improvements
- When uploading or editing documents, we’ve changed the ‘document type’ selection sort order to alphabetical, making it easier to find and select the right document type.
- Several iterative updates for AI Autofill have been released, including an improvement to autofill sources and information messages.
- Trust Exchange’s questionnaire form has seen some improvements, including an aspect ratio bug fix, an improvement to the naming of questionnaires added to Trust Pages, and more.
- This release includes a number of bug fixes.